Chairman Gregg and other Members of the Subcommittee, I want to thank you for this opportunity to testify on our efforts to combat the growing problem of cybercrime, particularly in light of the recent denial-of-service attacks on several major Internet sites.
Need for Five-Year Strategy
The recent attacks demonstrate the importance of developing a long-term, coordinated strategy for dealing with cybercrime. The strategy must address the challenges we face, both domestically and abroad, the need for personnel with expertise and the latest cybercrime-fighting equipment, the importance of cooperation and sharing with state and local law enforcement and our international counterparts, the need for educating our young people and others about the responsible use of the Internet, and all of this must be done in a manner that respects and upholds our cherished privacy and freedoms.
Recently, I outlined a 10-point plan that identifies the key areas where we need to develop our cybercrime capability. The key points of this plan include:
Developing a round-the-clock network of federal, state and local law enforcement officials with expertise in, and responsibility for, investigating and prosecuting cybercrime.
Developing and sharing expertise - personnel and equipment - among federal, state and local enforcement agencies.
Dramatically increasing our computer forensic capabilities, which are so essential in computer crime investigations - both hacking cases and cases where computers are used to facilitate other crimes, including drug trafficking, terrorism, and child pornography.
Reviewing whether we have adequate legal tools to locate, identify, and prosecute cybercriminals. In particular, we need to explore new and more robust procedural tools to allow state authorities to more easily gather evidence located outside their jurisdictions. We also need to explore whether we have adequate tools at the federal level to effectively investigate cybercrime.
Because of the borderless nature of the Internet, we need to develop effective partnerships with other nations to encourage them to enact laws that adequately address cybercrime and to provide assistance in cybercrime investigations. A balanced international strategy for combating cybercrime should be at the top of our national security agenda.
We need to work in partnership with industry to address cybercrime and security. This should not be a top-down approach through excessive government regulation or mandates. Rather, we need a true partnership, where we can discuss challenges and develop effective solutions that do not pose a threat to individual privacy.
And we need to teach our young people about the responsible use of the Internet.
I would like to work with you, Chairman Gregg, and the Members of the Subcommittee to develop a comprehensive, five-year plan - with FY 2001 as our baseline - to prevent cybercrime and, when it does occur, to locate, identify, apprehend and bring to justice those responsible for these types of crimes.
Comments on the Recent Attacks
I would be happy to address your questions on the recent attacks, to the extent I can do so without compromising our investigation. At this point, I would simply say that we are taking the attacks very seriously and that we will do everything in our power to identify those responsible and bring them to justice. In addition to the malicious disruption of legitimate commerce, so-called "denial of service" attacks involve the unlawful intrusion into an unknown number of computers, which are in turn used to launch attacks on the eventual target computer, in this case the computers of Yahoo, eBay, and others. Thus, the number of victims in these types of cases can be substantial, and the collective loss and cost to respond to these attacks can run into the tens of millions of dollars - or more.
Overview of Investigative Efforts and Coordination
As Director Freeh will discuss, computer crime investigators in a number of FBI field offices are investigating these attacks. They are coordinating information with the National Infrastructure Protection Center (NIPC). The agents are also working closely with our network of specially trained computer crime prosecutors who are available 24 hours a day/7 days a week to provide legal advice and obtain whatever court orders are necessary. Attorneys from the Criminal Division's Computer Crime and Intellectual Property Section (CCIPS) are coordinating with the Assistant United States Attorneys in the field. We are also obtaining information from victim companies and security experts, who, like many in the Internet community, condemn these recent attacks. I am proud of the efforts being made in this case, including the assistance we are receiving from a number of federal agencies.
The Challenge of Fighting Cybercrime The recent attacks highlight some of the challenges we face in combating cybercrime. The challenges come in many forms: technical problems in tracing criminals operating online; resource issues facing federal, state, and local law enforcement in being able to undertake online criminal investigations and obtain evidence stored in computers; and legal deficiencies caused by changes in technology. I will discuss each of these briefly.
As a technical matter, the attacks like the ones we saw last week are easy to carry out and hard to solve. The tools available to launch such attacks are widely available. In addition, too many companies pay inadequate attention to security issues, and are therefore vulnerable to be infiltrated and used as launching pads for this kind of destructive programs. Once the attacks are carried out, it is hard to trace the criminal activity to its source. Criminals can use a variety of methods to hide their tracks, allowing them to operate anonymously or through masked identities. This makes it difficult - and sometimes impossible - to hold the perpetrator criminally accountable.
Even if criminals do not hide identities online, we still might be unable to find them. The design of the Internet and practices relating to retention of information means that it is often difficult to obtain traffic data critical to an investigation. Without information showing which computer was logged onto a network at a particular point in time, the opportunity to determine who was responsible may be lost.
There are other technical challenges, as well, that we must consider. The Internet is a global medium that does not recognize physical and jurisdictional boundaries. A hacker - armed with no more than a computer and modem - can access computers anywhere around the globe. They need no passports and pass no checkpoints as they commit their crimes. While we are working with our counterparts in other countries to develop an international response, we must recognize that not all countries are as concerned about computer threats as we are. Indeed, some countries have weak laws, or no laws, against computer crimes, creating a major obstacle to solving and to prosecuting computer crimes. I am quite concerned that one or more nations will become "safe havens" for cybercriminals.
Resource issues are also critical. We must ensure that law enforcement has an adequate number of prosecutors and agents - assigned to the FBI, to the Department of Justice, to other federal agencies, and to state and local law enforcement - trained in the necessary skills and properly equipped to effectively fight cybercrime, whether it is hacking, fraud, child porn, or other forms.
Finally, legal issues are critical. We are finding that both our substantive laws and procedural tools are not always adequate to keep pace with the rapid changes in technology.
Current Efforts Against Cybercrime
While these challenges are daunting, the Department has accomplished much in building the infrastructure to combat cybercrime. Director Freeh will discuss the work of the NIPC and the Computer Crime Squads established around the country. Similarly, in the Department, we have a cadre of trained prosecutors, both in headquarters and in the field, who are experts in the legal, technological, and practical challenges involved in investigating and prosecuting cybercrime.
The cornerstone of our prosecutor cybercrime program is the Criminal Division's Computer Crime and Intellectual Property Section, known as CCIPS. CCIPS was founded in 1991 as the Computer Crime Unit, and was elevated into a Section in 1996. With the help of this Subcommittee, CCIPS has grown from five attorneys in January of 1996, to eighteen attorneys today. CCIPS works closely on computer crime cases with Assistant United States Attorneys known as "Computer and Telecommunications Coordinators" (CTCs) in U.S. Attorney's Offices around the country. Each CTC is given special training and equipment, and serves as the district's expert in computer crime cases.
The responsibility and accomplishments of CCIPS and the CTC program include:
CCIPS attorneys have litigating responsibilities, taking a lead role in some computer crime and intellectual property investigations, and a coordinating role in many national investigations, such as the denial of service investigation that is ongoing currently. As law enforcement matures into the Information Age, CCIPS is a central point of contact for investigators and prosecutors who confront investigative problems with emerging technologies. This year, CCIPS assisted with wiretaps over computer networks, as well as traps and traces that require agents to segregate Internet headers from the content of the packet. CCIPS has also coordinated an interagency working group consisting of all the federal law enforcement agencies, which developed guidance for law enforcement agents and prosecutors on the many problems of law, jurisdiction, and policy that arise in the online environment.
Working with the U.S. Attorney's office in the District of New Jersey and the FBI, as well as with state prosecutors and investigators, CCIPS attorneys helped ensure that David Smith, the creator of the Melissa virus, pled guilty to a violation of the computer fraud statute and admitted to causing damages in excess of $80 million.
CCIPS is also a key component in enforcing the "Economic Espionage Act," enacted in 1996 to deter and punish the theft of valuable trade secrets. CCIPS coordinates approval for all the charges under the theft of trade secret provision of this Act, and CCIPS attorneys successfully tried the first jury case ever under the Act, culminating in guilty verdicts against a company, its Chief Executive Officer, and another employee.
The CTCs have been responsible for the prosecution of computer crimes across the country, including the prosecution of the notorious hacker, Kevin Mitnick, in Los Angeles, the prosecution of the hacker group "Global Hell" in Dallas, and the prosecution of White House web page hacker, Eric Burns, in Alexandria, Virginia.
CCIPS has spearheaded efforts to train local, state, and federal agents and prosecutors on the laws governing cybercrime, and last year alone gave over 200 presentations to a wide variety of audiences. In addition, CTCs across the country are training prosecutors and agents in their districts in a variety of fora. CCIPS also chairs the National Cybercrime Training Partnership (NCTP), a ground-breaking consortium of federal, state, and local entities dedicated to improving the technical competence of law enforcement in the information age. The NCTP has made great strides in creating a comprehensive prototype training curriculum for agents and prosecutors in a full range of infotech topics.
The borderless nature of computer crime requires a large role for CCIPS in international negotiations. CCIPS chairs the G-8 Subgroup on High-tech Crime, which has established a 24 hours a day/7 days a week point of contact with 15 countries for mutual assistance in computer crime. CCIPS also plays a leadership role in the Council of Europe Experts' Committee on Cybercrime, and in a new cybercrime project at the organization of American States.
Infrastructure Protection, Policy and Legislation
CCIPS provided expert legal and technical instruction and advice for exercises and seminars to senior personnel on information warfare, infrastructure protection, and other topics for the Department of Defense, the National Security Agency, the Central Intelligence Agency, and others. Further, the Naval War College invited CCIPS to give a featured presentation at a high-level, invitation-only conference on cyberwarfare and international law. CCIPS also led the Department's efforts to counter cyberterrorism through its work on PDD-63, the Five-Year Counterterrorism Strategy, its support to the National Infrastructure Protection Center.
CCIPS works on a number of policy issues raised at the intersection of law and technology. CCIPS attorneys meet regularly with a number of industry groups to discuss issues of common concerns, and helped establish the Cybercitizen Partnership in cooperation with high-tech industries to help identify industry expertise which may be needed in a complex investigation, to initiate personnel exchanges and to help safeguard our children.
CCIPS attorneys propose and comment on legislation that affects their high-tech mission.
Other Sections of the Criminal Division - including the Fraud Section, the Child Exploitation and Obscenity Section, and the Terrorism and Violent Crime Section - are responding as crimes within their areas of expertise move online.
Overall, the Department has the prosecutorial infrastructure in place to combat cybercrime. We need the resources to keep the program growing to keep pace with the growing problem.
Additional Resources and Tools Are Needed
We appreciate the Subcommittee's support for many of the efforts described above, but I also need your help to refocus resources provided for FY 2000. The level of funding provided in the FY 2000 enacted appropriation for the General Legal Activities (GLA) appropriation is insufficient to cover the base program needs of all the litigating components funded from GLA, with the exception of the Civil Rights Division. In particular, the specific amounts provided to the Criminal Division's has serious implications for the Division's ability to support its computer crime efforts.
Yesterday, we submitted a request to reprogram resources appropriated to GLA which would make base resources funding available to all the GLA accounts.
We especially need full base funding restored to the Criminal Division in order to avoid a reduction Criminal Division staffing by 83 positions, including critical positions in the Computer Crime and Intellectual Property Section.
We must have prosecutors, both in the field and here, in Washington, to deal with cybercrime investigations.
The Division has shifted more of its resources than ever to combat cybercrime. Attorneys in the Fraud Section are now focusing on internet fraud cases, attorneys in the Child Exploitation and Obscenity Section are doing more to combat online child pornography. We simply cannot support the demand for more anti-cybercrime positions at our current funding level.
For FY 2001, 1 am asking for $37 million in funding enhancements to expand the Department's staffing, training and technological capabilities to continue the fight against computer crime. These enhancements include:
$5.094 million for 59 new Assistant U.S. Attorneys and 9 additional attorneys in the Criminal Division to prosecute computer and child pornography crimes, and to provide guidance to federal, state and local agencies on effective responses to the threat of computer crime.
$8.75 million to provide critically needed computer crime investigation and prosecution training to state and local law enforcement agencies.
$11.4 million for 100 new FBI Computer Analysis and Response Team (CART) members who will be dispatched to support investigations into computer related crimes, as well as expanding the use of the Automated Computer Examination System, which aids in computer forensics examinations.
Finally, we intend to enhance law enforcement's ability to deal with evidence available on computers by developing up to 10 new Regional Computer Forensic Labs.
Together, these enhancements will increase the Department's 2001 funding base for computer crime of $138 million, 28 percent more than in 2000.
We also need to consider additional tools to locate and identify cybercriminals. For example, we may need to strengthen the Computer Fraud and Abuse Act by closing a loophole that allows computer hackers who have caused a large amount of damage to a network of computers to escape punishment if no individual computer sustained over $5,000 worth of damage. We may also need to update our trap and trace laws, under which we are able to identify the origin and destination of telephone calls and computer messages. Under current law, in some instances we must obtain court orders in multiple jurisdictions to trace a single communication. It might be extremely helpful, for instance, to provide nationwide effect for trap and trace orders.
We must also ensure that in upgrading our computer-crime fighting laws, we ensure that appropriate privacy safeguards are maintained and, where possible, strengthened. For example, recent investigations have revealed serious violations of privacy by hackers, who have obtained individual's personal data, such as credit cards and passwords. An increase in the penalty for violations of invasions into private stored communications may be appropriate. We would like to work with Congress to develop a thoughtful and effective package of tools that allow us to keep pace with cybercriminals, update the laws that allow us to locate and identify cybercriminals, and ensure that privacy safeguards are respected and, where possible, strengthened.
Finally, I believe one important answer lies in educating our youth and others in society, that computer hacking is not only illegal, but ethically wrong. Most of us know that we should not break into a neighbor's house or read his mail, but many have not applied these same values to their online activities. Last April, I announced that the Department, along with the Information Technology Association of America had formed the Cybercitizen Partnership, a national campaign to educate and raise awareness of computer responsibility. We hope the Partnership will announce a nationwide public awareness and education campaign in the near future.
I look forward to working with the Subcommittee to ensure we have a robust and effective long-term strategy for combating cybercrime, protecting our nation's infrastructure, and ensuring that the Internet reaches its full potential for expanding communications, facilitating commerce, and bringing countless other benefits to our society.