[Senate Hearing 113-891]
[From the U.S. Government Publishing Office]




                                                        S. Hrg. 113-891

                    TAKING DOWN BOTNETS: PUBLIC AND
                     PRIVATE EFFORTS TO DISRUPT AND
                    DISMANTLE CYBERCRIMINAL NETWORKS

=======================================================================

                                HEARING

                               before the

                  SUBCOMMITTEE ON CRIME AND TERRORISM

                                 of the

                       COMMITTEE ON THE JUDICIARY
                          UNITED STATES SENATE

                    ONE HUNDRED THIRTEENTH CONGRESS

                             SECOND SESSION

                               __________

                             JULY 15, 2014

                               __________

                          Serial No. J-113-70

                               __________

         Printed for the use of the Committee on the Judiciary








                     U.S. GOVERNMENT PUBLISHING OFFICE 
		 
28-403 PDF                WASHINGTON : 2018

                       COMMITTEE ON THE JUDICIARY

                  PATRICK J. LEAHY, Vermont, Chairman
DIANNE FEINSTEIN, California         CHUCK GRASSLEY, Iowa, Ranking 
CHUCK SCHUMER, New York                  Member
DICK DURBIN, Illinois                ORRIN G. HATCH, Utah
SHELDON WHITEHOUSE, Rhode Island     JEFF SESSIONS, Alabama
AMY KLOBUCHAR, Minnesota             LINDSEY GRAHAM, South Carolina
AL FRANKEN, Minnesota                JOHN CORNYN, Texas
CHRISTOPHER A. COONS, Delaware       MICHAEL S. LEE, Utah
RICHARD BLUMENTHAL, Connecticut      TED CRUZ, Texas
MAZIE HIRONO, Hawaii                 JEFF FLAKE, Arizona
           Kristine Lucius, Chief Counsel and Staff Director
        Kolan Davis, Republican Chief Counsel and Staff Director
                                 ------                                

                  Subcommittee on Crime and Terrorism

               SHELDON WHITEHOUSE, Rhode Island, Chairman
DIANNE FEINSTEIN, California         LINDSEY GRAHAM, South Carolina, 
CHUCK SCHUMER, New York                  Ranking Member
DICK DURBIN, Illinois                TED CRUZ, Texas
AMY KLOBUCHAR, Minnesota             JEFF SESSIONS, Alabama
                                     MICHAEL S. LEE, Utah
                 Ayo Griffin, Democratic Chief Counsel
                David Glaccum, Republican Chief Counsel

                            C O N T E N T S

                              ----------                              

                        JULY 15, 2014, 2:31 P.M.

                    STATEMENTS OF COMMITTEE MEMBERS

Graham, Hon. Lindsey O., a U.S. Senator from the State of South 
  Carolina
Whitehouse, Hon. Sheldon, a U.S. Senator from the State of Rhode 
  Island
    prepared statement

                               WITNESSES

Witness List
Boscovich, Richard, Assistant General Counsel, Digital 
  Crimes Unit, Microsoft Corporation, Redmond, Washington
    prepared statement
Caldwell, Hon. Leslie R., Assistant Attorney General, 
  Criminal Division, U.S. Department of Justice, Washington, DC
    prepared statement
Demarest, Joseph, Jr., Assistant Director, Cyber Division, 
  Federal Bureau of Investigation, Washington, DC
    prepared statement
McGuire, Cheri F., Vice President, Global Government Affairs and 
  Cybersecurity Policy, Symantec Corporation, Mountain View, 
  California
    prepared statement
Spiezle, Craig D., Executive Director and Founder, Online Trust 
  Alliance, Bellevue, Washington
    prepared statement
Vixie, Paul, Ph.D., Chief Executive Officer, Farsight Security, 
  San Mateo, California
    prepared statement

                               QUESTIONS

Questions submitted to Richard Boscovich by Senator Whitehouse
Questions submitted to Cheri F. McGuire by Senator Whitehouse
Questions submitted to Craig D. Spiezle by Senator Whitehouse
Questions submitted to Paul Vixie, Ph.D., by Senator Whitehouse

                                ANSWERS

[Note: At the time of printing, after several attempts to obtain 
  responses to the written questions, the Committee had not 
  received responses from Richard Boscovich.]
Responses of Cheri F. McGuire to questions submitted by Senator 
  Whitehouse
Responses of Craig D. Spiezle to questions submitted by Senator 
  Whitehouse
Responses of Paul Vixie, Ph.D., to questions submitted by Senator 
  Whitehouse


 
                         TUESDAY, JULY 15, 2014

                      United States Senate,
               Subcommittee on Crime and Terrorism,
                                Committee on the Judiciary,
                                                    Washington, DC.
    The Subcommittee met, pursuant to notice, at 2:31 p.m., in 
room SD-226, Dirksen Senate Office Building, Hon. Sheldon 
Whitehouse, Chairman of the Subcommittee, presiding.
    Present: Senators Whitehouse, Coons, and Graham.

         OPENING STATEMENT OF HON. SHELDON WHITEHOUSE,
         A U.S. SENATOR FROM THE STATE OF RHODE ISLAND

    Chairman Whitehouse. I will call this hearing of the 
Judiciary Committee's Subcommittee on Crime and Terrorism to 
order, and I thank everyone for being here. I have the 
permission of my Ranking Member to get underway. He will be 
joining us shortly, but allowing for opening statements and so 
forth, I think it is probably the best way to do this, to 
simply proceed and get underway.
    Today's hearing is entitled, ``Taking Down Botnets: Public 
and Private Efforts to Disrupt and Dismantle Cybercriminal 
Networks.'' We are going to be hearing testimony about these 
botnets and about the threat that they pose to our economy, to 
our personal privacy, and to our national security.
    A botnet is a simple thing. It is a network of computers 
connected over the Internet that can be instructed to carry out 
specific tasks. The problem with botnets is that typically the 
owners of those computers do not know that they are carrying 
out those tasks.
    Botnets have existed in various forms for well over a 
decade, and they are now recognized as a weapon of choice for 
cyber criminals, and it is easy to see why. A botnet can 
increase the computing resources at a hacker's disposal 
exponentially, all while helping conceal the hacker's identity. 
A cyber criminal with access to a large botnet can command a 
virtual army of millions, most of whom have no idea that they 
have been conscripted.
    Botnets enable criminals to steal individuals' personal and 
financial information, to plunder bank accounts, to commit 
identity theft on a massive scale. For years, botnets have sent 
most of the spam that we all receive. The largest botnets are 
capable of sending billions of spam messages every day.
    Botnets are also used to launch distributed denial-of-
service--or DDOS--attacks, which can shut down websites by 
simply overwhelming them with incoming traffic. This is a 
constant danger for businesses in every sector of our economy, 
but we have seen this strategy used against everything from 
businesses to sovereign nations.
    The only limit to the malicious purposes for which botnets 
can be used is the imagination of the criminal who controls 
them. And when a hacker runs out of uses for a botnet, he can 
simply sell it to another criminal organization to use for an 
entirely new purpose. It presents a virtual infrastructure of 
crime.
    Let us be clear. The threat from botnets is not just a 
threat to our wallets. Botnets are effective weapons not merely 
for those who want to steal from us, but also for those who 
wish to do us far more serious harm. Experts have long feared 
that the next 9/11 may be a cyber attack. If that is the case, 
it is likely that a botnet will be involved.
    Simply put, botnets threaten the integrity of our computer 
networks, our personal privacy, and our national security.
    In recent years, the Government and the private sector have 
launched aggressive enforcement actions to disrupt and to 
disable individual botnets. The techniques used to go after 
these botnets have been as varied as the botnets themselves. 
Many of these enforcement actions used the court system to 
obtain injunctions and restraining orders, utilizing innovative 
legal theories, combining modern statutory claims under 
statutes such as the Computer Fraud and Abuse Act with such 
ancient common law claims as trespass to chattels.
    In 2011, the Government obtained for the first time a court 
order that allowed it to seize control of a botnet using a 
substitute command and control server. As a result, the FBI 
launched a successful takedown of the Coreflood botnet, freeing 
90 percent of the computers Coreflood had infected in the 
United States.
    Microsoft, working with law enforcement, has obtained 
several civil restraining orders to disrupt and in some cases 
take down individual botnets, including the Citadel botnet, 
which was responsible for stealing hundreds of millions of 
dollars. And earlier this year, the Justice Department and the 
FBI, working with the private sector and law enforcement 
agencies around the world, obtained a restraining order 
allowing them to take over the Gameover Zeus botnet. This 
action was particularly challenging because the botnet relied 
on a decentralized command structure that was designed to 
thwart efforts to stop it.
    Each of our witnesses today has played a role in efforts to 
stop botnets. I look forward to learning more about these and 
other enforcement actions and the lessons that we should take 
away from them. We must recognize that enforcement actions are 
just one part of the answer, so I am interested in hearing also 
about how we can better inform computer users of the dangers of 
botnets and what other hygiene steps we can take to address 
this threat.
    My hope is that this hearing starts a conversation among 
those dealing day to day with the botnet threat and those of us 
in Congress who are deeply concerned about that threat. 
Congress, of course, cannot and should not dictate tactics for 
fighting botnets. That must be driven by the expertise of those 
on the front lines of the fight.
    But Congress does have an important role to make sure that 
there is a solid legal foundation for enforcement actions 
against botnets and clear standards governing when they can 
occur.
    We must also ensure that botnet takedowns and other actions 
are carried out in a way that protects consumers' privacy, all 
while recognizing that botnets themselves represent one of the 
greatest privacy threats that computer users face today. They 
can actually hack into your computer and look at you through 
your webcam. And we must make sure that our laws respond to a 
threat that is constantly evolving and encourage rather than 
stifle innovation to disrupt cyber criminal networks.
    I look forward to starting this conversation today and to 
continuing it in the months ahead. I thank my distinguished 
Ranking Member for being such a terrific colleague on these 
cyber issues. We hope that a good piece of botnet legislation 
can emerge from our work together.
    I thank you all for participating in this hearing and for 
your efforts to protect Americans from this dangerous threat, 
and before we hear from our witnesses, I will yield to my 
distinguished Ranking Member, Senator Lindsey Graham.

           OPENING STATEMENT OF HON. LINDSEY GRAHAM,
        A U.S. SENATOR FROM THE STATE OF SOUTH CAROLINA

    Senator Graham. Thank you, Mr. Chairman. I just want to 
acknowledge your work on this issue and everything related to 
cyber threats. There is no stronger, clearer voice in the 
Senate than Sheldon Whitehouse in terms of the threats we face 
on the criminal front and the terrorist front that come from 
cyber misdeeds, and Congress is having a difficult time 
organizing ourselves to combat both threats.
    But to make sure that this is not an academic exercise, I 
guess it was last year--or it might even have been a bit 
longer, but the Department of Revenue in South Carolina was 
hacked into by--we do not know all the details, but a criminal 
enterprise that stole millions of Social Security numbers and 
information regarding companies' charters, revenue, and that 
has required the State of South Carolina to purchase 
protection. I think it was a $35 million per year allocation to 
protect those who had their Social Security numbers stolen, we 
believe by a criminal enterprise. So it happened in South 
Carolina. It can happen to any company, any business, any 
organization in America, and our laws are not where they should 
be, so the purpose of this hearing is to gather information and 
hopefully come out and be a friend of law enforcement.
    So, Senator Whitehouse, you deserve a lot of credit in my 
view about leading the effort in the United States Senate, if 
not the Congress as a whole, on this issue.
    Thank you.
    Chairman Whitehouse. I am delighted now to welcome our 
administration witnesses. Before we do, his timing is perfect. 
Senator Chris Coons has joined us and yields on making an 
opening statement, so let us go ahead to the witnesses.
    The first is Leslie Caldwell. She is the head of the 
Criminal Division at the Department of Justice and was 
confirmed on May 15, 2014. She oversees nearly 600 attorneys 
who prosecute Federal criminal cases across the country. She 
has dedicated most of her professional career to handling 
Federal criminal cases, previously having served as the 
Director of the Justice Department's Enron Task Force and as a 
Federal AUSA in U.S. Attorneys' Offices in both New York and 
California.
    And after her testimony, we will hear from Joseph Demarest, 
who is the Assistant Director for the FBI's Cyber Division. He 
joined the FBI as a special agent in 1988 and has held several 
leadership positions within the Bureau, serving as, for 
instance, head and Assistant Director of the International 
Operations Division and as the Assistant Director in charge of 
the New York Division. He was appointed to his current position 
in 2012, and I have to say that I have had the chance to work 
very closely with Mr. Demarest, and I appreciate very much the 
energy and determination that he has brought to this particular 
arena of combat against the criminal networks of the world. And 
I look forward to his testimony.
    We begin with Assistant Attorney General Caldwell.

   STATEMENT OF HON. LESLIE R. CALDWELL, ASSISTANT ATTORNEY 
    GENERAL, CRIMINAL DIVISION, U.S. DEPARTMENT OF JUSTICE, 
                         WASHINGTON, DC

    Ms. Caldwell. Thank you, Chairman Whitehouse, Ranking 
Member Graham, and Senator Coons. Thank you for the opportunity 
to discuss today the Justice Department's fight against 
botnets, and I particularly want to thank the Chair for holding 
this hearing and for his continued leadership on these 
important issues.
    The threat from botnets--defined in simple terms as 
networks of hijacked computers surreptitiously infected with 
malicious software, or malware, which are controlled by an 
individual or an organized group for criminal purposes--has 
increased dramatically over the past several years. Criminals 
are using state-of-the-art techniques, seemingly drawn from 
science fiction movies, to take control of thousands or even 
hundreds of thousands of victim computers, or bots. They can 
then command these bots to do various things, as Senator 
Whitehouse indicated. They can flood an Internet site with junk 
data. They can knock it offline by doing that. They can steal 
banking credentials, credit card numbers, other personal 
information, other financial information; send fraudulent spam 
email; or even spy on unsuspecting computer users through their 
webcams.
    Botnet attacks are intended to undermine Americans' privacy 
and security and to steal from unsuspecting victims. If left 
unchecked, they will succeed in doing so. As cyber criminals 
have become more sophisticated in recent years, the Department 
of Justice, working through highly trained prosecutors at the 
Computer Crime and Intellectual Property Section of the 
Criminal Division, which I will call ``CCIPS,'' the National 
Security Division of the Justice Department, U.S. Attorneys' 
Offices across the country, and the FBI and other law 
enforcement agencies, we have likewise adapted and advanced our 
tactics to meet this threat.
    As just one example, in May of this year, CCIPS, the U.S. 
Attorney for the Western District of Pennsylvania, and the FBI, 
in partnership with other Federal and private sector 
organizations, disrupted the Gameover Zeus botnet and indicted 
a key member of that group that operated that botnet. Until its 
disruption, Gameover Zeus was widely regarded as the most 
sophisticated criminal botnet in existence worldwide. From 2011 
through 2014, Gameover Zeus infected between 500,000 and 1 
million computers, and it caused more than $100 million in 
financial loss.
    Put simply, the botmaster stole personal information from 
victim computers and with the click of a mouse, used that 
stolen information to empty bank accounts and rob small 
businesses, hospitals, and other victims by transferring funds 
from the victims' accounts to the criminals' own accounts.
    They also used Gameover Zeus to install CryptoLocker, which 
is a type of malware known as ``ransomware.'' That was 
installed on infected computers, and CryptoLocker enabled these 
criminals to encrypt key files on the infected computers and to 
charge victims a ransom for the release of their own files. In 
the short period between its emergence and our action, 
CryptoLocker infected more than 260,000 computers worldwide.
    The Department's operation against Gameover Zeus began with 
a complex international investigation conducted in close 
partnership with the private sector. It continued through the 
Department's use of a combination of a court-authorized 
criminal and civil legal process to stop infected computers 
from communicating with one another and with other servers 
around the world. The investigation and operation ultimately 
permitted the team not only to identify and charge one of the 
leading perpetrators, but also to cripple the botnet and to 
stop the ransomware from functioning.
    Moreover, the FBI was able to identify victims and, working 
with the Department of Homeland Security, foreign governments, 
and private sector partners, was able to facilitate the removal 
of malware from many victim computers. As we informed the court 
last week, at present the Gameover Zeus botnet remains 
inoperable and out of the criminals' hands. Gameover Zeus 
infections are down 30 percent, and CryptoLocker remains non-
operational.
    As the successful operation demonstrates, we are employing 
investigative and remedial tools that Congress has given us to 
protect our citizens and businesses. We have leveraged our 
strengths by partnering with agencies all over the world and in 
the private sector. If we want to remain effective in 
protecting our citizens and businesses, however, our laws and 
resources must keep pace with the increasingly sophisticated 
tactics and growing numbers of our adversaries. Our adversaries 
are always adapting. So must we.
    In my written statement, I describe several legislative 
proposals and resource increases that will assist the 
Department in its efforts to counter this threat. These 
proposals include an amendment to the Computer Fraud and Abuse 
Act and several other proposals. We very much look forward to 
working with the Committee to address these issues. We also 
need additional resources at the Department to continue to 
disrupt botnets, including hiring new attorneys, as indicated 
in my statement.
    Thank you again for the opportunity to discuss our work in 
this area, and I look forward to answering any questions you 
might have.
    [The prepared statement of Ms. Caldwell appears as a 
submission for the record.]
    Chairman Whitehouse. Thank you, Assistant Attorney General 
Caldwell.
    And now, Mr. Demarest, Director Demarest.

 STATEMENT OF JOSEPH DEMAREST, JR., ASSISTANT DIRECTOR, CYBER 
   DIVISION, FEDERAL BUREAU OF INVESTIGATION, WASHINGTON, DC

    Mr. Demarest. Good afternoon, Chairman Whitehouse, Ranking 
Member Senator Graham, and Senator Coons. Thank you for holding 
this hearing, Chairman Whitehouse, and I look forward to 
discussing the progress the FBI has made on campaigns to 
disrupt and disable our significant botnets that you know that 
we target.
    Cyber criminal threats pose very real risks to the economic 
security and private sector of the United States and its 
citizens. The use of botnets is on the rise. Industry experts 
estimate that botnet attacks have resulted in the overall loss 
of millions of dollars from financial institutions and other 
major businesses. They also affect universities, hospitals, 
defense contractors, government, and even private citizens.
    The ``weapons'' of a cyber criminal are tools, like 
botnets, which are created with malicious software that is 
readily available for purchase on the Internet. Criminals 
distribute this malicious software, also known as ``malware,'' 
that can turn a computer into a bot. When this occurs, a 
computer can perform automated tasks over the Internet, without 
any direction from its rightful user. A network of these 
infected computers is called a ``botnet,'' as you pointed out. 
Botnets can be used for organized criminal activity, covert 
intelligence collection, or even attacks on critical 
infrastructure.
    The impact of this global cyber threat has been 
significant. According to industry estimates, botnets have 
caused over $9 billion in losses to U.S. victims and over $110 
billion in losses globally. Approximately 500 million computers 
are infected each year, translating into 18 victims per second.
    The FBI, with its law enforcement partners and private 
sector partners, to include the panel of distinguished 
presenters today from Microsoft, Symantec, and Farsight, has 
had success in taking down a number of large botnets. But our 
work is never done, and by combining the resources of 
Government and the private sector, and with the support of the 
public, we will continue to improve cybersecurity by 
identifying and catching those who threaten it.
    Due to the complicated nature of today's cyber threat, the 
FBI has developed a strategy to systematically identify cyber 
criminal enterprises and individuals involved in the 
development, distribution, facilitation, and support of complex 
criminal schemes impacting U.S. systems. The complete strategy 
involves a holistic look at the entire cyber underground 
ecosystem and all facilitators of a computer intrusion.
    The FBI has initiated an aggressive approach to disrupt and 
dismantle most significant botnets threatening the U.S. economy 
and our national security. The initiative, coined ``Operation 
Clean Slate,'' is spearheaded by the FBI, our National Cyber 
Investigative Joint Task Force, along with a host of USG 
partners to include DHS and the private sector. It is a 
comprehensive, public-private effort engineered to eliminate 
the most significant botnets jeopardizing U.S. interests by 
targeting the bot infrastructure and at the same time the 
coders or those who are responsible for creating them. This 
initiative incorporates all facets of the USG, as I mentioned, 
international partners, major ISPs, the U.S. financial sector, 
and other private sector stakeholders like the many 
cybersecurity services. Again, I would point out Dell Secure 
Works being one of the main, and we talked about Gameover Zeus.
    Operation Clean Slate has three objectives: to degrade or 
disrupt the actor's ability to exfiltrate sensitive information 
from victims; to increase the actor's cost of business; and to 
seed uncertainty in the actor's cyber activity by causing 
concern about potential or actual law enforcement action 
against them.
    Just a brief description about some of the successes of 
late. In December 2012, the FBI disrupted an international 
organized cybercrime ring related to Butterfly Botnet, which 
stole computer users' credit card, bank account, and other 
personally identifiable information. The Butterfly Botnet 
compromised more than 11 million computer systems and resulted 
in over $850 million in losses. The FBI, along with 
international law enforcement partners, executed numerous 
search warrants, conducted interviews, and arrested 10 
individuals from Bosnia and Herzegovina, Croatia, Macedonia, 
New Zealand, Peru, the United Kingdom, and the United States--
all of this not possible without DOJ, CCIPS in particular, and 
local U.S. Attorneys' Offices.
    In June 2013, again, the formal debut of Operation Clean 
Slate, the team, in coordination with Microsoft and financial 
service industry leaders, disrupted the Citadel Botnet that you 
pointed out, which had facilitated unauthorized access to 
computers of individuals and financial institutions to steal 
online banking credentials, credit card information, and other 
PII. Citadel was responsible for the loss of over a half 
billion dollars. Over 1,000 Citadel domains were seized, 
accounting for more than 11 million victim computers worldwide.
    Building on that success of the disruption of Citadel, in 
December 2013, the FBI and Europol, together with Microsoft 
and, again, the Operation Clean Slate team and other industry 
partners, disrupted the ZeroAccess botnet. ZeroAccess was 
responsible for infecting more than 2 million computers, 
specifically targeting search results on Google, Bing, and 
Yahoo search engines, and is estimated to have cost online 
advertisers $2.7 million each month.
    Again, in April 2014, the Operation Clean Slate team 
investigative efforts resulted in the indictments of nine 
alleged members of a wide-ranging racketeering enterprise and 
conspiracy that infected thousands of business computers with 
malicious software known as ``Zeus'' or ``Jabba Zeus,'' which 
is malware that captured passwords, account numbers, and other 
information necessary to log into online banking accounts. The 
conspirators allegedly used the information captured by Zeus to 
steal millions of dollars from account-holding victims' bank 
accounts.
    Later, in June 2014, yet another operation by the Clean 
Slate team announced a multinational effort to disrupt the 
Gameover Zeus botnet, the most sophisticated botnet that the 
FBI and its allies had ever attempted to disrupt. Gameover Zeus 
is believed to be responsible for the theft of millions of 
dollars from businesses and consumers in the U.S. and around 
the world. This effort to disrupt it involved impressive 
cooperation with the private sector--namely, Dell Secure 
Works--and international law enforcement. Gameover Zeus is an 
extremely sophisticated type of malware designed specifically 
to steal banking and other credentials from the computers it 
infects. In the case of Gameover Zeus, its primary purpose is 
to capture banking credentials from infected computers, then 
use those credentials to initiate or redirect wire transfers to 
accounts overseas that are controlled by the criminals. Losses 
attributable to Gameover Zeus are estimated to be more than 
$100 million.
    Much like the FBI's other investigative priorities and 
programs, our focus is impacting the leaders of the criminal 
enterprises and terrorist organizations we pursue. We are 
focusing the same effort on the major cyber actors behind the 
botnets. We remain focused on defending the United States 
against these threats, and we welcome the opportunity like the 
one today to discuss our efforts.
    We are grateful for the Committee's support, and yours in 
particular, Senator Whitehouse, and we look forward to working 
closely with you as we continue to forge aggressive campaigns 
against botnets.
    [The prepared statement of Mr. Demarest appears as a 
submission for the record.]
    Chairman Whitehouse. Thank you very much.
    Assistant Director Demarest, there have to be, what, 
hundreds of thousands, millions of botnets out there?
    Mr. Demarest. Yes.
    Chairman Whitehouse. One could say, ``So many botnets, so 
little time.'' So given that, what are your factors for 
prioritizing which ones to go after through the Clean Slate 
program or just generally?
    Mr. Demarest. So by Operation Clean Slate, it was to forge 
an alliance with the private sector and Government and then 
prioritize the most egregious botnets that are out there in the 
wild that we know about. So working with not only Government, 
DHS being principal, and friends in the intelligence community, 
but also I will say in the private sector, Microsoft being 
chief, and looking across, you know, the world, and those 
botnets that are seemingly causing the most damage, economic 
damage or other means or potentially physical damage, and 
prioritizing those and then developing a campaign about going 
after not only the infrastructure but the actors behind that 
botnet or those botnets.
    Chairman Whitehouse. Assistant Attorney General Caldwell, 
one of the--this pre-dates you, but I have had some concerns 
based on my time in the Department of Justice as a U.S. 
Attorney about the way in which the Department has responded to 
the botnet threat. I think you are doing a good job, but there 
is a cultural divide sometimes between the criminal prosecutors 
and the civil attorneys for the Government.
    These cases that take down the botnet tend to be civil 
cases in nature, so I have worried a bit about the extent to 
which it is instinctive on the part of criminal prosecutors to 
think that that is a lesser task and a lesser pursuit than what 
they are doing and whether that gets in the way of adequately 
pursuing the civil remedies that shut these botnets down.
    The second is that when the Coreflood takedown took place, 
it appeared to me that that was kind of an ad hoc group of very 
talented people who were brought together to address themselves 
to Coreflood and to succeed at taking it down; but once the 
operation was complete, they went back to their individual AUSA 
slots in offices around the country, and the effort was 
dispersed.
    I think that the botnet problem is a continuing one. I 
think as soon as you strip out, as Mr. Demarest said, some of 
the worst offenders, others pop up into the next most wanted 
botnet slot. And I am interested first in how you are making 
sure that this is prioritized, despite the civil nature of the 
legal proceeding that cures the botnet problem, that strips it 
out of the system, and what you have done to try to establish a 
permanent, lasting institutional presence for taking down 
botnets without having to reassemble teams each time a botnet 
rears its head as a target.
    Ms. Caldwell. Thank you, Senator. I think that the Gameover 
Zeus operation is the perfect example of how we see this going 
forward. Although I would not dispute that there are some 
criminal Assistant U.S. Attorneys who may think that the civil 
Assistant U.S. Attorneys have a less exciting job, we do not 
see it that way. The civil component, as you indicated, is a 
very critical part of this, but there are different ways to 
approach botnets. They are all different, as you indicated 
earlier.
    In Gameover Zeus, we used a combination of civil and 
criminal authorities, and I think that is--again, it is not one 
size fits all, but I think that is likely what we will continue 
to see in the future. As you know, the leading perpetrator of 
that particular botnet was actually indicted criminally, and 
the civil injunctions were obtained at the same time. It was 
very carefully coordinated. There was a lot of communication 
between the civil prosecutors who were handling the injunction 
paperwork and the criminal prosecutors who were--it was really 
all one team. So I think the civil tool is a very important 
tool, and we expect to continue to use it.
    There are some holes in that tool. Right now we are 
permitted to get a civil injunction against fraud and a civil 
injunction against wiretapping. But as you indicated in your 
opening remarks, botnets are not always engaged in fraud and 
wiretapping. They are engaged in other things, too. So one 
thing that we would like to see happen is an amendment to the 
statute to permit injunctions in other circumstances in which 
we see botnets operating.
    Then on the issue of the institutional knowledge, the 
Computer Crime and Intellectual Property Section is really the 
receptacle--that is a bad word, but where all that knowledge is 
based. The Computer Crime and Intellectual Property Section has 
a headquarters component. It has field components. It has a lot 
of institutional knowledge about botnets, so that if one 
prosecutor leaves, the knowledge is not going to leave. We 
coordinate regularly with the FBI, and there is a lot of 
coordination. There is a lot of coordination with the Computer 
Hacking Intellectual Property Network in the U.S. Attorneys' 
Offices. And there really is an institutional base of knowledge 
about botnets. So even----
    Chairman Whitehouse. In a nutshell, you feel right now that 
that task has been adequately institutionalized in the 
Department, that there will be continuity and persistence 
rather than ad hoc efforts?
    Ms. Caldwell. Yes, and I think that although they were not 
as prominent, there were at least a half-dozen other botnet 
takedowns in the last couple of years between Coreflood and 
Gameover Zeus. So there is definitely--it is definitely a 
priority, and there is definitely a focus, and there is a lot 
of knowledge among the CCIPS prosecutors and their counterparts 
at the FBI about these botnets. And they will keep coming, and 
we will keep attacking them.
    Chairman Whitehouse. I will yield to my Ranking Member, but 
my impression was that some of those were sort of sporadic and 
ad hoc takedowns that appeared in individual U.S. Attorneys' 
Offices and not necessarily consistent with a continuing, 
lasting, persistent presence stripping down one botnet after 
another. And I am glad that you have gotten to where you have 
gotten, so thank you.
    Senator Graham.
    Senator Graham. Are you the Eliot Ness of botnets?
    [Laughter.]
    Senator Graham. Do we have an Eliot Ness of botnets?
    Ms. Caldwell. I think he is the Eliot Ness of botnets.
    Senator Graham. Okay. Well, no matter what kind of behavior 
you are dealing with, you try to deter it, make people think, 
``If I do this, I am going to get caught, and if I get caught, 
bad things are going to happen.'' What do you think the 
deterrence is like right now, Mr. Demarest?
    Mr. Demarest. Well, I think it is significant now, and in 
years past, maybe not as much so, where they did travel and 
they felt they could take some actions with impunity. And we 
are finding today, based on some of the actions, enforcement 
actions that were successful, we are causing impact because we 
actually see that in other collections, them talking amongst 
each other, and concern about traveling now, which is a way of 
containing some of the threats that we see in individuals 
today.
    Senator Graham. What nation states do we need to worry 
about in terms of being involved in this activity?
    Mr. Demarest. I would say the Nation states of Eurasia, 
principally. We have seen a lot of the criminal actors coming 
from that area of the world.
    Senator Graham. Okay. Are they reliable partners, the 
governments?
    Mr. Demarest. We are opening dialogue, I will say on that 
front. I think you will find some of our Russian counterparts 
in law enforcement are a bit more agreeable, but, you know, as 
in any new relationship, I think especially in this space, we 
are working toward improving them.
    Senator Graham. If it is possible, maybe by the end of the 
year could you provide the Committee with a list of countries 
that you think have been good partners and the list of 
countries you think have been resistant.
    Mr. Demarest. Yes, easily done, based on our activities or 
working with the countries we do work with.
    Senator Graham. Well, once we identify them, maybe we can 
change their behavior. There are all kinds of ways of getting 
people's attention.
    Was this a problem 5 years ago? How long ago has this been 
a problem?
    Mr. Demarest. This has existed for years, and probably we 
are just now--you know, this is the tip of the iceberg. And I 
think as we get more sophisticated internally in the U.S. 
Government in seeing and being able to identify----
    Senator Graham. What made us aware of it today more than, 
say, 5 years ago? Just the consequences?
    Mr. Demarest. I think the consequences, I think victim 
reporting, I think major losses occurring to private industry.
    Senator Graham. Is there any end to this? How far can these 
people go?
    Mr. Demarest. They will keep on going. As you can see, each 
bot will evolve. We take actors off. Now they will change. We 
see a complete evolution. But, again, we are actually placing--
at least there is a price to pay for actually engaging in this 
activity now.
    Senator Graham. Are terrorist organizations involved in 
this?
    Mr. Demarest. We track them very closely. I would say there 
is an interest. But much further than that, Senator Graham, 
probably in a different setting we could give you a further 
briefing.
    Senator Graham. Ms. Caldwell, on the civil-criminal aspect 
of this, what are the couple things that you would like 
Congress to do to enhance your ability to protect our Nation? I 
am sure you have got this written down somewhere, but just for 
the average person out there listening to this hearing, what 
are the couple things you would like to see us do?
    Ms. Caldwell. Well, one is the one that I already 
mentioned, which is changing the civil injunction ability so 
that we will have the capability to enjoin botnets other than 
those that are engaged in fraud and wiretapping, because there 
are, for example, distributed denial-of-service attacks. Right 
now we cannot get an injunction against that. So we would like 
to be able to do that.
    Senator Graham. Do we need to increase penalties?
    Ms. Caldwell. That is an interesting question, Senator, and 
I think that we have been seeing increased penalties being 
imposed by courts. So----
    Senator Graham. I mean statutorily, Mr. Demarest, do we 
need to change any statutes to make this bite more?
    Mr. Demarest. I will defer to Ms. Caldwell, but--I will 
defer to you.
    Ms. Caldwell. Yes, I think that the maximum sentences under 
most of the statutes are adequate. I do not think we need any 
kind of mandatory minimums because we have been seeing judges 
imposing sentences around the 7-, 8-, and 9-year range, which 
is, I think, a very substantial sentence.
    There are a couple other things that we would like to see. 
Right now there is no law that explicitly covers the sale or 
transfer of a botnet that is already in existence, and we have 
seen evidence that a lot of folks sell botnets. They rent them 
out, and we would like to see a law that addresses that.
    One other thing which is a little bit off point but I think 
is still relevant to botnets, is that right now there is no law 
that prohibits the overseas sale of U.S. credit cards unless 
there has been some action taken in the United States or unless 
money is being transferred from overseas to the United States. 
So we see credit card--situations where people have millions of 
credit cards from U.S. financial institutions, but they never 
set foot in the United States. That is currently not covered by 
our existing law.
    Senator Graham. So you could steal my credit card 
information from overseas and basically be immune.
    Ms. Caldwell. Correct, unless you transferred proceeds of 
your scheme back to the United States.
    Senator Graham. Okay. One last question here. When they 
basically seize your computer, hijack your computer, the 
information contained therein, they actually hold--I mean, they 
make a ransom demand? How does that work?
    Ms. Caldwell. Under CryptoLocker what happened--and I am 
certainly not a technical expert, so jump in--you would be on 
your computer, and you would see something flash up on your 
screen that basically told you all your files were encrypted 
and would remain encrypted until you paid a ransom. And you had 
to pay the ransom within X hours, and if you did not pay, your 
files would all be deleted.
    Mr. Demarest. In a payment made through Bitcoin or 
whatever. Whatever the established venue is, they expected 
payment within a given amount of time, and if not, your box 
would be encrypted.
    Senator Graham. Do people pay?
    Mr. Demarest. They do.
    Senator Graham. What is the biggest payout you have seen?
    Mr. Demarest. Well, of all CryptoLocker and then Cryptowall 
now, and where there is a major concern, they have paid 
probably in excess of $10,000. But they are focused more now on 
major concerns, businesses, and entities as opposed to single 
victims.
    Senator Graham. Is that extortion under our law?
    Ms. Caldwell. Yes.
    Senator Graham. So you do not need to change that statute?
    Ms. Caldwell. No. The problem is, though, as with a lot of 
these cybercrimes, most of the people who are engaged in this 
activity are overseas.
    Senator Graham. Thank you.
    Chairman Whitehouse. Let me recognize Senator Coons, who 
has been very interested and dedicated to this topic and whose 
home State is very energized on this topic because the Delaware 
National Guard actually has a cyber wing that is very active, 
and they are one of the best cyber National Guard detachments 
in the country. I say ``one of the best'' because Rhode Island 
has one, too.
    Senator Coons.
    Senator Coons. Thank you very much. Thank you, Chairman 
Whitehouse, and thank you, Senator Graham. You have both been 
great and engaged and effective leaders on this issue.
    So to the point raised by the Chairman, given the 
persistency of this threat, given its trajectory, its scope, 
its scale, and the resources that you are having to deploy in 
order to take down these botnets and in order to break up the 
criminal gangs, is it acceptable, is it possible for us to deal 
with this threat with a Federal law enforcement response alone? 
Do we need a partnership from State and local law enforcement? 
I assume the answer is yes. And how are we doing at delivering 
an integrated capability, Federal, State, and local, first?
    Second, what kind of capabilities do businesses and 
individuals and the private sector and citizens have? And what 
are we doing to help scale up that? Because the resiliency of 
our country, our ability to respond to these threats, as we all 
know, much as it is with natural disasters or with terrorism 
threats, requires a sort of ``everybody engaged'' response that 
engages our private sector, engages entrepreneurs, and engages 
State and local as well as Federal law enforcement? So I would 
be interested in your answer to that question.
    Mr. Demarest. Sure. Thank you, Senator Coons. So on the 
State and local question, we have cyber task forces throughout 
each of our offices. There are 56 out there. Each office is 
engaging at the local level to bring State and local 
authorities aboard, whether investigator or net defenders from 
the organizations they represent. It is very difficult because 
of resources being somewhat constrained at the State and local 
level and fully understanding and appreciating what the threat 
is.
    Operation Wellspring is an effort we kicked off, and what 
that is, it is focused on Internet fraud, whether defrauding 
the elderly, it is real estate fraud, and working with State 
and local, having them either bring an officer or investigator 
aboard, or an analyst. We work closely with them to foster 
their skills or to develop their skill in this area working 
cybercrime. It has worked well in some of the initial offices 
in Salt Lake City, with the Utah Department of Public Safety, 
and down in Dallas with some of the local departments, the 
Dallas Police Department. We have got a long way to go in that 
space and for them to fully appreciate what the threats are 
today facing the public or the citizens they are responsible 
for.
    In the private sector, we have worked far and wide and 
somewhat limited in force. We have now focused on those 
priority sectors, if you will, that are most threatened. But we 
have found time and time again the most threatened and the most 
vulnerable are those small to medium-sized business owners 
where they may have one single person that is responsible for 
Internet security or cybersecurity, information assurance and 
the like. So it is not--it is how do we target that band and 
actually bring them aboard when we are still working through--
we actually had health care, representatives from the health 
care industry in our headquarters working through what that 
relationship would look like with health care, because we have 
focused on, as you can imagine, finance, energy, the IT, 
telecommunications and the like over the past 2 years, and now 
how do we broaden that effort out?
    Senator Coons. Implicitly, from your reference to health 
care, I share your concern that as we have transitioned to 
electronic medical records, we now have an online treasure 
trove of data for cyber criminals to go after?
    Ms. Caldwell.
    Ms. Caldwell. Yes, I think any online data base is 
vulnerable. Some obviously have more security protections than 
others. And as you indicated, Senator Coons, the health care 
data bases obviously have a lot of very sensitive personal 
information. So we have seen, I know, in some of the botnets 
that we have seen over the years, including, if I am not 
mistaken, Gameover Zeus, some of the victims were hospitals. So 
that is a very serious area of concern, which we are very 
concerned about.
    Senator Coons. Let me just ask one other question. As 
Senator Whitehouse referenced, both of our States are blessed 
to have network warfare squadrons of the National Guard. The 
Air National Guard in Delaware has stood up and grown and 
developed this National Guard capability which takes advantage 
of the fact that we have a fairly sophisticated financial 
services community. We have large data centers. We have a lot 
of credit card processing, and as a result, there is a lot of 
fairly capable and sophisticated online security and financial 
services security professionals who can then also serve in a 
law enforcement and national security, first responder context 
through the National Guard.
    What lessons do you think we could learn from that 
partnership, that collaboration in our two home States? And how 
could that lead us to a better scale-up of the needed Federal 
work force to respond to and deal with these law enforcement 
challenges?
    Mr. Demarest. There is a treasure trove of skill in the 
Guard and Reserve forces. We participated, actually hosted down 
at the FBI Academy the Cyber Guard exercise in 2014. We brought 
personnel in from around the field, at least 50 from our local 
cyber task forces that corresponded with the local Guard units 
that were in. Great capability there. Our Director, along with 
the Deputy Director, had a meeting with the combatant command, 
cyber command, OSD, and joint staff about how we better 
correlate or collaborate in this space.
    Tomorrow we actually have another meeting with the 
combatant commanders at my level to actually put this in place 
along with the Reserve and Guard units.
    As you know, Admiral Rogers held a meeting at NSA recently 
to talk through what that looks like in working with cyber 
command, the Guard forces, and Reserve forces, and what skills 
they bring, how that may assist the FBI in our operations, and 
also training opportunities that we can leverage with one 
another.
    Senator Coons. Terrific. Thank you for your testimony. I 
look forward to hearing more about the development of this 
partnership.
    I just want to thank you for your leadership in this area, 
Senator Whitehouse.
    Chairman Whitehouse. Well, I will let you two go. I am sure 
we could ask you questions all afternoon. This is such a 
fascinating and emerging area of criminal law enforcement. I 
appreciate very, very much the work that you do, and I want you 
to pass on to Attorney General Holder my congratulations for 
the dedication that he has brought to this pursuit, 
particularly as exemplified by the Gameover Zeus takedown and 
by the indictment of the Chinese PLA officials. Those were both 
very welcome steps, and I am looking forward to seeing more 
criminal prosecution of foreign cyber hackers. I think the 
opening gambit with the indictment of the Chinese PLA folks was 
really terrific. So congratulations to you both. Thank you for 
your good work, and we will release you and call the next panel 
forward.
    Chairman Whitehouse. All right. Thank you all so much for 
being here. This is a really terrific private sector panel on 
this issue, and I am grateful that you have all joined. I will 
make the formal introductions right now of everyone, and then 
we can just go right across with your statements.
    Our first witness is going to be Richard Boscovich, who is 
the assistant general counsel on Microsoft's Digital Crimes 
Unit, a position where he developed the legal strategies used 
in the takedowns and disruptions of several botnets, including 
the Citadel, Zeus, and Zeus Access botnets. He previously 
served for over 17 years at the Department of Justice as an 
Assistant U.S. Attorney in Florida's Southern District, where 
he directed the district's Computer Hacking and Intellectual 
Property Unit.
    We will next hear from Cheri McGuire, the vice president of 
global government affairs & cybersecurity policy at Symantec 
Corporation, which is one of our leading cybersecurity 
providers in this country. She is responsible for Symantec's 
global public policy agenda and government engagement strategy, 
including cybersecurity, data integrity, critical 
infrastructure protection, and privacy. Before she joined 
Symantec in 2010, she was director for critical infrastructure 
and cybersecurity in Microsoft's Trustworthy Computing Group, 
and before that she served in numerous positions at the 
Department of Homeland Security, including as Acting Director 
and Deputy Director of the National Cyber Security Division and 
the US-CERT.
    We will then hear from Dr. Paul Vixie, who is the chief 
executive officer of Farsight Security, which is a commercial 
Internet security company. He previously served as the chief 
technology officer for Abovenet, an Internet service provider, 
and as the founder and CEO of MAPS, the first anti-spam 
company, and as the operator of the ``F'' DNS root name server. 
Dr. Vixie is the author of several Internet standards related 
to DNS and was the maintainer of BIND, a popular open-source 
DNS software system, for 11 years. And he was recently inducted 
into the Internet Hall of Fame.
    Finally, we will hear from Craig Spiezle, who is the 
executive director, founder, and president of the Online Trust 
Alliance. The Online Trust Alliance encourages best practices 
to help protect consumer trust, and he works to protect the 
vitality and innovation of the Internet. Prior to founding the 
Online Trust Alliance, he worked at Microsoft, again--the 
fraternity--where he drove development of anti-spam, anti-
phishing, anti-malware, and privacy-enabling technologies. He 
is on the board of the Identity Theft Council and was appointed 
to the FCC's Communications Security, Reliability, and 
Interoperability Council. He is also a member of InfraGard, 
which is the partnership between the FBI and the private 
sector.
    So these are immensely knowledgeable and experienced 
witnesses, and let me begin with Richard Boscovich. We are so 
glad you are here. Thank you.

  STATEMENT OF RICHARD BOSCOVICH, ASSISTANT GENERAL COUNSEL, 
DIGITAL CRIMES UNIT, MICROSOFT CORPORATION, REDMOND, WASHINGTON

    Mr. Boscovich. Chairman Whitehouse, Ranking Member Graham, 
and Members of the Subcommittee, my name is Richard Domingues 
Boscovich, and I am an assistant general counsel in Microsoft's 
Digital Crimes Unit. Thank you for the opportunity to discuss 
Microsoft's approach to fighting and detecting botnets. We also 
thank you for your leadership in focusing attention to this 
complicated and important topic.
    Botnets are groups of computers remotely controlled by 
hackers without their owners' knowledge or consent, enabling 
criminals to steal information and identities, to disrupt the 
operation of computer networks, and to distribute malicious 
software and spam. I will describe for you how Microsoft, one, 
works with partners to fight botnets; two, raises costs for 
cyber criminals by disrupting their tools; and, three, 
carefully designs these operations to protect consumers.
    To understand the devastating impact of botnets, we can 
look at how they affected one victim. Consider Eunice Power, a 
chef in the United Kingdom, who turned on her laptop one day to 
find a warning that she could not access her files unless she 
paid a ransom to cyber criminals within 72 hours. When she 
failed to meet the deadline, all of her photos, financial 
account information, and other data were permanently deleted. 
All this was caused by a botnet. She later told a reporter, 
``[i]f someone had robbed my house it would have been easier.''
    Indeed, botnets conduct the digital equivalent of home 
invasions, but on a massive scale. Botnet operators quietly 
hijack webcams to spy on people in their own homes and later 
sell explicit photographs of the unsuspecting victims on the 
black market. They use malicious software to log every 
keystroke that users enter on their computers--including credit 
card numbers, Social Security numbers, work documents, and 
personal emails. They send deceptive messages designed to 
appear as though they were sent by banks that convince people 
to disclose their financial account information.
    Now, Microsoft has long partnered with other companies and 
global law enforcement agencies to battle malicious cyber 
criminals such as those who operate botnets. We do not and 
cannot fight botnets alone. As the title of this hearing 
suggests, fighting botnets requires efforts from both the 
private and the public sector. We routinely work with other 
companies and domestic and international law enforcement 
agencies to dismantle botnets that have caused billions of 
dollars in worldwide economic damage. I joined efforts to 
demonstrate that public-private partnerships are highly 
effective at combating cybercrime. In reality, problems as 
complex as botnets cannot be addressed without partnerships.
    Microsoft's philosophy to fighting botnets is simple: We 
aim for their wallets. Cyber criminals operate botnets to make 
money. We disrupt botnets by undermining cyber criminals' 
ability to profit from their malicious attacks.
    Microsoft draws on our deep technical and legal expertise 
to develop carefully planned and executed operations that 
disrupt botnets pursuant to court-approved procedures. In 
general terms, Microsoft asks a court for permission to sever 
the command-and-control structures of the most destructive 
botnets. This breaks the connection between the botnets and the 
infected computers to control. Traffic generated by infected 
computers is either disabled or routed to domains controlled by 
Microsoft where the IP addresses of the victims can be 
identified.
    Now, privacy is a fundamental value in Microsoft's anti-
botnet actions. When we execute an operation, we are required 
to work within the bounds of the court order. We never have 
access to email or other content of victim communications from 
infected computers. Instead, Microsoft receives the IP address 
used by the infected computers to identify the victims. We give 
domestic IP addresses to Internet service providers in the 
United States so they can alert their customers directly. We 
give the rest to the Computer Emergency Response Teams, 
commonly referred to as ``CERTS,'' in countries where those 
victims are located. The owners are then notified of the 
infections and offered assistance in cleaning their computers.
    In summary, through the course of anti-botnet operations, 
Microsoft has worked with partners to protect millions of 
people and their computers against malicious cyber criminals. 
This has led to the disruption and shutdown of some of the most 
menacing threats to public trust and security on the Internet. 
Cyber criminals continue to evolve their tactics. They keep 
developing more sophisticated tools to profit from the online 
chaos that they themselves create. We remain firmly committed 
to working with other companies and law enforcement to disrupt 
botnets and make the Internet a more trusted and secure 
environment for everyone.
    Thank you for your time, Senator, and I am happy to answer 
any questions you may have.
    [The prepared statement of Mr. Boscovich appears as a 
submission for the record.]
    Chairman Whitehouse. Ms. McGuire.

     STATEMENT OF CHERI F. McGUIRE, VICE PRESIDENT, GLOBAL 
     GOVERNMENT AFFAIRS AND CYBERSECURITY POLICY, SYMANTEC 
             CORPORATION, MOUNTAIN VIEW, CALIFORNIA

    Ms. McGuire. Chairman Whitehouse, thank you for the 
opportunity to testify today. I am especially pleased to be 
here with you again to focus attention on botnets and 
cybercrime and how industry and Government are working together 
to address these serious issues.
    As the largest security software company in the world, 
Symantec protects much of the world's information, but botnets 
today are the foundation of the cyber criminal ecosystem. And 
as was discussed earlier, the uses for malicious botnets are 
only limited by the imagination of the criminal botmasters. 
These can range, as you mentioned, from distributed denial-of-
service attacks to Bitcoin mining to distribution of malware 
and spam. Botmasters also rent out their botnets as well as use 
them for stealing passwords, credit card data, intellectual 
property, or other confidential information, which is then sold 
to other criminals.
    Until now, virtually all botnets have been networks of 
infected laptop and desktop computers. However, in the past few 
years we have seen botnets made up of mobile devices, and we 
fully expect that the coming ``Internet of Things'' will bring 
with it a future of ``thingbots,'' ranging from appliances to 
home routers to video recorders--and who knows what else.
    Taking down a botnet is technically complex and requires a 
high level of expertise. But despite these obstacles, law 
enforcement and the private sector working together have made 
significant progress in the past several years.
    Symantec's work to bring down the ZeroAccess botnet, one of 
the largest botnets in history at 1.9 million infected devices, 
is a good example of how coordination can yield results. 
ZeroAccess was designed for click fraud and Bitcoin mining, 
with an estimated economic impact of tens of millions of 
dollars lost per year. And the electricity alone to run that 
botnet cost as much as $560,000 per day.
    One year ago today, Symantec began to sinkhole ZeroAccess 
infections, which quickly resulted in the detachment of more 
than half a million bots. This meant that these bots could no 
longer receive any commands and were effectively unavailable to 
the botmaster for updating or installing new revenue generation 
malware.
    Another significant win came last month with the major 
operation against the financial fraud botnet Gameover Zeus, as 
several witnesses have testified to. As part of this effort, 
Symantec worked in a broader coalition to provide technical 
insights into the operation and impacts of this botnet. As a 
result, authorities were able to seize a large portion of the 
criminals' infrastructure.
    In our view, the approach used in the Gameover Zeus 
operation was the most successful to date and should serve as a 
model for the future. A group of more than 30 international 
organizations from law enforcement, the security industry, 
academia, researchers, and ISPs all cooperated to collectively 
disrupt this botnet. This successful model of public and 
private cooperation should be repeated in the future.
    While ZeroAccess and Gameover Zeus were successes for law 
enforcement and industry, there are undoubtedly more criminal 
rings operating today. Unfortunately, there are just not enough 
resources. As you said, so many botnets, so little time. As 
criminals migrate online, law enforcement needs more skilled 
personnel dedicated to fighting cybercrime.
    At Symantec, we take numerous steps to assist victims of 
botnets and cybercrime and to aid law enforcement around the 
world. In the interest of time, I will mention only 
victimvoice.org, a new online assistance program that we 
unveiled in April with the National White Collar Crime Center. 
This site helps cybercrime victims file complaints and 
understand the investigation process. And in particular, I 
would like to thank you again, Senator Whitehouse, for your 
support and participation in that launch. It has already helped 
many victims of cybercrime.
    To combat botnets and cybercrime, cooperation is key. In 
the private sector, we need to know that we can work with 
Government and industry partners to disrupt botnets without 
undue legal barriers. To be clear, I am not talking about a 
blank check. But consistent with privacy protections and legal 
parameters, we need to be able to share cyber threat 
information and coordinate our efforts quickly.
    Information-sharing legislation will go a long way to do 
this. But it also must address the considerable privacy 
concerns and must include a civilian agency lead and data 
minimization requirements for both the Government and industry.
    Last, the laws governing cybercrime should be modernized. 
In the U.S., we need to amend laws such as the Electronic 
Communications Privacy Act, the CFAA, and others that were 
written before our modern Internet and e-commerce were 
envisioned.
    In addition, Mutual Legal Assistance Treaties and their 
process that allows governments to cooperate take far too long 
to address the real-time nature of international cybercrime and 
should be streamlined.
    As this Subcommittee knows so well, we still face 
significant challenges in our efforts to take down botnets and 
dismantle cybercrime networks. But while there remains much 
work to be done, we have made progress.
    At Symantec, we are committed to improving online security 
across the globe, and we will continue to work collaboratively 
with our customers, industry, and governments on ways to do so.
    Thank you again for the opportunity to testify today, and I 
will be happy to answer any questions you may have.
    [The prepared statement of Ms. McGuire appears as a 
submission for the record.]
    Chairman Whitehouse. Thank you, Ms. McGuire, and thank you 
for Symantec's leadership in this area.
    I am going to briefly recess the hearing and then return. 
We have a vote on the Senate floor that started 15 minutes ago, 
and I have 15 minutes to get there and vote, so I have zero 
time. But with any luck, that means I can get over there, vote, 
vote on the next vote, and then come right back. And then we 
will be able to proceed in uninterrupted fashion. So please 
just relax in place. It probably is going to be 5 to 10 
minutes, and we will resume. Thank you.
    [Whereupon, at 3:28 p.m., the Subcommittee was recessed.]
    [Whereupon, at 3:45 p.m., the Subcommittee reconvened.]
    Chairman Whitehouse. All right. The hearing will come back 
to order. I appreciate everybody's courtesy while I got those 
two votes done.
    And now, Dr. Vixie, we welcome your testimony. We welcome 
you here. Please proceed.

   STATEMENT OF PAUL VIXIE, Ph.D., CHIEF EXECUTIVE OFFICER, 
            FARSIGHT SECURITY, SAN MATEO, CALIFORNIA

    Mr. Vixie. Thank you, Mr. Chairman. Thank you for inviting 
me to testify on the subject of botnets. I am speaking today in 
my personal capacity based on a long history of building and 
securing Internet infrastructure, including domain name system 
infrastructure. I am also here at the behest of the Messaging, 
Malware and Mobile Anti-Abuse Working Group (M3AAWG), a 
nonprofit Internet security association whose international 
membership is actively working to improve the Internet security 
condition worldwide.
    Let me start by reviewing some successful botnet takedowns 
in recent years, since they may prove instructive. They are 
successes, after all.
    In 2008 the Conficker worm was discovered, and by mid-2009 
there were over 10 million infected computers participating in 
this botnet. That was the largest to that time. I had a hands-
on-keyboard role in operating the data collection and 
measurement infrastructure for the takedown team, in which 
competing commercial security companies and Internet service 
providers--most of which were members of M3AAWG--cooperated 
with each other and with the academic research and law 
enforcement communities to mitigate this global threat.
    Then in 2011, the U.S. Department of Justice led 
``Operation Ghost Click'' in which a criminal gang 
headquartered in Estonia was arrested and charged with wire 
fraud, computer intrusion, and conspiracy. The DNS Changer 
botnet included at that time at least 600,000 infected 
computers, and the mitigation task was made complicated by the 
need to keep all of these victims online while shutting off the 
criminal infrastructure the victims depended on. My employer 
was the court-appointed receiver for the criminal's Internet 
connectivity and resources, and I personally prepared, 
installed, and operated the replacement DNS servers necessary 
for that takedown.
    In each of these examples we see an ad hoc public-private 
partnership in which trust was established and sensitive 
information, including strategic planning, was shared without 
any contractual framework. These takedowns were so-called 
handshake deals where personal credibility, not corporate or 
government heft, was the glue that held it together and made it 
work. And in each case the trust relationships we had formed as 
members of M3AAWG were key enablers for rapid and coherent 
reaction.
    Each of these takedowns is also an example of modern 
multilateralism in which intent, competence, and merit were the 
guiding lights. The importance of multilateralism cannot be 
overemphasized. We have found that when a single company or a 
single agency or nation goes it alone in a takedown action, the 
result has usually been catastrophe, because the Internet is 
richly interdependent and many of the rules governing its 
operation are unwritten.
    Now, the ad hoc nature of these public-private partnerships 
may seem like cause for concern, but I hope you will consider 
the following:
    First, this is how the Internet was built and how the 
Internet works.
    Second, this is how criminals work with other criminals. We 
would not get far by trying to solve these fast-evolving global 
problems with top-down control or through Government directives 
and rules.
    Let me explain what makes botnets possible. As you yourself 
pointed out in your opening remarks, a botnet is literally a 
network of robots, where by ``robot'' we mean a computer that 
has been captured and made to run software neither provided by 
the computer's maker nor authorized or installed by its owner. 
Every Internet-connected device has some very complex software 
including an operating system, installed applications, and so 
forth. The only hard and fast requirement for any of this 
software is interoperability, meaning it merely has to work.
    Now, the cost of the Internet's spectacular growth is that 
much of the software we run was not adequately tested. The 
challenge for the Internet is that today there is perhaps more 
assurance that a UL-listed toaster oven will not burn down our 
house than there is that some of our vastly more expensive and 
powerful Internet-connected devices are insulated from becoming 
a tool of online criminals. These are consumer devices in a 
competitive and fast-moving market, so time to market is often 
the difference between success and bankruptcy.
    This is a very brief overview, and I would like to leave 
you with the following thoughts:
    Number one, the Internet is the greatest invention in 
recorded history, in my opinion, in terms of its positive 
impact on human health, education, freedom, and on every 
national economy.
    Number two, the Internet is also the greatest invention in 
recorded history in terms of its negative impact on human 
privacy and freedom, as evidenced by the massive and continuing 
intrusions that have been described here today.
    Number three, our democratic commitment to the rule of law 
has very little traction on the Internet compared to how it 
works in the real world. The Internet is borderless, and yet it 
carries more of the world's commerce every year.
    Number four, takedown of criminal infrastructure, including 
botnets, must be approached not just as reactions after the 
fact but also as prevention by attacking underlying causes.
    Number five, the U.S. Department of Justice is the envy of 
the world in its approach to takedown and its awareness of the 
technical and social subtleties involved, and I want to give a 
special nod to NCFTA, a public-private partnership with strong 
FBI ties, located in Pittsburgh.
    Number six, and finally, no legislative or regulatory 
relief is sought in these remarks. The manner in which 
Government and industry have coordinated and cooperated on 
botnet takedown efforts has underscored the effectiveness of 
public-private partnerships as currently practiced in this 
field.
    Mr. Chairman, this concludes my oral statement. Thank you 
for this opportunity to speak before you, and I would be happy 
to answer your questions.
    [The prepared statement of Mr. Vixie appears as a 
submission for the record.]
    Chairman Whitehouse. Thank you very much.
    Finally, Mr. Spiezle. But before I let you begin your 
statement, my apologies for the mispronunciation earlier. And 
let me also say that, without objection, everybody's complete 
statements will be made a part of the record, and I appreciate 
the abbreviated version that allows the testimony to proceed 
expeditiously at the hearing.

STATEMENT OF CRAIG D. SPIEZLE, EXECUTIVE DIRECTOR AND FOUNDER, 
          ONLINE TRUST ALLIANCE, BELLEVUE, WASHINGTON

    Mr. Spiezle. Thank you very much. Chairman Whitehouse, 
Ranking Member Graham, and Members of the Committee, thank you 
for the opportunity to testify before you today. I also would 
like to thank you for your leadership in focusing attention to 
this important topic which is impacting users and businesses 
throughout this country.
    My name is Craig Spiezle, and I am the executive director 
and president of the Online Trust Alliance. OTA is a global 
nonprofit, with the mission to enhance online trust and empower 
users, while promoting innovation and the vitality of the 
Internet.
    Botnets pose a significant risk to businesses and 
governments, and one of my specific concerns is the impact to 
small and medium businesses that are often defenseless. 
Increasingly bots are deploying loggers, malvertising, and 
ransomware driving identity theft and bank account take-overs 
and holding users and their data hostage.
    It is important to recognize that fighting bots is not a 
domestic issue. Criminals are leveraging the jurisdictional 
limitations of law enforcement and often operate with impunity. 
Left unabated, they are a significant threat to our Nation's 
critical infrastructure and to our economy.
    In my brief testimony, I will touch on five key areas: 
status of industry efforts, a holistic anti-bot strategy, the 
role and issues of takedowns, the role of data sharing, and the 
importance of privacy safeguards.
    I should note efforts to combat botnets have been embraced 
by a range of public and private efforts. An example is the 
FCC's Communications Security, Reliability and Interoperability 
Council (CSRIC), which last year developed a voluntary Anti-
Botnet Code of Conduct for ISPs. This is a first step and 
example of the industry's ability to self-regulate.
    In parallel, the OTA has facilitated several multi-
stakeholder efforts, bringing in leaders throughout the world. 
We have published specific remediation and notification best 
practices and anti-bot guidelines for hosters and cloud service 
providers. The initial adoption of these practices is now 
paying dividends helping to protect users' data and their 
privacy.
    Fighting botnets requires a global strategy. As outlined 
here in Exhibit A, OTA advocates a six-pronged (1) framework, 
(2) prevention, (3) detection, (4) notification, (5) 
remediation, and (6) recovery. Within each one of these, we 
have outlined a partial list of tactics, which underscores the 
increased need for collaboration, research, and data sharing 
between both the public and private sectors.
    In the bottom of this slide, it points out the role of 
consumers and education. We need to help them update their 
device and look to how we can help educate them on the risks of 
botnets.
    As outlined, law enforcement is an important part here as 
well, and it serves three major functions: disrupting cyber 
criminals, gathering intelligence, and bringing criminals to 
justice.
    But law enforcement cannot act on this alone. A trusted 
partnership is required, and progress has been made with 
industry leaders, including Microsoft, Symantec, and others.
    But takedowns need to be taken with respect to three major 
considerations: one, the risk of collateral damage; two, the 
errors in identifying targets for mitigation; and, three, the 
importance of respecting users' privacy. For example, when 
taking down a web hoster because they have a handful of bad 
customers, there is a risk of collateral damage. At the same 
time, service providers cannot hide behind bad actors, and they 
must take steps to prevent the harboring of such criminals.
    It is also important to note that all anti-abuse and 
security tactics all run similar risks. The anti-spam community 
often blocks legitimate senders. Web browsers can misidentify 
phishing sites and AV solutions can mistakenly block downloads. 
Recognizing these possibilities, risk assessment procedures 
must be pre-established with processes in place to remediate 
any unintended impact.
    Data sharing has the promise of being one of the most 
impactful tools in our arsenal, yet it must be reciprocal. 
Collaboration is required in all sectors, including retail, 
financial services, and advertising. In this void, criminals 
move from one industry to another, sending malicious spam one 
day and perpetrating click fraud and malvertising the next.
    The privacy landscape is also rapidly evolving, creating 
perceived obstacles to data sharing. Privacy needs to be at the 
foundation of all fraud prevention and data-sharing practices. 
I believe these can be easily addressed. When data is used and 
collected for threat detection, entities should be afforded a 
``safe harbor.'' Conversely, industry needs assurances that law 
enforcement will not use any data for any other purposes.
    As Exhibit A outlines, every stakeholder has a 
responsibility. Progress has been made, but a renewed 
commitment needs to be required by all stakeholders. As the 
Internet of Things, mobile, the smart grid, and wearable 
technologies become prevalent, we need to look beyond the 
desktop.
    In summary, it is important to recognize that there is no 
absolute defense. Both the public and private sectors need to 
increase investments in data sharing and adopt privacy-
enhancing practices while finding new approaches to work with 
law enforcement and expand international cooperation. Working 
together we can make the Internet more trustworthy, secure, and 
resilient.
    Thank you, and I look forward to your questions.
    [The prepared statement of Mr. Spiezle appears as a 
submission for the record.]
    Chairman Whitehouse. Thank you very much, Mr. Spiezle, and 
thank you all.
    Let me start with a question that I will ask each of you 
for the record, which means if you could provide a written 
response, and that is that, as you have heard, Senator Graham 
and I are working on legislation in this area. As you heard 
from the first panel, the Department of Justice and the Federal 
Bureau of Investigation have a number of suggestions. I would 
like to ask you to provide your comments, if any, to the 
suggestions that have been made so far and add any suggestions 
that you may have of your own for this legislation so that we 
can build a good legislative record to support our proposal 
going forward.
    [The information referred to appears as a submission for 
the record.]
    Chairman Whitehouse. I am also interested in your thoughts. 
As a lay person, it strikes me that botnets are becoming more 
dangerous, that their capabilities are growing. My first 
exposure to botnets was when they were spam propagators, and 
then they became distributed denial-of-service vectors to swamp 
individual websites. But now they seem--so many additional 
capabilities have been listed in this hearing, right up to and 
including having people spy on you through your webcam on your 
computer while you are going about your business and tracking 
your keystrokes individually so that they can know your 
passwords and have access to your accounts.
    Is my lay reading that botnets are becoming more dangerous 
or the criminals behind them are learning more dangerous 
capabilities a correct one? And what do you think the rate is 
of that change, if I am correct? Let me start with Mr. 
Boscovich.
    Mr. Boscovich. Yes, Senator, I think the observation is 
correct. I think that we are seeing an ever-changing 
sophistication on the part of cyber criminals.
    I would like to point out one particular case which really 
demonstrates how creative cyber criminals are, and in this 
particular case, which was the Bamital case, if my memory 
serves me correctly, one of our industry partners was Symantec 
on that case. It was a case in which the botherders had actually 
developed code which actually took a step backward. And one of 
the reasons why they did that is because technical 
countermeasures that had been put in place by Bing, Google, and 
other companies to detect click fraud relied upon a certain 
type of algorithm. The criminals understood that, and they had 
to reintroduce a human element into their code. In essence, 
what they did is that they have changed their code, and they 
took one step back to take two steps forward in such a way that 
now the user would actually be using his mouse or her mouse, 
and while he or she thought he was actually clicking or looking 
for something, the reality was that they were, in fact, 
clicking on ads that the user was not even seeing, was 
appearing behind the screen that they were looking at, 
introducing a certain variation that was consistent with human 
behavior.
    So the observation that criminals are, in fact, always 
learning, always changing, is an accurate one, and I think this 
example really underscores how sophisticated these cyber 
criminals are.
    Chairman Whitehouse. And in both dimensions. I mean, in 
terms of if you view a botnet as an infrastructure for criminal 
activity, it is one that has to be maintained and groomed, and 
they are getting more sophisticated at that. They are also 
getting more sophisticated at the type of criminal payload, if 
you will, that they deliver through that botnet as well. Is 
that correct, Ms. McGuire?
    Ms. McGuire. That is correct. I think your summary is quite 
accurate, that these have begun to progress and become much 
more sophisticated over the last 5 years. For example, the type 
of technology or infrastructure that they are using now, moving 
from central command and control, simple command and control 
servers to peer-to-peer networks, which are much more difficult 
to take down because of their complexity, is the type of 
morphing that we are seeing by the cyber criminals to use all 
avenues at their availability.
    Chairman Whitehouse. Dr. Vixie, you mentioned that in the 
face of this threat, prevention was something that we should be 
looking at, and you used the phrase in your testimony 
``underlying causes,'' that we should be prepared to address 
the underlying causes that allow this to occur even before the 
harm of a particular botnet is made manifest.
    What did you mean by ``underlying causes''? And what would 
you recommend, if anything, that we do to get ahead of this 
more by going after those underlying causes, as you have 
defined them?
    Mr. Vixie. I think that the reason that botnets have gotten 
stronger is because our computers have gotten stronger, better 
CPUs, more memory, more storage, et cetera. Our network has 
also gotten stronger, so it is possible to get a lot more work 
done with each computer you steal now compared to 5 years ago 
or 5 years before that.
    If we wanted to start kicking the dependencies under 
botnets, we would need to somehow address the lack of testing. 
I mentioned in my written remarks that this last week there was 
an Internet of Things, I think it was a wireless light bulb 
that has a terrible security flaw in it, and I understand how 
that can happen. I have tried to get things--software products 
out the door myself, and it is difficult to say let us hold it 
back for another couple of weeks while we try to attack it 
every which way. Really what you want to do is get it out there 
and put it in customers' hands and so forth.
    That is not going to work. We have got to find a way to 
test this software the way the bad guys do. We have to do the 
so-called Red Team test where you try to break in, and if you 
can, you get some sort of internal prize. We have got to find a 
way to encourage that.
    Chairman Whitehouse. So when electricity was the new 
technology and people were trying to get stuff out the door 
that caught fire if you left it on too long, as you pointed 
out, with respect to the toaster, Underwriters Laboratories was 
established to make sure that appliances met basic standards, 
and as a result, toaster fires and things like that have not 
been a very prominent concern for Americans for quite some 
time.
    Do you think that an equivalent to an Underwriters 
Laboratories is possible on the Internet? And how would you see 
it as being overseen?
    Mr. Vixie. I do not think a direct equivalent is possible. 
When you are doing this kind of testing, you are looking for 
combinations and permutations of sort of how you set the knobs, 
what you put in the toaster, other conditions. And, you know, 
every one of those conditions is a state variable, and the 
problem is that my laptop has more complexity of that kind than 
all the computers on the planet had 30 years ago. And so coming 
up with a direct analog of the way UL tests our electric 
devices I think is misleading. I think standards in software 
development, standards in testing, possibly getting away from 
some of the older programming languages that almost encourage 
the type of defects that we see in our monthly updates are 
going to be better approaches. But I do want to say----
    Chairman Whitehouse. How would those approaches be 
administered?
    Mr. Vixie. Excuse me?
    Chairman Whitehouse. How would those proposals be best 
administered? Through the Government? Through the Internet 
governance system? Through a rating that you can advertise you 
have on your product if you have been through it voluntarily?
    Mr. Vixie. In that sense, the Underwriters Laboratories 
system is perfect because it is voluntary. If you want to sell 
a device that is not listed, then that is up to you. And if 
people would not buy as many--if fewer people want to buy it 
because it does not have that stamp, that is up to them. So I 
think there is room for someone to step into that role, but it 
is not a Government role.
    Chairman Whitehouse. Got you. And, Mr. Spiezle, you said 
that you felt that there were steps that consumers, 
individuals, could take to better acquaint themselves with this 
threat and to better protect themselves from this threat. What 
would your recommendations be? This seems like such a giant and 
complex and very high tech type of crime, and if you are an 
innocent user of your own computer going about your own 
business and doing what you are good at, which may not be 
anything to do with computers, how can you--what sensible steps 
should people be thinking about who are not computer whizzes to 
defend themselves and their computers?
    Mr. Spiezle. Let me clarify. My point is that we all have a 
shared responsibility, not unlike driving a car. We have a 
responsibility of driving safely. We need to make sure our car 
is maintained and we have new tires on it. That was the point 
there.
    I think realistically, though, education has a limited 
effect here. These attacks are--social engineering exploits are 
very hard to identify. They are drive-by, so just by their very 
nature of going to a trusted website that someone types in a 
URL, there can be malicious ads served on them. So it is a 
shared responsibility, but I do not put the faith that 
education is going to be the solution, but it should be one 
part.
    I do want to address one point in your original question 
about the sophistication. Clearly, in the technical aspect, 
botmasters are more and more sophisticated. They are leveraging 
big data, data mining capability and analytics. So that adds to 
the profitability. Their ability to use that data, append data 
from other sources, and then trade in the underground economy 
makes it very profitable. They have become very nimble, become 
good marketers in a sense, and they are learning from business. 
So those are some of the challenges we must address.
    Chairman Whitehouse. Two final questions. The first is that 
many of the perpetrators in this area are foreigners, and we 
are obviously going to work with the Department of Justice and 
the Federal Bureau of Investigation to make sure that they have 
the capabilities that they need to be as strong as they can be 
in terms of pursuing foreign criminals. But none of you are 
involved as law enforcement officials. You are involved 
representing private companies and organizations, and in that 
sense, when you bring a civil action to close down a botnet, 
you may have civil remedies against individuals overseas that 
are different than what a prosecutor would be looking at.
    Are there recommendations that you would have as to how we 
could strengthen overseas enforcement against the individuals 
and organizations that are running the botnets that would 
supplement just the technical capability to take down the 
botnets? Let me start with you, Mr. Boscovich.
    Mr. Boscovich. Well, Senator, I think that obviously as a 
private company, as you mentioned, our main sphere of influence 
is only using the civil process, and even in the civil process, 
once we get default judgments, there actually is a procedure in 
which we could seek to, for example, localize a U.S. judgment 
overseas. But it is a complex and lengthy process.
    In all of the actions that we take with our partners, we 
then go ahead and always refer the cases and the evidence that 
is the basis of the information that we arrive at through the 
civil process to law enforcement. The process that law 
enforcement uses, of course, has been around for quite some 
time, and I believe some of the representatives of DOJ and the 
FBI were here earlier today, and they made references to the 
MLAT process and things of that sort. And these are procedures 
that have been around for a very long time. And in terms of how 
quickly these things could turn around, there has always been a 
question. I could only talk about my experiences when I was at 
Justice, that it does take time to turn this information 
request around.
    But from the civil perspective, I think----
    Chairman Whitehouse. Particularly if the coordinating 
country is of two minds as to how much they want to take down 
this industry.
    Mr. Boscovich. Well, that is why the partnership, the 
private and public partnership is important, because what we 
try to focus on, of course, is the immediate cessation of the 
harm to people on the Internet. And to sever that 
communication, to stop the harm, and then notify the victims 
and then try to do something to remediate and clean their 
computers, working through ISPs and country CERTs, that is the 
job that we believe we can do, and do very well, with industry 
partners and with the Government as well.
    In terms of the criminal side, I would have to defer to, 
you know, my former colleagues at the Justice Department.
    Chairman Whitehouse. No, I was thinking more of the civil 
side and pursuing personal liability and accountability of 
foreigners who have done harm to your companies.
    Ms. McGuire, any thoughts on that?
    Ms. McGuire. Just this week we have seen reports, for 
example, that Gameover Zeus, that modifications to that 
particular malware are already being used by a new criminal 
gang or perhaps the original perpetrator, who fled to Eastern 
Europe, to launch new criminal activity. This is the kind of 
thing where, if we had a faster, speedier MLAT process, we 
could potentially address these kinds of issues at the speed of 
the Internet as opposed to what I have been told by law 
enforcement partners can take anywhere from 6 months to never.
    And so those are the kinds of enhancements, modernizations 
to these international treaties that we really need in order to 
go after----
    Chairman Whitehouse. Again, you are comfortable relying on 
the law enforcement process for that and at this point do not 
have any interest in pursuing civil liability on the part of 
your private sector companies against foreign individuals to--
as a deterrent or to recover for the damages that they have 
caused you?
    Ms. McGuire. Most of our activity is on the sharing of 
information and notification to both our international law 
enforcement and CERT partners so that they can then take the 
action that they need within their jurisdictions.
    Chairman Whitehouse. And what have each of you seen in 
terms of the coordination that has been your experience between 
the private sector and between law enforcement? It has emerged, 
and it seems to me from what I hear to be in a pretty good 
place right now. There are a number of mechanisms through which 
the FBI in particular but other Federal law enforcement 
agencies cooperate with the private sector and exchange 
information and deconflict activities. I think there has been a 
lot of improvement there, but I would like to hear from each of 
you how close you think we are to what we should be doing and 
whether there is any specific recommendations you have. Let me 
start from this side, Mr. Spiezle.
    Mr. Spiezle. Thank you. I think we have had great success, 
but I think there is a whole other layer of information sharing 
that we are not getting today, and we need to bring other data 
sources together. So more data sharing between the financial 
services, and certainly we are seeing progress with the FS-
ISAC. We are seeing more breaches experienced in the retail 
sector. We get data from them. And the reason this is important 
is it is connecting the dots. And so it is not always just from 
the ISPs and other sectors. So we need to get that. We need to 
open the dialogue, but also to remove the burden of whether it 
is antitrust, the concerns of privacy, or the concerns of 
regulatory authorities coming after them. So how do we open up 
that dialogue even domestically so we can get a higher level of 
granularity and telemetry from other data sources?
    Chairman Whitehouse. Dr. Vixie.
    Mr. Vixie. So I mentioned in my remarks that the Internet 
is borderless, and you mentioned in this question that the 
criminals are borderless, and I think that firmly points to the 
fact that our solutions have to be borderless. So I will say 
again NCFTA in Pittsburgh has a huge international outreach 
program. I go and do some training there of the international 
law enforcement community every summer. But they do it year-
round, and it is a huge thing, because a lot of the other 
countries where the cybercrime is originating right now do not 
have the capability to train their people locally. They do not 
necessarily have the budget for the tools that are needed and 
so forth. So I think I really want to encourage more outreach 
of that kind, possibly not just by NCFTA but by other U.S. 
agencies who are leading in the world.
    I do not have an answer for civil lawsuits. I know that it 
can be used if you are trying to get at somebody and you do not 
know who they are. You can often get a court order using a John 
Doe. But it is messy, and it has not really produced consistent 
results.
    Chairman Whitehouse. Ms. McGuire.
    Ms. McGuire. I would also echo that the NCFTA is a terrific 
organization, particularly on the international front, as well 
as working with industry and between law enforcement partners 
and Government agencies. But in particular to your question on 
information sharing and has it gotten better with the FBI and 
the Department of Justice, we have seen significant 
improvements, frankly, over the last 2 years in our ability to 
work with them, their responsiveness to the information that we 
are sharing with them about indicators of compromise, about 
just the process that they are using. And as I think I 
mentioned earlier, Gameover Zeus we think is the best example 
so far where they reached out to more than 30 international 
organizations, including industry, governments, researchers, 
ISPs, brought all of them together so that collectively we 
could be ready and work the takedown once the injunctions and 
the appropriate actions were taken.
    So that is, I think, the model----
    Chairman Whitehouse. The borderless response, to Dr. 
Vixie's point.
    Ms. McGuire. Yes, borderless response, exactly. And I think 
that is the model we need to work toward in the future, and we 
have one now as a proof point for the future.
    Chairman Whitehouse. Mr. Boscovich, last thoughts.
    Mr. Boscovich. I think deconfliction is one of the key 
components of a successful private-public partnership, and in 
cases such as Citadel, Gameover Zeus, and more recently the 
Shylock-Capshaw operation recently that went down in Europe is 
a perfect example of public-private partnerships, civil process 
complementing criminal process, all while stopping the harm 
immediately, working to help the victims, yet at the same time 
allowing the criminal side to do what they do best, the 
deterrent effect, going out and arresting individuals. And I 
think that we have come a long way in getting at that sweet 
spot where we now have an appropriate mechanism by which we 
share information, where we deconflict with law enforcement, 
both domestically and internationally, to achieve the greatest 
impact possible in these takedowns.
    Chairman Whitehouse. Thank you very much.
    A final good word to Microsoft, just lawyer to lawyer. You 
were among the earliest companies--probably all three of you 
were involved over the years; a lot of people were connected to 
Microsoft here--in the first civil takedowns, and just as a 
lawyer, to read those early complaints and see the statutory 
grounds based on very modern, complicated electronic privacy 
statutes, and at the same time doctrines of English common law 
that were transplanted to America when we formed our country 
and that are part of the common law history dating back to the 
1400s side by side as a separate count, it was--it must have 
been a lot of fun. It was terrific legal work, and it had a 
wonderful effect. So I compliment you on it. And I assume that 
you would want--you know, we are legislators, and so we think 
about legislating. It is like the story about the hammer. Every 
solution that a hammer sees requires a nail. And so we tend to 
think in terms of new and amended statutes. But I gather you 
would want to make sure that we left room for traditional 
common law remedies to maintain themselves as a part of the 
repertoire here and to allow the natural development that the 
common law permits. Is that fair to say?
    Mr. Boscovich. Absolutely, Senator. One of the beauties 
behind the common law system is its ability to adapt constantly 
to new facts. And what we are looking at here is a threat which 
is constantly adapting, something that is always moving, always 
morphing. And the beauty behind common law and trespass to 
chattels, tortious interference with a contractual 
relationship, these are theories that we could use over and 
over again and are part of a system that in it at its core is 
able to adapt quickly. So, yes, I think that I would love to 
see the standard common law principles remain intact as we 
tackle these.
    Now, having said that, it does not mean that there is not 
always room for improvement in both present statutes and 
potentially even new statutes. And we would gladly take a look 
at any type of amendment and/or proposed legislation that 
Congress and yourself may have and give our comments so that 
you could have the best insight possible, from us at least.
    Chairman Whitehouse. Well, certainly when they first came 
up with trespass upon chattels, it was well before anybody had 
an inkling there could ever be an Internet, so that certainly 
has been a lasting doctrine.
    Let me thank all of the witnesses for this hearing. I 
appreciate very much your input. I look forward to the 
responses to the question for the record. I think that we have 
a very strong, bipartisan group of Senators who are very 
interested in this issue and are looking forward to coming up 
with legislation that can pass and help you all in your 
important pursuits to protect our economy and your clients and 
your companies from the kind of attacks that we are seeing, 
largely from overseas.
    So Godspeed to you all in your work. Thank you very much 
for what you have done and for your testimony today. We will 
keep the record open for 1 week for anybody who cares to add 
anything to the record and for those question-for-the-record 
responses to come in.
    And, with that, we are adjourned.
    [Whereupon, at 4:24 p.m., the Subcommittee was adjourned.]
    [Additional material submitted for the record follows.]

                            A P P E N D I X

              Additional Material Submitted for the Record
