[Senate Hearing 113-891]
[From the U.S. Government Publishing Office]

S. Hrg. 113-891

TAKING DOWN BOTNETS: PUBLIC AND PRIVATE EFFORTS TO DISRUPT AND DISMANTLE CYBERCRIMINAL NETWORKS

HEARING before the SUBCOMMITTEE ON CRIME AND TERRORISM of the COMMITTEE ON THE JUDICIARY, UNITED STATES SENATE, ONE HUNDRED THIRTEENTH CONGRESS, SECOND SESSION

JULY 15, 2014

Serial No. J-113-70

Printed for the use of the Committee on the Judiciary

U.S. GOVERNMENT PUBLISHING OFFICE, 28-403 PDF, WASHINGTON : 2018

COMMITTEE ON THE JUDICIARY

PATRICK J. LEAHY, Vermont, Chairman
DIANNE FEINSTEIN, California
CHUCK SCHUMER, New York
DICK DURBIN, Illinois
SHELDON WHITEHOUSE, Rhode Island
AMY KLOBUCHAR, Minnesota
AL FRANKEN, Minnesota
CHRISTOPHER A. COONS, Delaware
RICHARD BLUMENTHAL, Connecticut
MAZIE HIRONO, Hawaii

CHUCK GRASSLEY, Iowa, Ranking Member
ORRIN G. HATCH, Utah
JEFF SESSIONS, Alabama
LINDSEY GRAHAM, South Carolina
JOHN CORNYN, Texas
MICHAEL S. LEE, Utah
TED CRUZ, Texas
JEFF FLAKE, Arizona

Kristine Lucius, Chief Counsel and Staff Director
Kolan Davis, Republican Chief Counsel and Staff Director

Subcommittee on Crime and Terrorism

SHELDON WHITEHOUSE, Rhode Island, Chairman
DIANNE FEINSTEIN, California
CHUCK SCHUMER, New York
DICK DURBIN, Illinois
AMY KLOBUCHAR, Minnesota

LINDSEY GRAHAM, South Carolina, Ranking Member
TED CRUZ, Texas
JEFF SESSIONS, Alabama
MICHAEL S. LEE, Utah

Ayo Griffin, Democratic Chief Counsel
David Glaccum, Republican Chief Counsel

C O N T E N T S

JULY 15, 2014, 2:31 P.M.

STATEMENTS OF COMMITTEE MEMBERS

Graham, Hon. Lindsey O., a U.S. Senator from the State of South Carolina
Whitehouse, Hon. Sheldon, a U.S. Senator from the State of Rhode Island (prepared statement submitted for the record)

WITNESSES

Witness List
Boscovich, Richard, Assistant General Counsel, Digital Crimes Unit, Microsoft Corporation, Redmond, Washington (prepared statement submitted for the record)
Caldwell, Hon. Leslie R., Assistant Attorney General, Criminal Division, U.S. Department of Justice, Washington, DC (prepared statement submitted for the record)
Demarest, Joseph, Jr., Assistant Director, Cyber Division, Federal Bureau of Investigation, Washington, DC (prepared statement submitted for the record)
McGuire, Cheri F., Vice President, Global Government Affairs and Cybersecurity Policy, Symantec Corporation, Mountain View, California (prepared statement submitted for the record)
Spiezle, Craig D., Executive Director and Founder, Online Trust Alliance, Bellevue, Washington (prepared statement submitted for the record)
Vixie, Paul, Ph.D., Chief Executive Officer, Farsight Security, San Mateo, California (prepared statement submitted for the record)

QUESTIONS

Questions submitted to Richard Boscovich by Senator Whitehouse
Questions submitted to Cheri F. McGuire by Senator Whitehouse
Questions submitted to Craig D. Spiezle by Senator Whitehouse
Questions submitted to Paul Vixie, Ph.D., by Senator Whitehouse

ANSWERS

[Note: At the time of printing, after several attempts to obtain responses to the written questions, the Committee had not received responses from Richard Boscovich.]

Responses of Cheri F. McGuire to questions submitted by Senator Whitehouse
Responses of Craig D. Spiezle to questions submitted by Senator Whitehouse
Responses of Paul Vixie, Ph.D., to questions submitted by Senator Whitehouse

TAKING DOWN BOTNETS: PUBLIC AND PRIVATE EFFORTS TO DISRUPT AND DISMANTLE CYBERCRIMINAL NETWORKS

TUESDAY, JULY 15, 2014

United States Senate, Subcommittee on Crime and Terrorism, Committee on the Judiciary, Washington, DC.

The Subcommittee met, pursuant to notice, at 2:31 p.m., in room SD-226, Dirksen Senate Office Building, Hon. Sheldon Whitehouse, Chairman of the Subcommittee, presiding.

Present: Senators Whitehouse, Coons, and Graham.

OPENING STATEMENT OF HON. SHELDON WHITEHOUSE, A U.S. SENATOR FROM THE STATE OF RHODE ISLAND

Chairman Whitehouse. I will call this hearing of the Judiciary Committee's Subcommittee on Crime and Terrorism to order, and I thank everyone for being here. I have the permission of my Ranking Member to get underway. He will be joining us shortly, but allowing for opening statements and so forth, I think it is probably the best way to do this, to simply proceed and get underway.

Today's hearing is entitled, ``Taking Down Botnets: Public and Private Efforts to Disrupt and Dismantle Cybercriminal Networks.'' We are going to be hearing testimony about these botnets and about the threat that they pose to our economy, to our personal privacy, and to our national security.

A botnet is a simple thing. It is a network of computers connected over the Internet that can be instructed to carry out specific tasks. The problem with botnets is that typically the owners of those computers do not know that they are carrying out those tasks. Botnets have existed in various forms for well over a decade, and they are now recognized as a weapon of choice for cyber criminals, and it is easy to see why.
A botnet can increase the computing resources at a hacker's disposal exponentially, all while helping conceal the hacker's identity. A cyber criminal with access to a large botnet can command a virtual army of millions, most of whom have no idea that they have been conscripted. Botnets enable criminals to steal individuals' personal and financial information, to plunder bank accounts, to commit identity theft on a massive scale. For years, botnets have sent most of the spam that we all receive. The largest botnets are capable of sending billions of spam messages every day. Botnets are also used to launch distributed denial-of-service--or DDOS--attacks, which can shut down websites by simply overwhelming them with incoming traffic. This is a constant danger for businesses in every sector of our economy, but we have seen this strategy used against everything from businesses to sovereign nations.

The only limit to the malicious purposes for which botnets can be used is the imagination of the criminal who controls them. And when a hacker runs out of uses for a botnet, he can simply sell it to another criminal organization to use for an entirely new purpose. It presents a virtual infrastructure of crime.

Let us be clear. The threat from botnets is not just a threat to our wallets. Botnets are effective weapons not merely for those who want to steal from us, but also for those who wish to do us far more serious harm. Experts have long feared that the next 9/11 may be a cyber attack. If that is the case, it is likely that a botnet will be involved. Simply put, botnets threaten the integrity of our computer networks, our personal privacy, and our national security.

In recent years, the Government and the private sector have launched aggressive enforcement actions to disrupt and to disable individual botnets. The techniques used to go after these botnets have been as varied as the botnets themselves. Many of these enforcement actions used the court system to obtain injunctions and restraining orders, utilizing innovative legal theories, combining modern statutory claims under statutes such as the Computer Fraud and Abuse Act with such ancient common law claims as trespass to chattels.

In 2011, the Government obtained for the first time a court order that allowed it to seize control of a botnet using a substitute command and control server. As a result, the FBI launched a successful takedown of the Coreflood botnet, freeing 90 percent of the computers Coreflood had infected in the United States. Microsoft, working with law enforcement, has obtained several civil restraining orders to disrupt and in some cases take down individual botnets, including the Citadel botnet, which was responsible for stealing hundreds of millions of dollars. And earlier this year, the Justice Department and the FBI, working with the private sector and law enforcement agencies around the world, obtained a restraining order allowing them to take over the Gameover Zeus botnet. This action was particularly challenging because the botnet relied on a decentralized command structure that was designed to thwart efforts to stop it.

Each of our witnesses today has played a role in efforts to stop botnets. I look forward to learning more about these and other enforcement actions and the lessons that we should take away from them. We must recognize that enforcement actions are just one part of the answer, so I am interested in hearing also about how we can better inform computer users of the dangers of botnets and what other hygiene steps we can take to address this threat.

My hope is that this hearing starts a conversation among those dealing day to day with the botnet threat and those of us in Congress who are deeply concerned about that threat. Congress, of course, cannot and should not dictate tactics for fighting botnets. That must be driven by the expertise of those on the front lines of the fight. But Congress does have an important role to make sure that there is a solid legal foundation for enforcement actions against botnets and clear standards governing when they can occur. We must also ensure that botnet takedowns and other actions are carried out in a way that protects consumers' privacy, all while recognizing that botnets themselves represent one of the greatest privacy threats that computer users face today. They can actually hack into your computer and look at you through your webcam. And we must make sure that our laws respond to a threat that is constantly evolving and encourage rather than stifle innovation to disrupt cyber criminal networks.

I look forward to starting this conversation today and to continuing it in the months ahead. I thank my distinguished Ranking Member for being such a terrific colleague on these cyber issues. We hope that a good piece of botnet legislation can emerge from our work together. I thank you all for participating in this hearing and for your efforts to protect Americans from this dangerous threat, and before we hear from our witnesses, I will yield to my distinguished Ranking Member, Senator Lindsey Graham.

OPENING STATEMENT OF HON. LINDSEY GRAHAM, A U.S. SENATOR FROM THE STATE OF SOUTH CAROLINA

Senator Graham. Thank you, Mr. Chairman. I just want to acknowledge your work on this issue and everything related to cyber threats. There is no stronger, clearer voice in the Senate than Sheldon Whitehouse in terms of the threats we face on the criminal front and the terrorist front that come from cyber misdeeds, and Congress is having a difficult time organizing ourselves to combat both threats.
But to make sure that this is not an academic exercise, I guess it was last year--or it might even have been a bit longer, but the Department of Revenue in South Carolina was hacked into by--we do not know all the details, but a criminal enterprise that stole millions of Social Security numbers and information regarding companies' charters, revenue, and that has required the State of South Carolina to purchase protection. I think it was a $35 million per year allocation to protect those who had their Social Security numbers stolen, we believe by a criminal enterprise.

So it happened in South Carolina. It can happen to any company, any business, any organization in America, and our laws are not where they should be, so the purpose of this hearing is to gather information and hopefully come out and be a friend of law enforcement.

So, Senator Whitehouse, you deserve a lot of credit in my view about leading the effort in the United States Senate, if not the Congress as a whole, on this issue. Thank you.

Chairman Whitehouse. I am delighted now to welcome our administration witnesses. Before we do, his timing is perfect. Senator Chris Coons has joined us and yields on making an opening statement, so let us go ahead to the witnesses.

The first is Leslie Caldwell. She is the head of the Criminal Division at the Department of Justice and was confirmed on May 15, 2014. She oversees nearly 600 attorneys who prosecute Federal criminal cases across the country. She has dedicated most of her professional career to handling Federal criminal cases, previously having served as the Director of the Justice Department's Enron Task Force and as a Federal AUSA in U.S. Attorneys' Offices in both New York and California.

And after her testimony, we will hear from Joseph Demarest, who is the Assistant Director for the FBI's Cyber Division. He joined the FBI as a special agent in 1988 and has held several leadership positions within the Bureau, serving as, for instance, head and Assistant Director of the International Operations Division and as the Assistant Director in charge of the New York Division. He was appointed to his current position in 2012, and I have to say that I have had the chance to work very closely with Mr. Demarest, and I appreciate very much the energy and determination that he has brought to this particular arena of combat against the criminal networks of the world. And I look forward to his testimony.

We begin with Assistant Attorney General Caldwell.

STATEMENT OF HON. LESLIE R. CALDWELL, ASSISTANT ATTORNEY GENERAL, CRIMINAL DIVISION, U.S. DEPARTMENT OF JUSTICE, WASHINGTON, DC

Ms. Caldwell. Thank you, Chairman Whitehouse, Ranking Member Graham, and Senator Coons. Thank you for the opportunity to discuss today the Justice Department's fight against botnets, and I particularly want to thank the Chair for holding this hearing and for his continued leadership on these important issues.

The threat from botnets--defined in simple terms as networks of hijacked computers surreptitiously infected with malicious software, or malware, which are controlled by an individual or an organized group for criminal purposes--has increased dramatically over the past several years. Criminals are using state-of-the-art techniques, seemingly drawn from science fiction movies, to take control of thousands or even hundreds of thousands of victim computers, or bots. They can then command these bots to do various things, as Senator Whitehouse indicated. They can flood an Internet site with junk data. They can knock it offline by doing that. They can steal banking credentials, credit card numbers, other personal information, other financial information; send fraudulent spam email; or even spy on unsuspecting computer users through their webcams.
Botnet attacks are intended to undermine Americans' privacy and security and to steal from unsuspecting victims. If left unchecked, they will succeed in doing so.

As cyber criminals have become more sophisticated in recent years, the Department of Justice, working through highly trained prosecutors at the Computer Crime and Intellectual Property Section of the Criminal Division, which I will call ``CCIPS,'' the National Security Division of the Justice Department, U.S. Attorneys' Offices across the country, and the FBI and other law enforcement agencies, we have likewise adapted and advanced our tactics to meet this threat.

As just one example, in May of this year, CCIPS, the U.S. Attorney for the Western District of Pennsylvania, and the FBI, in partnership with other Federal and private sector organizations, disrupted the Gameover Zeus botnet and indicted a key member of that group that operated that botnet. Until its disruption, Gameover Zeus was widely regarded as the most sophisticated criminal botnet in existence worldwide. From 2011 through 2014, Gameover Zeus infected between 500,000 and 1 million computers, and it caused more than $100 million in financial loss. Put simply, the botmaster stole personal information from victim computers and with the click of a mouse, used that stolen information to empty bank accounts and rob small businesses, hospitals, and other victims by transferring funds from the victims' accounts to the criminals' own accounts.

They also used Gameover Zeus to install CryptoLocker, which is a type of malware known as ``ransomware.'' That was installed on infected computers, and CryptoLocker enabled these criminals to encrypt key files on the infected computers and to charge victims a ransom for the release of their own files. In the short period between its emergence and our action, CryptoLocker infected more than 260,000 computers worldwide.

The Department's operation against Gameover Zeus began with a complex international investigation conducted in close partnership with the private sector. It continued through the Department's use of a combination of a court-authorized criminal and civil legal process to stop infected computers from communicating with one another and with other servers around the world. The investigation and operation ultimately permitted the team not only to identify and charge one of the leading perpetrators, but also to cripple the botnet and to stop the ransomware from functioning. Moreover, the FBI was able to identify victims and, working with the Department of Homeland Security, foreign governments, and private sector partners, was able to facilitate the removal of malware from many victim computers. As we informed the court last week, at present the Gameover Zeus botnet remains inoperable and out of the criminals' hands. Gameover Zeus infections are down 30 percent, and CryptoLocker remains non-operational.

As the successful operation demonstrates, we are employing investigative and remedial tools that Congress has given us to protect our citizens and businesses. We have leveraged our strengths by partnering with agencies all over the world and in the private sector. If we want to remain effective in protecting our citizens and businesses, however, our laws and resources must keep pace with the increasingly sophisticated tactics and growing numbers of our adversaries. Our adversaries are always adapting. So must we.

In my written statement, I describe several legislative proposals and resource increases that will assist the Department in its efforts to counter this threat. These proposals include an amendment to the Computer Fraud and Abuse Act and several other proposals. We very much look forward to working with the Committee to address these issues. We also need additional resources at the Department to continue to disrupt botnets, including hiring new attorneys, as indicated in my statement.

Thank you again for the opportunity to discuss our work in this area, and I look forward to answering any questions you might have.

[The prepared statement of Ms. Caldwell appears as a submission for the record.]

Chairman Whitehouse. Thank you, Assistant Attorney General Caldwell. And now, Mr. Demarest, Director Demarest.

STATEMENT OF JOSEPH DEMAREST, JR., ASSISTANT DIRECTOR, CYBER DIVISION, FEDERAL BUREAU OF INVESTIGATION, WASHINGTON, DC

Mr. Demarest. Good afternoon, Chairman Whitehouse, Ranking Member Senator Graham, and Senator Coons. Thank you for holding this hearing, Chairman Whitehouse, and I look forward to discussing the progress the FBI has made on campaigns to disrupt and disable our significant botnets that you know that we target.

Cyber criminal threats pose very real risks to the economic security and private sector of the United States and its citizens. The use of botnets is on the rise. Industry experts estimate that botnet attacks have resulted in the overall loss of millions of dollars from financial institutions and other major businesses. They also affect universities, hospitals, defense contractors, government, and even private citizens.

The ``weapons'' of a cyber criminal are tools, like botnets, which are created with malicious software that is readily available for purchase on the Internet. Criminals distribute this malicious software, also known as ``malware,'' that can turn a computer into a bot. When this occurs, a computer can perform automated tasks over the Internet, without any direction from its rightful user. A network of these infected computers is called a ``botnet,'' as you pointed out. Botnets can be used for organized criminal activity, covert intelligence collection, or even attacks on critical infrastructure. The impact of this global cyber threat has been significant.
According to industry estimates, botnets have caused over $9 billion in losses to U.S. victims and over $110 billion in losses globally. Approximately 500 million computers are infected each year, translating into 18 victims per second.

The FBI, with its law enforcement partners and private sector partners, to include the panel of distinguished presenters today from Microsoft, Symantec, and Farsight, has had success in taking down a number of large botnets. But our work is never done, and by combining the resources of Government and the private sector, and with the support of the public, we will continue to improve cybersecurity by identifying and catching those who threaten it.

Due to the complicated nature of today's cyber threat, the FBI has developed a strategy to systematically identify cyber criminal enterprises and individuals involved in the development, distribution, facilitation, and support of complex criminal schemes impacting U.S. systems. The complete strategy involves a holistic look at the entire cyber underground ecosystem and all facilitators of a computer intrusion.

The FBI has initiated an aggressive approach to disrupt and dismantle most significant botnets threatening the U.S. economy and our national security. The initiative, coined ``Operation Clean Slate,'' is spearheaded by the FBI, our National Cyber Investigative Joint Task Force, along with a host of USG partners to include DHS and the private sector. It is a comprehensive, public-private effort engineered to eliminate the most significant botnets jeopardizing U.S. interests by targeting the bot infrastructure and at the same time the coders or those who are responsible for creating them. This initiative incorporates all facets of the USG, as I mentioned, international partners, major ISPs, the U.S. financial sector, and other private sector stakeholders like the many cybersecurity services. Again, I would point out Dell Secure Works being one of the main, and we talked about Gameover Zeus.

Operation Clean Slate has three objectives: to degrade or disrupt the actor's ability to exfiltrate sensitive information from victims; to increase the actor's cost of business; and to seed uncertainty in the actor's cyber activity by causing concern about potential or actual law enforcement action against them.

Just a brief description about some of the successes of late. In December 2012, the FBI disrupted an international organized cybercrime ring related to Butterfly Botnet, which stole computer users' credit card, bank account, and other personally identifiable information. The Butterfly Botnet compromised more than 11 million computer systems and resulted in over $850 million in losses. The FBI, along with international law enforcement partners, executed numerous search warrants, conducted interviews, and arrested 10 individuals from Bosnia and Herzegovina, Croatia, Macedonia, New Zealand, Peru, the United Kingdom, and the United States--all of this not possible without DOJ, CCIPS in particular, and local U.S. Attorneys' Offices.

In June 2013, again, the formal debut of Operation Clean Slate, the team, in coordination with Microsoft and financial service industry leaders, disrupted the Citadel Botnet that you pointed out, which had facilitated unauthorized access to computers of individuals and financial institutions to steal online banking credentials, credit card information, and other PII. Citadel was responsible for the loss of over a half billion dollars. Over 1,000 Citadel domains were seized, accounting for more than 11 million victim computers worldwide.

Building on that success of the disruption of Citadel, in December 2013, the FBI and Europol, together with Microsoft and, again, the Operation Clean Slate team and other industry partners, disrupted the ZeroAccess botnet. ZeroAccess was responsible for infecting more than 2 million computers, specifically targeting search results on Google, Bing, and Yahoo search engines, and is estimated to have cost online advertisers $2.7 million each month.

Again, in April 2014, the Operation Clean Slate team investigative efforts resulted in the indictments of nine alleged members of a wide-ranging racketeering enterprise and conspiracy that infected thousands of business computers with malicious software known as ``Zeus'' or ``Jabba Zeus,'' which is malware that captured passwords, account numbers, and other information necessary to log into online banking accounts. The conspirators allegedly used the information captured by Zeus to steal millions of dollars from account-holding victims' bank accounts.

Later, in June 2014, yet another operation by the Clean Slate team announced a multinational effort to disrupt the Gameover Zeus botnet, the most sophisticated botnet that the FBI and its allies had ever attempted to disrupt. Gameover Zeus is believed to be responsible for the theft of millions of dollars from businesses and consumers in the U.S. and around the world. This effort to disrupt it involved impressive cooperation with the private sector--namely, Dell Secure Works--and international law enforcement. Gameover Zeus is an extremely sophisticated type of malware designed specifically to steal banking and other credentials from the computers it infects. In the case of Gameover Zeus, its primary purpose is to capture banking credentials from infected computers, then use those credentials to initiate or redirect wire transfers to accounts overseas that are controlled by the criminals. Losses attributable to Gameover Zeus are estimated to be more than $100 million.

Much like the FBI's other investigative priorities and programs, our focus is impacting the leaders of the criminal enterprises and terrorist organizations we pursue. We are focusing the same effort on the major cyber actors behind the botnets. We remain focused on defending the United States against these threats, and we welcome the opportunity like the one today to discuss our efforts. We are grateful for the Committee's support, and yours in particular, Senator Whitehouse, and we look forward to working closely with you as we continue to forge aggressive campaigns against botnets.

[The prepared statement of Mr. Demarest appears as a submission for the record.]

Chairman Whitehouse. Thank you very much. Assistant Director Demarest, there have to be, what, hundreds of thousands, millions of botnets out there?

Mr. Demarest. Yes.

Chairman Whitehouse. One could say, ``So many botnets, so little time.'' So given that, what are your factors for prioritizing which ones to go after through the Clean Slate program or just generally?

Mr. Demarest. So by Operation Clean Slate, it was to forge an alliance with the private sector and Government and then prioritize the most egregious botnets that are out there in the wild that we know about. So working with not only Government, DHS being principal, and friends in the intelligence community, but also I will say in the private sector, Microsoft being chief, and looking across, you know, the world, and those botnets that are seemingly causing the most damage, economic damage or other means or potentially physical damage, and prioritizing those and then developing a campaign about going after not only the infrastructure but the actors behind that botnet or those botnets.

Chairman Whitehouse. Assistant Attorney General Caldwell, one of the--this pre-dates you, but I have had some concerns based on my time in the Department of Justice as a U.S. Attorney about the way in which the Department has responded to the botnet threat. I think you are doing a good job, but there is a cultural divide sometimes between the criminal prosecutors and the civil attorneys for the Government.
These cases that take down the botnet tend to be civil cases in nature, so I have worried a bit about the extent to which it is instinctive on the part of criminal prosecutors to think that that is a lesser task and a lesser pursuit than what they are doing and whether that gets in the way of adequately pursuing the civil remedies that shut these botnets down. The second is that when the Coreflood takedown took place, it appeared to me that that was kind of an ad hoc group of very talented people who were brought together to address themselves to Coreflood and to succeed at taking it down; but once the operation was complete, they went back to their individual AUSA slots in offices around the country, and the effort was dispersed. I think that the botnet problem is a continuing one. I think as soon as you strip out, as Mr. Demarest said, some of the worst offenders, others pop up into the next most wanted botnet slot. And I am interested first in how you are making sure that this is prioritized, despite the civil nature of the legal proceeding that cures the botnet problem, that strips it out of the system, and what you have done to try to establish a permanent, lasting institutional presence for taking down botnets without having to reassemble teams each time a botnet rears its head as a target. Ms. Caldwell. Thank you, Senator. I think that the Gameover Zeus operation is the perfect example of how we see this going forward. Although I would not dispute that there are some criminal Assistant U.S. Attorneys who may think that the civil Assistant U.S. Attorneys have a less exciting job, we do not see it that way. The civil component, as you indicated, is a very critical part of this, but there are different ways to approach botnets. They are all different, as you indicated earlier. 
In Gameover Zeus, we used a combination of civil and criminal authorities, and I think that is--again, it is not one size fits all, but I think that is likely what we will continue to see in the future. As you know, the leading perpetrator of that particular botnet was actually indicted criminally, and the civil injunctions were obtained at the same time. It was very carefully coordinated. There was a lot of communication between the civil prosecutors who were handling the injunction paperwork and the criminal prosecutors who were--it was really all one team. So I think the civil tool is a very important tool, and we expect to continue to use it. There are some holes in that tool. Right now we are permitted to get a civil injunction against fraud and a civil injunction against wiretapping. But as you indicated in your opening remarks, botnets are not always engaged in fraud and wiretapping. They are engaged in other things, too. So one thing that we would like to see happen is an amendment to the statute to permit injunctions in other circumstances in which we see botnets operating. Then on the issue of the institutional knowledge, the Computer Crime and Intellectual Property Section is really the receptacle--that is a bad word, but where all that knowledge is based. The Computer Crime and Intellectual Property Section has a headquarters component. It has field components. It has a lot of institutional knowledge about botnets, so that if one prosecutor leaves, the knowledge is not going to leave. We coordinate regularly with the FBI, and there is a lot of coordination. There is a lot of coordination with the Computer Hacking Intellectual Property Network in the U.S. Attorneys' Offices. And there really is an institutional base of knowledge about botnets. So even---- Chairman Whitehouse. In a nutshell, you feel right now that that task has been adequately institutionalized in the Department, that there will be continuity and persistence rather than ad hoc efforts? 
Ms. Caldwell. Yes, and I think that although they were not as prominent, there were at least a half-dozen other botnet takedowns in the last couple of years between Coreflood and Gameover Zeus. So there is definitely--it is definitely a priority, and there is definitely a focus, and there is a lot of knowledge among the CCIPS prosecutors and their counterparts at the FBI about these botnets. And they will keep coming, and we will keep attacking them. Chairman Whitehouse. I will yield to my Ranking Member, but my impression was that some of those were sort of sporadic and ad hoc takedowns that appeared in individual U.S. Attorneys' Offices and not necessarily consistent with a continuing, lasting, persistent presence stripping down one botnet after another. And I am glad that you have gotten to where you have gotten, so thank you. Senator Graham. Senator Graham. Are you the Eliot Ness of botnets? [Laughter.] Senator Graham. Do we have an Eliot Ness of botnets? Ms. Caldwell. I think he is the Eliot Ness of botnets. Senator Graham. Okay. Well, no matter what kind of behavior you are dealing with, you try to deter it, make people think, ``If I do this, I am going to get caught, and if I get caught, bad things are going to happen.'' What do you think the deterrence is like right now, Mr. Demarest? Mr. Demarest. Well, I think it is significant now, and in years past, maybe not as much so, where they did travel and they felt they could take some actions with impunity. And we are finding today, based on some of the actions, enforcement actions that were successful, we are causing impact because we actually see that in other collections, them talking amongst each other, and concern about traveling now, which is a way of containing some of the threats that we see in individuals today. Senator Graham. What nation states do we need to worry about in terms of being involved in this activity? Mr. Demarest. I would say the Nation states of Eurasia, principally. 
We have seen a lot of the criminal actors coming from that area of the world. Senator Graham. Okay. Are they reliable partners, the governments? Mr. Demarest. We are opening dialogue, I will say on that front. I think you will find some of our Russian counterparts in law enforcement are a bit more agreeable, but, you know, as in any new relationship, I think especially in this space, we are working toward improving them. Senator Graham. If it is possible, maybe by the end of the year could you provide the Committee with a list of countries that you think have been good partners and the list of countries you think have been resistant. Mr. Demarest. Yes, easily done, based on our activities or working with the countries we do work with. Senator Graham. Well, once we identify them, maybe we can change their behavior. There are all kinds of ways of getting people's attention. Was this a problem 5 years ago? How long ago has this been a problem? Mr. Demarest. This has existed for years, and probably we are just now--you know, this is the tip of the iceberg. And I think as we get more sophisticated internally in the U.S. Government in seeing and being able to identify---- Senator Graham. What made us aware of it today more than, say, 5 years ago? Just the consequences? Mr. Demarest. I think the consequences, I think victim reporting, I think major losses occurring to private industry. Senator Graham. Is there any end to this? How far can these people go? Mr. Demarest. They will keep on going. As you can see, each bot will evolve. We take actors off. Now they will change. We see a complete evolution. But, again, we are actually placing-- at least there is a price to pay for actually engaging in this activity now. Senator Graham. Are terrorist organizations involved in this? Mr. Demarest. We track them very closely. I would say there is an interest. But much further than that, Senator Graham, probably in a different setting we could give you a further briefing. 
Senator Graham. Ms. Caldwell, on the civil-criminal aspect of this, what are the couple things that you would like Congress to do to enhance your ability to protect our Nation? I am sure you have got this written down somewhere, but just for the average person out there listening to this hearing, what are the couple things you would like to see us do? Ms. Caldwell. Well, one is the one that I already mentioned, which is changing the civil injunction ability so that we will have the capability to enjoin botnets other than those that are engaged in fraud and wiretapping, because there are, for example, distributed denial-of-service attacks. Right now we cannot get an injunction against that. So we would like to be able to do that. Senator Graham. Do we need to increase penalties? Ms. Caldwell. That is an interesting question, Senator, and I think that we have been seeing increased penalties being imposed by courts. So---- Senator Graham. I mean statutorily, Mr. Demarest, do we need to change any statutes to make this bite more? Mr. Demarest. I will defer to Ms. Caldwell, but--I will defer to you. Ms. Caldwell. Yes, I think that the maximum sentences under most of the statutes are adequate. I do not think we need any kind of mandatory minimums because we have been seeing judges imposing sentences around the 7-, 8-, and 9-year range, which is, I think, a very substantial sentence. There are a couple other things that we would like to see. Right now there is no law that explicitly covers the sale or transfer of a botnet that is already in existence, and we have seen evidence that a lot of folks sell botnets. They rent them out, and we would like to see a law that addresses that. One other thing which is a little bit off point but I think is still relevant to botnets, is that right now there is no law that prohibits the overseas sale of U.S. 
credit cards unless there has been some action taken in the United States or unless money is being transferred from overseas to the United States. So we see credit card--situations where people have millions of credit cards from U.S. financial institutions, but they never set foot in the United States. That is currently not covered by our existing law. Senator Graham. So you could steal my credit card information from overseas and basically be immune. Ms. Caldwell. Correct, unless you transferred proceeds of your scheme back to the United States. Senator Graham. Okay. One last question here. When they basically seize your computer, hijack your computer, the information contained therein, they actually hold--I mean, they make a ransom demand? How does that work? Ms. Caldwell. Under CryptoLocker what happened--and I am certainly not a technical expert, so jump in--you would be on your computer, and you would see something flash up on your screen that basically told you all your files were encrypted and would remain encrypted until you paid a ransom. And you had to pay the ransom within X hours, and if you did not pay, your files would all be deleted. Mr. Demarest. In a payment made through Bitcoin or whatever. Whatever the established venue is, they expected payment within a given amount of time, and if not, your box would be encrypted. Senator Graham. Do people pay? Mr. Demarest. They do. Senator Graham. What is the biggest payout you have seen? Mr. Demarest. Well, of all CryptoLocker and then Cryptowall now, and where there is a major concern, they have paid probably in excess of $10,000. But they are focused more now on major concerns, businesses, and entities as opposed to single victims. Senator Graham. Is that extortion under our law? Ms. Caldwell. Yes. Senator Graham. So you do not need to change that statute? Ms. Caldwell. No. The problem is, though, as with a lot of these cybercrimes, most of the people who are engaged in this activity are overseas. 
Senator Graham. Thank you. Chairman Whitehouse. Let me recognize Senator Coons, who has been very interested and dedicated to this topic and whose home State is very energized on this topic because the Delaware National Guard actually has a cyber wing that is very active, and they are one of the best cyber National Guard detachments in the country. I say ``one of the best'' because Rhode Island has one, too. Senator Coons. Senator Coons. Thank you very much. Thank you, Chairman Whitehouse, and thank you, Senator Graham. You have both been great and engaged and effective leaders on this issue. So to the point raised by the Chairman, given the persistency of this threat, given its trajectory, its scope, its scale, and the resources that you are having to deploy in order to take down these botnets and in order to break up the criminal gangs, is it acceptable, is it possible for us to deal with this threat with a Federal law enforcement response alone? Do we need a partnership from State and local law enforcement? I assume the answer is yes. And how are we doing at delivering an integrated capability, Federal, State, and local, first? Second, what kind of capabilities do businesses and individuals and the private sector and citizens have? And what are we doing to help scale up that? Because the resiliency of our country, our ability to respond to these threats, as we all know, much as it is with natural disasters or with terrorism threats, requires a sort of ``everybody engaged'' response that engages our private sector, engaged entrepreneurs, and engages State and local as well as Federal law enforcement? So I would be interested in your answer to that question. Mr. Demarest. Sure. Thank you, Senator Coons. So on the State and local question, we have cyber task forces throughout each of our offices. There are 56 out there. 
Each office is engaging at the local level to bring State and local authorities aboard, whether investigator or net defenders from the organizations they represent. It is very difficult because of resources being somewhat constrained at the State and local level and fully understanding and appreciating what the threat is. Operation Wellspring is an effort we kicked off, and what that is, it is focused on Internet fraud, whether defrauding the elderly, it is real estate fraud, and working with State and local, having them either bring an officer or investigator aboard, or an analyst. We work closely with them to foster their skills or to develop their skill in this area working cybercrime. It has worked well in some of the initial offices in Salt Lake City, with the Utah Department of Public Safety, and down in Dallas with some of the local departments, the Dallas Police Department. We have got a long way to go in that space and for them to fully appreciate what the threats are today facing the public or the citizens they are responsible for. In the private sector, we have worked far and wide and somewhat limited in force. We have now focused on those priority sectors, if you will, that are most threatened. But we have found time and time again the most threatened and the most vulnerable are those small to medium-sized business owners where they may have one single person that is responsible for Internet security or cybersecurity, information assurance and the like. So it is not--it is how do we target that band and actually bring them aboard when we are still working through-- we actually had health care, representatives from the health care industry in our headquarters working through what that relationship would look like with health care, because we have focused on, as you can imagine, finance, energy, the IT, telecommunications and the like over the past 2 years, and now how do we broaden that effort out? Senator Coons. 
Implicitly, from your reference to health care, I share your concern that as we have transitioned to electronic medical records, we now have an online treasure trove of data for cyber criminals to go after? Ms. Caldwell. Ms. Caldwell. Yes, I think any online data base is vulnerable. Some obviously have more security protections than others. And as you indicated, Senator Coons, the health care data bases obviously have a lot of very sensitive personal information. So we have seen, I know, in some of the botnets that we have seen over the years, including, if I am not mistaken, Gameover Zeus, some of the victims were hospitals. So that is a very serious area of concern, which we are very concerned about. Senator Coons. Let me just ask one other question. As Senator Whitehouse referenced, both of our States are blessed to have network warfare squadrons of the National Guard. The Air National Guard in Delaware has stood up and grown and developed this National Guard capability which takes advantage of the fact that we have a fairly sophisticated financial services community. We have large data centers. We have a lot of credit card processing, and as a result, there is a lot of fairly capable and sophisticated online security and financial services security professionals who can then also serve in a law enforcement and national security, first responder context through the National Guard. What lessons do you think we could learn from that partnership, that collaboration in our two home States? And how could that lead us to a better scale-up of the needed Federal work force to respond to and deal with these law enforcement challenges? Mr. Demarest. There is a treasure trove of skill in the Guard and Reserve forces. We participated, actually hosted down at the FBI Academy the Cyber Guard exercise in 2014. We brought personnel in from around the field, at least 50 from our local cyber task forces that corresponded with the local Guard units that were in. 
Great capability there. Our Director, along with the Deputy Director, had a meeting with the combatant command, cyber command, OSD, and joint staff about how we better correlate or collaborate in this space. Tomorrow we actually have another meeting with the combatant commanders at my level to actually put this in place along with the Reserve and Guard units. As you know, Admiral Rogers held a meeting at NSA recently to talk through what that looks like in working with cyber command, the Guard forces, and Reserve forces, and what skills they bring, how that may assist the FBI in our operations, and also training opportunities that we can leverage with one another. Senator Coons. Terrific. Thank you for your testimony. I look forward to hearing more about the development of this partnership. I just want to thank you for your leadership in this area, Senator Whitehouse. Chairman Whitehouse. Well, I will let you two go. I am sure we could ask you questions all afternoon. This is such a fascinating and emerging area of criminal law enforcement. I appreciate very, very much the work that you do, and I want you to pass on to Attorney General Holder my congratulations for the dedication that he has brought to this pursuit, particularly as exemplified by the Gameover Zeus takedown and by the indictment of the Chinese PLA officials. Those were both very welcome steps, and I am looking forward to seeing more criminal prosecution of foreign cyber hackers. I think the opening gambit with the indictment of the Chinese PLA folks was really terrific. So congratulations to you both. Thank you for your good work, and we will release you and call the next panel forward. Chairman Whitehouse. All right. Thank you all so much for being here. This is a really terrific private sector panel on this issue, and I am grateful that you have all joined. I will make the formal introductions right now of everyone, and then we can just go right across with your statements. 
Our first witness is going to be Richard Boscovich, who is the assistant general counsel on Microsoft's Digital Crimes Unit, a position where he developed the legal strategies used in the takedowns and disruptions of several botnets, including the Citadel, Zeus, and ZeroAccess botnets. He previously served for over 17 years at the Department of Justice as an Assistant U.S. Attorney in Florida's Southern District, where he directed the district's Computer Hacking and Intellectual Property Unit. We will next hear from Cheri McGuire, the vice president of global government affairs & cybersecurity policy at Symantec Corporation, which is one of our leading cybersecurity providers in this country. She is responsible for Symantec's global public policy agenda and government engagement strategy, including cybersecurity, data integrity, critical infrastructure protection, and privacy. Before she joined Symantec in 2010, she was director for critical infrastructure and cybersecurity in Microsoft's Trustworthy Computing Group, and before that she served in numerous positions at the Department of Homeland Security, including as Acting Director and Deputy Director of the National Cyber Security Division and the US-CERT. We will then hear from Dr. Paul Vixie, who is the chief executive officer of Farsight Security, which is a commercial Internet security company. He previously served as the chief technology officer for Abovenet, an Internet service provider, and as the founder and CEO of MAPS, the first anti-spam company, and as the operator of the ``F'' DNS root name server. Dr. Vixie is the author of several Internet standards related to DNS and was the maintainer of BIND, a popular open-source DNS software system, for 11 years. And he was recently inducted into the Internet Hall of Fame. Finally, we will hear from Craig Spiezle, who is the executive director, founder, and president of the Online Trust Alliance. 
The Online Trust Alliance encourages best practices to help protect consumer trust, and he works to protect the vitality and innovation of the Internet. Prior to founding the Online Trust Alliance, he worked at Microsoft, again--the fraternity--where he drove development of anti-spam, anti-phishing, anti-malware, and privacy-enabling technologies. He is on the board of the Identity Theft Council and was appointed to the FCC's Communications Security, Reliability, and Interoperability Council. He is also a member of InfraGard, which is the partnership between the FBI and the private sector. So these are immensely knowledgeable and experienced witnesses, and let me begin with Richard Boscovich. We are so glad you are here. Thank you. STATEMENT OF RICHARD BOSCOVICH, ASSISTANT GENERAL COUNSEL, DIGITAL CRIMES UNIT, MICROSOFT CORPORATION, REDMOND, WASHINGTON Mr. Boscovich. Chairman Whitehouse, Ranking Member Graham, and Members of the Subcommittee, my name is Richard Domingues Boscovich, and I am an assistant general counsel in Microsoft's Digital Crimes Unit. Thank you for the opportunity to discuss Microsoft's approach to fighting and detecting botnets. We also thank you for your leadership in focusing attention to this complicated and important topic. Botnets are groups of computers remotely controlled by hackers without their owners' knowledge or consent, enabling criminals to steal information and identities, to disrupt the operation of computer networks, and to distribute malicious software and spam. I will describe for you how Microsoft, one, works with partners to fight botnets; two, raises costs for cyber criminals by disrupting their tools; and, three, carefully designs these operations to protect consumers. To understand the devastating impact of botnets, we can look at how they affected one victim. 
Consider Eunice Power, a chef in the United Kingdom, who turned on her laptop 1 day to find a warning that she could not access her files unless she paid a ransom to cyber criminals within 72 hours. When she failed to meet the deadline, all of her photos, financial account information, and other data were permanently deleted. All this was caused by a botnet. She later told a reporter, ``[i]f someone had robbed my house it would have been easier.'' Indeed, botnets conduct the digital equivalent of home invasions, but on a massive scale. Botnet operators quietly hijack webcams to spy on people in their own homes and later sell explicit photographs of the unsuspecting victims on the black market. They use malicious software to log every keystroke that users enter on their computers--including credit card numbers, Social Security numbers, work documents, and personal emails. They send deceptive messages designed to appear as though they were sent by banks that convince people to disclose their financial account information. Now, Microsoft has long partnered with other companies and global law enforcement agencies to battle malicious cyber criminals such as those who operate botnets. We do not and cannot fight botnets alone. As the title of this hearing suggests, fighting botnets requires efforts from both the private and the public sector. We routinely work with other companies and domestic and international law enforcement agencies to dismantle botnets that have caused billions of dollars in worldwide economic damage. I joined efforts to demonstrate that public-private partnerships are highly effective at combating cybercrime. In reality, problems as complex as botnets cannot be addressed without partnerships. Microsoft's philosophy to fighting botnets is simple: We aim for their wallets. Cyber criminals operate botnets to make money. We disrupt botnets by undermining cyber criminals' ability to profit from their malicious attacks. 
Microsoft draws on our deep technical and legal expertise to develop carefully planned and executed operations that disrupt botnets pursuant to court-approved procedures. In general terms, Microsoft asks a court for permission to sever the command-and-control structures of the most destructive botnets. This breaks the connection between the botnets and the infected computers to control. Traffic generated by infected computers is either disabled or routed to domains controlled by Microsoft where the IP addresses of the victims can be identified. Now, privacy is a fundamental value in Microsoft's anti-botnet actions. When we execute an operation, we are required to work within the bounds of the court order. We never have access to email or other content of victim communications from infected computers. Instead, Microsoft receives the IP address used by the infected computers to identify the victims. We give domestic IP addresses to Internet service providers in the United States so they can alert their customers directly. We give the rest to the Computer Emergency Response Teams, commonly referred to as ``CERTS,'' in countries where those victims are located. The owners are then notified of the infections and offered assistance in cleaning their computers. In summary, through the course of anti-botnet operations, Microsoft has worked with partners to protect millions of people and their computers against malicious cyber criminals. This has led to the disruption and shutdown of some of the most menacing threats to public trust and security on the Internet. Cyber criminals continue to evolve their tactics. They keep developing more sophisticated tools to profit from the online chaos that they themselves create. We remain firmly committed to working with other companies and law enforcement to disrupt botnets and make the Internet a more trusted and secure environment for everyone. Thank you for your time, Senator, and I am happy to answer any questions you may have. 
[The prepared statement of Mr. Boscovich appears as a submission for the record.] Chairman Whitehouse. Ms. McGuire. STATEMENT OF CHERI F. McGUIRE, VICE PRESIDENT, GLOBAL GOVERNMENT AFFAIRS AND CYBERSECURITY POLICY, SYMANTEC CORPORATION, MOUNTAIN VIEW, CALIFORNIA Ms. McGuire. Chairman Whitehouse, thank you for the opportunity to testify today. I am especially pleased to be here with you again to focus attention on botnets and cybercrime and how industry and Government are working together to address these serious issues. As the largest security software company in the world, Symantec protects much of the world's information, but botnets today are the foundation of the cyber criminal ecosystem. And as was discussed earlier, the uses for malicious botnets are only limited by the imagination of the criminal botmasters. These can range, as you mentioned, from distributed denial-of-service attacks to Bitcoin mining to distribution of malware and spam. Botmasters also rent out their botnets as well as use them for stealing passwords, credit card data, intellectual property, or other confidential information, which is then sold to other criminals. Until now, virtually all botnets have been networks of infected laptop and desktop computers. However, in the past few years we have seen botnets made up of mobile devices, and we fully expect that the coming ``Internet of Things'' will bring with it a future of ``thingbots,'' ranging from appliances to home routers to video recorders--and who knows what else. Taking down a botnet is technically complex and requires a high level of expertise. But despite these obstacles, law enforcement and the private sector working together have made significant progress in the past several years. Symantec's work to bring down the ZeroAccess botnet, one of the largest botnets in history at 1.9 million infected devices, is a good example of how coordination can yield results. 
ZeroAccess was designed for click fraud and Bitcoin mining, with an estimated economic impact of tens of millions of dollars lost per year. And the electricity alone to run that botnet cost as much as $560,000 per day. One year ago today, Symantec began to sinkhole ZeroAccess infections, which quickly resulted in the detachment of more than half a million bots. This meant that these bots could no longer receive any commands and were effectively unavailable to the botmaster for updating or installing new revenue generation malware. Another significant win came last month with the major operation against the financial fraud botnet Gameover Zeus, as several witnesses have testified to. As part of this effort, Symantec worked in a broader coalition to provide technical insights into the operation and impacts of this botnet. As a result, authorities were able to seize a large portion of the criminals' infrastructure. In our view, the approach used in the Gameover Zeus operation was the most successful to date and should serve as a model for the future. A group of more than 30 international organizations from law enforcement, the security industry, academia, researchers, and ISPs all cooperated to collectively disrupt this botnet. This successful model of public and private cooperation should be repeated in the future. While ZeroAccess and Gameover Zeus were successes for law enforcement and industry, there are undoubtedly more criminal rings operating today. Unfortunately, there are just not enough resources. As you said, so many botnets, so little time. As criminals migrate online, law enforcement needs more skilled personnel dedicated to fighting cybercrime. At Symantec, we take numerous steps to assist victims of botnets and cybercrime and to aid law enforcement around the world. In the interest of time, I will mention only victimvoice.org, a new online assistance program that we unveiled in April with the National White Collar Crime Center. 
This site helps cybercrime victims file complaints and understand the investigation process. And in particular, I would like to thank you again, Senator Whitehouse, for your support and participation in that launch. It has already helped many victims of cybercrime. To combat botnets and cybercrime, cooperation is key. In the private sector, we need to know that we can work with Government and industry partners to disrupt botnets without undue legal barriers. To be clear, I am not talking about a blank check. But consistent with privacy protections and legal parameters, we need to be able to share cyber threat information and coordinate our efforts quickly. Information-sharing legislation will go a long way to do this. But it also must address the considerable privacy concerns and must include a civilian agency lead and data minimization requirements for both the Government and industry. Last, the laws governing cybercrime should be modernized. In the U.S., we need to amend laws such as the Electronic Communications Privacy Act, the CFAA, and others that were written before our modern Internet and e-commerce was envisioned. In addition, Mutual Legal Assistance Treaties and their process that allows governments to cooperate take far too long to address the real-time nature of international cybercrime and should be streamlined. As this Subcommittee knows so well, we still face significant challenges in our efforts to take down botnets and dismantle cybercrime networks. But while there remains much work to be done, we have made progress. At Symantec, we are committed to improving online security across the globe, and we will continue to work collaboratively with our customers, industry, and governments on ways to do so. Thank you again for the opportunity to testify today, and I will be happy to answer any questions you may have. [The prepared statement of Ms. McGuire appears as a submission for the record.] Chairman Whitehouse. Thank you, Ms. 
McGuire, and thank you for Symantec's leadership in this area. I am going to briefly recess the hearing and then return. We have a vote on the Senate floor that started 15 minutes ago, and I have 15 minutes to get there and vote, so I have zero time. But with any luck, that means I can get over there, vote, vote on the next vote, and then come right back. And then we will be able to proceed in uninterrupted fashion. So please just relax in place. It probably is going to be 5 to 10 minutes, and we will resume. Thank you. [Whereupon, at 3:28 p.m., the Subcommittee was recessed.] [Whereupon, at 3:45 p.m., the Subcommittee reconvened.] Chairman Whitehouse. All right. The hearing will come back to order. I appreciate everybody's courtesy while I got those two votes done. And now, Dr. Vixie, we welcome your testimony. We welcome you here. Please proceed. STATEMENT OF PAUL VIXIE, Ph.D., CHIEF EXECUTIVE OFFICER, FARSIGHT SECURITY, SAN MATEO, CALIFORNIA Mr. Vixie. Thank you, Mr. Chairman. Thank you for inviting me to testify on the subject of botnets. I am speaking today in my personal capacity based on a long history of building and securing Internet infrastructure, including domain name system infrastructure. I am also here at the behest of the Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG), a nonprofit Internet security association whose international membership is actively working to improve the Internet security condition worldwide. Let me start by reviewing some successful botnet takedowns in recent years, since they may prove instructive. They are successes, after all. In 2008 the Conficker worm was discovered, and by mid-2009 there were over 10 million infected computers participating in this botnet. That was the largest to that time. 
I had a hands-on-keyboard role in operating the data collection and measurement infrastructure for the takedown team, in which competing commercial security companies and Internet service providers--most of which were members of M3AAWG--cooperated with each other and with the academic research and law enforcement communities to mitigate this global threat. Then in 2011, the U.S. Department of Justice led ``Operation Ghost Click'' in which a criminal gang headquartered in Estonia was arrested and charged with wire fraud, computer intrusion, and conspiracy. The DNS Changer botnet included at that time at least 600,000 infected computers, and the mitigation task was made complicated by the need to keep all of these victims online while shutting off the criminal infrastructure the victims depended on. My employer was the court-appointed receiver for the criminal's Internet connectivity and resources, and I personally prepared, installed, and operated the replacement DNS servers necessary for that takedown. In each of these examples we see an ad hoc public-private partnership in which trust was established and sensitive information, including strategic planning, was shared without any contractual framework. These takedowns were so-called handshake deals where personal credibility, not corporate or government heft, was the glue that held it together and made it work. And in each case the trust relationships we had formed as members of M3AAWG were key enablers for rapid and coherent reaction. Each of these takedowns is also an example of modern multilateralism in which intent, competence, and merit were the guiding lights. The importance of multilateralism cannot be overemphasized. We have found that when a single company or a single agency or nation goes it alone in a takedown action, the result has usually been catastrophe, because the Internet is richly interdependent and many of the rules governing its operation are unwritten. 
Now, the ad hoc nature of these public-private partnerships may seem like cause for concern, but I hope you will consider the following: First, this is how the Internet was built and how the Internet works. Second, this is how criminals work with other criminals. We would not get far by trying to solve these fast-evolving global problems with top-down control or through Government directives and rules.

Let me explain what makes botnets possible. As you yourself pointed out in your opening remarks, a botnet is literally a network of robots, where by ``robot'' we mean a computer that has been captured and made to run software neither provided by the computer's maker nor authorized or installed by its owner. Every Internet-connected device has some very complex software including an operating system, installed applications, and so forth. The only hard and fast requirement for any of this software is interoperability, meaning it merely has to work.

Now, the cost of the Internet's spectacular growth is that much of the software we run was not adequately tested. The challenge for the Internet is that today there is perhaps more assurance that a UL-listed toaster oven will not burn down our house than there is that some of our vastly more expensive and powerful Internet-connected devices are insulated from becoming a tool of online criminals. These are consumer devices in a competitive and fast-moving market, so time to market is often the difference between success and bankruptcy.

This is a very brief overview, and I would like to leave you with the following thoughts:

Number one, the Internet is the greatest invention in recorded history, in my opinion, in terms of its positive impact on human health, education, freedom, and on every national economy.
Number two, the Internet is also the greatest invention in recorded history in terms of its negative impact on human privacy and freedom, as evidenced by the massive and continuing intrusions that have been described here today.

Number three, our democratic commitment to the rule of law has very little traction on the Internet compared to how it works in the real world. The Internet is borderless, and yet it carries more of the world's commerce every year.

Number four, takedown of criminal infrastructure, including botnets, must be approached not just as reactions after the fact but also as prevention by attacking underlying causes.

Number five, the U.S. Department of Justice is the envy of the world in its approach to takedown and its awareness of the technical and social subtleties involved, and I want to give a special nod to NCFTA, a public-private partnership with strong FBI ties, located in Pittsburgh.

Number six, and finally, no legislative or regulatory relief is sought in these remarks. The manner in which Government and industry have coordinated and cooperated on botnet takedown efforts has underscored the effectiveness of public-private partnerships as currently practiced in this field.

Mr. Chairman, this concludes my oral statement. Thank you for this opportunity to speak before you, and I would be happy to answer your questions.

[The prepared statement of Mr. Vixie appears as a submission for the record.]

Chairman Whitehouse. Thank you very much. Finally, Mr. Spiezle. But before I let you begin your statement, my apologies for the mispronunciation earlier. And let me also say that, without objection, everybody's complete statements will be made a part of the record, and I appreciate the abbreviated version that allows the testimony to proceed expeditiously at the hearing.

STATEMENT OF CRAIG D. SPIEZLE, EXECUTIVE DIRECTOR AND FOUNDER, ONLINE TRUST ALLIANCE, BELLEVUE, WASHINGTON

Mr. Spiezle. Thank you very much.
Chairman Whitehouse, Ranking Member Graham, and Members of the Committee, thank you for the opportunity to testify before you today. I also would like to thank you for your leadership in focusing attention to this important topic which is impacting users and businesses throughout this country.

My name is Craig Spiezle, and I am the executive director and president of the Online Trust Alliance. OTA is a global nonprofit, with the mission to enhance online trust and empower users, while promoting innovation and the vitality of the Internet.

Botnets pose a significant risk to businesses and governments, and one of my specific concerns is the impact to small and medium businesses that are often defenseless. Increasingly bots are deploying loggers, malvertising, and ransomware driving identity theft and bank account take-overs and holding users and their data hostage.

It is important to recognize that fighting bots is not a domestic issue. Criminals are leveraging the jurisdictional limitations of law enforcement and often operate with impunity. Left unabated, they are a significant threat to our Nation's critical infrastructure and to our economy.

In my brief testimony, I will touch on five key areas: status of industry efforts, a holistic anti-bot strategy, the role and issues of takedowns, the role of data sharing, and the importance of privacy safeguards.

I should note efforts to combat botnets have been embraced by a range of public and private efforts. An example is the FCC's Communications Security, Reliability and Interoperability Council (CSRIC), which last year developed a voluntary Anti-Botnet Code of Conduct for ISPs. This is a first step and example of the industry's ability to self-regulate.

In parallel, the OTA has facilitated several multi-stakeholder efforts, bringing in leaders throughout the world. We have published specific remediation and notification best practices and anti-bot guidelines for hosters and cloud service providers.
The initial adoption of these practices is now paying dividends helping to protect users' data and their privacy.

Fighting botnets requires a global strategy. As outlined here in Exhibit A, OTA advocates a six-pronged approach: (1) framework, (2) prevention, (3) detection, (4) notification, (5) remediation, and (6) recovery. Within each one of these, we have outlined a partial list of tactics, which underscores the increased need for collaboration, research, and data sharing between both the public and private sectors. In the bottom of this slide, it points out the role of consumers and education. We need to help them update their device and look to how we can help educate them on the risks of botnets.

As outlined, law enforcement is an important part here as well, and it serves three major functions: disrupting cyber criminals, gathering intelligence, and bringing criminals to justice. But law enforcement cannot act on this alone. A trusted partnership is required, and progress has been made with industry leaders, including Microsoft, Symantec, and others.

But takedowns need to be taken with respect to three major considerations: one, the risk of collateral damage; two, the errors in identifying targets for mitigation; and, three, the importance of respecting users' privacy. For example, when taking down a web hoster because they have a handful of bad customers, there is a risk of collateral damage. At the same time, service providers cannot hide behind bad actors, and they must take steps to prevent the harboring of such criminals.

It is also important to note that all anti-abuse and security tactics run similar risks. The anti-spam community often blocks legitimate senders. Web browsers can misidentify phishing sites and AV solutions can mistakenly block downloads. Recognizing these possibilities, risk assessment procedures must be pre-established with processes in place to remediate any unintended impact.
Data sharing has the promise of being one of the most impactful tools in our arsenal, yet it must be reciprocal. Collaboration is required in all sectors, including retail, financial services, and advertising. In this void, criminals move from one industry to another, sending malicious spam one day and perpetrating click fraud and malvertising the next.

The privacy landscape is also rapidly evolving, creating perceived obstacles to data sharing. Privacy needs to be at the foundation of all fraud prevention and data-sharing practices. I believe these can be easily addressed. When data is used and collected for threat detection, entities should be afforded a ``safe harbor.'' Conversely, industry needs assurances that law enforcement will not use any data for any other purposes.

As Exhibit A outlines, every stakeholder has a responsibility. Progress has been made, but a renewed commitment needs to be required by all stakeholders. As the Internet of Things, mobile, the smart grid, and wearable technologies become prevalent, we need to look beyond the desktop.

In summary, it is important to recognize that there is no absolute defense. Both the public and private sectors need to increase investments in data sharing and adopt privacy-enhancing practices while finding new approaches to work with law enforcement and expand international cooperation. Working together we can make the Internet more trustworthy, secure, and resilient.

Thank you, and I look forward to your questions.

[The prepared statement of Mr. Spiezle appears as a submission for the record.]

Chairman Whitehouse. Thank you very much, Mr. Spiezle, and thank you all. Let me start with a question that I will ask each of you for the record, which means if you could provide a written response, and that is that, as you have heard, Senator Graham and I are working on legislation in this area.
As you heard from the first panel, the Department of Justice and the Federal Bureau of Investigation have a number of suggestions. I would like to ask you to provide your comments, if any, to the suggestions that have been made so far and add any suggestions that you may have of your own for this legislation so that we can build a good legislative record to support our proposal going forward.

[The information referred to appears as a submission for the record.]

Chairman Whitehouse. I am also interested in your thoughts. As a lay person, it strikes me that botnets are becoming more dangerous, that their capabilities are growing. My first exposure to botnets was when they were spam propagators, and then they became distributed denial-of-service vectors to swamp individual websites. But now they seem--so many additional capabilities have been listed in this hearing, right up to and including having people spy on you through your webcam on your computer while you are going about your business and tracking your keystrokes individually so that they can know your passwords and have access to your accounts. Is my lay reading that botnets are becoming more dangerous or the criminals behind them are learning more dangerous capabilities a correct one? And what do you think the rate is of that change, if I am correct? Let me start with Mr. Boscovich.

Mr. Boscovich. Yes, Senator, I think the observation is correct. I think that we are seeing an ever-changing sophistication on the part of cyber criminals. I would like to point out one particular case which really demonstrates how creative cyber criminals are, and in this particular case, which was the Bamital case, if my memory serves me correctly, one of our industry partners was Symantec on that case. It was a case in which the botherders had actually developed code which actually took a step backward.
And one of the reasons why they did that is because technical countermeasures that had been put in place by Bing, Google, and other companies to detect click fraud relied upon a certain type of algorithm. The criminals understood that, and they had to reintroduce a human element into their code. In essence, what they did is that they have changed their code, and they took one step back to take two steps forward in such a way that now the user would actually be using his mouse or her mouse, and while he or she thought he was actually clicking or looking for something, the reality was that they were, in fact, clicking on ads that the user was not even seeing, was appearing behind the screen that they were looking at, introducing a certain variation that was consistent with human behavior. So the observation that criminals are, in fact, always learning, always changing, is an accurate one, and I think this example really underscores how sophisticated these cyber criminals are.

Chairman Whitehouse. And in both dimensions. I mean, in terms of if you view a botnet as an infrastructure for criminal activity, it is one that has to be maintained and groomed, and they are getting more sophisticated at that. They are also getting more sophisticated at the type of criminal payload, if you will, that they deliver through that botnet as well. Is that correct, Ms. McGuire?

Ms. McGuire. That is correct. I think your summary is quite accurate, that these have begun to progress and become much more sophisticated over the last 5 years. For example, the type of technology or infrastructure that they are using now, moving from central command and control, simple command and control servers to peer-to-peer networks, which are much more difficult to take down because of their complexity, is the type of morphing that we are seeing by the cyber criminals to use all avenues at their availability.

Chairman Whitehouse. Dr. Vixie, you mentioned that in the face of this threat, prevention was something that we should be looking at, and you used the phrase in your testimony ``underlying causes,'' that we should be prepared to address the underlying causes that allow this to occur even before the harm of a particular botnet is made manifest. What did you mean by ``underlying causes''? And what would you recommend, if anything, that we do to get ahead of this more by going after those underlying causes, as you have defined them?

Mr. Vixie. I think that the reason that botnets have gotten stronger is because our computers have gotten stronger, better CPUs, more memory, more storage, et cetera. Our network has also gotten stronger, so it is possible to get a lot more work done with each computer you steal now compared to 5 years ago or 5 years before that.

If we wanted to start kicking the dependencies under botnets, we would need to somehow address the lack of testing. I mentioned in my written remarks that this last week there was an Internet of Things, I think it was a wireless light bulb that has a terrible security flaw in it, and I understand how that can happen. I have tried to get things--software products out the door myself, and it is difficult to say let us hold it back for another couple of weeks while we try to attack it every which way. Really what you want to do is get it out there and put it in customers' hands and so forth. That is not going to work. We have got to find a way to test this software the way the bad guys do. We have to do the so-called Red Team test where you try to break in, and if you can, you get some sort of internal prize. We have got to find a way to encourage that.

Chairman Whitehouse. So when electricity was the new technology and people were trying to get stuff out the door that caught fire if you left it on too long, as you pointed out, with respect to the toaster, Underwriters Laboratories was established to make sure that appliances met basic standards, and as a result, toaster fires and things like that have not been a very prominent concern for Americans for quite some time. Do you think that an equivalent to an Underwriters Laboratories is possible on the Internet? And how would you see it as being overseen?

Mr. Vixie. I do not think a direct equivalent is possible. When you are doing this kind of testing, you are looking for combinations and permutations of sort of how you set the knobs, what you put in the toaster, other conditions. And, you know, every one of those conditions is a state variable, and the problem is that my laptop has more complexity of that kind than all the computers on the planet had 30 years ago. And so coming up with a direct analog of the way UL tests our electric devices I think is misleading. I think standards in software development, standards in testing, possibly getting away from some of the older programming languages that almost encourage the type of defects that we see in our monthly updates are going to be better approaches. But I do want to say----

Chairman Whitehouse. How would those approaches be administered?

Mr. Vixie. Excuse me?

Chairman Whitehouse. How would those proposals be best administered? Through the Government? Through the Internet governance system? Through a rating that you can advertise you have on your product if you have been through it voluntarily?

Mr. Vixie. In that sense, the Underwriters Laboratories system is perfect because it is voluntary. If you want to sell a device that is not listed, then that is up to you. And if people would not buy as many--if fewer people want to buy it because it does not have that stamp, that is up to them.
So I think there is room for someone to step into that role, but it is not a Government role.

Chairman Whitehouse. Got you. And, Mr. Spiezle, you said that you felt that there were steps that consumers, individuals, could take to better acquaint themselves with this threat and to better protect themselves from this threat. What would your recommendations be? This seems like such a giant and complex and very high tech type of crime, and if you are an innocent user of your own computer going about your own business and doing what you are good at, which may not be anything to do with computers, how can you--what sensible steps should people be thinking about who are not computer whizzes to defend themselves and their computers?

Mr. Spiezle. Let me clarify. My point is that we all have a shared responsibility, not unlike driving a car. We have a responsibility of driving safely. We need to make sure our car is maintained and we have new tires on it. That was the point there. I think realistically, though, education has a limited effect here. These attacks are--social engineering exploits are very hard to identify. They are drive-by, so just by their very nature of going to a trusted website that someone types in a URL, there can be malicious ads served on them. So it is a shared responsibility, but I do not put the faith that education is going to be the solution, but it should be one part.

I do want to address one point in your original question about the sophistication. Clearly, in the technical aspect, botmasters are more and more sophisticated. They are leveraging big data, data mining capability and analytics. So that adds to the profitability. Their ability to use that data, append data from other sources, and then trade in the underground economy makes it very profitable. They have become very nimble, become good marketers in a sense, and they are learning from business. So those are some of the challenges we must address.

Chairman Whitehouse. Two final questions. The first is that many of the perpetrators in this area are foreigners, and we are obviously going to work with the Department of Justice and the Federal Bureau of Investigation to make sure that they have the capabilities that they need to be as strong as they can be in terms of pursuing foreign criminals. But none of you are involved as law enforcement officials. You are involved representing private companies and organizations, and in that sense, when you bring a civil action to close down a botnet, you may have civil remedies against individuals overseas that are different than what a prosecutor would be looking at. Are there recommendations that you would have as to how we could strengthen overseas enforcement against the individuals and organizations that are running the botnets that would supplement just the technical capability to take down the botnets? Let me start with you, Mr. Boscovich.

Mr. Boscovich. Well, Senator, I think that obviously as a private company, as you mentioned, our main sphere of influence is only using the civil process, and even in the civil process, once we get default judgments, there actually is a procedure in which we could seek to, for example, localize a U.S. judgment overseas. But it is a complex and lengthy process. In all of the actions that we take with our partners, we then go ahead and always refer the cases and the evidence that is the basis of the information that we arrive at through the civil process to law enforcement. The process that law enforcement uses, of course, has been around for quite some time, and I believe some of the representatives of DOJ and the FBI were here earlier today, and they made references to the MLAT process and things of that sort. And these are procedures that have been around for a very long time. And in terms of how quickly these things could turn around, there has always been a question.
I could only talk about my experiences when I was at Justice, that it does take time to turn this information request around. But from the civil perspective, I think----

Chairman Whitehouse. Particularly if the coordinating country is of two minds as to how much they want to take down this industry.

Mr. Boscovich. Well, that is why the partnership, the private and public partnership is important, because what we try to focus on, of course, is the immediate cessation of the harm to people on the Internet. And to sever that communication, to stop the harm, and then notify the victims and then try to do something to remediate and clean their computers, working through ISPs and country CERTs, that is the job that we believe we can do, and do very well, with industry partners and with the Government as well. In terms of the criminal side, I would have to defer to, you know, my former colleagues at the Justice Department.

Chairman Whitehouse. No, I was thinking more of the civil side and pursuing personal liability and accountability of foreigners who have done harm to your companies. Ms. McGuire, any thoughts on that?

Ms. McGuire. Just this week we have seen reports, for example, that Gameover Zeus, that modifications to that particular malware are already being used by a new criminal gang or perhaps the original perpetrator, who fled to Eastern Europe, to launch new criminal activity. This is the kind of thing where, if we had a faster, speedier MLAT process, we could potentially address these kinds of issues at the speed of the Internet as opposed to what I have been told by law enforcement partners can take anywhere from 6 months to never. And so those are the kinds of enhancements, modernizations to these international treaties that we really need in order to go after----

Chairman Whitehouse. Again, you are comfortable relying on the law enforcement process for that and at this point do not have any interest in pursuing civil liability on the part of your private sector companies against foreign individuals to--as a deterrent or to recover for the damages that they have caused you?

Ms. McGuire. Most of our activity is on the sharing of information and notification to both our international law enforcement and CERT partners so that they can then take the action that they need within their jurisdictions.

Chairman Whitehouse. And what have each of you seen in terms of the coordination that has been your experience between the private sector and between law enforcement? It has emerged, and it seems to me from what I hear to be in a pretty good place right now. There are a number of mechanisms through which the FBI in particular but other Federal law enforcement agencies cooperate with the private sector and exchange information and deconflict activities. I think there has been a lot of improvement there, but I would like to hear from each of you how close you think we are to what we should be doing and whether there is any specific recommendations you have. Let me start from this side, Mr. Spiezle.

Mr. Spiezle. Thank you. I think we have had great success, but I think there is a whole other layer of information sharing that we are not getting today, and we need to bring other data sources together. So more data sharing between the financial services, and certainly we are seeing progress with the FS-ISAC. We are seeing more breaches experienced in the retail sector. We get data from them. And the reason this is important is it is connecting the dots. And so it is not always just from the ISPs and other sectors. So we need to get that. We need to open the dialogue, but also to remove the burden of whether it is antitrust, the concerns of privacy, or the concerns of regulatory authorities coming after them.
So how do we open up that dialogue even domestically so we can get a higher level of granularity and telemetry from other data sources?

Chairman Whitehouse. Dr. Vixie.

Mr. Vixie. So I mentioned in my remarks that the Internet is borderless, and you mentioned in this question that the criminals are borderless, and I think that firmly points to the fact that our solutions have to be borderless. So I will say again NCFTA in Pittsburgh has a huge international outreach program. I go and do some training there of the international law enforcement community every summer. But they do it year-round, and it is a huge thing, because a lot of the other countries where the cybercrime is originating right now do not have the capability to train their people locally. They do not necessarily have the budget for the tools that are needed and so forth. So I think I really want to encourage more outreach of that kind, possibly not just by NCFTA but by other U.S. agencies who are leading in the world.

I do not have an answer for civil lawsuits. I know that it can be used if you are trying to get at somebody and you do not know who they are. You can often get a court order using a John Doe. But it is messy, and it has not really produced consistent results.

Chairman Whitehouse. Ms. McGuire.

Ms. McGuire. I would also echo that the NCFTA is a terrific organization, particularly on the international front, as well as working with industry and between law enforcement partners and Government agencies. But in particular to your question on information sharing and has it gotten better with the FBI and the Department of Justice, we have seen significant improvements, frankly, over the last 2 years in our ability to work with them, their responsiveness to the information that we are sharing with them about indicators of compromise, about just the process that they are using.
And as I think I mentioned earlier, Gameover Zeus we think is the best example so far where they reached out to more than 30 international organizations, including industry, governments, researchers, ISPs, brought all of them together so that collectively we could be ready and work the takedown once the injunctions and the appropriate actions were taken. So that is, I think, the model----

Chairman Whitehouse. The borderless response, to Dr. Vixie's point.

Ms. McGuire. Yes, borderless response, exactly. And I think that is the model we need to work toward in the future, and we have one now as a proof point for the future.

Chairman Whitehouse. Mr. Boscovich, last thoughts.

Mr. Boscovich. I think deconfliction is one of the key components of a successful private-public partnership, and in cases such as Citadel, Gameover Zeus, and more recently the Shylock-Capshaw operation recently that went down in Europe is a perfect example of public-private partnerships, civil process complementing criminal process, all while stopping the harm immediately, working to help the victims, yet at the same time allowing the criminal side to do what they do best, the deterrent effect, going out and arresting individuals. And I think that we have come a long way in getting at that sweet spot where we now have an appropriate mechanism by which we share information, where we deconflict with law enforcement, both domestically and internationally, to achieve the greatest impact possible in these takedowns.

Chairman Whitehouse. Thank you very much. A final good word to Microsoft, just lawyer to lawyer.
You were among the earliest companies--probably all three of you were involved over the years; a lot of people were connected to Microsoft here--in the first civil takedowns, and just as a lawyer, to read those early complaints and see the statutory grounds based on very modern, complicated electronic privacy statutes, and at the same time doctrines of English common law that were transplanted to America when we formed our country and that are part of the common law history dating back to the 1400s side by side as a separate count, it was--it must have been a lot of fun. It was terrific legal work, and it had a wonderful effect. So I compliment you on it.

And I assume that you would want--you know, we are legislators, and so we think about legislating. It is like the story about the hammer. Every solution that a hammer sees requires a nail. And so we tend to think in terms of new and amended statutes. But I gather you would want to make sure that we left room for traditional common law remedies to maintain themselves as a part of the repertoire here and to allow the natural development that the common law permits. Is that fair to say?

Mr. Boscovich. Absolutely, Senator. One of the beauties behind the common law system is its ability to adapt constantly to new facts. And what we are looking at here is a threat which is constantly adapting, something that is always moving, always morphing. And the beauty behind common law and trespass to chattels, tortious interference with a contractual relationship, these are theories that we could use over and over again and are part of a system that in it at its core is able to adapt quickly. So, yes, I think that I would love to see the standard common law principles remain intact as we tackle these. Now, having said that, it does not mean that there is not always room for improvement in both present statutes and potentially even new statutes.
And we would gladly take a look at any type of amendment and/or proposed legislation that Congress and yourself may have and give our comments so that you could have the best insight possible, from us at least.

Chairman Whitehouse. Well, certainly when they first came up with trespass upon chattels, it was well before anybody had an inkling there could ever be an Internet, so that certainly has been a lasting doctrine.

Let me thank all of the witnesses for this hearing. I appreciate very much your input. I look forward to the responses to the question for the record. I think that we have a very strong, bipartisan group of Senators who are very interested in this issue and are looking forward to coming up with legislation that can pass and help you all in your important pursuits to protect our economy and your clients and your companies from the kind of attacks that we are seeing, largely from overseas. So Godspeed to you all in your work. Thank you very much for what you have done and for your testimony today.

We will keep the record open for 1 week for anybody who cares to add anything to the record and for those question-for-the-record responses to come in. And, with that, we are adjourned.

[Whereupon, at 4:24 p.m., the Subcommittee was adjourned.]

[Additional material submitted for the record follows.]

A P P E N D I X

Additional Material Submitted for the Record

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]