[Senate Hearing 106-838]
[From the U.S. Government Publishing Office]
S. Hrg. 106-838
``CYBER ATTACK: IMPROVING PREVENTION AND PROSECUTION''
=======================================================================
HEARING
before the
SUBCOMMITTEE ON TECHNOLOGY, TERRORISM,
AND GOVERNMENT INFORMATION
of the
COMMITTEE ON THE JUDICIARY
UNITED STATES SENATE
ONE HUNDRED SIXTH CONGRESS
SECOND SESSION
on
EXAMINING HOW TO COMBAT CYBER ATTACKS BY IMPROVING PREVENTION AND
PROSECUTION
__________
SCOTTSDALE, AZ
__________
APRIL 21, 2000
__________
Serial No. J-106-79
__________
Printed for the use of the Committee on the Judiciary
U.S. GOVERNMENT PRINTING OFFICE
69-335 WASHINGTON : 2001
COMMITTEE ON THE JUDICIARY
ORRIN G. HATCH, Utah, Chairman
STROM THURMOND, South Carolina PATRICK J. LEAHY, Vermont
CHARLES E. GRASSLEY, Iowa EDWARD M. KENNEDY, Massachusetts
ARLEN SPECTER, Pennsylvania JOSEPH R. BIDEN, Jr., Delaware
JON KYL, Arizona HERBERT KOHL, Wisconsin
MIKE DeWINE, Ohio DIANNE FEINSTEIN, California
JOHN ASHCROFT, Missouri RUSSELL D. FEINGOLD, Wisconsin
SPENCER ABRAHAM, Michigan ROBERT G. TORRICELLI, New Jersey
JEFF SESSIONS, Alabama CHARLES E. SCHUMER, New York
BOB SMITH, New Hampshire
Manus Cooney, Chief Counsel and Staff Director
Bruce A. Cohen, Minority Chief Counsel
______
Subcommittee on Technology, Terrorism, and Government Information
JON KYL, Arizona, Chairman
ORRIN G. HATCH, Utah DIANNE FEINSTEIN, California
CHARLES E. GRASSLEY, Iowa JOSEPH R. BIDEN, Jr., Delaware
MIKE DeWINE, Ohio HERBERT KOHL, Wisconsin
Stephen Higgins, Chief Counsel and Staff Director
Neil Quinter, Minority Chief Counsel and Staff Director
C O N T E N T S
----------
STATEMENTS OF COMMITTEE MEMBERS
Page
Kyl, Hon. Jon, U.S. Senator From the State of Arizona............ 1
CHRONOLOGICAL LIST OF WITNESSES
Panel consisting of Janet Napolitano, Attorney General, State of
Arizona; and Guadalupe Gonzalez, Special Agent In Charge,
Phoenix Field Investigation, Federal Bureau of Investigation... 3
Panel consisting of David W. Aucsmith, chief security architect,
Intel Corp.; and Jose Granado, senior manager, Ernst & Young
LLP, Houston, TX............................................... 89
ALPHABETICAL LIST AND MATERIAL SUBMITTED
Aucsmith, David W.:
Testimony.................................................... 89
Prepared statement........................................... 93
Gonzalez, Guadalupe:
Testimony.................................................... 66
Prepared statement........................................... 71
Granado, Jose:
Testimony.................................................... 102
Prepared statement........................................... 104
Napolitano, Janet:
Testimony.................................................... 3
Prepared statement........................................... 5
Letter from the Attorney General......................... 11
Summary.................................................. 13
Computer Crimes Act of 2000.............................. 15
Attorney General's Website............................... 54
News Articles............................................ 57
``CYBER ATTACK: IMPROVING PREVENTION AND PROSECUTION''
----------
FRIDAY, APRIL 21, 2000
U.S. Senate,
Subcommittee on Technology, Terrorism,
and Government Information,
Committee on the Judiciary,
Scottsdale, AZ.
The subcommittee met, pursuant to notice, at 9 a.m., in
City Council Chambers, Scottsdale, AZ, Hon. Jon Kyl (chairman
of the subcommittee) presiding.
OPENING STATEMENT OF HON. JON KYL, A U.S. SENATOR FROM THE
STATE OF ARIZONA
Senator Kyl. This hearing will please come to order.
Let me first welcome everyone to this field hearing of the
Subcommittee on Technology, Terrorism, and Government
Information of the U.S. Senate Judiciary Committee. It is
encouraging to see so many people who are interested in this
critical subject. Before we begin, I want to thank the Mayor of
Scottsdale, Sam Campana, for hosting us here at the Scottsdale
City Council chambers and for the assistance of Peggy Carpenter
from the city of Scottsdale, who helped set up this hearing. I
also want to thank Ed Denison from the Arizona Software
Association for his assistance in spreading the word about the
hearing, and, finally, to say hello to the people watching this
hearing on the city of Scottsdale's Cable Television channel.
The danger from cyber attack has recently received a lot of
attention. The denial-of-service attacks against popular
Internet sites like Yahoo, eBay, and CNN and the arrest earlier
this week of a Canadian teenager in the case brought home to
Americans just how vulnerable we are. This is the seventh
hearing I have held on the subject in the past 3 years, and it
won't be the last.
In examining how to combat cyber attacks, it is important
to reflect on how the Information Age is rapidly transforming
our society. Today, virtually every key service is dependent
upon computers--from electrical power grids, to phone systems,
air traffic control, banking, military early-warning networks.
The list goes on and on. Unfortunately, most of these critical
computer networks were not designed with good security measures
in mind.
America's increased dependence on computer networks must
also be viewed in context of our changing role in the post-cold
war world. The United States is the world's only superpower,
and our armed forces enjoy technological superiority on the
battlefield. I sit on the Senate Intelligence Committee, and I
receive a lot of briefings from the CIA and others about
threats facing our country. The overriding trend in these
briefings is that nations and terrorist groups that are hostile
to our interests are increasingly choosing not to confront our
military strengths directly--that is, by trying to field fleets
of advanced fighter planes or aircraft carriers on a par with
ours--but, rather, are seeking to exploit our vulnerabilities,
looking hard for our Achilles heel. As the ancient
Chinese military strategist Sun Tzu said, ``You can be sure of
succeeding in your attacks if you only attack places which are
undefended.''
China's current military strategists appear to have taken
this lesson to heart. A recent article in the official
Liberation Army Daily stated that China is considering creating
a fourth branch of the military for information warriors and
said ``Internet warfare'' should be equated with air, land, and
sea combat operations.
Russia is another country of concern in this area. Last
year, a series of widespread intrusions were detected on
computer networks operated by the Defense Department, other
Federal agencies, and the private sector. The FBI traced these
intrusions to Russia in an operation dubbed Moonlight Maze.
According to the FBI, the attacks resulted in the theft of vast
quantities of unclassified, but still sensitive information
about defense technological
research matters. Although the details of the case are
classified, according to Newsweek Magazine, the primary
suspects in the intrusions, which have since terminated, are
``crack cyber spooks from the Russian Academy of Sciences, a
government-supported organization that interacts with Russia's
top military labs.'' And Russia and China are not the only
countries of concern. According to the National Security
Agency, over a dozen countries are working on information
warfare techniques.
U.S. military planners have also begun to try to assess how
cyber attacks could affect our military's performance and to
take steps to close those vulnerabilities. In 1997, the Joint
Chiefs of Staff conducted an exercise called Eligible Receiver
to find out how easy it would be for an enemy to attack U.S.
military communication systems and other critical
infrastructures. During the exercise, a small team of 2 dozen
people used readily available computer hacking tools to attack
the military's critical infrastructures and within 4 days
crippled our ability to respond to a simulated crisis in the
Pacific theater. They also broke into networks that control the
electric power grid for the entire United States.
In addition to being conscious of the threat from foreign
countries and the need to take steps to improve the security of
the critical computer networks, we need to combat computer
hacking by criminals here in the United States, which can also
have very serious consequences. The number of computer crimes
is rapidly increasing, and we need to be sure that Federal,
State, and local law enforcement agencies have the tools they
need to investigate and prosecute violators.
Catching and punishing those who commit cyber crimes is
essential for deterring future attacks. When a cyber attack
occurs, it is not initially apparent whether the perpetrator is
a mischievous teenager, a professional hacker, a terrorist
group, or even a hostile nation. Law enforcement must be
equipped with the resources and authorities necessary to
swiftly trace a cyber attack back to its source and
appropriately prosecute criminals.
Finally, it is important to recognize that private
companies own and operate the vast majority of the computer
networks used to operate our critical infrastructure. We must
raise awareness in industry about cyber threats, encourage
companies to take responsible steps to protect themselves, and
remove roadblocks to effective industry cooperation. For
example, protection from attack necessitates that information
about cyber vulnerabilities and threats be communicated among
companies and with government agencies. Antitrust laws that
were created to prevent collusion among competitors in an
industry need to be updated to allow companies to cooperate in
establishing good cyber security. Furthermore, the Freedom of
Information Act may need to be updated to encourage companies
to share information with the Federal Government. Communication
is critical for protection, and these roadblocks need to be
removed.
Our witnesses are well suited to address these issues. On
our second panel, David Aucsmith, the Intel Corporation's top
security specialist, will discuss some of the trends and
challenges in cyber security, and Jose Granado, a senior
manager of Ernst & Young, will conduct a live computer hacking
demonstration. Guadalupe Gonzalez, the special agent in charge
of the FBI's Phoenix Office, will provide the Federal law
enforcement perspective on cyber crime.
Before we hear from these three experts, I would like to
introduce our first witness, Arizona Attorney General Janet
Napolitano. Ms. Napolitano has served as attorney general since
January 1999, and prior to her election to this post, she
served for over 4 years as the U.S. attorney for Arizona.
Attorney General Napolitano, thank you very much for
testifying at today's hearing. Your full statement and that of
all of the witnesses will be included in the record, and I
would invite you to make any summary remarks at this time.
PANEL CONSISTING OF JANET NAPOLITANO, ATTORNEY GENERAL, STATE
OF ARIZONA; AND GUADALUPE GONZALEZ, SPECIAL AGENT IN CHARGE,
PHOENIX FIELD INVESTIGATION, FEDERAL BUREAU OF INVESTIGATION
STATEMENT OF JANET NAPOLITANO
Ms. Napolitano. Thank you, Mr. Chairman, and thank you for
inviting me to be here today and for your long-time interest in
the cyber area. You have truly been a national leader in this
regard, and we are grateful.
Arizona is one of the leading States, I believe, in
prosecuting computer crime. In the Attorney General's office,
we have established a Technology Crimes Unit. The head of that
unit is with me today, Gail Thackery, who is one of the
Nation's leading prosecutors in this emerging area.
We also now have one of the most comprehensive computer
crime statutes in the country that was passed by the
legislature this past session, was recently signed into law by
Governor Jane Hull, and had broad bipartisan support.
Let me, if I might, divide my summary remarks into three
brief categories, and I understand my full statement will be
admitted into the record. But the three categories are what
kinds of things we're seeing at the State level in Arizona,
what is in our cyber crime legislation that supports and
augments what is in some of the proposed Federal legislation,
and, finally, what we as State prosecutors would like to see
from the Federal Government.
But, very briefly, lest we think that all cyber crime takes
place internationally or in cyberspace somewhere else, we have
a great deal of it here in Arizona, and it really doesn't
matter whether you are in urban Arizona or rural Arizona.
Anywhere you have a PC you have the potential of a cyber crime.
Currently, we have cases in our office pending involving
the five following kinds of cyber crime: cyber stalking, online
school threats, infrastructure attacks and hacker offenses,
fraud--in fact, in our Consumer Fraud Division in the Attorney
General's office, we have now created a separate way to track
the Internet fraud cases so that we can follow the trend line
more accurately as to what kinds of fraud we are seeing on the
Internet--and child sexual exploitation cases. We currently
have task forces involving child sexual exploitation in Tucson
and Phoenix, and our office is helping Arizona post the
training agency for law enforcement train investigators and
prosecutors in this area.
So you can see we have quite a panoply of different types
of computer crimes. Some are old kinds of crime committed in
new ways, i.e., fraud. Some are new crimes that we could not
have imagined 20 years ago.
To deal with this, our office proposed the Computer Crime
Act of 2000 in Arizona, and briefly, Senator, that statute,
which is attached to part of my testimony, has six parts. One
is cyber terrorism, and it raises the penalties for disrupting
operations of things like utilities, emergency services,
medical institutions, traffic control and the like.
It contains cyber tools for law enforcement. For the first
time, for example, our office has the ability to seek the
source of e-mails through desk subpoenas rather than having to
go continually to court, a concept I think that the FBI is
supporting federally.
It has sections on forgery, fraud, and theft, and
acknowledges that people have online identities that themselves
can be the subject of the theft of identity.
It has a new felony for cyber stalking because the current
laws were not adequate to deal with the prosecution of those
offenses.
It has a felony for computer use and disruption. The denial
of service attacks you mentioned in your opening statement are
now felonies in Arizona. I think we are one of the few
jurisdictions in the country that actually has that.
And, finally, it has provisions related to child
pornography on the Internet, and it adds the offense of
luring--l-u-r-i-n-g--meaning that the offense of sexual
solicitation of a minor is committed with the solicitation
itself. It doesn't require any further act in furtherance of
the crime of meeting the minor in order to be able to charge
the higher felony. We make the solicitation itself, the luring,
a crime on the Internet. So that is the new Arizona bill.
Now, we have a Technology Crimes Unit, as I mentioned, and
I might like to say that this year the legislature, under the
leadership of Representative Jim Wyers from the northwest part
of the valley, passed a bill that provides some monetary
resources both to the Attorney General's office and to the
Department of Public Safety to help us meet the increasing
need. And as good a bill as that is, it is only a first step in
terms of the resources that State and local prosecutors are
going to need. The chief thing we need from the Feds, if I can
use the nickname, right now is training and resources.
Attorneys, investigators, and prosecutors with computer
skills are in incredible demand. We are unable to hire people
with this expertise because State and local public salaries
simply are not competitive in the current marketplace. That
means what we need to do and what we are doing is training
people who are already in public service on how to deal with
these new kinds of crime. That means training is very, very
key. It is expensive, and it also requires equipment that is
continually updated to match what is out there in the field.
As I have already indicated, the bulk of prosecuting these
crimes, the bulk of these crimes, be it identity theft, be it a
child pornography case, be it a luring case, are going to end
up being prosecuted by State and local authorities because that
is where the bulk of prosecutions in this country occurs in any
area. And the same is holding true in cyber crime.
So we would like to emphasize the need for training
resources, and there are existing vehicles already in place to
deliver that training, both through the National District
Attorneys Association and the National Association of Attorneys
General. NAAG, by the way, has made cyber crime one of its top
priorities, and I would ask that the Senate and that you
consider how we make those training resources available on a
continual basis, not a one-time thing but continual, because
the technology keeps changing.
The other idea I would like to offer to you, Sir, is
something that is reminiscent of what the Senate and the
Congress did in the 1970's when they provided seed money to
Attorneys General to open up or to start antitrust units or
economic competition units within their offices to handle those
kinds of cases. Seed money for every Attorney General to have a
cyber crime unit such as we have in Arizona, or to build on one
if they already have one, I think would provide a very big bang
for the buck in the sense of expanding our reach, expanding our
prosecutorial resources, and expanding what we can do working
with these new technologies to make sure and to ensure that
basic law enforcement is being carried out, be it in cyberspace
or be it on the ground.
Thank you very much.
[The prepared statement of Ms. Napolitano follows:]
Prepared Statement of Janet Napolitano
Mr. Chairman, thank you for the opportunity to address your
subcommittee today. As the Attorney General of Arizona, I am here to
report on our state's activities in combating and prosecuting
cybercrime. Cybercrime is an emerging issue in law enforcement as an
increasing number of crimes are committed using computers and other
technologies. In fact, while we have seen a decline in violent crime,
cybercrime has increased exponentially. As crime migrates to the
Internet and other frontiers of technology, law enforcement must be
adequately prepared to apprehend and prosecute the criminals.
Instead, law enforcement has had a difficult time keeping up with
cybercrime. Laws have been found to be inadequate in dealing with new
technologies. The speed with which technology advances demands rapid
and innovative solutions to complex problems. Lastly, there is a
desperate lack of resources for cybercrime law enforcement. There are
three issues I want to discuss today--legislation, emerging issues in
cybercrime and current challenges facing law enforcement.
ARIZONA LEGISLATION--THE COMPUTER CRIMES ACT OF 2000
The Office of the Attorney General drafted the Computer Crime Act
of 2000, which was sponsored and passed by a bi-partisan coalition of
legislators. HB 2428, recently signed into law by Governor Jane Dee
Hull, is designed to better protect Arizona citizens from cybercrime,
which is a threat to private citizens, public infrastructure,
businesses, and government, as these incidents prove:
In 1998 a computer user in Arizona hacked his way onto a
billing database of a public utility, looking to cancel someone's
account. Once in the system, he gained high-level access to the canal
controlling system, putting the system at serious risk.
Just this past year, a young man, angry at his ex-
girlfriend, posted pictures of her and assumed her identity on the
Internet. Through sexually explicit e-mail with other users, he put the
young woman in great danger to potentially become a victim of sexual
assault or worse by inviting people to her home and workplace.
A Phoenix man hacked into the computer of an Internet
Service Provider in Canada and crashed the server, disabling the entire
network, including all e-mail services, for a week. Numerous businesses
and individuals lost valuable information, time and money.
There are six parts to this legislation:
Cyberterrorism
We must use every means available to crack-down on attacks on our
high-tech infrastructure. This section raises judicial penalties for
disrupting operations of utilities, emergency services, medical
institutions, traffic control, etc.
Cybertools for law enforcement
Cybertools strengthen law enforcement's ability to preserve
electronic evidence and to trace rapidly criminal activity on the
Internet.
Forgery, fraud and theft
Private individuals and businesses must be protected from
electronic forgery, fraud and theft. New provisions such as these
update our laws, demonstrating that individuals and companies have an
``online'' identity that can be used by others in criminal or malicious
activity. Fraud statutes must protect Internet consumers and businesses
against crimes such as theft of trade secrets, credit card fraud,
identity theft and forgery.
Cyberstalking
Current statutes did not provide adequate protection from
cyberstalking, where physical contact between the victim and stalker
may never occur. The new legislation includes the unique and technical
aspect of cyberstalking and provides an effective tool for prosecution
and prevention.
Computer use and disruption
When a company or an individual loses their access to the Internet,
they can lose contact to their customers, business records, financial
information, and other materials hindering their ability to work,
retrieve data, and communicate. This section is designed to deter
several forms of disruption which have not been covered by the current
statute.
Child pornography
The section protects computer repair technicians and others who
report child pornography to the police. It also adds the offense of
``luring,'' to attack effectively the online solicitation or offering
of a child with an intent of sexual exploitation. Individuals would be
held criminally liable for any sexually explicit material knowingly
transmitted to a school or minor.
The Computer Crimes Act of 2000 goes into effect July 18, 2000.
EMERGING ISSUES
Law enforcement and the public at large have raised several issues
that Congress and the states will have to come to terms with in the
near future. Two of the ones my office is working on are Privacy and
the Theft of Intellectual Property.
Privacy
The public is becoming increasingly concerned over the collection
and ownership of personal identifying information. The traditional
American model is that organizations that gather information about
individuals become the owners of that information, and can use it for
their own purposes or even sell it to others. The phrase seen in hacker
chat rooms currently is, ``You have no privacy now--get over it.''
On the other hand, for 25 years or more, many countries have had
strong privacy protections including transborder data flow statutes
prohibiting the transfer of personal data across national boundaries,
and other laws forbidding the ``secondary use'' of personal data
without permission of the individual. In fact, American corporations
have just agreed to honor European Union privacy rules which are much
more stringent than any they observe in this country, in connection
with our own citizens' data.
We have made tremendous advances with the use of the Internet in
numerous fields. But at the same time, the Internet poses a threat to
individual privacy--and security--on a scale never imaginable in
earlier times, when records pertaining to individuals were maintained
by corporations and public agencies in separate files scattered across
the business and government landscapes.
The time has come for a comprehensive assessment of our nation's
business practices with regard to the collection and use of personal
data. The national epidemic of Identity Theft crimes is proof that we
also need to establish industry standards for maintaining the security
and accuracy of information that is collected about individuals. I
intend to work with Arizona business, consumer and privacy groups in
the next legislative session to craft legislation that will offer our
citizens reasonable assurance that they know what information is being
collected about them, have an opportunity to correct inaccuracies, and
have some say in what is done with their personal data. I believe that,
working together, Arizona citizens and businesses can establish a
reasonable framework for protecting individual privacy in a world where
all records are online, all the time.
Theft of intellectual property
The Internet has also caused another revolution--the quick and
rapid distribution of many perfect copies of the same original.
Arizona's ``Silicon Desert'' is an important and fast-growing part of
our economy, and the protection of our information resources is
critical. Currently, the Federal copyright statute preempts the states
from enforcing thefts of intellectual property such as software, video
and music, yet the Federal agencies only have the resources to pursue a
tiny fraction of the reported offenses. This situation robs our
American businesses of billions of dollars a year, and allows the
thieves to flourish.
As a former United States Attorney, I understand the limitations of
resources among the Federal agencies. However, every year a number of
business victims come to our office for help, but the Federal
preemption of copyright theft leaves us powerless to help them. I know
that industry would support a change in the copyright law to permit
enforcement at the state level, and I urge Congress to amend the
copyright laws to permit enforcement by both Federal and State
agencies. A strong information economy requires strong protection for
our information assets.
CONCLUSION--CURRENT CHALLENGES
The Arizona Attorney General's Office is charging ahead in
partnership with various groups to address Arizona's state of emergency
regarding cybercrime.
Law Enforcement--we have created a three-tiered training
program:
1. A two-day comprehensive evidence seizure and crime scene
procedure class. This will be certified by AZ POST and taught by the
Department of Public Safety, the Attorney General's Office and other
agencies. The goal is to create regional expert teams, similar to the
meth lab multi-agency teams, and certify 200 officers in the State.
2. Police officers training to teach various tools and programs for
extracting computer evidence and creating a case ready for prosecution.
3. Detective training to teach the special skills necessary to
perform investigations in cyberspace.
Communication Industry--We are working with on-line
providers to develop standardized policies and forms for legal
procedures necessary to obtain computer evidence.
Business--We are working with corporations to assist in
raising awareness on computer security issues and using their expertise
to help train law enforcement.
Schools--We are working closely with schools and school
districts to deal with the increasing problem of school online threats.
Public--We are conducting townhalls throughout Arizona to
educate the public at large particularly seniors and parents, to
potential dangers on the Internet.
In addition to the work being done in Arizona, other states have
also been active: California has established regional task forces; the
Attorney General of Illinois has established a state level unit to
investigate and prosecute computer crimes; and the Attorney General of
South Carolina has, with the assistance of the Office of Juvenile
Justice and Delinquency Programs in the U.S. Department of Justice,
created a task force to investigate and prosecute child pornographers
and pedophiles. In fact, Attorneys General from around the country have
made cybercrime a high priority for the National Association of
Attorneys General.
But like Arizona, states face two major obstacles in setting up
units or task forces to address computer crimes: staff and equipment.
Attorneys, investigators and prosecutors with computer skills are in
high demand. Unable to hire and retain these skilled professionals at
state salaries, states have turned to grooming these professionals
within current ranks. Training, however, is expensive and not enough
police and prosecutors are receiving it. Equipment to investigate these
crimes is also expensive and must be constantly updated to keep pace
with technology.
Participation of the states in protecting the nation's
infrastructure by investigating and prosecuting computer crimes is
critical. As in other areas of criminal law, the states will
undoubtedly carry the bulk of the computer crime investigations and
prosecutions and, in the area of juvenile prosecutions, the states will
have the full burden of those cases. This burden is likely to be
considerable because computers have become ubiquitous in almost every
type of crime.
The efforts of Arizona and other states to address computer crimes
must be nurtured by the Federal Government. The states need direct
Federal funding to establish computer forensic laboratories.
The development of a basic curriculum for prosecutors is underway.
The means to execute the training and to provide ongoing technical
assistance exists through the National Association of Attorneys General
and the National District Attorneys Association. Unfortunately, we are
missing the funding to implement the training and assistance.
Approximately $1 million a year for 5 years would allow over 100
prosecutors to be trained each year.
To combat cybercrime, a program to provide states with seed money
to assist with hiring knowledgeable staff and buying much needed
equipment should be established on the Federal level. This program
would need to provide a minimum of $500,000 per year per state for at
least 3 years to allow the states to establish programs and begin
funding them.
Updates to the law, such as Arizona's Computer Crimes Act 2000, are
a powerful first step in the battle against cybercriminals. But
resources, applied intelligently, would revolutionize law enforcement's
ability to respond swiftly and effectively to cybercrime.
I look forward to working with this Subcommittee and other Federal
entities to ensure that we have a coordinated Federal-State effort to
combat cybercrime.
Once again, thank you for inviting me to present the perspective of
the Arizona Attorney General's Office and I would be pleased to answer
any questions from Subcommittee members.
[GRAPHIC] [TIFF OMITTED] T9335.001 through T9335.057 (attachments to the prepared statement, reproduced as graphics in the printed record)
Senator Kyl. Thank you very much. That is very helpful, and
I have got several questions that I have noted.
But let me first turn to our next witness, Mr. Guadalupe
Gonzalez, the special agent in charge of the FBI's Phoenix
Field Office. Mr. Gonzalez has served in his post since August
1998. Prior to coming to Phoenix, he was the special agent in
charge of organized crime, drugs, and violent crimes in the
FBI's Los Angeles office.
Mr. Gonzalez, thank you very much for testifying at today's
hearing. As I noted before, your full written statement will be
placed in the record. I would like to invite you to make any
summary remarks at this time, and I would note to the people
who are here, in the hearing that we held a couple of weeks ago
in Washington, DC, on this same subject, the FBI Director Louis
Freeh presented his testimony, and in asking him how best to
relate that testimony to people in Arizona, he suggested that
we ask Mr. Gonzalez to be his representative here. And we are
delighted to do that, so thank you.
STATEMENT OF GUADALUPE GONZALEZ
Mr. Gonzalez. Good morning, Mr. Chairman. Thank you for
inviting me to the field hearing to discuss the growing problem
of cyber crime and our response to it. Our ability in the field
to deal with this crime problem requires the support of
Congress. The recent denial-of-service attacks against Yahoo,
Amazon.com, eBay, CNN, Buy.com, and other e-commerce websites
have thrust the security of our information infrastructure into
the spotlight. But they are only one example of a large and
growing problem of criminal activity in cyberspace. I would
like to discuss with you the national challenge of battling
computer intrusions.
The cyber revolution has permeated virtually every facet of
our lives, and we see its effects all around us in the way we
communicate, do business, and even in the way Government
operates. Unfortunately, that revolution has affected the
nature of criminal activity as well. Criminals are increasingly
seeing the utility of cyber tools to facilitate traditional
crimes such as fraud, extortion, and dissemination of child
pornography. And they are also inventing new forms of crime
which make computers and the information stored on them the
targets of the crime. Thus, we see criminals intruding into
computers to steal credit card numbers, to abscond with
proprietary information, and to shut down e-commerce sites. And
this is not just a criminal problem. It is also a national
security problem. This is because our Nation's critical
infrastructures, by which I mean those services that are vital
to our economy and national security, such as electrical
energy, telecommunications, banking and finance,
transportation, and government operations, are now dependent on
computer technology for their very operations. And this very
dependence makes them vulnerable to an attack which, if
successful, could deny service on a broad scale.
The same basic types of cyber attack tools, therefore,
become attractive not only to criminals interested in illicit
financial gain, but also to foreign intelligence services
seeking new ways to obtain sensitive government or industry
information and to terrorists of hostile foreign nations bent
on attacking U.S. interests.
The difficulty of dealing with this challenge stems from
the nature of the cyber environment. The cyber environment is
borderless, affords easy anonymity and methods of concealment to
bad actors, and provides new tools to allow for remote access
to targeted computers. A criminal sitting on the other side of
the planet is now capable of stealthily infiltrating a computer
network in Arizona to steal money, abscond with proprietary
information, or shut down e-commerce sites.
To deal with this problem, law enforcement has retooled its
workforce, its equipment, and its own information
infrastructure. It must also forge new partnerships with
private industry, other agencies, and our international
counterparts.
We at the FBI have been doing all of these things for the
last 2 years, but we must continue to build upon our progress
to ensure that we can perform our responsibilities to protect
public safety and national security in the information age.
My written statement provides an overview of the broad
spectrum of cyber threats which gives a flavor of the
incredibly varied nature of the threats we face. The examples
range from insiders bent on revenge against their employers, to
hackers seeking bragging rights in the hacking community, to
criminal groups stealing credit card numbers or money, to
foreign intelligence agencies or foreign military services who
target U.S. interests.
The most common threats we face are from hackers and
criminals stealing for profit. For example, in March,
authorities in the United Kingdom, acting in coordination with
the FBI, arrested two individuals for alleged intrusions into
e-commerce sites in several countries and the theft of credit
card information on over 26,000 accounts. One subject used the
Internet alias ``CURADOR.'' Losses from this case could exceed
$3 million. The FBI cooperated closely with the Dyfed-Powys
Police Department in the United Kingdom and the Royal Canadian
Mounted Police in Canada and private industry.
Here in Arizona, we are investigating a computer intrusion
case in which a private enterprise was defrauded of several
hundred thousand dollars in fraudulent telephone calls that
were placed to a foreign country.
We are also concerned about the terrorist threat. Terrorist
groups are increasingly using new information technology and
the Internet to formulate plans, raise funds, spread
propaganda, and to communicate securely. Director of Central
Intelligence George Tenet has testified that terrorist groups,
``including Hizbollah, Hamas, the Abu Nidal organization, and
Bin Laden's al Qa'ida organization are using computerized
files, e-mail, and encryption to support their operations.''
While we have not yet seen these groups employ cyber tools
as a weapon to use against critical infrastructures, their
reliance on information technology and acquisition of computer
expertise are clear warning signs.
Finally, given the presence of military research facilities
in Arizona, we must be concerned with national security
threats. As you know, the FBI has observed a series of
intrusions into numerous Department of Defense and other
Federal Government computer networks and private sector
entities. An investigation last year determined that the
intrusions appear to have originated in Russia. The intruder
successfully accessed U.S. Government networks and took large
amounts of unclassified but sensitive information, including
defense technical research information.
Here in Arizona, we have seen scans of military computer
systems by outside intruders. Some of the logs indicate that
the source of some of these scans may be foreign.
The recent distributed denial-of-service attacks have
garnered a tremendous amount of interest in the public. Because
the FBI is actively investigating these attacks, I cannot
provide a detailed briefing on the status of our efforts.
However, I can tell you that all FBI field offices, including
the Phoenix Division, have been asked to assist on a case to
the extent that entities in our jurisdiction are involved in
the matter or to the extent that we can cover leads within our
jurisdiction.
In February 1998, the National Infrastructure Protection
Center, NIPC, was established as a focal point for the Federal
Government's efforts to protect the critical infrastructures.
On October 2, 1998, the center was designated a branch of the
FBI's National Security Division, and the National
Infrastructure Protection and Computer Intrusion Program was
approved as an investigative program. This program is a tier
one priority under the FBI's strategic plan and serves as the
FBI's vehicle for performing the infrastructure protection
mission assigned to the NIPC under Presidential Decision
Directive 63. In October 1999, the program was moved to a
newly-formed Counterterrorism Division of the FBI, reflecting
the FBI's high priority on protecting the infrastructures from
terrorist threats.
At headquarters, the NIPC has a budget of approximately $21
million. This is not slated to increase in fiscal year 2001.
There are currently 193 agents in the field devoted to NIPC
matters as well as 101 personnel at FBI headquarters. The NIPC
at headquarters also houses 19 interagency detailees, mainly
from the law enforcement, defense, and intelligence
communities. The NIPC works closely with foreign counterparts
on case-related matters.
Beyond the NIPC at FBI headquarters, a cyber crime
investigative program has been created in all FBI field
offices, including the Phoenix Division. We have special agents
here who are responsible for investigating computer intrusions,
viruses, or denial-of-service attacks, and for conducting
critical liaison activities with private industry. Given the
amount of work we have and the fact that Phoenix is the sixth
largest city in the United States, we are seeking to establish
a full computer intrusion squad in the Phoenix Division by the
year 2002.
One major difficulty that distinguishes cyber threats from
physical threats is determining who is attacking your system,
why, how, and from where. This difficulty stems from the ease
with which individuals can hide or disguise their tracks by
manipulating logs and directing their attacks through networks
in many countries before hitting their ultimate target. This
will continue to pose a problem as long as the Internet remains
rife with vulnerabilities and allows easy anonymity and
concealment.
Another significant challenge we face is intrusions
involving multiple jurisdictions. A typical investigation
involves victim sites in multiple States and often many
countries. This is the case even when the hacker and the victim
are both located in the United States. In the United States, we
can subpoena records, engage in judicially approved electronic
surveillance, and execute search warrants on suspects' homes,
seize evidence, and examine it. We can do none of these things
ourselves overseas; rather, we depend on the local authorities
to assist us.
The most difficult situation will arise, however, when a
foreign country with interests adverse to our own simply
refuses to cooperate. In such a situation, we could find that
an investigation is stymied unless we can find an alternative
method of tracing the activity back to its source.
Our challenge lies in continuing to expand our computer
investigative, analytic, training, and outreach programs. Given
the explosive and continued growth of computer intrusions, the
Infrastructure Protection and Computer Intrusion Program needs
to more than double the current number of field investigative
personnel and headquarters analysts. In addition, we need to
leverage our resources by expanding our training programs to
reach more State, local, and international investigators.
Finally, NIPC investigators need high-speed computer processing
and large-capacity storage for investigations.
I have tried to review with you some of the threats and
challenges we face. Some of the challenges stem from the
structure of the present laws governing computer crime. For
example, we should ask whether the sentencing guidelines for
computer crime are adequate and whether the $5,000 threshold
for damage is a useful benchmark, because in many cases the
true damage cannot be measured in monetary terms. Examples of
damage difficult to measure monetarily are impairment of
medical diagnosis, threat to public safety, or damage to
national security, national defense, or administration-of-
justice computers.
Another problem we face is having to obtain multiple trap
and trace orders for different jurisdictions. The Kyl-Schumer
bill addresses these concerns and other concerns. We support
the goal of Senate bill 2092 to strengthen the general
deterrence aspects of the Computer Fraud and Abuse Act and to
provide some needed procedural enhancements to help us confront
the expanding criminal threat in this dynamic and important
part of our national economy, while continuing to protect
individual privacy interests. The FBI looks forward to working
with this committee on this important legislation.
Addressing the threat of cyber crime requires teamwork--
teamwork among Government agencies, teamwork between Federal,
State, and local law enforcement, and teamwork between the
Government and the private sector. We have made much progress
in establishing this sort of teamwork on all three fronts over
the last 2 years. The FBI is also developing cyber crime task
forces in partnership with State and local law enforcement
entities within their jurisdiction to leverage the limited
resources in this area. The first one was founded in Pittsburgh
in March. We hope that one can be established in our
jurisdiction in the next few years as the program expands.
The partnerships we have established with the private
sector are particularly important for several reasons. Most of
the victims of cyber crimes are private companies; therefore,
successful investigation and prosecution of cyber crimes
depends on private victims reporting incidents to law
enforcement and cooperating with investigators. Second, the
network administrator, who alone knows the intricacies of his
or her network, often must provide critical assistance to the
investigation leading him to the evidence of the intruder's
activity.
Much has been said over the last few years about the
importance of information sharing. Here in the Phoenix
Division, we have an excellent working relationship with our
private sector counterparts and the community in general. We
share information on a number of areas, including
infrastructure protection, and receive information from the
private sector that greatly assists in protecting the
community.
As a result of our close working relationship with the
private sector, we can detect criminal activity in its initial
stages and in some cases prevent criminal incidents. The NIPC
also provides the private sector with warning information which
also lessens their vulnerability. These warnings assist field
offices like Phoenix to be better prepared and better protect
our community. They further allow us the opportunity to respond
quickly and efficiently to cyber threats. I believe that as
companies continue to gain experience in dealing with the NIPC
and the FBI field offices, as we continue to provide them with
important and useful threat information, and as companies
recognize that cyber crime requires a joint effort by industry
and Government together, we will continue to make real progress
in the area.
Our Key Asset Initiative facilitates response to threats
and intrusion incidents by building liaison and communication
links with the owners and operators of individual companies in
the critical infrastructure sectors and enabling contingency
planning. The Key Asset Initiative initially will involve
determining which assets are key within the jurisdiction of
each FBI field office and obtaining 24-hour points of contact
at each asset in cases of emergency. Eventually, if future
resources permit, the initiative will include the development
of contingency plans to respond to attacks on each asset,
exercises to test response plans, and modeling to determine the
effects of an attack on particular assets.
Here in the Phoenix Division, we have identified dozens of
key assets around the State for inclusion in the national list.
These assets include power generation facilities, water storage
and distribution centers, transportation assets, military
installations, research institutions, and key public emergency
service entities.
The second is the InfraGard initiative. This is an
initiative that we have developed in concert with private
companies and academia to encourage information sharing about
cyber intrusions, exploited vulnerabilities, and physical
infrastructure threats. A vital component of InfraGard is the
ability of industry to provide information on intrusions to the
local FBI field offices using secure e-mail communications in
both a sanitized and detailed format. We can use the detailed
version to initiate an investigation, while NIPC headquarters
can analyze that information in conjunction with other
information we obtain to determine if the intrusion is part of
a broader attack on numerous sites. The NIPC can simultaneously
use the sanitized version to inform other members of the
intrusion without compromising the confidentiality of the
reporting company.
Here in Phoenix, we are planning to roll out our InfraGard
Chapter on May 9. We expect to have representatives from in-
state universities, businesses, and some of the critical
infrastructures on hand.
We look forward to working with Congress to ensure that law
enforcement can continue to address the cyber crime problem in
the year ahead.
Thank you.
[The prepared statement of Mr. Gonzalez follows:]
Prepared Statement of Guadalupe Gonzalez
INTRODUCTION
Mr. Chairman, Members of the Subcommittee: Thank you for inviting
me to discuss the threats to our Nation's critical infrastructures and
the FBI's approach in the field to meeting those challenges. In
February 1998 the National Infrastructure Protection Center (NIPC) was
established as a focal point for the federal government's efforts to
protect the critical infrastructures. Following the founding of the
Center, the National Infrastructure Protection and Computer Intrusion
Program (NIPCIP) was approved as an FBI investigative program. NIPCIP
is a Tier One priority under the FBI Strategic Plan and serves as the
FBI vehicle for performing the NIPC's missions under PDD-63. In October
1999 the NIPCIP was moved to the newly-formed Counterterrorism Division
of the FBI, reflecting the FBI's high priority on protecting the
infrastructures from terrorist threats.
With the support of Congress and in particular the leadership of
this committee, the NIPCI program has rapidly developed in FBI field
offices across the United States, including here in Arizona. Today I
will focus on the nature of the national security and criminal threats
we face in cyberspace, the progress we have made in meeting those
threats in the field, and the continuing challenges we face.
THE NIPC
The NIPC is an interagency Center located at the FBI. Created in
1998, the NIPC serves as the focal point for the government's efforts
to warn of and respond to cyber attacks, particularly those that are
directed at our nation's ``critical infrastructures.'' These
infrastructures include telecommunications and information, energy,
banking and finance, transportation, government operations, and
emergency services. Presidential Decision Directive (PDD) 63 directed
that the NIPC serve as a ``national critical infrastructure threat
assessment, warning, vulnerability, and law enforcement investigation
and response entity.'' The PDD further states that the mission of the
NIPC ``will include providing timely warnings of intentional threats,
comprehensive analyses and law enforcement investigation and
response.''
In field offices such as Phoenix, we have created a cyber crime
investigative program called the National Infrastructure Protection and
Computer Intrusion (NIPCI) Program. This program, managed by the NIPC,
consists of special agents in each FBI Field Office who are responsible
for investigating computer intrusions, viruses, or denial of service
attacks, for implementing our key asset initiative, and for conducting
critical liaison activities with private industry. Cyber crime task
forces are being developed in partnership with state and local law
enforcement entities within their jurisdiction to leverage the limited
resources in this area. The first one opened in Pittsburgh last month.
THE BROAD SPECTRUM OF THREATS
Cybercrime threats faced by law enforcement
Before discussing the FBI's programs and requirements with respect
to cybercrime, let me take a few minutes to discuss the dimensions of
the problem. The FBI's case load is increasing dramatically. In fiscal
year 1998, it opened 547 computer intrusion cases; in fiscal year 1999,
that had jumped to 1,154. At the same time, because of the opening of the
National Infrastructure Protection Center (NIPC) in February 1998, and
improving ability to fight cyber crime, more cases were closed. In
fiscal year 1998, 399 intrusion cases were closed, and in fiscal year
1999, 912 such cases were closed. However, given the exponential
increase in the number of cases opened, cited above, the actual number
of pending cases has increased by 39 percent, from 601 at the end of
fiscal year 1998, to 834 at the end of fiscal year 1999. In short, even
though the FBI has markedly improved its capabilities to fight cyber
intrusions, the problem is growing even faster.
A few days ago the Computer Security Institute released its fifth
annual ``Computer Crime and Security Survey.'' The results only confirm
what we had already suspected given our burgeoning case load, that more
companies surveyed are reporting intrusions, that dollar losses are
increasing, that insiders remain a serious threat, and that more
companies are doing more business on the Internet than ever before.
The statistics tell the story. Ninety percent of respondents
detected security breaches over the last 12 months. At least 74 percent
of respondents reported security breaches including theft of
proprietary information, financial fraud, system penetration by
outsiders, data or network sabotage, or denial of service attacks.
Information theft and financial fraud caused the most severe financial
losses, put at $68 million and $56 million respectively. The losses
from 273 respondents totaled just over $265 million. Losses traced to
denial of service attacks were only $77,000 in 1998, and by 1999 had
risen to just $116,250. Further, the new survey reports on numbers
taken before the high-profile February attacks against Yahoo, Amazon
and eBay. Finally, many companies are experiencing multiple attacks; 19
percent of respondents reported 10 or more incidents.
Over the past several years the FBI has seen a range of computer
crimes from defacement of websites by juveniles to sophisticated
intrusions that we suspect may be sponsored by foreign powers, and
everything in between. Some of these are obviously more significant
than others. The theft of national security information from a
government agency or the interruption of electrical power to a major
metropolitan area have greater consequences for national security,
public safety, and the economy than the defacement of a web-site. But
even the less serious categories have real consequences and,
ultimately, can undermine confidence in e-commerce and violate privacy
or property rights. A website hack that shuts down an e-commerce site
can have disastrous consequences for a business. An intrusion that
results in the theft of credit card numbers from an online vendor can
result in significant financial loss and, more broadly, reduce
consumers' willingness to engage in e-commerce. Because of these
implications, it is critical that we have in place the programs and
resources to investigate and, ultimately, to deter these sorts of
crimes.
The following are some of the categories of cyber threats that we
confront today.
Insiders. The disgruntled insider (a current or former employee of
a company) is a principal source of computer crimes for many companies.
Insiders' knowledge of the target companies' network often allows them
to gain unrestricted access to cause damage to the system or to steal
proprietary data. The just-released 2000 survey by the Computer
Security Institute and FBI reports that 71 percent of respondents
detected unauthorized access to systems by insiders.
In January and February 1999 the National Library of Medicine (NLM)
computer system, relied on by hundreds of thousands of doctors and
medical professionals from around the world for the latest information
on diseases, treatments, drugs, and dosage units, suffered a series of
intrusions where system administrator passwords were obtained, hundreds
of files were downloaded which included sensitive medical ``alert''
files and programming files that kept the system running properly. The
intrusions were a significant threat to public safety and resulted in a
monetary loss in excess of $25,000. FBI investigation identified the
intruder as Montgomery Johns Gray, III, a former computer programmer
for NLM, whose access to the computer system had been revoked. Gray was
able to access the system through a ``backdoor'' he had created in the
programming code. Due to the threat to public safety, a search warrant
was executed for Gray's computers and Gray was arrested by the FBI
within a few days of the intrusions. Subsequent examination of the
seized computers disclosed evidence of the intrusion as well as images
of child pornography. Gray was convicted by a jury in December 1999 on
three counts for violation of Title 18 U.S.C. Sec. 1030. Subsequently,
Gray pleaded guilty to receiving obscene images through the Internet,
in violation of 47 U.S.C. 223.
Hackers. Hackers (or ``crackers'') are also a common threat. They
sometimes crack into networks simply for the thrill of the challenge or
for bragging rights in the hacker community. Recently, however, we have
seen more cases of hacking for illicit financial gain or other
malicious purposes.
While remote cracking once required a fair amount of skill or
computer knowledge, hackers can now download attack scripts and
protocols from the World Wide Web and launch them against victim sites.
Thus while attack tools have become more sophisticated, they have also
become easier to use. The distributed denial-of-service (DDOS) attacks
last month are only the most recent illustration of the economic
disruption that can be caused by tools now readily available on the
Internet.
Another recent case illustrates the scope of the problem. In March,
authorities in the United Kingdom, acting in coordination with the FBI,
arrested two individuals for alleged intrusions into e-commerce sites
in several countries and the theft of credit card information on over
26,000 accounts. One subject used the Internet alias ``CURADOR.''
Losses from this case could exceed $3,000,000. The FBI cooperated
closely with the Dyfed-Powys Police Service in the United Kingdom, the
Royal Canadian Mounted Police in Canada, and private industry. This
investigation involved the Philadelphia Division, seven other FBI field
offices, our Legal Attache in London, and the NIPC. This case
demonstrates the close partnerships that we have built with our foreign
law enforcement counterparts and with private industry.
We are making some progress in convicting hackers. For example, on
March 8, 2000, FBI Boston Division and New Hampshire Police arrested
Dennis M. Moran, aka COOLIO, in association with the unauthorized
intrusion and changes made to the Drug Abuse Resistance Education's
(DARE) Web site, violating New Hampshire State Laws 638: 17 and 638:
18(I), unauthorized access into a computer system, unauthorized changes
to a computer system and damage to a computer system exceeding
$1,000.00. It is anticipated that the New Hampshire State Attorney's
Office will prosecute Moran, who is 17, as an adult. The United States
Attorney's Office for the District of New Hampshire has therefore
deferred prosecution of Moran to the State.
In April, Patrick Gregory, the co-founder of the hacker group known
as ``Global Hell,'' was convicted of a single count of conspiracy to
commit telecommunications wire fraud and computer hacking in Texas U.S.
District Court. He currently awaits sentencing.
Virus Writers. Virus writers are posing an increasingly serious
threat to networks and systems worldwide. Last year saw the
proliferation of several destructive computer viruses or ``worms,''
including the Melissa Macro Virus, the Explore.Zip worm, and the CIH
(Chernobyl) Virus. The NIPC frequently sends out warnings or advisories
regarding particularly dangerous viruses, which can allow potential
victims to take protective steps and minimize the destructive
consequences of a virus.
The Melissa Macro Virus was a good example of the NIPC's two-fold
response--encompassing both warning and investigation--to a virus
spreading in the networks. The NIPC sent out warnings as soon as it had
solid information on the virus and its effects; these warnings helped
alert the public and reduce the potential destructive impact of the
virus. On the investigative side, the NIPC acted as a central point of
contact for the field offices who worked leads on the case. A tip
received by the New Jersey State Police from America Online, and their
follow-up investigation with the FBI's Newark Division, led to the
April 1, 1999 arrest of David L. Smith. Mr. Smith pleaded guilty to one
count of violating 18 U.S.C. Sec. 1030 in Federal Court, and to four
state felony counts. As part of his guilty plea, Smith stipulated to
affecting one million computer systems and causing $80 million in
damage. Smith is awaiting sentencing.
Criminal Groups. We are also seeing the increased use of cyber
intrusions by criminal groups who attack systems for purposes of
monetary gain. In September, 1999, two members of a group dubbed the
``Phonemasters'' were sentenced after their conviction for theft and
possession of unauthorized access devices (18 USC Sec. 1029) and
unauthorized access to a federal interest computer (18 USC Sec. 1030).
The ``Phonemasters'' were an international group of criminals who
penetrated the computer systems of MCI, Sprint, AT&T, Equifax, and even
the National Crime Information Center. Under judicially approved
electronic surveillance orders, the FBI's Dallas Division made use of
new technology in the investigation. One suspect, Mr. Calvin Cantrell,
downloaded thousands of Sprint calling card numbers, which he sold to a
Canadian individual, who passed them on to someone in Ohio. These
numbers made their way to an individual in Switzerland and eventually
ended up in the hands of organized crime groups in Italy. Cantrell was
sentenced to two years as a result of his guilty plea, while one of his
associates, Cory Lindsay, was sentenced to 41 months.
The Phonemasters' methods included ``dumpster diving'' to gather
old phone books and technical manuals for systems. They used this
information to trick employees into giving up their logon and password
information. The group then used this information to break into victim
systems. It is important to remember that often ``cyber crimes'' are
facilitated by old fashioned guile, such as calling employees and
tricking them into giving up passwords. Good cyber security practices
must therefore address personnel security and ``social engineering'' in
addition to instituting electronic security measures.
Beyond criminal threats in cyber space, we also face a variety of
significant national security threats.
Terrorists. Terrorist groups are increasingly using new
information technology and the Internet to formulate plans, raise
funds, spread propaganda, and to communicate securely. In his statement
on the worldwide threat in 2000, Director of Central Intelligence
George Tenet testified that terrorist groups, ``including Hizbollah,
HAMAS, the Abu Nidal organization, and Bin Laden's al Qa'ida
organization are using computerized files, e-mail, and encryption to
support their operations.'' In one example, convicted terrorist Ramzi
Yousef, the mastermind of the World Trade Center bombing, stored
detailed plans to destroy United States airliners on encrypted files on
his laptop computer. While we have not yet seen these groups employ
cyber tools as a weapon to use against critical infrastructures, their
reliance on information technology and acquisition of computer
expertise are clear warning signs. Moreover, we have seen other
terrorist groups, such as the Internet Black Tigers (who are reportedly
affiliated with the Tamil Tigers), engage in attacks on foreign
government websites and e-mail servers. ``Cyber terrorism''--by which I
mean the use of cyber tools to shut down critical national
infrastructures (such as energy, transportation, or government
operations) for the purpose of coercing or intimidating a government or
civilian population--is thus a very real, though still largely
potential, threat.
Foreign intelligence services. Not surprisingly, foreign
intelligence services have adapted to using cyber tools as part of
their espionage tradecraft. Even as far back as 1986, before the
worldwide surge in Internet use, the KGB employed West German hackers
to access Department of Defense systems in the well-known ``Cuckoo's
Egg'' case. Foreign intelligence services increasingly view computer
intrusions as a useful tool for acquiring sensitive U.S. Government and
private sector information.
More recently, we observed a series of intrusions into numerous
Department of Defense and other federal government computer networks
and private sector entities. Investigation last year determined that
the intrusions appear to have originated in Russia. The intruder
successfully accessed U.S. Government networks and took large amounts
of unclassified but sensitive information, including defense technical
research information. The NIPC coordinated a multi-agency
investigation, working closely with FBI field offices, the Department
of Defense, and the Intelligence Community.
Information Warfare. The prospect of ``information warfare'' by
foreign militaries against our critical infrastructures is perhaps the
greatest potential cyber threat to our national security. We know that
several foreign nations are developing information warfare doctrine,
programs, and capabilities for use against the United States or other
nations. Knowing that they cannot match our military might with
conventional or ``kinetic'' weapons, some nations see cyber attacks on
our critical infrastructures or military operations as a way to hit
what they perceive as America's Achilles heel--our growing dependence
on information technology in government and commercial operations. For
example, two Chinese military officers recently published a book that
called for the use of unconventional measures, including the
propagation of computer viruses, to counterbalance the military power
of the United States. And a Russian official has also commented that an
attack on a national infrastructure could, ``by virtue of its
catastrophic consequences, completely overlap with the use of [weapons]
of mass destruction.''
Distributed denial of service tools
The recent distributed denial of service (DDOS) attacks on e-commerce
sites have garnered a tremendous amount of interest in the
public and in the Congress. While we do not yet have official damage
estimates, the Yankee Group, a research firm, estimates the impact of
the attacks at $1.2 billion due to lost capitalization losses, lost
revenues, and security upgrades. Because we are actively investigating
these attacks, I cannot provide a detailed briefing on the status of
our efforts. However, I can provide an overview of our activities to
deal with the DDOS threat beginning last year and of our investigative
efforts. These attacks illustrate the growing availability of
destructive, yet easy-to-use, exploits that are widely available on the
Internet. They also demonstrate the NIPC's two-fold mission: sharing
information with the private sector and warning of possible threats,
and responding to actual attacks.
In the fall of last year, the NIPC began receiving reports about a
new set of ``exploits'' or attack tools collectively called distributed
denial of service (or DDOS) tools. DDOS variants include tools known as
``Trin00,'' ``Tribal Flood Net'' (TFN), ``TFN2K,'' and ``Stacheldraht''
(German for ``barbed wire''). These tools essentially work as follows:
hackers gain unauthorized access to a computer system(s) and place
software code on it that renders that system a ``master'' (or a
``handler''). The hackers also intrude into other networks and place
malicious code which makes those systems into agents (also known as
``zombies'' or ``daemons'' or ``slaves''). Each Master is capable of
controlling multiple agents. In both cases, the network owners normally
are not aware that dangerous tools have been placed and reside on their
systems, thus becoming third-party victims to the intended crime.
The ``Masters'' are activated either remotely or by internal
programming (such as a command to begin an attack at a prescribed time)
and are used to send information to the agents, activating their DDOS
ability. The agents then generate numerous requests to connect with the
attack's ultimate target(s), typically using a fictitious or
``spoofed'' IP (Internet Protocol) address, thus providing a falsified
identity as to the source of the request. The agents act in unison to
generate a high volume of traffic from several sources. This type of
attack is referred to as a SYN flood, as the SYN is the initial effort
by the sending computer to make a connection with the destination
computer. Due to the volume of SYN requests the destination computer
becomes overwhelmed in its efforts to acknowledge and complete a
transaction with the sending computers, degrading or denying its
ability to complete service with legitimate customers--hence the term
``Denial of Service''. These attacks are especially damaging when they
are coordinated from multiple sites--hence the term Distributed Denial
of Service.
An analogy would be if someone launched an automated program to
have hundreds of phone calls placed to the Capitol switchboard at the
same time. All of the good efforts of the staff would be overcome. Many
callers would receive busy signals due to the high volume of telephone
traffic.
In November and December, the NIPC received reports that
universities and others were detecting the presence of hundreds of
agents on their networks. The number of agents detected clearly could
have been only a small subset of the total number of agents actually
deployed. In addition, we were concerned that some malicious actors
might choose to launch a DDOS attack around New Year's Eve in order to
cause disruption and gain notoriety due to the great deal of attention
that was being paid to the Y2K rollover. Accordingly, we decided to
issue a series of alerts in December to government agencies, industry,
and the public about the DDOS threat.
Moreover, in late December, it was determined that a detection tool
that was developed by the NIPC for investigative purposes might also be
used by network operators to detect the presence of DDOS agents or
masters on their operating systems, and thus would enable them to
remove an agent or master and prevent the network from being
unwittingly utilized in a DDOS attack. Moreover, at that time there
was, to our knowledge, no similar detection tool available
commercially. The NIPC therefore decided to take the unusual step of
releasing the tool to the Department of Defense, other government
agencies, and to the public in an effort to reduce the level of the
threat. The first variant of our software was made available on the
NIPC web site on December 30, 1999. To maximize the public awareness of
this tool, we announced its availability in an FBI press release that
same date. Since the first posting of the tool, we have posted three
updated versions that have perfected the software and made it
applicable to different operating systems.
The public has downloaded these tools tens of thousands of times
from the web site, and has responded by reporting many installations of
the DDOS software, thereby preventing their networks from being used in
attacks and leading to the opening of criminal investigations both
before and after the widely publicized attacks of the last few weeks.
The work with private companies has been so well received that the
trade group SANS awarded their yearly Security Technology Leadership
Award to members of the NIPC's Special Technologies Applications Unit.
In February, reports were received that a new variation of DDOS
tools was being found on Windows operating systems. One victim entity
provided us with the object code to the tool found on its network. On
February 18 the binaries were made available to anti-virus companies
(through an industry association) and the Computer Emergency Response
Team (CERT) at Carnegie Mellon University for analysis and so that
commercial vendors could create or adjust their products to detect the
new DDOS variant. Given the attention that DDOS tools have received in
recent weeks, there are now numerous detection and security products to
address this threat, so it was determined that the NIPC could be most
helpful by giving them the necessary code rather than deploying a
detection tool ourselves.
Unfortunately, the warnings that we and others in the security
community had issued about DDOS tools last year, while alerting many
potential victims and reducing the threat, did not eliminate the
threat. Quite frequently, even when a threat is known and patches or
detection tools are available, network operators either remain unaware
of the problem or fail to take necessary protective steps. In addition,
in the cyber equivalent of an arms race, exploits evolve as hackers
design variations to evade or overcome detection software and filters.
Even security-conscious companies that put in place all available
security measures therefore are not invulnerable. And, particularly
with DDOS tools, one organization might be the victim of a successful
attack despite its best efforts, because another organization failed to
take steps to keep itself from being made the unwitting participant in
an attack.
On February 7, 2000, the NIPC received reports that Yahoo had
experienced a denial of service attack. In a display of the close
cooperative relationship that we have developed with the private
sector, in the days that followed, several other companies (including
Cable News Network, eBay, Amazon.com, Buy.com, and ZDNET), also
reported denial of service outages to the NIPC or FBI field offices.
These companies cooperated with us by providing critical logs and other
information. Still, the challenges to apprehending the suspects are
substantial. In many cases, the attackers used ``spoofed'' IP
addresses, meaning that the address that appeared on the target's log
was not the true address of the system that sent the messages. In
addition, many victims do not keep complete network logs.
The resources required in an investigation of this type are
substantial. Companies have been victimized or used as ``hop sites'' in
numerous places across the country, meaning that we must deploy special
agents nationwide to work leads. We currently have seven FBI field
offices with cases opened and all the remaining offices are supporting
the offices that have opened cases. Agents from these offices are
following up literally hundreds of leads. The NIPC is coordinating the
nationwide investigative effort, performing technical analysis of logs
from victims sites and Internet Service Providers (ISP's), and
providing all-source analytical assistance to field offices. Moreover,
parts of the evidentiary trail have led overseas, requiring us to work
with our foreign counterparts in several countries through our Legal
Attaches (Legats) in U.S. embassies. Here in Phoenix we followed up on
leads resulting from the DDOS attacks.
While the crime may be high tech, investigating it involves a
substantial amount of traditional investigative work as well as highly
technical work. Interviews of network operators and confidential
sources can provide very useful information, which leads to still more
interviews and leads to follow-up. And victim sites and ISP's provide
an enormous amount of log information that needs to be processed and
analyzed by human analysts.
CHALLENGES IN COMBATING CYBER INTRUSIONS
The burgeoning problem of cyber intrusions, viruses, and denial of
service attacks poses unique challenges to the NIPC. These challenges
require novel solutions, close teamwork among agencies and with the
private sector, and adequate human and technical resources.
Identifying the Intruder. One major difficulty that distinguishes
cyber threats from physical threats is determining who is attacking
your system, why, how, and from where. This difficulty stems from the
ease with which individuals can hide or disguise their tracks by
manipulating logs and directing their attacks through networks in many
countries before hitting their ultimate target. The ``Solar Sunrise''
case illustrates this point. This will continue to pose a problem as
long as the Internet remains rife with vulnerabilities and allows easy
anonymity and concealment.
Jurisdictional Issues. Another significant challenge we face is
intrusions involving multiple jurisdictions. A typical investigation
involves victim sites in multiple states and often many countries. This
is the case even when the hacker and victim are both located in the
United States. In the United States, we can subpoena records, engage in
judicially approved electronic surveillance, and execute search
warrants on suspects' homes, seize evidence, and examine it. We can do
none of those things ourselves overseas; rather, we depend on the local
authorities to assist us. However, some local police forces do not have
the technical resources or expertise to provide assistance. In other
cases, these nations may not have laws against computer intrusions and
are therefore limited in their ability to help us. FBI Legal Attaches
in 35 embassies abroad provide critical help in building bridges with
local law enforcement to enhance cooperation on cyber crime and in
working leads on investigations. As the Internet spreads to even more
countries, we will see greater demands placed on the Legats to support
computer crime investigations. The NIPC also has held international
computer crime conferences and offered cyber crime training classes to
foreign law enforcement officials to develop liaison contacts and bring
these officials up to speed on cyber crime issues.
The most difficult situation will arise, however, in which a
foreign country with interests adverse to our own simply refuses to
cooperate. In such a situation, we could find that an investigation is
stymied unless we find an alternative method of tracing the activity
back to its source.
THE LEGAL LANDSCAPE
To deal with this crime problem, we must look at whether changes to
the legal procedures governing investigation and prosecution of cyber
crimes are warranted. The problem of Internet crime has grown at such a
rapid pace that the laws have not kept up with the technology. The FBI
is working with the Department of Justice to propose a legislative
package for your review to help keep our laws in step with these
advances.
One example of some of the problems law enforcement is facing is
the jurisdictional limitation of pen registers and trap-and-trace
orders issued by federal district courts. These orders allow only the
capturing of tracing information, not the content of communications.
Currently, in order to track back a hacking episode in which a single
communication is purposely routed through a number of Internet Service
Providers that are located in different states, we generally have to
get multiple court orders. This is because, under current law, a
federal court can order communications carriers only within its
district to provide tracing information to law enforcement. As a result
of the fact that investigators typically have to apply for numerous
court orders to trace a single communication, there is a needless waste
of time and resources, and a number of important investigations are
either hampered or derailed entirely in those instances where law
enforcement gets to a communications carrier after that carrier has
already discarded the necessary information. For example, Kevin Mitnick
evaded attempts to trace his calls by moving around the country and by
using cellular phones, which routed calls through multiple carriers on
their way to the final destination. It was impossible to get orders
quickly enough in all the jurisdictions to trace the calls.
Finally, we should consider whether current sentencing provisions
for computer crimes provide an adequate deterrence. Given the degree of
harm that can be caused by a virus, intrusion, or a denial of service--
in terms of monetary loss to business and consumers, infringement of
privacy, or threats to public safety when critical infrastructures are
affected--it would be appropriate to consider, as S. 2092 does, whether
penalties established years ago remain adequate.
Evaluation of the effectiveness of 18 U.S.C. Sec. 1030 and the
tools to enforce it under both current law and under S. 2092.--
Generally, 18 U.S.C. Sec. 1030 has enabled the FBI and other law
enforcement agencies to investigate and prosecute persons who would use
the power of the Internet and computers for criminal purposes.
Nonetheless, just as computer crime has evolved over the years, so too
must our laws and procedures evolve to meet the changing nature of
these crimes.
One persistent problem is the need under current law to demonstrate
at least $5,000 in damage for certain hacking offenses enumerated by 18
U.S.C. Sec. 1030(a)(5). In some of the cases investigated by the FBI,
damages in excess of $5,000 on a particular system are difficult to
prove. In other cases, the risk of harm to individuals or to the public
safety posed by breaking into numerous systems and obtaining root
access, with the ability to destroy the confidentiality or accuracy of
crucial--perhaps lifesaving information--is very real and very serious
even if provable monetary damages never approach the $5,000 mark. In
investigations involving the dissemination or importation of a virus or
other malicious code, the $5,000 threshold could potentially delay or
hinder early intervention by Federal law enforcement.
S. 2092 significantly adjusts the $5,000 threshold and other
provisions in the current law by: (1) creating a misdemeanor offense
for those cases where damages are below $5,000, while simultaneously
adjusting the minimum mandatory sentences under the Sentencing
Guidelines; and (2) moving the aggravating factors previously included
in the definition of ``damage'' under 18 U.S.C. Sec. 1030(e)(8) (such as
impairment of medical diagnosis, physical injury to any person, threat
to public health or safety or damage to national security, national
defense or administration of justice computers) to the general
sentencing provisions of Sec. 1030(c) (where they will be on par in
serious cases with the existing $5,000 threshold requirement and will
expose offenders to an enhanced 10-year period of imprisonment up from
the current maximum of 5 years). The critical element here is that the
criminal intended to cause damage, not the specific amount of damage he
intended to cause.
Another issue involves the alarming number of computer hackers
encountered in our investigations who are juveniles. Under current law,
Federal authorities are not able to prosecute juveniles for any
computer violations of 18 U.S.C. Sec. 1030. S. 2092 would authorize
(but not require) the Attorney General to certify for juvenile
prosecution in Federal court youthful offenders who commit the more
serious felony violations of section 1030. Recognizing that this change
will, over time, result in the prosecution of repeat offenders, S. 2092
also defines the term ``conviction'' under Sec. 1030 to include prior
adjudications of juvenile delinquency for violations of that section.
This is intended to provide greater specific deterrence to juveniles
who are adjudicated delinquent for computer hacking. Similarly, a
majority of the States have enacted criminal statutes prohibiting
unauthorized computer access analogous to the provisions of section
1030. As State prosecutions for these offenses increase, the likelihood
of encountering computer offenders in Federal investigations who have
prior State convictions will similarly rise. The Department is studying
whether prior state adult convictions for comparable computer crimes
justify enhanced penalties for violations of section 1030, just as
prior State convictions for drug offenses trigger enhanced penalties
for comparable Federal drug violations.
Law enforcement also needs updated tools to investigate, identify,
apprehend and successfully prosecute computer offenders. Today's
electronic crimes, which occur at the speed of light, cannot be
effectively investigated with procedural devices forged in the last
millennium during the infancy of the information technology age.
Statutes need to be rendered technology neutral so that they can be
applied regardless of whether a crime is committed with pen and paper,
e-mail, telephone or geosynchronous orbit satellite personal
communication devices.
As discussed above, a critical factor in the investigation of
computer hacking cases is law enforcement's ability to swiftly identify
the source and the direction of a hacker's communications. Like all law
enforcement agencies, the FBI relies upon the pen register and trap and
trace provisions contained in 18 U.S.C. Sec. 3121 et seq. to seek court
approval to acquire data identifying non-content information relating
to a suspect's communications. Our ability to identify the perpetrators
of crimes like computer hacking is directly proportional to our ability
to quickly acquire the necessary court orders and quickly serve them
upon one or more service providers in a communications chain. Under
current law, however, valuable time is consumed in acquiring individual
court orders in the name of each communications company for each newly
discerned link in the communications chain even though the legal
justification for the disclosure remains unchanged and undiminished. S.
2092 would amend 18 U.S.C. Sec. 3123(a) to authorize Federal courts to
issue one nation-wide order which may then be served upon one or more
service providers thereby substantially reducing the time necessary to
identify the complete pathway of a suspect's communication. Second, S.
2092 makes the statute more technology neutral by, among other things,
inserting the terms ``or other facility'' wherever ``telephone''
appears. This change codifies Federal court decisions that apply the
statute's provisions not merely to traditional telephone, but to an
ever expanding array of other communications facilities. Together,
these are important changes that do not alter or lower the showing
necessary for the issuance of the court order but which do enhance the
order's usefulness to law enforcement.
We support the goal of S. 2092 to strengthen the general deterrence
aspects of the Computer Fraud and Abuse Act, and to provide some needed
procedural enhancements to help us confront the expanding criminal
threat in this dynamic and important part of our national economy while
continuing to protect individual privacy interests. The FBI looks
forward to working with the Committee on this important legislation.
INTERAGENCY COOPERATION
The broad spectrum of cyber threats described earlier, ranging from
hacking to foreign espionage and information warfare, requires not just
new technologies and skills on the part of investigators, but new
organizational constructs as well. In most cyber attacks, the identity,
location, and objective of the perpetrator are not immediately
apparent. Nor is the scope of his attack--i.e., whether an intrusion is
isolated or part of a broader pattern affecting numerous targets. This
means it is often impossible to determine at the outset if an intrusion
is an act of cyber vandalism, organized crime, domestic or foreign
terrorism, economic or traditional espionage, or some form of strategic
military attack. The only way to determine the source, nature, and
scope of the incident is to gather information from the victim sites
and intermediate sites such as ISP's and telecommunications carriers.
Under our constitutional system, such information typically can be
gathered only pursuant to criminal investigative authorities. This is
why the NIPC is part of the FBI, allowing us to utilize the FBI's legal
authorities to gather and retain information and to act on it,
consistent with constitutional and statutory requirements.
But the dimension and varied nature of the threats also means that
this is an issue that concerns not just the FBI and law enforcement
agencies, but also the Department of Defense, the Intelligence
Community, and civilian agencies with infrastructure-focused
responsibility such as the Departments of Energy and Transportation. It
also is a matter that greatly affects state and local law enforcement.
This is why the NIPC is an interagency center, with representatives
detailed to the FBI from numerous federal agencies and representation
from state and local law enforcement as well. These representatives
operate under the direction and authority of the FBI, but bring with
them expertise and skills from their respective home agencies that
enable better coordination and cooperation among all relevant agencies,
consistent with applicable laws.
In Phoenix, we work closely with the U.S. military as well as other
government agencies. For example, we have worked with U.S. military
installations located in Arizona on attempted intrusions into their
systems. The expansion of cyber task forces, such as the one just
started in Pittsburgh, to other field divisions such as Phoenix, should
assist us with interagency cooperation.
PRIVATE SECTOR COOPERATION
Our success in battling cyber crime also depends on close
cooperation with private industry. This is the case for several
reasons. First, most of the victims of cyber crimes are private
companies. Therefore, successful investigation and prosecution of cyber
crimes depends on private victims reporting incidents to law
enforcement and cooperating with the investigators. Contrary to press
statements by cyber security companies that private companies won't
share information with law enforcement, many private companies have
reported incidents and threats to the NIPC or FBI field offices. While
there are undoubtedly companies that would prefer not to report a crime
because of the subsequent loss of consumer confidence, the situation
has improved markedly. Companies increasingly realize that deterrence
of crime depends on effective law enforcement, and that the long-term
interests of industry depend on establishing a good working
relationship with government to prevent and investigate crime.
Second, the network administrator at a victim company or ISP is
critical to the success of an investigation. Only that administrator
knows the unique configuration of their system, and the administrator
typically must work with an investigator to find critical transactional
data that will yield evidence of a criminal's activity.
Third, the private sector has the technical expertise that is often
critical to resolving an investigation. It would be impossible for us
to retain experts in every possible operating system or network
configuration, so private sector assistance is critical. In addition,
many investigations require the development of unique technical tools
to deal with novel problems. Private sector assistance has been
critical there as well.
We have several other initiatives devoted to private sector
outreach that bear mentioning here. The first is called ``InfraGard.''
This is an initiative that we have developed in concert with private
companies and academia to encourage information-sharing about cyber
intrusions, exploited vulnerabilities, and physical infrastructure
threats. A vital component of InfraGard is the ability of industry to
provide information on intrusions to the local FBI field office using
secure e-mail communications in both a ``sanitized'' and detailed
format. The local FBI field offices can, if appropriate, use the
detailed version to initiate an investigation; while NIPC Headquarters
can analyze that information in conjunction with other information we
obtain to determine if the intrusion is part of a broader attack on
numerous sites. The NIPC can simultaneously use the sanitized version
to inform other members of the intrusion without compromising the
confidentiality of the reporting company. The key to this system is
that whether, and what, to report is entirely up to the reporting
company. A secure web site also contains a variety of analytic and
warning products that we make available to the InfraGard community. The
success of InfraGard is premised on the notion that sharing is a two-way
street: the NIPC will provide threat information that companies can
use to protect their systems, while companies will provide incident
information that can be used to initiate an investigation and to warn
other companies.
Here in Phoenix, we are planning to roll out our InfraGard Chapter
on May 9. We expect to have representatives from in-state universities,
businesses, and some of the critical infrastructures on hand.
Our Key Asset Initiative (KAI) is focused more specifically on the
owners and operators of critical components of each of the
infrastructure sectors. It facilitates response to threats and
incidents by building liaison and communication links with the owners
and operators of individual companies and enabling contingency
planning. The KAI began in the 1980's and focused on physical
vulnerabilities to terrorism. Under the NIPC, the KAI has been
reinvigorated and expanded to focus on cyber vulnerabilities as well.
The KAI currently involves determining which assets are key within the
jurisdiction of each FBI Field Office and obtaining 24-hour points of
contact at each asset in cases of emergency. Eventually, if future
resources permit, the initiative will include the development of
contingency plans to respond to attacks on each asset, exercises to
test response plans, and modeling to determine the effects of an attack
on particular assets. FBI field offices are responsible for developing
a list of the assets within their respective jurisdictions, while the
NIPC maintains the national database. The KAI is being developed in
coordination with DOD and other agencies. Currently the database has
about 2,600 entries. This represents 2,600 contacts with key private
sector nodes made by the NIPC and FBI field offices.
Here in the Phoenix Division, we have identified dozens of key
assets around the state for inclusion in the national list. These
assets include power generation facilities, water storage and
distribution centers, transportation assets, military installations,
research institutions, and key public emergency service entities.
Much has been said over the last few years about the importance of
information sharing. Here in the Phoenix Division, we have an excellent
working relationship with our private sector counterparts and the
community in general. We share information on a number of areas,
including infrastructure protection, and receive information from the
private sector that greatly assists us in protecting the community. As a
result of our close working relationship with the private sector we can
detect criminal activity in its initial stages and in some cases
prevent criminal incidents. The NIPC also provides the private sector
with warning information which also lessens their vulnerability. These
warnings assist field offices like Phoenix to be better prepared and
better protect our community. They further allow us the opportunity to
respond quickly and efficiently to cyber threats. I believe that as
companies continue to gain experience in dealing with the NIPC and FBI
field offices, as we continue to provide them with important and useful
threat information, and as companies recognize that cyber crime
requires a joint effort by industry and government together, we will
continue to make real progress in this area.
MEETING THE GROWING CYBER THREAT
As Internet use continues to soar, the number of cyber attacks is
also increasing exponentially. Nationally there are over 1000 open
computer intrusion cases. Further, this figure does not count computer
facilitated crimes such as Internet fraud, child pornography, or e-mail
extortion efforts. In these cases, the NIPC and NIPCI squads often
provide technical assistance to traditional investigative programs
responsible for these categories of crime.
We can clearly expect these upward trends to continue, and for the
threats to become more serious. While insiders, hackers, and criminal
groups make up much of our case load at the moment, we can anticipate a
growing number of national security cases in the near future. To meet
this challenge, we must ensure that we have adequate resources,
including both personnel and equipment, both at the NIPC and in FBI
field offices. We currently have 193 agents nationwide dedicated to
investigating computer intrusion and virus cases. In order to maximize
investigative resources the FBI has taken the approach of creating
regional squads in 16 field offices that have sufficient size to work
complex intrusion cases and to assist those field offices without a
NIPCI squad. In those field offices without squads, the FBI is building
a baseline capability by having one or two agents work NIPC matters,
i.e. computer intrusions (criminal and national security), viruses,
InfraGard, state and local liaison, etc.
The Phoenix office has a three-agent team working on infrastructure
protection and computer intrusion matters. Three agents are assigned to
investigate cyber child pornography, and an additional four agents are
assigned to the Computer Assisted Response Team (CART), which is
responsible for providing cyber forensics in support of all the cyber
investigations in the Phoenix office. Since January 1, 2000 the Phoenix
office has opened 9 new computer intrusion cases. This represents an
almost 100 percent increase in computer intrusion cases opened in 1999.
Currently, at NIPC Headquarters, there are 101 personnel on board,
including 82 FBI employees and 19 detailees from other government
agencies. This cadre of investigators, computer scientists, and
analysts perform the numerous and complex tasks outlined above, and
provide critical coordination and support to field office
investigations. As the crime problem grows, we need to make sure that
we keep pace by bringing on board additional personnel, including from
other agencies and the private sector.
In addition to putting in place the requisite number of agents,
analysts, and computer scientists in the NIPC and in FBI field offices,
we must fill those positions by recruiting and retaining personnel who
have the appropriate technical, analytical, and investigative skills.
This includes personnel who can read and analyze complex log files,
perform all-source analysis to look for correlations between events or
attack signatures and glean indications of a threat, develop technical
tools to address the constantly changing technological environment, and
conduct complex network investigations. There is a very tight market
for information technology professionals. The Federal Government needs
to be able to recruit the very best people into its programs.
Fortunately, we can offer exciting, cutting-edge work in this area and
can offer agents, analysts, and computer scientists the opportunities
to work on issues that no one else addresses, and to make a difference
to our national security and public safety. In addition, Congress
provided the FBI with a pilot program that exempts certain technical
personnel from the Title V civil service rules, which allows us to pay
more competitive salaries and recruit and retain top notch personnel.
Unfortunately, this pilot is scheduled to expire in November unless
extended.
Training and continuing education are also critical, and we have
made this a top priority at the NIPC. In fiscal year 1999, we trained
383 FBI and other-government-agency students in NIPC sponsored training
classes on network investigations and infrastructure protection. The
emphasis for 2000 is on continuing to train federal personnel while
expanding training opportunities for state and local law enforcement
personnel. During fiscal year 2000, we plan to train approximately 740
personnel from the FBI, other federal agencies, and state and local law
enforcement.
Developing and deploying the best equipment in support of the
mission is also very important. Not only do investigators and analysts
need the best equipment to conduct investigations in the rapidly
evolving cyber system but the NIPC must be on the cutting edge of cyber
research and development. Conducting a network intrusion or
denial-of-service investigation often requires analysis of voluminous amounts of
data. For example, one network intrusion case involving an espionage
matter currently being investigated has required the analysis of 17.5
Terabytes of data. To place this into perspective, the entire
collection of the Library of Congress, if digitized, would comprise
only 10 Terabytes. The Yahoo DDOS attack involved approximately 630
Gigabytes of data, which is equivalent to enough printed pages to fill
630 pickup trucks with paper. Technical analysis requires high capacity
equipment to store, process, analyze, and display data. Again, as the
crime problem grows, we must ensure that our technical capacity keeps
pace. We are also working closely with other agencies to ensure that we
leverage existing resources to the fullest extent possible.
THE ROLE OF LAW ENFORCEMENT
Finally, I would like to conclude by emphasizing two key points.
The first is that our role in combating cyber crime is essentially
two-fold: (1) preventing cyber attacks before they occur or limiting their
scope by disseminating warnings and advisories about threats so that
potential victims can protect themselves; and (2) responding to attacks
that do occur by investigating and identifying the perpetrator. This is
very much an operational role. Our role is not to determine what
security measures private industry should take, or to ensure that
companies or individuals take them. It is the responsibility of
industry to ensure that appropriate security tools are made available
and are implemented. We certainly can assist industry by alerting them
to the actual threats that they need to be concerned about, and by
providing information about the exploits that we are seeing criminals
use. But network administrators, whether in the private sector or in
government, are the first line of defense.
Second, in gathering information as part of our warning and
response missions, we rigorously adhere to constitutional and statutory
requirements. Our conduct is strictly limited by the Fourth Amendment,
statutes such as Title III and ECPA, and the Attorney General
Guidelines. These rules are founded first and foremost on the
protection of privacy inherent in our constitutional system. Respect
for privacy is thus a fundamental tenet in all of our activities.
CONCLUSION
I want to thank the subcommittee again for giving me the
opportunity to testify here today. The cyber threat is real,
multifarious, and growing. The FBI is moving aggressively to meet this
challenge by training investigators and analysts to investigate
computer intrusion cases, equipping them with the latest technology,
developing our analytic capabilities and warning mechanisms to head off
or mitigate attacks, and closely cooperating with the private sector.
We have already made considerable progress in developing our
capabilities to protect public safety and national security in the
Information Age. I look forward to working with Congress to ensure that
we continue to be able to meet the threat as it evolves and grows.
Thank you.
Senator Kyl. Thank you very much, Mr. Gonzalez.
Let me begin by asking both of you a question. Mr.
Gonzalez, you mentioned the multiple trap and trace issue, and
I would like to ask both of you a question about that. For the
benefit of those who aren't familiar with it, currently Federal
law requires that law enforcement obtain a separate court order
for trap and trace authority in each jurisdiction through which
a cyber attack travels. Obviously, it is important for law
enforcement to be able to quickly trace a source of an attack,
as both witnesses have mentioned.
Could either of you give some examples of how
investigations have been bogged down by the need to get this
trap and trace authority in each jurisdiction and how the
legislation that Senator Schumer and I have introduced, which
would provide for national trap and trace authority, would
resolve that issue? Mr. Gonzalez.
Mr. Gonzalez. Yes, Sir. Well, in terms of the ability to
obtain the national trap and trace orders, as you mentioned,
timeliness is of the essence. And because of the different
nature of how companies involved in information technology deal
with their records and their record systems, some records are
destroyed faster than others, it is imperative that we be able
to get those orders in a timely fashion and be able to get out
to the place where we need to deliver the orders to recoup the
information.
If in the cases we mentioned--we talked about a case, for
example, where the hacker's victims are in three different
States and to get there we go through, say, multiple providers
of either communications services or Internet technology
services in different jurisdictions, we have to individually go
to each one of those areas, provide the necessary information
to get the court order. If we were able to do it at one time,
it would save us a tremendous amount of time, and we could
almost simultaneously be at all those different locations at
one time and obtaining the information we need.
Senator Kyl. Attorney General Napolitano.
Ms. Napolitano. Yes, Senator, in response to your question,
there is a very big need for a Federal hot pursuit statute in
cyberspace, and the bill that you and Senator Schumer have put
forward I think is going to be very, very valuable in that
respect for many of the problems that Special Agent Gonzalez
has mentioned.
Let me give you two examples of cases where we have gotten
bogged down and have had to do an inordinate amount of work to
get a result.
One is the very recent case in Scottsdale where a juvenile
sent a threat via e-mail and basically shut down one of the
middle schools in Scottsdale while the police department and
the bomb dogs came out and looked to see whether there was
anything to the threat. While that was going on, our office was
tracking down and working with law enforcement to track down
the source of the e-mail, and we were trying to do it very, very quickly both
because of the school disruptions and because we didn't know
whether it was a serious threat or not a serious threat.
To do that, we ultimately in the course of that
investigation had to obtain separate court orders in both
California and Virginia to identify the source of the e-mail.
It would have been much better as a State if we had access to a
Federal hot pursuit law that would have allowed us to get
basically nationwide service of an order to track that source.
A second example is one you may be familiar with, and it
involved hacking into a local utility company. That ultimately
required the prosecutors to get orders in very many States all
over the country to identify the source of the hacking into a
utility company here.
So two concrete examples where we have been slowed down,
have had to do a lot of extra work, and it illustrates the need
for us to be able to speed up the process.
Senator Kyl. And just to ensure that there is no invasion
of privacy or inhibition of exercise of constitutional rights,
would this nationwide trap and trace authority in any way
diminish the constitutional rights of any of the entities from
whom you are trying to obtain information?
Ms. Napolitano. No, it would not. You would still have to
comply with the fourth amendment.
Senator Kyl. And the fourth amendment requirements would
require that the law enforcement officials do what with respect
to obtaining an order?
Ms. Napolitano. In terms of getting a trap and trace order?
Senator Kyl. Yes.
Ms. Napolitano. You would still have to get an order issued
by a court. The difference would be it would have nationwide
application.
Senator Kyl. So you would still have to prove the same kind
of probable cause to a judge for the issuance of the warrant
that would exist in any other situation?
Ms. Napolitano. Yes. I assume the basic statutory and
constitutional requirements for obtaining orders for traps and
traces would apply. The difference would be that we wouldn't
have to do it over and over again for basically the same
search.
Senator Kyl. Right. This is a good example, it seems to me,
of the law needing to evolve with technology, or technology is
going to get way ahead of law enforcement's ability to protect
the citizens of the country.
Ms. Napolitano. That is right, because even a delay of a
few hours while you go to another courthouse in Virginia or
California can be very critical in these kinds of cases.
Senator Kyl. Now, I gather it would be safe to say, from
what both of you have testified, that in Arizona you have seen
a significant increase in the amount of cyber crime. Would that
be fair, Mr. Gonzalez?
Mr. Gonzalez. Yes, Sir. We have had a significant increase,
in fact, specifically since the beginning of this year. Our
caseload has increased probably 5 times, and we suspect it will
continue to increase.
Senator Kyl. One of the cases that I believe you alluded to
in your prepared testimony but you didn't mention in your
summary was a situation involving a very potentially dangerous
situation with the dams in the State of Arizona. Could you
describe that in just a little bit of detail?
Ms. Napolitano. Yes. This is a case--I believe it happened
in 1995. There is a typo in the testimony. But what happened in
this instance was a computer user hacked his way into the
billing database of the Salt River Project. He was looking to
cancel someone's account. He then thereafter gained access,
high-level access to the canal controlling system.
Now, when that crime occurred, we didn't have the bill I
was describing to you, Senator. He was actually, I think,
charged with a class III computer fraud felony. He subsequently
provided a great deal of cooperation in some other cases, and
so he pled down to a probation-eligible offense. And I believe,
ironically, he is working in computer security in the private
sector now, be that as it may.
Under the new law in Arizona, such hacking into a vital
infrastructure, which is a defined term in the law, would be a
class II felony. Under our statutory scheme, that is the next
most serious offense to a first-degree murder.
Senator Kyl. And when will this new law take effect?
Ms. Napolitano. July 18.
Senator Kyl. OK. Great.
Just a few more questions here. Are there any--I alluded to
this in my opening statement, the possibility that there are
legal impediments to the sharing of information, particularly
by the private sector, with law enforcement. How would you
characterize the cooperation between industry and law
enforcement during the investigation of cyber crimes? And are
there any disincentives that you are aware of that need to be
removed for companies to come forward once they have
experienced an attack? I will address that to both of you.
Mr. Gonzalez. Well, Sir, I think the cooperation is good.
It is getting better. There is a tendency sometimes on the part
of the private sector to be a little hesitant, maybe, in say
reporting either attempted intrusions or intrusions because of
the fear of the impact that it may have on their status in the
community where they are working. However, I think as part of
the InfraGard program that we talked about where we are
basically being able to--we are starting to form partnerships
with the private sector to where they have an ability to
anonymously join that program and provide us information that
we can either use specifically with detail to initiate a case or
sanitize for NIPC to use to disseminate to other members of the
program in terms of potential either attempted intrusions or
intrusions. I think as we work more through that system and
basically show and convince the industry that it is a viable
system and it can only help in terms of deterring attempted
intrusions and in the case of where the intrusions are
successful prosecuting the offenders, I think as we develop
more of a track record in that area the industry will be much
more willing to continue and move forward with that cooperative
effort.
Senator Kyl. Now, some people in industry have expressed a
concern that their computers could be confiscated or critical
components of their operations could be brought down during the
course of an investigation, which would essentially paralyze
their ability to do business. What kind of assurance can you
give them that this would not occur?
Mr. Gonzalez. Actually, it would be almost the opposite.
What we need from the industry is, first of all, if they have
either an attempted intrusion or an intrusion, we need a timely
notification almost immediately so that we can respond. And the
other thing is we need their assistance in terms of whether it
be their systems administrators or people from their companies
or businesses that have the expertise in their systems to help
us go through their system and identify the information and the
evidence that can either provide leads for us, investigative
leads, or determine how the intrusion occurred.
We do not seize their computers. We will not seize their
computers, and we do our best to be as unobtrusive in terms of
affecting their business operations. But we need their help and
assistance in doing that, one, in the timeliness of the
reporting of the intrusions and, two, in the use of their technical expertise
for their systems to get us through the investigative process.
Senator Kyl. Now, another related concern is going public
with information, and, General Napolitano, let me ask you as
well as Mr. Gonzalez this. Let's say a classic bank fraud
intrusion occurs, or, as you say, somebody hacks into the
utility to cancel out their bill, but let's say it is a bank
and there is a suggestion here that the bank is potentially
exposed to lose hundreds of millions of dollars as a result of
this intrusion. They discover that internally. They obviously
don't want the evening news to carry the story: ABC Bank losing
hundreds of millions of dollars to a hacker. That would suggest
to their customers that it is not a safe place to keep their
money and so on.
How can the law enforcement and prosecution authorities
ensure that that won't happen and, therefore, provide a good
incentive for people to cooperate with law enforcement as soon
as possible to get the critical information to law enforcement
so that the perpetrators can be brought to justice?
Ms. Napolitano. Senator, that is a difficult question
because we find it in a lot of different areas where entities
that are actually the victims of crime are reluctant to report
it because of likely media attention. And certainly you
sometimes cannot control the media. I know this will come as a
shock, but sometimes they find their own things of interest.
But a couple of very concrete things can be done to
increase, I think, the security that a business can have in
working with law enforcement. One is to make greater use of and
have the ability to make greater use of sealing orders in court
to protect things like trade secret information, proprietary,
computer security information, and the like. After all, the
long-term damage to an institution or a business is not the
one-day news story. It is having the actual data put into the
public domain that would enable someone else to commit a
similar crime. The new bill in Arizona that I described
actually has some express statutory provisions in that regard.
I believe in terms of sealing trade secret information, Federal
law already had a provision. Most States don't have something
similar.
Senator Kyl. Mr. Gonzalez, anything to add?
Mr. Gonzalez. I would offer a couple of comments, Sir. In
terms of publicity and public awareness, generally speaking,
with the FBI and with the numerous Attorney General guidelines
we have regarding the contacts with the media, information that
is relayed to us or is reported to us as a potential crime does
not necessarily intimate that it is going to be made public any
time soon or any time in the near future.
Senator Kyl. Well, they would need a lot better assurance
than that, though.
Mr. Gonzalez. That is generally--that is our process.
The other thing that I would intimate is there is a
particular case that I am pretty sure has been resolved where a
bank, in fact, was defrauded of about 10 or so million dollars,
and we were able to recover all that money based on the
company's willingness to report. I think we recovered all but
$800,000 of the $10 million or so that were taken.
So I think the upside or the benefits to private industry
and to these companies that have the potential of being
defrauded is much better in joining forces with law enforcement
to try to resolve the issue as opposed to not reporting.
Senator Kyl. I believe that, you believe that, and it makes
intuitively good sense. Obviously, it is going to be necessary
to continue to operate in a way that assures the public that
this kind of protection of their sensitive information will
occur with law enforcement so that they will have an incentive
to fully cooperate.
Let me ask you about the arrest earlier this year. Maybe
you are not totally familiar with the inside details of it, but
perhaps you could share some information with us here about the
Canadian law enforcement officials' arrest of the young man in
Canada, a 15-year-old teenager, as I understand it, who is
suspected of being at least one of the people responsible for
the recent denial-of-service attacks on the Internet sites in
the United States. Can you tell us a little bit more about how
the investigation of that case was conducted by the FBI and
what the status of it is?
Mr. Gonzalez. I can tell you in general terms the processes
that we went through that I think resulted in some of the
successes.
First of all, there was an almost immediate reporting of
the intrusions or the denial-of-service attacks by the
companies affected, which obviously triggered a response from
the FBI. With the FBI's structure as it is nationwide, where we
have nationwide offices, in each of those offices we may not
have fully fledged computer intrusion squads, but we have
agents that are assigned to those matters across the country.
We were able to almost simultaneously develop information that
had leads, as we call them, all over the country and able to
address those simultaneously with the use of the National
Infrastructure Protection Center, which one of their roles is
the coordination of these types of investigations because of
their national scope and international scope.
So all those things occurred almost, again, I will use the
term simultaneously, because once it was reported, it put
several processes into action, including the coordination
efforts by NIPC, the individual field divisions getting out and
addressing the particular leads they had, which we had some in
Phoenix, and at the same time, once it was determined that
there was a nexus to Canada, our legal attache office in Canada
was able to have liaison with the RCMP and able to make the
information either available or pass it and allow for the
successful processing of the information to the Canadian
authorities so they could make the arrest.
But as you can see, it is a multifaceted process that we
went through. It would be extremely difficult to do that if we
didn't have the national resources available and on hand to
conduct the adequate investigation.
Senator Kyl. It sounds like another good example for the
need for a multiple or nationwide trap and trace authority as
well.
Mike Vatis in Washington, DC, in our hearing there, the
Director of the FBI's National Information Protection Center,
the NIPC----
Mr. Gonzalez. Infrastructure.
Senator Kyl. Yes, I misstated that. He discussed two
programs called InfraGard and Key Asset Initiative. Can you
describe those two programs and how they are being carried out
here?
Mr. Gonzalez. Yes, Sir. The Key Asset Initiative involves
each field division of the FBI within their jurisdiction in
identifying key assets that are involved, whether it be
providing infrastructure services, whether it be
communications, transportation, academia, identifying these
assets and making contact with them and obtaining--and setting
up with them a system whereby we have 24-hour points of contact
with those different assets so that in the event there is
either an intrusion or an attempted intrusion, that we can be--
we will have access to those different entities.
The InfraGard program involves an information-sharing
initiative that is coming out--that is actually in place in a
lot of areas. We are getting ready to implement it in Arizona.
But what we do is, we offer anonymity to any company that wants
to join us, and it will do things. It will give them the
ability to provide the FBI and NIPC with information regarding
either intrusions or potential--or attempted intrusions into
their system through an encrypted e-mail capability, and also
as being part of that program, it will allow them to receive
warnings or threat warnings or intrusion warnings from NIPC as
they are doing their national review of these particular
incidents.
So the Key Asset Initiative identifies areas in industry
and in business that have potential for being either attacked
or have potential of affecting our infrastructure and our
commerce, and then the InfraGard initiative includes those
entities and other entities in private business, private
enterprise, that have a need to be advised of either threats or
potential threats through the encrypted e-mail system.
Senator Kyl. So are you actually going out to industry and
visiting with them about their potential participation?
Mr. Gonzalez. Yes, Sir. We are currently in the process of
doing that.
Senator Kyl. Let me ask each of you a last question just to
indicate to the audience here we have to conclude the hearing
by 11 o'clock. We have two more witnesses. So even though I
can--I love getting information from these folks, and I could
sit here all day. But we will have to close it off and move on
to our next witnesses here.
But let me ask both of you, Attorney General Napolitano,
you mentioned desk subpoenas in your testimony, and Director
Louis Freeh testified about administrative subpoenas necessary
to effectively track cyber crime. Could you describe what those
are and how that relates to our need for modifying law or
procedures?
Mr. Gonzalez. In terms of the FBI, they are referred to as
administrative subpoenas. The FBI currently has that and some
other Federal law enforcement agencies have that ability in
drug investigations, in health care fraud investigations, and
in crimes against children investigations. It basically allows
the head of an office or one of his designees to issue a
subpoena for information when it regards one of those types of
investigations.
What that does, it is actually two-fold: Again, it goes to
the timeliness. We have an ability to do that almost at a
moment's notice if needed in a particular investigation; and,
No. 2, the information we gain from those subpoenas, there are
no restraints in terms of us sharing it with other State and
local law enforcement agencies or anyone else that would have a
need to know in terms of getting that information as opposed to
comparing it to a Federal grand jury.
Senator Kyl. Is there a difference between an
administrative subpoena and a desk subpoena?
Ms. Napolitano. Well, we use the term desk subpoena as
shorthand for a subpoena that a prosecutor signs as opposed to
continually going back to the grand jury to get another
subpoena duces tecum. So what Arizona law will provide when
this provision takes effect is that on the certification of the
prosecutor that this is relevant to an ongoing criminal
investigation, we can issue based on that signature on a
subpoena duces tecum to a service provider without having to
continually go back to the grand jury and get a subpoena. It is
very important because in a lot of these cases, as you see, we
are following, say, for example, an e-mail to its source, and
we can literally go around the country and end up in Glendale.
But this way we can do it very quickly. We can do it at night.
We can do it on weekends when the grand jury is not in session,
and oftentimes we need to be able to do that.
Senator Kyl. And the legal protection is that the evidence
is obviously not usable if it has exceeded the probable cause
requirements that you would ordinarily have to seek from a
judge.
Ms. Napolitano. Right. And the purpose is not to get the
content of the e-mail. This is simply to be able to track where
it--the chain of where it is coming from. So that is the
primary purpose of this, not to get the actual content but to
be able to find out the source of the e-mail. And as I
mentioned earlier, Senator, many times we have to do that at
night and over the weekends where continually going back to get
a subpoena is impossible.
Senator Kyl. I hope if our viewers have picked up anything
from this hearing, they will appreciate the challenge that law
enforcement is faced with in investigating these kinds of
crimes because of the huge technological challenges that are
presented and the very limited resources that you alluded to,
Ms. Napolitano, and some of the legal--the very strict legal
requirements that we impose in this country to make sure that
people's constitutional rights are not in any way invaded, and
that sets up some very high barriers for law enforcement but
that obviously we intend to continue to abide by those
requirements. It makes it tough for law enforcement, but you
can still get your job done if you have adequate cooperation
with the people who are reporting the crimes, and from the
Congress perhaps and the State legislature, as you have noted,
in providing the kind of legal authority and resources
necessary to do the job.
It is a very difficult challenge. It will evolve as time
goes on, and I commend both of you and your offices for the way
that you have jumped on this very quickly. And certainly as you
have pointed out, General Napolitano, Arizona being the leader
in developing both the legal authority and within your office
the ability to quickly deal with these kinds of cyber attacks.
I commend you both, and I appreciate you testifying here.
We will have the record open for a period of time for any other
comments you would like to make, and naturally I am always
appreciative of your advice on the subject. So thank you very,
very much.
Mr. Gonzalez. Thank you.
Ms. Napolitano. Thank you, Senator.
Senator Kyl. Our next witness is David Aucsmith, the chief
security architect for the Intel Corporation. Mr. Aucsmith is a
recognized expert in the computer security field and will be
making the U.S. industry presentation at the upcoming G-8
summit on cyber crime in May in Paris, France.
Mr. Aucsmith, your full statement will be placed in the
record, and I would invite you to make summary remarks at this
time. And, again, I very much appreciate your presence here.
PANEL CONSISTING OF DAVID W. AUCSMITH, CHIEF SECURITY
ARCHITECT, INTEL CORP.; AND JOSE GRANADO, SENIOR MANAGER, ERNST
& YOUNG LLP, HOUSTON, TX
STATEMENT OF DAVID W. AUCSMITH
Mr. Aucsmith. Thank you very much, Senator.
The purpose, I think, of my presentation is to talk about
the technological trends and challenges facing the protection
of critical infrastructures as we move forward.
Intel's former CEO, Andy Grove, was very fond of starting a
lot of his presentations with the statement that we are rapidly
approaching a time of a billion connected computers. That is
actually a fairly fantastic statement. He said there are
roughly a billion connected computers simultaneously exchanging
data. And the computers that we are talking about are not just
PC's. As was mentioned earlier, we are talking about the
controls to an irrigation system. We are talking about national
power grids, airline reservations, financial information from
Wall Street, accessible by a billion connected computers.
Why is this done? The obvious reason is to improve cost and
efficiency. It lowers the cost if there are common infrastructures
allowing communications and information to take place, and it
significantly raises the efficiency. In fact, a year or so ago,
the Department of Commerce credited that efficiency with
keeping the level of inflation a whole percentage point lower
than it would have been otherwise.
However, this same efficiency also created quite a number
of vulnerabilities, which is what this hearing is basically
about. Those efficiencies mean that we have just-in-time
inventory management, we have just-in-time commission and
movement. That leaves very, very little room for error when
that system is disrupted. That just-in-time inventory also
applies to critical components of the national power grid and
transportation sectors.
Basically what we have seen so far is vandals on the
Internet, as another way of putting it. That is the majority of
the cases. If you have a billion connected computers, one way
to look at that is you have a billion minus one potential
attackers to your particular computer system.
Another way from my end that we look at this is that we
basically have a billion connected computers each of which has
a billion different security policies. We actually can't seem
to agree on precisely what is the right way to defend or to
state even how we should defend each of the individual sites.
The statistics are rather frightening. It includes major
companies such as Intel and others attacked somewhere around
the neighborhood of 6,000 a day. You have cable modem users who
would reflect around 250 attacks or so a week. And it is a
fairly phenomenal amount.
Now, most of these attacks are the equivalent of vandalism.
I like to point out it is somewhat like spray painting in
cyberspace. It is about the same equivalent. The problem, of
course, is that you really can't tell which of those are
potential spray painters and which of those are potentially
serious fraud or an intelligence-gathering operation.
One way to look at it is if you were a business you
wouldn't tolerate a few thousand people a day walking up and
rattling your front doors or trying to see if there is an open
window where they could come into your business, yet in
cyberspace, we have sort of grown up and accept these just as a
matter of fact. We can't live with this as a basic problem. In
fact, when vandalism gets out of hand, you end up with the
distributed denial-of-service attacks that we have just had.
That's what happens if several thousand people show up at your
front door at once.
There are other problems, which are essentially the
cascading destruction that occurs when one part of the system
fails due to a vandalism or a malicious attack or a terrorist
incident or whatever. The interconnectivity causes a great deal
of things to happen all through.
But I don't want to dwell on vandalism. There is a great
statement from the bank robber of the 1950's, Willie Sutton.
When he was asked why did he rob banks, he said, ``Because
that's where the money is.'' Well, right now e-commerce is
where the money is. In fact, it is very likely that we will see
serious criminals--and we are beginning to see them--move into
cyberspace because that is where the money is.
We have seen this in the case of credit card theft and a
number of others. Basically cyberspace offers precisely the two
things that criminals need: anonymity and mobility. Those
happen to be the things that generally e-commerce also needs,
but they do facilitate the bad guys.
Most security domains as they are set up now approach what
we call the nougat method of security, which is they have a
very hard shell on the outside and they are soft and chewy on
the inside. So all you have to do is break through that outer
barrier and people do not practice defense in depth in general.
That is not to say that people aren't trying. There is a
great deal of standards development going on within the
industry. International standards are essentially the glue
that binds cyberspace together, and there is a lot of work,
including IP security standards for telecommunications, use of
better identification methods like smart cards and biometrics.
All of those things are happening, but it is important to
stress that standards development is extremely slow. Because it
is an international endeavor, it does not move at cyber speed.
Also, security is traditionally a form of insurance. We
didn't put up metal detectors in airports until after airlines
were hijacked. We are unlikely to put in strong security in
cyberspace until after major incidents. It is just very hard to
get people motivated otherwise.
One of the perhaps best things that we can do is to provide
some assistance for law enforcement and others in dealing with
the current problems. The technology that we deal with is
extremely complex. Its very efficiencies frequently frustrate
the ability to catch criminals in cyberspace. It is complex and
esoteric. Experts typically are hard to find and have to be
paid a great deal. It is very difficult for law enforcement to
deal with that.
Intel might be regarded as being at the forefront of this
technological revolution, certainly one of the companies, and
it is very difficult for us to keep up with the technology, and
we dedicate a great number of people to doing that.
The best thing that we can do is to have good cooperation
amongst industry components and with governments to help make
the Internet a safer place and to protect the critical
infrastructures. There are several good examples of that
cooperative effort. Some of them have already been alluded to.
There are others such as the information technology study
group, which is a joint industry and FBI initiative to look at
strategic directions in solving these problems.
However, there are problems with that cooperation. Some of
them have been alluded to. We are now having a collection of
industry competitors coming together to share information. That
brings up antitrust issues. Certainly from the strategic
standpoint, we have companies disclosing vulnerabilities and
other intellectual property about their products that is
subject to discovery and may end up in a court of law. That is
not something generally wanted by industry.
There are problems with funding of those cooperative
efforts. Industry is pretty much consenting to do this on a pro
bono basis, gratis, if you will, but the government sectors of
those require funding in order to do the administration and
make the best use of that.
Congress also will have to address other problems. The
biggest problem looming on the horizon is that having to do
with jurisdictional issues. Cyber crime occurs all over the
world. It is very difficult to figure out who exactly has
jurisdiction and in what cases. Some of that is being
addressed.
So, basically, in closing, though I don't want to leave you
with too bleak a view here, the technology is basically amoral.
It is just moving at a very rapid pace. It is being used for
good and, of course, bad guys will move in, too. Traditionally,
law enforcement and national security interests have been able
to adapt to changes in technology from the automobile, the
telephone, and others over time. I am sure that in time we will
be able to adapt to create effective order in the new
technologies. It is perhaps fitting, if you will, that this is
being held in Arizona. It somewhat resembles the Wild West at
this point of view, and it is merely a need to slowly but
surely civilize it. That is one way to look at it.
Thank you very much, Senator.
[The prepared statement of Mr. Aucsmith follows:]
[GRAPHIC] [TIFF OMITTED] T9335.058 through T9335.066
Senator Kyl. Well, thank you very much, Mr. Aucsmith. Of
course, we wanted to put one of our premier corporations on
display as well, and since you are a leading technology expert
in the area, we thought this would be a good forum in which to
discuss this. I am not sure whether we should have had you
before or after our next witness, though, because our next
witness is going to demonstrate to us how this hacking is done.
Now, I have some assurances that with the law enforcement
officials here, this will all be done in a quasi-legal way, but
I take no--I give no assurances in that regard. Let me properly
introduce to you Jose Granado. He is a senior manager at Ernst
& Young, a highly qualified accounting firm in the country, no
fly-by-night hacking outfit, I would hasten to point out. And
recently it was named as the outstanding information security
organization, as I understand it, by the Information Systems
Security Association. So Jose also comes by his expertise
rightly.
He has been involved with information security for the last
12 years. He is a frequent speaker on the topic. We thank you
for testifying today, and as I have mentioned to the others,
your full statement will be placed in the record, and we would
appreciate a summary of your remarks at this time.
STATEMENT OF JOSE GRANADO
Mr. Granado. Good morning, Mr. Chairman. Thank you for the
opportunity to testify today regarding improving prevention and
prosecution against cyber attacks. As you mentioned, I am a
senior manager with Ernst & Young's eSecurity Services group. I
direct a team of ``white hat hackers'' who perform network
assessments on client networks. Their objective is to identify
existing weaknesses in computer systems that will lead to
unauthorized access. My perspective comes from having led over
100 network security assessments over the past several years.
Assisting me today is Ron Nguyen, a manager with our eSecurity
Services group. Today we will describe and demonstrate the
process we utilize to perform these assessments.
When performing these assessments, we obtain a snapshot in
time of an organization's network security posture. This
snapshot allows us to identify potential points of entry to
gain unauthorized access to a network. The demand for these
assessments has been generated by several factors: increased e-
commerce initiatives, increased Internet dependency, which has
generated a need for independent security reviews, increased
discovery of operating system and application level
vulnerabilities, and increased publicity, as we have seen
recently with the denial-of-service attacks on eBay, Yahoo, and
others.
Although our team is extremely skilled, over 75 percent of
our initial access into client networks is gained via
relatively simple methods and techniques. Our success is
facilitated by three factors: poor selection of user ID's and
passwords, poor system configuration from a security
perspective, and the inability for organizations to implement
solutions on a realtime basis to existing vulnerabilities.
Hundreds of websites exist that contain system security
information. The network used to exchange this type of
information transcends physical, geographical, and cultural
boundaries. Internet chat sites, informal gatherings, and
conferences also help to facilitate the flow of information.
During today's online demonstration, we will identify a
live computer system, scan the computer system for potential
entry points, gain access to the system, eavesdrop and control
the system remotely, crack the password file, and, finally,
execute a denial-of-service attack.
Our demonstration network is comprised of two Windows NT
laptop computers. The computer labeled ``attack,'' the one on
the larger screen, will be performing the hacking activity. The
computer labeled ``victim,'' the one on the smaller screen,
will be the recipient of the attacks. Although these computers
comprise their own mini network, the techniques demonstrated
today can be performed against any live computer on the
Internet that is in a similar security state as our victim
system.
An attacker can run a ping utility to randomly identify a
range of targets on the Internet. The attacker can also target
a specific victim to attack. For our demonstration, we will
ping www.victim.com.
The ping utility has identified one live system on our
network designated by the IP address 192.168.10.10. An IP
address is a numerical designation that identifies a computer
on a network. Once we identify a live target, there are a
number of freely available vulnerability scanning tools that
can be used to identify potential entry points. For our
demonstration, we will use the freeware tool called
``Superscan'' on our attack system to scan our victim.
The scanner has identified potential entry points on our
target system--specifically, ports 21, 80, 135, and 139. A port
is a numerical designation for a specific network function.
Part of the system access process is mapping vulnerabilities
associated with these open ports to exploit tools. Our scan
identified port 80, which is associated with Web browsing, as
open. For our demonstration, we will launch the iishack tool on
our attack system to gain access to our victim.
We now have gained access to our victim system. The attack
was successful. The iishack tool the attacker used exploited a
buffer overflow vulnerability on the target system. A buffer
overflow condition is caused by the transmission of unexpected
data to a target system, causing it to accept commands from an
attack system. The hack tool launched a listening service that
the attacker can now use to remotely control the system. This
listening service allows the attacker to eavesdrop on the
victim system by using a standard Web browser. For our
demonstration, the attack system will monitor a letter being
typed by the victim system.
As you can see, the attack system now actually has the
screen of the victim system displayed on it. The victim
computer is typing a letter with the notepad function, and what
he is typing keystroke by keystroke is now appearing on the
bigger screen, which is the attack system.
With remote control access, the attacker can leverage the
target system as a launchpad to attack other systems, start
programs, access and view files. For our demonstration, we will
access and view files on the victim system from our attack
system.
As you can see, the attack system here is going through the
contents of the C drive on the victim system and actually
bringing up documents that are on the victim system and
actually appearing on the screen of the attack system. The
documents, as you can see, appear in their complete entirety.
Now that the attacker has full control of the target
system, one of the most popular activities is password
cracking. The attacker can download the password file from the
remote system and run a password cracker to discover user
passwords. For our demonstration, we will download the password
file to our attack system and using the lopht crack program
demonstrate how quickly passwords can be cracked.
We have located the password file on the victim system. We
have dragged it to the desktop of our attack system. We are now
bringing up the lopht crack tool and feeding that password file
to the cracking tool. And as you can see, in a matter of
seconds 18 of 21 passwords were cracked, and that took probably
2 or 3 seconds.
If the attacker is simply looking for targets to crash,
they can easily launch a denial-of-service attack directed
specifically at the target system. For our demonstration today,
we will launch a denial-of-service attack on our attack system
to disable our victim.
The IP address of the victim system is being inputted into
the denial-of-service tool, and after pressing the nuke button,
we see that our victim system has been disabled as evidenced by
the blue screen with all the error messages that are on it. And
now that that system is disabled, it needs to be restarted to
get back to its original state.
Thank you for the opportunity to testify today at this
hearing, and subject to your questions, this concludes our
quick demonstration.
[The prepared statement of Mr. Granado follows:]
Prepared Statement of Jose Granado
POWERPOINT TITLE SLIDE
Introduction
Mr. Chairman and distinguished members of the Subcommittee, thank
you for the opportunity to testify today regarding improving prevention
and prosecution against Cyber Attacks.
My name is Jose Granado. I am a Senior Manager with Ernst & Young's
eSecurity Services group. I direct a team of ``white hat hackers'' who
perform network assessments on client networks. Their objective is to
identify existing weaknesses in computer systems that will lead to
unauthorized access. My perspective comes from having led over 100
network security assessments over the past several years. Assisting me
today is Ron Nguyen, a manager with our eSecurity Services group. Today
we will describe and demonstrate the process we utilize to perform
these assessments.
POWERPOINT SLIDE ONE
Introduction to White Hat Hacking
When performing these assessments we obtain a ``snapshot'' in time
of an organization's network security posture. This snapshot allows us
to identify potential points of entry to gain unauthorized access to a
network. The demand for these assessments has been generated by several
factors:
Increased eCommerce initiatives.
Increased Internet dependency--which has generated a need
for independent security reviews.
Increased discovery of operating system and application
level vulnerabilities.
Increased publicity--as we have seen recently with the
Denial of Service Attacks on eBay, Yahoo and others.
Although our team is extremely skilled, over 75 percent of our
initial access into client networks is gained via relatively simple
methods and techniques. Our success is facilitated by three factors:
Poor selection of userids and passwords.
Poor system configuration from a security perspective.
Challenges organizations face in keeping up the large
volume of vulnerabilities discovered on a daily basis.
POWERPOINT SLIDE TWO
Hundreds of web sites exist that contain system security
information. The network used to exchange this type of information
transcends physical, geographical, and cultural boundaries. Internet
Chat sites, informal gatherings and conferences also help to facilitate
the flow of information.
POWERPOINT SLIDE THREE
During today's online demonstration we will:
Identify a ``live'' computer system.
Scan the computer system for potential entry points.
Gain access to the system.
Eavesdrop and control the system remotely.
Crack the password file.
Execute a denial of service attack.
START DEMO
Demonstration
Our demonstration network is comprised of 2 Windows NT laptop
computers. The computer labeled ``attack'' will be performing the
hacking activity. The computer labeled ``victim'' will be the recipient
of the attacks. Although these computers comprise their own mini
network, the techniques demonstrated today can be performed against any
``live'' computer on the Internet that is in a similar security state
as our victim system.
Identifying a ``live system''
An attacker can run a ping utility to randomly identify a range of
targets on the Internet. The attacker can also target a specific victim
to attack. For our demonstration we will ping www.victim.com.
Scanning a system for potential vulnerabilities
The ping utility has identified one live system on our network
designated by the IP address 192.168.10.10. An IP address is the
numerical designation that identifies a computer on a network. Once we
identify a live target, there are a number of freely available
vulnerability scanning tools that can be used to identify potential
entry points. For our demonstration, we will use the freeware tool
``Superscan'' on our attack system to scan our victim.
Gaining access to a system
The scanner has identified potential entry points on our target
system. Specifically, ports 21, 80, 135 and 139. A port is a numerical
designation for a specific network function. Part of the system
access process is mapping
vulnerabilities associated with these open ports to exploit tools. Our
scan identified port 80 which is associated with web browsing as open.
For our demonstration we will launch the iishack tool on our attack
system to gain access to our victim.
Eavesdropping on a system remotely
The iishack tool the attacker used exploited a buffer overflow
vulnerability on the target system. A buffer overflow condition is
caused by the transmission of unexpected data to a target system,
causing it to accept commands from an attack system. The hack tool
launched a listening service that the attacker can now use to remotely
control the system. This listening service allows the attacker to
eavesdrop on the victim system by using a standard web browser. For our
demonstration the attack system will monitor a letter typed by the
victim system.
Controlling a system remotely
With remote control access, the attacker can leverage the target
system as a launchpad to attack other systems, start programs, access
and view files. For our demonstration we will access and view files on
the victim system from our attack system.
Cracking passwords
Now that the attacker has full control of the target system, one of
the most popular activities is password cracking. The attacker can
download the password file from the remote system, and run a password
cracker to discover user passwords. For our demonstration we will
download the password file to our attack system and using the lopht
crack program demonstrate how quickly the passwords are cracked.
Executing a Denial of Service Attack
If the attacker is simply looking for targets to crash, they can
easily launch a denial of service attack directed specifically at the
target system. For our demonstration, we will launch a denial of
service attack on our attack system to disable our victim.
Subject to any questions this concludes the presentation.
Senator Kyl. Thank you very much.
Did the FBI get all of that down? [Laughter.]
You were taking good notes.
Obviously, this simulation attack is designed to illustrate
how people with a little bit of expertise--and I know that our
witness here has a lot of expertise, but I am going to ask him
as kind of a first question how much expertise you need to do
this--can quickly get into, can disable, can secure information
from or deface a system, whether it be a business or commercial
system, a government computer, a research or university
computer, or certainly a private computer.
Let me begin by asking, Mr. Granado, just how experienced
do you have to be to be able to do the kind of thing that you
just now did?
Mr. Granado. The experience is not what one would think. We
often find that individuals involved in this kind of activity
have a love for technology. These are folks that stay up until
2, 3 or 4 a.m. reading everything they can get their hands on
on systems and vulnerabilities and things of that nature. These
kind of folks aren't individuals that have to go to Harvard to
get this kind of experience. So the love for technology, a
basic understanding of computer systems and networks is really
at the foundation level all that is required.
Now, as I mentioned during my testimony, the voluminous
amount of information that is out there on the Internet on how
to go at these systems actually helps to facilitate the
knowledge process for folks that want to get involved in this
kind of activity. But the experience needed to do this is not
great. It is just a general understanding of computers and
networks, and then all the information that is available out
there kind of helps snowball your experience level so that you
can perform these kind of activities.
Senator Kyl. I think illustrative of that is the fact that
the first person arrested in connection with the denial of
service of the various sites in the United States, the young
Canadian, was 15 years old. And I will mention another
operation. During the time the United States was preparing an
attack on Iraq, there was an intrusion into some U.S.
Government computers that was serious enough that it got the
highest levels of our Government. We dubbed the exercise
``Solar Sunrise.'' We eventually found that there were three
people under the age of 20 in I think two different countries
that were involved in that attack. They were fortunately
brought to justice.
But the point is that this seems to be coming a lot from
young people who obviously don't have the college degree you
are speaking of but have acquired the capability to cause great
mischief.
Mr. Granado. Absolutely.
Senator Kyl. Let me ask Mr. Aucsmith, at our hearing in
Washington, DC, Harris Miller, who I am sure you know--he is
president of the Information Technology Association of
America--testified and he said one of the inhibitions of
sharing information between the private sector and the
Government regarding these vulnerabilities and threats is that
companies naturally don't want their vulnerabilities and the
attacks that have actually occurred against them to be publicly
known since this could easily impact on consumer confidence in
their particular sites and people then might not want to use
their website. He said that unless companies are given an
exemption from the Freedom of Information Act so that
information they disclose to the Government can't be obtained
by any other person that files the paperwork, that they would
not want to voluntarily submit information to the Government in
the name of cyber security.
Do you share this view? Do you think we need that kind of
protection of private information from being acquired under the
Freedom of Information Act?
Mr. Aucsmith. Yes, Sir, I actually do, very much so. There
are two issues at stake here, and it depends on for what the
information is being used. If it is tactical information, the
FBI may be needed to solve the problem.
Senator Kyl. Meaning on how to--sort of to understand the
kind of thing that Mr. Granado just now did, how does this
system work so that we can track back the perpetrator.
Mr. Aucsmith. Right. And for that, our concern is if we
share that information, we may end up as a witness in a
discovery process. No company wants to end up in a criminal
proceeding with their product. The second, somewhat longer
range, has to do with we are aware--as much as we may try, we
can't produce perfectly secure systems. It is just not
economically feasible. In many cases, it is not even
technically feasible. So we are made aware of vulnerabilities,
but we are sort of constantly trying to fix those
vulnerabilities in each new product revolution. So what you
basically have is a sliding window of vulnerabilities that go
along, and industry is very reluctant to make that public
because, clearly, that is only helping the bad guy. It
certainly could be used by your competition to weaken your
product. So there is some need--there is a need to come up with
some solution for allowing--sharing the strategic
vulnerabilities, helping your practical situation with
knowledge that we have in a way that doesn't adversely affect
the security of a company or the infrastructure that are built
off of those products. Something needs to be done.
Senator Kyl. Well, Congress is looking--I was involved in
the Y2K legislation which gave some temporary time-outs for
liability on sharing of information in order to ensure that in
that run-up to the Y2K turnover that we wouldn't have an excess
of problems. And that seemed to work pretty well.
So you would be supportive of Congress looking into the
Freedom of Information Act, the potential for class action
liability, antitrust liability, in a way to try to balance the
need to share this information with the protections needed if
the information is shared.
Mr. Aucsmith. That is correct. Clearly, we are not
advocating removal of FOIA. But what we are advocating is
giving some level of protection where such vulnerabilities are
so terribly sensitive.
Senator Kyl. Now, Mr. Granado, one of the issues here is
insider threat. In addition to hacking in from the outside,
clearly there are some problems of the insiders. Could you
comment a little bit about your concern there?
Mr. Granado. Yes, Sir, absolutely. I mentioned during my
testimony that our access into computer networks 75 percent of
the time is through simple methods and techniques, and that
specific statistic was for attacks from the outside in. When we
are invited into an organization to perform our assessments,
our success rate is 100 percent. The reasoning there is
obviously there is a certain level of trust that is assumed
when an individual or a group of individuals are inside an
organization, the security problem I think becomes twice as
difficult because of that assumed level of trust, and the
security controls that an organization implements, they need to
be perimeter-based for external threat, but there also needs to
be auditing and monitoring tools on the inside so that the
activities of users on the inside could be monitored so that if
any weird activities are occurring they can be flagged and
acted upon.
Senator Kyl. This is the so-called defense in depth concept
that Mr. Aucsmith mentioned.
Mr. Granado. So there is no question that the insider
threat is greater from my perspective than the outside threat.
Again, that assumed level of trust of someone that you let
inside your facility, they have already beaten one hurdle. They
now just have to get to your network and access systems.
Senator Kyl. I want to ask both of you a question here, and
this goes right to the point Mr. Aucsmith made a minute ago.
Maybe neither one of you wants to reveal this nasty little
secret to the public here, but I think it is important to do so
in order to help do the job that both of you do.
I would like for you to describe just how vulnerable anyone
on the Internet is, and let me put it in this context. Suppose
I buy one of the new encryption products and let's call it
pretty good security, and I buy that and I think, great, I am
encrypted now, and unless some organization like the CIA tried
to crack it, it is not going to be crackable. So I am home free
here.
How foolish is that attitude? Just how vulnerable is anyone
on the Internet? How easy is it and how many different ways are
there to break into these kind of systems?
Mr. Aucsmith. You have actually gone a reasonable step
towards achieving security from a particular type of threat.
That particular type of threat is collecting tactics at some
intermediate point. What you have done nothing for is to
protect the endpoint systems where that information originates
or the destination of where it goes. In fact, given most
encryption systems, the vulnerability is actually to break into
the system and record the information before it is ever
encrypted, which basically could be done in the attack you just
saw here, or to go hunting around in the computer itself for
the keystrokes that were used to invoke the unknown--or the
key, the encryption key. You would solve one of the problems,
but probably not the hardest one, quite frankly. And how
vulnerable are they? If you were to take this scenario that I
just went through here, and instead of launching the particular
attack I did, but start downloading the swap file, which is
where the operating system puts intermediate material as it is
being processed for efficiency, and then scan that for the
invocation of your particular encryption program and the
keystrokes that were used to invoke it, you will most likely
recover the key.
Senator Kyl. Can you describe this in terms of an analogy?
I know you used the analogy of leaving the window open in the
home. But can you think of a good analogy to bring home to
people how you may have provided security at points D through
F, but that is not all the way from A to Z.
Mr. Aucsmith. The analogy that we frequently talk about is
putting an armory on a screen door. I think basically you have
armored the front door and left all the windows open.
Senator Kyl. Mr. Granado, do you want to add anything to
that?
Mr. Granado. Sure. The way I would like to comment on that,
Senator, Ernst & Young is very active in providing this kind of
information to the IT community. We have a website,
www.esecurityonline.com, which provides vulnerability
information for IT folks who are interested in what the latest
threats are. And we also provide a separate section for
clients. We give them customized vulnerability information
based on the types of computers they have.
Anyway, my point is, for anyone to think that if they have
a security product that they just purchased today and that
makes them secure for the rest of time, it is extremely
foolish. From a statistical perspective, we discover about 7 to
10 vulnerabilities a day that we either discover through our
research labs or that we just gain information from other
folks.
So as you can see, you think you are secure today,
tomorrow, and the next day, but next week you may not be. You
know, this issue is something that organizations need to
consider a more proactive approach versus a reactive approach
to security. And security is a process. It is not a matter of
plugging a hole and then you are done. It is a process where
you need to test, you need to implement solutions, and then you
need to monitor those solutions. And that needs to be
recurring. And that is the only way that we are going to be
able to get ahead of the game with respect to these kinds of
attacks.
Mr. Aucsmith. Senator, one more follow-up to that. What the
people from Ernst & Young are talking about is exactly correct.
But I think we need to emphasize that the scenario they just
painted is that for an IT organization or business. The same
scenario is very difficult to work when you are talking about a
home user. And one of our problems is my industry has been
pushing very much to get everybody online all the time, always
connected. We have been a little bit behind on sharing with
them the vulnerabilities of being online and always connected.
And the same set of methodologies that work for businesses are
unlikely to work in the home users. I can't imagine my mother
being able to discern the information required to make a system
secure.
So what we have to do as an industry is make security
somewhat more seamless and automatic and easier to deal with.
We have a ways to go on that. We are working very hard, but it
is a very hard problem.
Senator Kyl. I think that is a very candid and excellent
statement of the state of play right now in the industry coming
from one of the leading industry drivers here, acknowledging
that in making this wonderful new tool so available to so many
people so fast, we have got to catch up in terms of security
and that that is going to require a significant degree of
effort.
I think that our hearing today, if it will do nothing else,
will be to demonstrate to people that there is a significant
lack of security, but that shouldn't deter people from using
the Internet, but that they should be very, very careful to the
extent that what they have on there is private and they want to
keep it private, and that industry generally and individuals
are going to have to make good recommendations to the
Government about what kind of protections they need in order to
provide the fullest possible cooperation with law enforcement
for law enforcement to do its job.
This is something that we want to do our best to cooperate
on, and I just would reiterate to the audience here, my
subcommittee deals with three subjects, and in this one area
they all tie together: technology, terrorism, and Government
information. And so we are right on the cusp of this. I have
introduced several pieces of legislation, some of which have
already been signed into law, some of which are pending, as you
heard before, and designed to try to begin to resolve these
issues. But perhaps the biggest point that I would make--and I
would like to have the witnesses comment on this, and then we
will--again, I could talk to these guys all day long. I
wouldn't understand a lot of what they say, but I can at least
appreciate the point they are trying to make. But we will need
to cut our hearing off here in a moment.
We need to create an atmosphere of understanding and mutual
commitment and trust that will enable private users, the
private commercial sector, and the Government policymakers and
Government law enforcement people to work together in order to
ensure that there is the maximum protection so that there can
be the maximum use. And if we do that, I think we will continue
to lead the world and improve the quality of life in this
country dramatically.
But to the extent that there continues to be a residue of
mistrust and an unwillingness to work together, it inhibits
this wonderful opportunity that we have.
Actually, there is one last question I would like to ask
both of you because I think it is important for particularly
our viewers and people who came to this hearing to appreciate.
If you want to know more about how to make your own systems
secure, let's say you are a small business here in Arizona,
what is the best advice you have to individuals or small
businesses? I am sure big businesses have found their way to
your doorstep, but how does a small business do the best it can
in an economic way to provide the security that it needs?
Mr. Granado. There are a lot of organizations that folks
and small businesses can join--Information Systems Security
Organization is just one--where members of small businesses can
join these organizations, and they have monthly meetings of
security professionals within that specific community to
discuss vulnerability issues, strategic issues, tactical issues
with respect to systems security. So that would be one good
economic avenue to gain knowledge on this issue.
Then the other point, again, what I alluded to earlier, the
Internet is just full of information that is free and easily
accessible. You know, I described today the hacking-related
information. There is just as much information out there on how
to secure your system, and step by step how to secure it, that
people can just do searches on the Internet, pull that
information, pull out what is specific to their machines, and
work on securing their systems, again, free and all that is
required is Internet access.
Mr. Aucsmith. And that is the nice thing about the
Internet, its opportunities. There are bad guys out there, but
there are also good guys. You can find lists of places to go
for the good guys. There is a variety of sources for finding
that, just a general search will probably help, but you can
start with CERT, which is an organization at Carnegie Mellon.
The Computer Emergency Response Team has a wide range of links
that you can go to where the good guys are. The problem with
all of that is it is necessary to have the technical competence
to make that a reality in small business, and many small
businesses lack that resource, in which case, much as you might
call a locksmith or a burglar alarm company to help protect
your physical security, you may very well need to make the
investment of contacting a security professional to help you
with your cyber security.
Senator Kyl. And probably one of the most important points
is, even though you develop what you think is a secure system,
always understand that there are numerous vulnerabilities, and
you have got to constantly be alert to the little things, you
know, leaving your password taped to the top of your computer,
as I saw one time, by the way--I mean, it sounds silly, but
there are a lot of vulnerabilities that people just don't stop
to think, basically, about what they need to do to make their
systems secure.
Mr. Aucsmith. We put them underneath the keyboards.
Senator Kyl. Yes, right. [Laughter.]
That is a good metaphor for the need to always be alert
that there could be a problem, even though you have secured
what you think is a pretty good system. But the first step is
to try to take advantage of this.
I am informed and we learned at our hearing in Washington
that this Carnegie Mellon entity which Mr. Aucsmith alluded to
had developed good counter-software to the kind of denial-of-
service attack that occurred against some of the sites that we
have been referring to today. Some entities took advantage of
that software. Some did not. Those that did didn't experience
that denial of service.
So take advantage of that which is available to you as has
been described and remain alert to the possibility that even
that won't necessarily deter a determined hacker. I guess those
would be the two watchwords.
I really appreciate your demonstration, Mr. Granado, and,
Mr. Aucsmith, your expertise in this. I will hope to continue
to plumb the depths of that expertise as we try to fashion the
kind of national policy and legislative solution to develop
this cooperation that is going to be so essential to the
future, and I look forward to continuing to cooperate with you.
I thank all of you who have joined us at this hearing
today. As I said at the beginning, this is an official hearing
of the U.S. Senate Judiciary Committee's subcommittee which I
chair, and anyone who wishes to communicate with us, we can put
your comments in the record if they are appropriate. If you
have questions, obviously submit them through me, and perhaps
we will have an opportunity to share those with our witnesses
here today.
If there is nothing further, then I will declare this
meeting adjourned.
[Whereupon, at 10:30 a.m., the subcommittee was adjourned.]