Chairman Gregg and other
Members of the Subcommittee, I want to thank you for this opportunity to
testify on our efforts to combat the growing problem of cybercrime, particularly
in light of the recent denial-of-service attacks on several major Internet
sites.
Need for Five-Year Strategy
The recent attacks demonstrate the importance of developing a long-term, coordinated strategy for dealing with cybercrime. The strategy must address the challenges we face, both domestically and abroad, the need for personnel with expertise and the latest cybercrime-fighting equipment, the importance of cooperation and sharing with state and local law enforcement and our international counterparts, the need for educating our young people and others about the responsible use of the Internet, and all of this must be done in a manner that respects and upholds our cherished privacy and freedoms.
Recently, I outlined a 10-point
plan that identifies the key areas where we need to develop our cybercrime
capability. The key points of this plan include:
Comments on the Recent Attacks
I would be happy to address
your questions on the recent attacks, to the extent I can do so without
compromising our investigation. At this point, I would simply say
that we are taking the attacks very seriously and that we will do everything
in our power to identify those responsible and bring them to justice.
In addition to the malicious disruption of legitimate commerce, so-called
"denial of service" attacks involve the unlawful intrusion into an unknown
number of computers, which are in turn used to launch attacks on the eventual
target computer, in this case the computers of Yahoo, eBay, and others.
Thus, the number of victims in these types of cases can be substantial,
and the collective loss and cost to respond to these attacks can run into
the tens of millions of dollars - or more.
Overview of Investigative Efforts and Coordination
As Director Freeh will discuss, computer crime investigators in a number of FBI field offices are investigating these attacks. They are coordinating information with the National Infrastructure Protection Center (NIPC). The agents are also working closely with our network of specially trained computer crime prosecutors who are available 24 hours a day/7 days a week to provide legal advice and obtain whatever court orders are necessary. Attorneys from the Criminal Division's Computer Crime and Intellectual Property Section (CCIPS) are coordinating with the Assistant United States Attorneys in the field. We are also obtaining information from victim companies and security experts, who, like many in the Internet community, condemn these recent attacks. I am proud of the efforts being made in this case, including the assistance we are receiving from a number of federal agencies.
The Challenge of Fighting Cybercrime
The recent attacks highlight some of the challenges we face in combating cybercrime. The challenges come in many forms: technical problems in tracing criminals operating online; resource issues facing federal, state, and local law enforcement in being able to undertake online criminal investigations and obtain evidence stored in computers; and legal deficiencies caused by changes in technology. I will discuss each of these briefly.
As a technical matter, the attacks like the ones we saw last week are easy to carry out and hard to solve. The tools available to launch such attacks are widely available. In addition, too many companies pay inadequate attention to security issues, and are therefore vulnerable to be infiltrated and used as launching pads for this kind of destructive programs. Once the attacks are carried out, it is hard to trace the criminal activity to its source. Criminals can use a variety of methods to hide their tracks, allowing them to operate anonymously or through masked identities. This makes it difficult - and sometimes impossible - to hold the perpetrator criminally accountable.
Even if criminals do not hide identities online, we still might be unable to find them. The design of the Internet and practices relating to retention of information means that it is often difficult to obtain traffic data critical to an investigation. Without information showing which computer was logged onto a network at a particular point in time, the opportunity to determine who was responsible may be lost.
There are other technical challenges, as well, that we must consider. The Internet is a global medium that does not recognize physical and jurisdictional boundaries. A hacker - armed with no more than a computer and modem - can access computers anywhere around the globe. They need no passports and pass no checkpoints as they commit their crimes. While we are working with our counterparts in other countries to develop an international response, we must recognize that not all countries are as concerned about computer threats as we are. Indeed, some countries have weak laws, or no laws, against computer crimes, creating a major obstacle to solving and to prosecuting computer crimes. I am quite concerned that one or more nations will become "safe havens" for cybercriminals.
Resource issues are also critical. We must ensure that law enforcement has an adequate number of prosecutors and agents - assigned to the FBI, to the Department of Justice, to other federal agencies, and to state and local law enforcement - trained in the necessary skills and properly equipped to effectively fight cybercrime, whether it is hacking, fraud, child porn, or other forms.
Finally, legal issues are
critical. We are finding that both our substantive laws and procedural
tools are not always adequate to keep pace with the rapid changes in technology.
Current Efforts Against Cybercrime
While these challenges are daunting, the Department has accomplished much in building the infrastructure to combat cybercrime. Director Freeh will discuss the work of the NIPC and the Computer Crime Squads established around the country. Similarly, in the Department, we have a cadre of trained prosecutors, both in headquarters and in the field, who are experts in the legal, technological, and practical challenges involved in investigating and prosecuting cybercrime.
The cornerstone of our prosecutor cybercrime program is the Criminal Division's Computer Crime and Intellectual Property Section, known as CCIPS. CCIPS was founded in 1991 as the Computer Crime Unit, and was elevated into a Section in 1996. With the help of this Subcommittee, CCIPS has grown from five attorneys in January of 1996, to eighteen attorneys today. CCIPS works closely on computer crime cases with Assistant United States Attorneys known as "Computer and Telecommunications Coordinators" (CTCs) in U.S. Attorney's Offices around the country. Each CTC is given special training and equipment, and serves as the district's expert in computer crime cases.
The responsibility and accomplishments of CCIPS and the CTC program include:
Litigating Cases:
Additional Resources and Tools Are Needed
We appreciate the Subcommittee's support for many of the efforts described above, but I also need your help to refocus resources provided for FY 2000. The level of funding provided in the FY 2000 enacted appropriation for the General Legal Activities (GLA) appropriation is insufficient to cover the base program needs of all the litigating components funded from GLA, with the exception of the Civil Rights Division. In particular, the specific amounts provided to the Criminal Division's has serious implications for the Division's ability to support its computer crime efforts.
Yesterday, we submitted a request to reprogram resources appropriated to GLA which would make base resource funding available to all the GLA accounts.
We especially need full base funding restored to the Criminal Division in order to avoid a reduction Criminal Division staffing by 83 positions, including critical positions in the Computer Crime and Intellectual Property Section.
We must have prosecutors, both in the field and here, in Washington, to deal with cybercrime investigations.
The Division has shifted more of its resources than ever to combat cybercrime. Attorneys in the Fraud Section are now focusing on internet fraud cases, attorneys in the Child Exploitation and Obscenity Section are doing more to combat on-line child pornography. We simply cannot support the demand for more anti-cybercrime positions at our current funding level.
For FY 2001, I am asking
for $37 million in funding enhancements to expand he Department's staffing,
training and technological capabilities to continue the fight against computer
crime. These enhancements include:
We must also ensure that
in upgrading our computer-crime fighting laws, we ensure that appropriate
privacy safeguards are maintained and, where possible, strengthened.
For example, recent investigations have revealed serious violations of
privacy by hackers, who have obtained individual's personal data, such
as credit cards and passwords. An increase in the penalty for violations
of invasions into private stored communications may be appropriate.
We would like to work with Congress to develop a thoughtful and effective
package of tools that allow us to keep pace with cybercriminals, update
the laws that allow us to locate and identify cybercriminals, and ensure
that privacy safeguards are respected and, where possible, strengthened.
Finally, I believe one important
answer lies in educating our youth and others in society, that computer
hacking is not only illegal, but ethically wrong. Most of us know
that we should not break into a neighbor's house or read his mail, but
many have not applied these same values to their online activities.
Last April, I announced that the Department, along with the Information
Technology Association of America had formed the Cybercitizen Partnership,
a national campaign to educate and raise awareness of computer responsibility.
We hope the Partnership will announce a nationwide public awareness and
education campaign in the near future.
I look forward to working
with the Subcommittee to ensure we have a robust and effective long-term
strategy for combating cybercrime, protecting our nation's infrastructure,
and ensuring that the Internet reaches its full potential for expanding
communications, facilitating commerce, and bringing countless other benefits
to our society.
Go to . . . CCIPS Home Page || Justice Department Home Page