Good morning, Mr. Chairman, Senator
Feinstein, and Members of the Subcommittee. I am privileged
to have this opportunity to discuss cybercrime -- one of the
fastest evolving areas of criminal behavior and a significant
threat to our national and economic security.
Twelve years ago the "Morris
Worm" paralyzed half of the Internet, yet so few of us were
connected at that time that the impact on our society was minimal.
Since then, the Internet has grown from a tool primarily in
the realm of academia and the defense/intelligence communities,
to a global electronic network that touches nearly every aspect
of everyday life at the workplace and in our homes. The recent
denial of service attacks on leading elements of the electronic
economic sector, including Yahoo!, Amazon.com, Buy.com, eBay,
E*Trade, CNN, and others, had dramatic and immediate impact on
many Americans. As Senator Bennett recently stated, "these
attacks are only the tip of the iceberg. They are the part of
the iceberg that is visible above the water, in clear view. But
as everyone knows, the largest part of the iceberg, and possibly
the most dangerous, lies beneath the surface of the water and
is difficult to detect. This is true also with the range of
threats to the Internet and those that rely upon it."
I would like to acknowledge the
strong support this Subcommittee has provided to the FBI over
the past several years for fighting cybercrime. Senator Kyl's
strong support for vital cyber crime legislation such as the
National Infrastructure Protection Act of 1996 and the Schumer-Kyl
bill strengthening 18 U.S.C. 1030 is greatly appreciated. Senator
Kyl and this committee have also been the strongest supporters
of our National Infrastructure Protection Center. For that support,
I would like to say thank you.
In my testimony today, I would
like to first discuss the nature of the threat that is posed
from cybercrime and highlight some recent cases. Then I will
comment on our use of 18 U.S.C. 1030 in fighting cybercrime and
say a few words about the Schumer-Kyl bill. Finally, I would
like to close by discussing several of the challenges that cybercrime
and technology present for law enforcement.
Cybercrime Threats Faced by Law Enforcement
Before discussing the FBI's programs
and requirements with respect to cybercrime, let me take a few
minutes to discuss the dimensions of the problem. Our case load
is increasing dramatically. In FY 1998, we opened 547 computer
intrusion cases; in FY 1999, that had jumped to 1154. At the
same time, because of the opening of the National Infrastructure
Protection Center (NIPC) in February 1998, and our improving
ability to fight cyber crime, we closed more cases. In FY 1998,
we closed 399 intrusion cases, and in FY 1999, we closed 912
such cases. However, given the exponential increase in the number
of cases opened, cited above, our actual number of pending cases
has increased by 39%, from 601 at the end of FY 1998, to 834
at the end of FY 1999. In short, even though we have markedly
improved our capabilities to fight cyber intrusions, the problem
is growing even faster.
A few days ago the Computer Security
Institute released its fifth annual "Computer Crime and
Security Survey." The results only confirm what we had
already suspected given our burgeoning case load, that more companies
surveyed are reporting intrusions, that dollar losses are increasing,
that insiders remain a serious threat, and that more companies
are doing more business on the Internet than ever before.
The statistics tell the story.
Ninety percent of respondents detected security breaches over
the last 12 months. At least 74 percent of respondents reported
security breaches including theft of proprietary information,
financial fraud, system penetration by outsiders, data or network
sabotage, or denial of service attacks. Information theft and
financial fraud caused the most severe financial losses, put
at $68 million and $56 million respectively. The losses from
273 respondents totaled just over $265 million. Losses traced
to denial of service attacks were only $77,000 in 1998, and by
1999 had risen to just $116,250. Further, the new survey reports
on numbers taken before the high-profile February attacks against
Yahoo, Amazon and eBay. Finally, many companies are experiencing
multiple attacks; 19% of respondents reported 10 or more incidents.
Over the past several years we
have seen a range of computer crimes ranging from defacement
of websites by juveniles to sophisticated intrusions that we
suspect may be sponsored by foreign powers, and everything in
between. Some of these are obviously more significant than others.
The theft of national security information from a government
agency or the interruption of electrical power to a major metropolitan
area have greater consequences for national security, public
safety, and the economy than the defacement of a web-site. But
even the less serious categories have real consequences and,
ultimately, can undermine confidence in e-commerce and violate
privacy or property rights. A website hack that shuts down an
e-commerce site can have disastrous consequences for a business.
An intrusion that results in the theft of credit card numbers
from an online vendor can result in significant financial loss
and, more broadly, reduce consumers' willingness to engage in
e-commerce. Because of these implications, it is critical that
we have in place the programs and resources to investigate and,
ultimately, to deter these sorts of crimes.
The following are some of the categories of cyber threats that
we confront today.
Insiders. The disgruntled insider (a current or former
employee of a company) is a principal source of computer crimes
for many companies. Insiders' knowledge of the target companies'
network often allows them to gain unrestricted access to cause
damage to the system or to steal proprietary data. The just-released
2000 survey by the Computer Security Institute and FBI reports
that 71% of respondents detected unauthorized access to systems
by insiders.
One example of an insider was
George Parente. In 1997, Parente was arrested for causing five
network servers at the publishing company Forbes, Inc., to crash.
Parente was a former Forbes computer technician who had been
terminated from temporary employment. In what appears to have
been a vengeful act against the company and his supervisors,
Parente dialed into the Forbes computer system from his residence
and gained access through a co-worker's log-in and password.
Once online, he caused five of the eight Forbes computer network
servers to crash, and erased all of the server volume on each
of the affected servers. No data could be restored. Parente's
sabotage resulted in a two day shut down in Forbes' New York
operations with losses exceeding $100,000. Parente pleaded guilty
to one count of violating the Computer Fraud and Abuse Act,
Title 18 U.S.C. 1030.
In January and February 1999
the National Library of Medicine (NLM) computer system, relied
on by hundreds of thousands of doctors and medical professionals
from around the world for the latest information on diseases,
treatments, drugs, and dosage units, suffered a series of intrusions
where system administrator passwords were obtained, hundreds
of files were downloaded which included sensitive medical "alert"
files and programming files that kept the system running properly.
The intrusions were a significant threat to public safety and
resulted in a monetary loss in excess of $25,000. FBI investigation
identified the intruder as Montgomery Johns Gray, III, a former
computer programmer for NLM, whose access to the computer system
had been revoked. Gray was able to access the system through
a "backdoor" he had created in the programming code.
Due to the threat to public safety, a search warrant was executed
for Gray's computers and Gray was arrested by the FBI within
a few days of the intrusions. Subsequent examination of the
seized computers disclosed evidence of the intrusion as well
as images of child pornography. Gray was convicted by a jury
in December 1999 on three counts for violation of 18 U.S.C. 1030.
Subsequently, Gray pleaded guilty to receiving obscene images
through the Internet, in violation of 47 U.S.C. 223.
Hackers. Hackers (or "crackers") are also a
common threat. They sometimes crack into networks simply for
the thrill of the challenge or for bragging rights in the hacker
community. Recently, however, we have seen more cases of hacking
for illicit financial gain or other malicious purposes.
While remote cracking once required
a fair amount of skill or computer knowledge, hackers can now
download attack scripts and protocols from the World Wide Web
and launch them against victim sites. Thus while attack tools
have become more sophisticated, they have also become easier
to use. The distributed denial-of-service (DDOS) attacks last
month are only the most recent illustration of the economic disruption
that can be caused by tools now readily available on the Internet.
Another recent case illustrates
the scope of the problem. On Friday authorities in Wales, acting
in coordination with the FBI, arrested two individuals for alleged
intrusions into e-commerce sites in several countries and the
theft of credit card information on over 26,000 accounts. One
subject used the Internet alias "CURADOR." Losses
from this case could exceed $3,000,000. The FBI cooperated closely
with the Dyfed-Powys Police Service in the United Kingdom, the
Royal Canadian Mounted Police in Canada, and private industry.
This investigation involved the Philadelphia Division, seven
other FBI field offices, our Legal Attache in London, and the
NIPC. This case demonstrates the close partnerships that we
have built with our foreign law enforcement counterparts and
with private industry.
We have also seen a rise recently
in politically motivated attacks on web pages or email servers,
which some have dubbed "hacktivism." In these incidents,
groups and individuals overload e-mail servers or deface web
sites to send a political message. While these attacks generally
have not altered operating systems or networks, they have disrupted
services, caused monetary loss, and denied the public access
to websites containing valuable information, thereby infringing
on others' rights to disseminate and receive information. Examples
of "hacktivism" include a case in 1996, in which an
unknown subject gained unauthorized access to the computer system
hosting the Department of Justice Internet web site. The intruders
deleted over 200 directories and their contents on the computer
system and installed their own pages. The installed pages were
critical of the Communications Decency Act (CDA) and included
pictures of Adolf Hitler, swastikas, pictures of sexual bondage
scenes, a speech falsely attributed to President Clinton, and
fabricated CDA text.
Virus Writers. Virus writers are posing an increasingly
serious threat to networks and systems worldwide. Last year
saw the proliferation of several destructive computer viruses
or "worms," including the Melissa Macro Virus, the
Explore.Zip worm, and the CIH (Chernobyl) Virus. The NIPC frequently
sends out warnings or advisories regarding particularly dangerous
viruses, which can allow potential victims to take protective
steps and minimize the destructive consequences of a virus.
The Melissa Macro Virus was a
good example of our two-fold response -- encompassing both warning
and investigation -- to a virus spreading in the networks. The
NIPC sent out warnings as soon as it had solid information on
the virus and its effects; these warnings helped alert the public
and reduce the potential destructive impact of the virus. On
the investigative side, the NIPC acted as a central point of
contact for the field offices who worked leads on the case.
A tip received by the New Jersey State Police from America Online,
and their follow-up investigation with the FBI's Newark Division,
led to the April 1, 1999 arrest of David L. Smith. Mr. Smith
pleaded guilty to one count of violating 18 U.S.C. § 1030
in Federal Court, and to four state felony counts. As part of
his guilty plea, Smith stipulated to affecting one million computer
systems and causing $80 million in damage. Smith is awaiting
sentencing.
Criminal Groups. We are also seeing the increased use
of cyber intrusions by criminal groups who attack systems for
purposes of monetary gain. In September 1999, two members
of a group dubbed the "Phonemasters" were sentenced
after their conviction for theft and possession of unauthorized
access devices (18 USC § 1029) and unauthorized access to
a federal interest computer (18 USC § 1030). The "Phonemasters"
were an international group of criminals who penetrated the computer
systems of MCI, Sprint, AT&T, Equifax, and even the National
Crime Information Center. Under judicially approved electronic
surveillance orders, the FBI's Dallas Division made use of new
data intercept technology to monitor the calling activity and
modem pulses of one of the suspects, Calvin Cantrell. Mr. Cantrell
downloaded thousands of Sprint calling card numbers, which he
sold to a Canadian individual, who passed them on to someone
in Ohio. These numbers made their way to an individual in Switzerland
and eventually ended up in the hands of organized crime groups
in Italy. Cantrell was sentenced to two years as a result of
his guilty plea, while one of his associates, Cory Lindsay, was
sentenced to 41 months.
The Phonemasters' methods included
"dumpster diving" to gather old phone books and technical
manuals for systems. They used this information to trick employees
into giving up their logon and password information. The group
then used this information to break into victim systems. It
is important to remember that often "cyber crimes"
are facilitated by old fashioned guile, such as calling employees
and tricking them into giving up passwords. Good cyber security
practices must therefore address personnel security and "social
engineering" in addition to instituting electronic security
measures.
Another example of cyber intrusions
used to implement a criminal conspiracy involved Vladimir L.
Levin and numerous accomplices who illegally transferred more
than $10 million in funds from three Citibank corporate customers
to bank accounts in California, Finland, Germany, the Netherlands,
Switzerland, and Israel between June and October 1994. Levin,
a Russian computer expert, gained access over 40 times to Citibank's
cash management system using a personal computer and stolen passwords
and identification numbers. Russian telephone company employees
working with Citibank were able to trace the source of the transfers
to Levin's employer in St. Petersburg, Russia. Levin was arrested
in March 1995 in London and subsequently extradited to the U.S.
On February 24, 1998, he was sentenced to three years in prison
and ordered to pay Citibank $240,000 in restitution. Four of
Levin's accomplices pleaded guilty and one was arrested but could
not be extradited. Citibank was able to recover all but $400,000
of the $10 million illegally transferred funds.
Beyond criminal threats in cyber
space, we also face a variety of significant national security
threats.
Terrorists. Terrorist groups are increasingly
using new information technology and the Internet to formulate
plans, raise funds, spread propaganda, and to communicate securely.
In his statement on the worldwide threat in 2000, Director of
Central Intelligence George Tenet testified that terrorist groups,
"including Hizbollah, HAMAS, the Abu Nidal organization,
and Bin Laden's al Qa'ida organization are using computerized
files, e-mail, and encryption to support their operations."
In one example, convicted terrorist Ramzi Yousef, the mastermind
of the World Trade Center bombing, stored detailed plans to destroy
United States airliners on encrypted files on his laptop computer.
While we have not yet seen these groups employ cyber tools as
a weapon to use against critical infrastructures, their reliance
on information technology and acquisition of computer expertise
are clear warning signs. Moreover, we have seen other terrorist
groups, such as the Internet Black Tigers (who are reportedly
affiliated with the Tamil Tigers), engage in attacks on foreign
government web-sites and email servers. "Cyber terrorism,"
by which I mean the use of cyber tools to shut down critical
national infrastructures (such as energy, transportation, or
government operations) for the purpose of coercing or intimidating
a government or civilian population, is thus a very real,
though still largely potential, threat.
Foreign intelligence services. Not surprisingly, foreign intelligence
services have adapted to using cyber tools as part of their espionage
tradecraft. Even as far back as 1986, before the worldwide surge
in Internet use, the KGB employed West German hackers to access
Department of Defense systems in the well-known "Cuckoo's
Egg" case. While I cannot go into specifics about more
recent developments in an open hearing, it should not surprise
anyone to hear that foreign intelligence services increasingly
view computer intrusions as a useful tool for acquiring sensitive
U.S. government and private sector information.
Information Warfare. The prospect of "information
warfare" by foreign militaries against our critical infrastructures
is perhaps the greatest potential cyber threat to our national
security. We know that several foreign nations are developing
information warfare doctrine, programs, and capabilities for
use against the United States or other nations. Knowing that
they cannot match our military might with conventional or "kinetic"
weapons, nations see cyber attacks on our critical infrastructures
or military operations as a way to hit what they perceive as
America's Achilles heel: our growing dependence on information
technology in government and commercial operations. For example,
two Chinese military officers recently published a book that
called for the use of unconventional measures, including the
propagation of computer viruses, to counterbalance the military
power of the United States. And a Russian official has also
commented that an attack on a national infrastructure could,
"by virtue of its catastrophic consequences, completely
overlap with the use of [weapons] of mass destruction."
The categories described above
involve computers used as weapons and as targets of a crime.
We are also seeing computers used to facilitate more traditional
forms of crime.
Internet Fraud. One of the most critical challenges
facing the FBI and law enforcement in general, is the use of
the Internet for fraudulent purposes. Understanding and using
the Internet to combat Internet fraud is essential for law enforcement.
The accessibility of such an immense audience, coupled with the
anonymity of the subject, requires a different approach. The Internet
is a perfect medium to locate victims and provide an environment
where victims do not see or speak to the "fraudsters."
Anyone in the privacy of their own home can create a very persuasive
vehicle for fraud over the Internet. Internet fraud does not
have traditional boundaries as seen in the traditional schemes.
The traditional methods of detecting, reporting, and investigating
fraud fail in this environment. By now it is common knowledge
that the Internet is being used to host criminal behavior. The
top ten most frequently reported frauds committed on the Internet
include Web auctions, Internet services, general merchandise,
computer equipment/software, pyramid schemes, business opportunities/franchises,
work at home plans, credit card issuing, prizes/sweepstakes and
book sales.
Let me provide you with some
specific examples. Securities offered over the Internet have
added an entirely new dimension to securities fraud investigations.
Investors are able to research potential investments and actually
invest over the Internet with ease through electronic linkage
to a number of services that provide stock and commodity quotations,
as well as critical financial information. The North American
Securities Administrators Association has estimated that Internet-related
stock fraud results in approximately $10 billion per year
(or $1 million per hour) in losses to investors; this is currently
the second most common form of investment fraud.
On April 7, 1999, visitors to
an online financial news message board operated by Yahoo!, Inc.
got a scoop on PairGain, a telecommunications company based in
Tustin, California. An e-mail posted on the message board under
the subject line "Buyout News" said that PairGain was
being taken over by an Israeli company. The e-mail also provided
a link to what appeared to be a website of Bloomberg News Service,
containing a detailed story on the takeover. As news of the
takeover spread, the company's publicly traded stock shot up
more than 30 percent, and the trading volume grew to nearly seven
times its norm. There was only one problem: the story was false,
and the website on which it appeared was not Bloomberg's site,
but a counterfeit site. When news of the hoax spread, the price
of the stock dropped sharply, causing significant financial losses
to many investors who purchased the stock at artificially inflated
prices.
Within a week after this hoax
appeared, the FBI arrested a Raleigh, North Carolina man for
what was believed to be the first stock manipulation scheme perpetrated
by a fraudulent Internet site. The perpetrator was traced through
an Internet Protocol address that he used, and he was charged
with securities fraud for disseminating false information about
a publicly traded stock.
In another example, on March
5, 2000, nineteen people were charged in a multimillion-dollar
New York-based insider trading scheme. In one of the first cases
of its kind, the Internet took a starring role as allegedly about
$8.4 million was illegally pocketed from secrets traded in cyberspace
chat rooms. Richard Walker, director of enforcement for the Securities
and Exchange Commission, called the case "one of the most
elaborate insider trading schemes in history." At the core
of the scheme, a disgruntled part-time computer graphics worker
allegedly went online and found other disgruntled investors of
the company in America Online chat rooms. He soon was passing
inside information on clients of Goldman Sachs and Credit Suisse
First Boston to two other individuals in exchange for a percentage
of any profits they earned by acting on it. For 2-1/2 years,
this employee passed inside information, communicating almost
solely through online chats and instant messages. The part-time
computer graphics worker received $170,000 in kickbacks while
his partners made $500,000.
Other individuals also became
involved as the three defendants who hatched the scheme passed
the inside information. More and more individuals became aware
of the insider information. For instance, one individual allegedly
opened a brokerage account and told his broker that he had inside
information, and the broker then tipped off three of his customers,
allowing them to earn more than $2.6 million.
There is a need for a proactive approach when investigating Internet
fraud. There is an essential need to establish a central repository
for complaints of Internet fraud. The FBI and the National White
Collar Crime Center (NW3C) are addressing this need by cosponsoring
the Internet Fraud Complaint Center (IFCC). This partnership
will ensure that Internet fraud is addressed at all levels of
law enforcement (local, state and federal). The IFCC is necessary
to adequately identify, track, and investigate new fraudulent
schemes on the Internet on a national and international level.
IFCC personnel will collect, analyze, evaluate, and disseminate
Internet fraud complaints to the appropriate law enforcement
agency. The IFCC will provide a mechanism by which Internet
fraud schemes are identified and addressed through a criminal
investigative effort. The IFCC will provide analytical support,
and aid in the development of a training module to address Internet
fraud. The information obtained from the data collected will
provide the foundation for the development of a national strategic
plan to address Internet fraud. The IFCC will be open and fully
operational on May 8, 2000.
Intellectual Property Rights. Intellectual property is the driver
of the 21st century American economy. In many ways it has become
what America does best. The United States is the leader in the
development of creative, technical intellectual property. Violations
of Intellectual Property Rights, therefore, threaten the very
basis of our economy. Of primary concern is the development
and production of trade secret information. The American Society
of Industrial Security estimated the potential losses at $2 billion
per month in 1997. Pirated products threaten public safety in
that many are manufactured to inferior or non-existent quality
standards. A growing percentage of IPR violations now involve
the Internet. There are thousands of web sites solely devoted
to the distribution of pirated materials. The FBI has recognized,
along with other federal agencies, that a coordinated effort
must be made to attack this problem. The FBI, along with the
Department of Justice, U.S. Customs Service, and other agencies
with IPR responsibilities, will be opening an IPR Center this
year to enhance our national ability to investigate and prosecute
IPR crimes through the sharing of information among agencies.
Distributed Denial of Service Attacks.
The recent distributed denial
of service (DDOS) attacks have garnered a tremendous amount of
interest in the public and in the Congress. Because we are actively
investigating these attacks, I cannot provide a detailed briefing
on the status of our efforts. However, I can provide an overview
of our activities to deal with the DDOS threat beginning last
year and of our investigative efforts over the last several weeks.
In the fall of 1999, the NIPC
began receiving reports about a new threat on the Internet -- Distributed
Denial of Service Attacks. In these cases, hackers plant tools
such as Trinoo, Tribal Flood Net (TFN), TFN2K, or Stacheldraht
(German for barbed wire) on a number of unwitting victim systems.
Then when the hacker sends the command, the victim systems in
turn begin sending messages against a target system. The target
system is overwhelmed with the traffic and is unable to function.
Users trying to access that system are denied its services.
Because of its concern about this new threat, the NIPC issued
warnings to government agencies, private companies, and the public
in December 1999. Moreover, in late December, the NIPC determined
that a detection tool that it had developed for investigative
purposes might also be used by network operators to detect the
presence of DDOS agents or masters on their operating systems,
and thus would enable them to remove an agent or master and prevent
the network from being unwittingly utilized in a DDOS attack.
Moreover, at that time there was, to our knowledge, no similar
detection tool available commercially. The NIPC therefore decided
to take the unusual and innovative step of releasing the tool
to other agencies and to the public in an effort to reduce the
level of the threat. The NIPC made the first variant of its
software available on the NIPC web site on December 30, 1999.
To maximize the public awareness of this tool, the FBI's National
Press Office announced its availability in an FBI press release
that same date. Since the first posting of the tool, the NIPC
has posted three updated versions that have perfected the software
and made it applicable to different operating systems.
The public has downloaded these
tools tens of thousands of times from the web site, and has responded
by reporting many installations of the DDOS software, thereby
preventing their networks from being used in attacks and leading
to the opening of criminal investigations both before and after
the widely publicized attacks of the last few weeks. The NIPC's
work with private companies has been so well received that the
trade group SANS awarded their yearly Security Technology Leadership
Award to members of the NIPC's Special Technologies Applications
Unit.
Last month, the NIPC received reports that a new variation of
DDOS tools was being found on Windows operating systems. One
victim entity provided us with the object code to the tool found
on its network. On February 18, the NIPC made the binaries available
to anti-virus companies (through an industry association) and
the Computer Emergency Response Team (CERT) at Carnegie Mellon
University for analysis and so that commercial vendors could
create or adjust their products to detect the new DDOS variant.
Given the attention that DDOS tools have received in recent
weeks, there are now numerous detection and security products
to address this threat, so the NIPC determined that it could
be most helpful by giving them the necessary code rather than
deploying a detection tool itself.
Unfortunately, the warnings that
the NIPC and others in the security community had issued about
DDOS tools last year, while alerting many potential victims and
reducing the threat, did not eliminate the threat. Quite frequently,
even when a threat is known and patches or detection tools are
available, network operators either remain unaware of the problem
or fail to take necessary protective steps. In addition, in
the cyber equivalent of an arms race, exploits evolve as hackers
design variations to evade or overcome detection software and
filters. Even security-conscious companies that put in place
all available security measures therefore are not invulnerable.
And, particularly with DDOS tools, one organization might be
the victim of a successful attack despite its best efforts, because
another organization failed to take steps to keep itself from
being made the unwitting participant in an attack.
On February 7, 2000, the FBI received reports that Yahoo had
experienced a denial of service attack. In the days that followed,
several other companies also reported denial of service outages,
a display of the close cooperative relationship the NIPC has developed
with the private sector. These companies cooperated
with our National Infrastructure Protection and Computer Intrusion
squads in the FBI field offices and provided critical logs and
other information. Still, the challenges to apprehending the
suspects are substantial. In many cases, the attackers used
"spoofed" IP addresses, meaning that the address that
appeared on the target's log was not the true address of the
system that sent the messages.
The resources required in these
investigations can be substantial. Several FBI field offices
have opened investigations and almost all of our other offices
are supporting these cases. The NIPC is coordinating the nationwide
investigative effort, performing technical analysis of logs from
victim sites and Internet Service Providers, and providing all-source
analytical assistance to field offices. While the crime may
be high tech, investigating it involves a substantial amount
of traditional police work as well as technical work. For example,
in addition to following up leads, NIPC personnel need to review
an overwhelming amount of log information received from the victims.
Much of this analysis needs to be done manually. Analysts and
agents conducting this analysis have been drawn off other case
work. In the coming years we expect our case load to substantially
increase.
The Legal Landscape
To deal with this crime problem,
we must look at whether changes to the legal procedures governing
investigation and prosecution of cyber crimes are warranted.
The problem of Internet crime has grown at such a rapid pace
that the laws have not kept up with the technology. The FBI
is working with the Department of Justice to propose a legislative
package for your review to help keep our laws in step with these
advances.
One example of the problems
law enforcement is facing is the jurisdictional limitation of
pen registers and trap-and-trace orders issued by federal district
courts. These orders allow only the capturing of tracing information,
not the content of communications. Currently, in order to track
back a hacking episode in which a single communication is purposely
routed through a number of Internet Service Providers that are
located in different states, we generally have to get multiple
court orders. This is because, under current law, a federal
court can order communications carriers only within its district
to provide tracing information to law enforcement. Because
investigators typically have to apply for numerous court orders
to trace a single communication, time and resources are needlessly
wasted, and a number of important investigations are hampered
or derailed entirely when law enforcement reaches a communications
carrier only after that carrier has already discarded the necessary
information. For example,
Kevin Mitnick evaded attempts to trace his calls by moving around
the country and by using cellular phones, which routed calls
through multiple carriers on their way to the final destination.
It was impossible to get orders quickly enough in all the jurisdictions
to trace the calls.
With regard to additional legal
mechanisms needed by law enforcement to help maintain our abilities
to obtain usable evidence in an encrypted world, last September
the Administration announced a "New Approach to Encryption."
This new approach included significant changes to the nation's
encryption export policies and, more importantly, recommended
public safety enhancements to ensure "that law enforcement
has the legal tools, personnel, and equipment necessary to investigate
crime in an encrypted world." Specifically, the President,
on behalf of law enforcement, transmitted to Congress a legislative
proposal entitled the "Cyberspace Electronic Security Act
of 1999" (CESA). CESA, if enacted, would: 1) protect sensitive
investigative techniques and industry trade secrets from unnecessary
disclosure in litigation or criminal trials involving encrypted
evidence; 2) authorize $80 million for the FBI's Technical Support
Center (TSC), which will serve as a centralized technical resource
for federal, state and local law enforcement in responding to
the increased use of encryption in criminal cases; and 3) ensure
that law enforcement maintains its ability to access decryption
information stored with third parties, while protecting such
information from inappropriate release. The enactment of the
CESA legislative proposal is supported by the law enforcement
community, to include the International Association of Chiefs
of Police, the National Sheriffs' Association and the National
District Attorneys Association and I strongly encourage its favorable
consideration by Congress.
Finally, we should consider whether
current sentencing provisions for computer crimes provide an
adequate deterrence. Given the degree of harm that can be caused
by a virus, intrusion, or a denial of service -- in terms of
monetary loss to business and consumers, infringement of privacy,
or threats to public safety when critical infrastructures are
affected -- it would be appropriate to consider, as S. 2092 does,
whether penalties established years ago remain adequate.
Evaluation of the effectiveness
of 18 U.S.C. § 1030 and the tools to enforce it under both
current law and under S. 2092.
Generally, 18 U.S.C. §1030
has enabled the FBI and other law enforcement agencies to investigate
and prosecute persons who would use the power of the Internet
and computers for criminal purposes. Nonetheless, just as computer
crime has evolved and mutated over the years, so too must our
laws and procedures evolve to meet the changing nature of these
crimes.
One persistent problem is the
need under current law to demonstrate at least $5,000 in damage
for certain hacking offenses enumerated by 18 U.S.C. §1030(a)(5).
In some of the cases investigated by the FBI, damages in excess
of $5,000 on a particular system are difficult to prove. In
other cases, the risk of harm to individuals or to the public
safety posed by breaking into numerous systems and obtaining
root access, with the ability to destroy the confidentiality
or accuracy of crucial -- perhaps lifesaving information --
is very real and very serious even if provable monetary damages
never approach the $5,000 mark. In investigations involving
the dissemination or importation of a virus or other malicious
code, the $5,000 threshold could potentially delay or hinder
early intervention by Federal law enforcement.
S. 2092 significantly adjusts
the $5,000 threshold and other provisions in the current law
by: 1) creating a misdemeanor offense for those cases where
damages are below $5,000, while simultaneously adjusting the
minimum mandatory sentences under the Sentencing Guidelines;
and 2) moving the aggravating factors previously included in
the definition of "damage" under 18 U.S.C. §1030(e)(8)
(such as impairment of medical diagnosis, physical injury to
any person, threat to public health or safety or damage to national
security, national defense or administration of justice computers)
to the general sentencing provisions of §1030(c) (where
they will be on par in serious cases with the existing $5,000
threshold requirement and will expose offenders to an enhanced
ten year period of imprisonment up from the current maximum of
five years). The critical element here is that the criminal
intended to cause damage, not the specific amount of damage he
intended to cause.
Another issue involves the alarming
number of computer hackers encountered in our investigations
who are juveniles. Under current law, Federal authorities are
not able to prosecute juveniles for any computer violations of
18 U.S.C. §1030. S. 2092 would authorize (but not require)
the Attorney General to certify for juvenile prosecution in Federal
court youthful offenders who commit the more serious felony violations
of section 1030. Recognizing that this change will, over time,
result in the prosecution of repeat offenders, S. 2092 also defines
the term "conviction" under §1030 to include prior
adjudications of juvenile delinquency for violations of that
section. This is intended to provide greater specific deterrence
to juveniles who are adjudicated delinquent for computer hacking.
Similarly, a majority of the States have enacted criminal statutes
prohibiting unauthorized computer access analogous to the provisions
of section 1030. As State prosecutions for these offenses increase,
the likelihood of encountering computer offenders in Federal
investigations who have prior State convictions will similarly
rise. The Department is studying whether prior state adult
convictions for comparable computer crimes justify enhanced penalties
for violations of section 1030, just as prior State convictions
for drug offenses trigger enhanced penalties for comparable Federal
drug violations.
Law enforcement also needs updated
tools to investigate, identify, apprehend and successfully prosecute
computer offenders. Today's electronic crimes, which occur at
the speed of light, cannot be effectively investigated with procedural
devices forged in the last millennium during the infancy of the
information technology age. Statutes need to be rendered technology
neutral so that they can be applied regardless of whether a crime
is committed with pen and paper, e-mail, telephone or geosynchronous
orbit satellite personal communication devices.
As discussed above, a critical
factor in the investigation of computer hacking cases is law
enforcement's ability to swiftly identify the source and the
direction of a hacker's communications. Like all law enforcement
agencies, the FBI relies upon the pen register and trap and trace
provisions contained in 18 U.S.C. §3121 et seq. to seek
court approval to acquire data identifying non-content information
relating to a suspect's communications. Our ability to identify
the perpetrators of crimes like computer hacking is directly
proportional to our ability to quickly acquire the necessary
court orders and quickly serve them upon one or more service
providers in a communications chain. Under current law, however,
valuable time is consumed in acquiring individual court orders
in the name of each communications company for each newly discerned
link in the communications chain even though the legal justification
for the disclosure remains unchanged and undiminished. S. 2092
would amend 18 U.S.C. §3123(a) to authorize Federal courts
to issue one nation-wide order which may then be served upon
one or more service providers thereby substantially reducing
the time necessary to identify the complete pathway of a suspect's
communication. Second, S.2092 makes the statute more technology
neutral by, among other things, inserting the terms "or
other facility" wherever "telephone" appears.
This change codifies Federal court decisions that apply the
statute's provisions not merely to traditional telephone, but
to an ever expanding array of other communications facilities.
Together, these are important changes that do not alter or lower
the showing necessary for the issuance of the court order but
which do enhance the order's usefulness to law enforcement.
We support the goal of S.2092
to strengthen the general deterrence aspects of the Computer
Fraud and Abuse Act, and to provide some needed procedural enhancements
to help us confront the expanding criminal threat in this dynamic
and important part of our national economy while continuing to
protect individual privacy interests. The FBI looks forward
to working with the Committee on this important legislation.
Keeping Law Enforcement on
the Cutting Edge of Cyber Crime
As Internet use continues to
soar, cyber crime is also increasing exponentially. As I mentioned
earlier, our case load reflects this growth. In FY 1998, we
opened 547 computer intrusion cases; in FY 1999, that number
jumped to 1154. Similarly, the number of pending cases increased
from 206 at the end of FY 1997, to 601 at the end of FY 1998,
to 834 at the end of FY 99, and to over 900 currently. These
statistics include only computer intrusion cases, and do not
account for computer facilitated crimes such as Internet fraud,
child pornography, or e-mail extortion efforts. In these cases,
the NIPC and NIPCI squads often provide technical assistance
to traditional investigative programs responsible for these categories
of crime.
We can clearly expect these upward
trends to continue. To meet this challenge, we must ensure that
we have adequate resources, including both personnel and equipment,
both at the NIPC and in FBI field offices. Those personnel need
specialized training to be effective. Like many programs, the
NIPC computer intrusion program is squeezing the most out of
every taxpayer dollar. Unfortunately, the NIPC and related field
office programs are not scheduled to receive any additional resources
in FY.
At the NIPC, we currently have
101 personnel on board, including 82 FBI employees and 19 detailees
from other government agencies. This cadre of investigators,
computer scientists, and analysts perform the numerous and complex
tasks outlined above, and provide critical coordination and support
to field office investigations. As the crime problem grows,
we need to make sure that we keep pace by whatever means necessary,
including maintaining a full complement of authorized staff,
consisting of both FBI personnel and detailees from other agencies
and the private sector. Although expert personnel in this area
are scarce, it is imperative that our partner agencies participate
in the NIPC to enhance our ability to coordinate interagency
activities and share information effectively.
We currently have 193 agents
in FBI field offices nationwide assigned to investigate computer
intrusions (criminal and national security), denial of service,
and virus cases, and to work infrastructure protection matters
generally (which includes outreach to industry and state and
local law enforcement, our Key Asset Initiative, and support
to other investigative programs). Additional agents can be called
in on investigations as required. In order to maximize investigative
resources the FBI has taken the approach of creating regional
squads in 16 field offices that have sufficient size to work
complex intrusion cases and to assist those field offices without
a NIPCI squad. In those field offices without squads, the FBI
is building a baseline capability by having one or two agents
to work NIPC matters.
In an effort to better use our
resources and leverage the expertise of other agencies, we are
creating cyber crime task forces in FBI field offices. Last
week we unveiled the Pittsburgh High Tech Computer Crimes Task
Force, a new task force aimed at fighting cyber crimes. The task
force, one of the first in the nation, pools experts from local
agencies such as the Pittsburgh police with federal agencies
such as the FBI, Secret Service and the Internal Revenue Service
into one room to combat the rapid growth of cyber crimes. The
task force will use each agency's resources and obtain technical
assistance from Carnegie Mellon's Computer Emergency Response
Team (CERT). We plan to deploy similar task forces in every
FBI field office.
In addition to putting in place
the requisite number of agents, analysts, and computer scientists
in the NIPC and in FBI field offices, we must fill those positions
by recruiting and retaining personnel who have the appropriate
technical, analytical, and investigative skills. This includes
personnel who can read and analyze complex log files, perform
all-source analysis to look for correlations between events or
attack signatures and glean indications of a threat, develop
technical tools to address the constantly changing technological
environment, and conduct complex network investigations.
Training and continuing education
are also critical, and we have made this a top priority at the
NIPC. In FY 1999, we trained 383 FBI and other-government-agency
students in NIPC sponsored training classes on network investigations
and infrastructure protection. The emphasis for 2000 is on continuing
to train federal personnel while expanding training opportunities
for state and local law enforcement personnel. During FY 2000,
we plan to train approximately 740 personnel from the FBI, other
federal agencies, and state and local law enforcement.
The technical challenges of fighting
crime in this arena are vast. We can start just by looking at
the size of the Internet and its exponential growth. Today it
is estimated that more than 60,000 individual networks with 40
million users are connected to the Internet. Thousands more
sites and people are coming on line every month. In addition,
the power of personal computers is vastly increasing. The FBI's
Computer Analysis Response Team (CART) examiners conducted 1,260
forensic examinations in 1998 and 1,900 in 1999. With the anticipated
increase in high technology crime and the growth of private sector
technologies, the FBI expects 50 percent of its caseload to require
at least one computer forensic examination. By 2001, the FBI
anticipates the number of required CART examinations to rise
to 6,000.
Developing and deploying state-of-the-art equipment in support
of the NIPC's mission is also very important. Conducting a network
intrusion or denial-of-service investigation often requires investigative
analysis of voluminous amounts of data. For example, one network
intrusion case involving an espionage matter currently being
investigated has required the analysis of 17.5 Terabytes of data.
To place this into perspective, the entire collection of the
Library of Congress, if digitized, would comprise only 10 Terabytes.
The Yahoo DDOS attack involved approximately 630 Gigabytes
of data, which is equivalent to enough printed pages to fill
630 pickup trucks with paper. The NIPC's technical analysis
requires high capacity equipment to store, process, analyze,
and display data. Again, as the crime problem grows, we must
ensure that our technical capacity keeps pace.
Clearly, the FBI needs engineering
personnel to develop and deploy sophisticated electronic surveillance
capabilities in an increasingly complex and technical investigative
environment, skilled CART personnel to conduct the computer forensics
examinations to support an increasingly diverse set of cases
involving computers, as well as expert NIPCI personnel to examine
network log files to track the path an intruder took to his victim.
Moreover, the power of personal
computers is increasing. During the last part of 1998, most
computers on the market had hard drives of 6-8 gigabytes (GB).
Very soon 13-27 GB hard drives will become the norm. By the
end of 2000, we will be seeing 60-80 GB hard drives. All this
increase in storage capacity means more data that must be searched
by our forensics examiners, since even if these hard drives are
not full, the CART examiner must review every bit of data and
every area of the media to search for evidence.
Over the past three years, the
FBI's Laboratory Division (LD) has been increasingly requested
to provide data interception support for such investigative programs
as: Infrastructure Protection, Violent Crimes (Exploitation of
Children, Extortion), Counterterrorism, and Espionage. In fact,
since 1997, the LD has seen a dramatic increase in field requests
for assistance with interception of data communications. Unless
the FBI increases its data interception capabilities, investigators
and prosecutors will be denied timely access to valuable evidence
that will solve crimes and support the successful prosecutions
of child pornographers, drug traffickers, corrupt officials,
persons committing fraud, terrorists, and other criminals.
Finally, one of the largest challenges
to FBI computer investigative capabilities lies in the increasingly
widespread use of strong encryption. The widespread use of digitally-based
telecommunications technologies, and the unprecedented expansion
of computer networks incorporating privacy features/capabilities
through the use of cryptography (i.e. encryption), has placed
a tremendous burden on the FBI's electronic surveillance technologies.
Today the most basic communications employ layers of protocols,
formatting, compression and proprietary coding that were non-existent
only a few years ago. New cryptographic systems provide robust
security to conventional and cellular telephone conversations,
facsimile transmissions, local and wide area networks, Internet
communications, personal computers, wireless transmissions, electronically
stored information, remote keyless entry systems, advanced messaging
systems, and radio frequency communications systems. The FBI
is already encountering the use of strong encryption. In 1999,
53 new cases involved the use of encryption.
It is imperative that the FBI,
on behalf of the law enforcement community, enhance its technical
capabilities in the area of plaintext access to encrypted evidence.
In order to do this, law enforcement needs Congressional support,
both in terms of additional funding and authorizations, for developing,
maintaining, and deploying technical capabilities that will provide
law enforcement with these urgently needed technical capabilities
and meet the public safety challenges posed by the criminal use
of encryption. Included in the Administration's "New Approach
to Encryption" announcement last September was support for
the creation of the FBI's Technical Support Center, which will
serve as a centralized technical resource for federal, state
and local law enforcement with the necessary technical capabilities
to respond to the increased use of encryption in criminal cases.
The Technical Support Center is envisioned as an expansion of
the FBI's Engineering Research Facility (ERF) to take advantage
of ERF's existing institutional and technical expertise in this
area. The Administration's "Cyberspace Electronic Security
Act of 1999" legislative proposal includes a provision authorizing
$80 million over four years for the Technical Support Center.
The President's FY 2001 budget includes $7 million enhancement
for this effort.
Conclusion
I want to thank the Subcommittee again for giving me the opportunity
to testify here today. The cyber crime problem is real, and
growing. The NIPC is moving aggressively to meet this challenge
by training FBI agents and investigators from other agencies
on how to investigate computer intrusion cases, equipping them
with the latest technology and technical assistance, developing
our analytic capabilities and warning mechanisms to head off
or mitigate attacks, and closely cooperating with the private
sector. We have already had significant successes in the fight.
I look forward to working with Congress to ensure that we continue
to be able to meet the threat as it evolves and grows. Thank
you.