 |
|
TESTIMONY of Michael
A. Vatis before
a hearing
Protecting the Nation's critical infrastructures and combating computer intrusions is by necessity a cooperative effort. National governments must work within themselves, across agencies; with regional and local law enforcement; with private industry; and with foreign governments to combat the problem. If cooperation is lacking in any one of these areas, the whole effort will fall short. Yet if cooperation is effective across all of these areas, then we can gain the upper hand against cyber criminals around the world and ensure that the Internet is a safe place for electronic commerce and communication. Cooperative Structures in the United States The U.S. government approach to protecting the nation's critical infrastructures is outlined in Presidential Decision Directive (PDD) 63, issued in May 1998. That Directive forms a series of cooperative arrangements. In particular, PDD-63 categorizes our infrastructures into several sectors and designates federal "Lead Agencies," which are responsible for working cooperatively with private industry from each sector to develop mechanisms and plans for securing that sector against cyber attacks and for recovering should an attack occur. The PDD also gives a significant coordinating role for operational matters to the National Infrastructure Protection Center (NIPC), which I head. The PDD places the NIPC at the core of the government's warning, investigation, and response system for threats to, or attacks on, the nation's critical infrastructures. The NIPC is the focal point for gathering information on threats to the infrastructures as well as "facilitating and coordinating the Federal Government's response to an incident." The PDD further specifies that the NIPC should include "elements responsible for warning, analysis, computer investigation, coordinating emergency response, training, outreach, and development and application of technical tools." The NIPC has a vital role in collecting and disseminating information from all relevant sources. The PDD directs the NIPC to "sanitize law enforcement and intelligence information for inclusion into analyses and reports that it will provide, in appropriate form, to relevant federal, state, and local agencies; the relevant owners and operators of critical infrastructures; and to any private sector information sharing and analysis entity." The NIPC is also charged with issuing "attack warnings or alerts" to the owners and operators of critical infrastructures in the private sector. In order to perform its role, the NIPC has established, and is continuing to expand, a network of cooperative relationships with a wide range of entities in both the government and the private sector. First, the Center, while located at the FBI, is interagency in its composition, bringing together representatives from the law enforcement, defense, and intelligence communities, as well as from many of the lead agencies specified in the PDD. The Center currently has representatives from the following federal entities: Navy, Air Force, Army, Air Force Office of Special Investigations, Naval Criminal Investigative Service, Defense Security Service, National Security Agency, United States Postal Service, Federal Aviation Administration, General Services Administration, Central Intelligence Agency, Critical Infrastructure Assurance Office, and Sandia National Laboratory. In addition, the Center has had state law enforcement officials detailed on a rotating basis. So far we have had representatives from the Oregon State Police and the Tuscaloosa County (Alabama) Sheriff's Department. We also have international liaison officials who work with the Center. This interagency composition facilitates the NIPC's ability to share pertinent information among agencies and to coordinate agencies' activities in the event of an attack. Second, pursuant to the PDD, the NIPC has electronic links to the rest of the government in order to facilitate the sharing of information and the issuance of warnings. Third, the PDD directs all executive departments and agencies to "share with the NIPC information about threats and warning of attacks and actual attacks on critical government and private sector infrastructures, to the extent permitted by law." Fourth, to bolster our technical capabilities the Center selectively employs private sector contractors. By bringing other agencies directly into the Center and building direct communication linkages to government agencies and the private sector, the Center provides a means of coordinating the government's cyber expertise and ensuring full sharing of information, consistent with applicable laws and regulations. In addition, in its role under Presidential Decision Directive (PDD) 63 as the lead agency for the "Emergency Law Enforcement Sector" (ELES), the NIPC has been working with state and local law enforcement to develop a plan to protect that sector from cyber attack and reduce its vulnerabilities. As part of that effort, the NIPC's alerts and warnings are regularly sent to state and local law enforcement agencies via the National Law Enforcement Telecommunications System (NLETS) and through NIPC e-mail via the Law Enforcement Online system. Sharing with state and local law enforcement is critical because they are often the first responders when an incident occurs. To fulfill its mandate under PDD-63, the NIPC's goal is to develop a comprehensive "indications and warning" system that will be capable of timely collection of indicators of an imminent or ongoing cyber attack, analysis of the information, and the timely issuance of alerts and warnings. This will require additional resources, both personnel and equipment. It will also require participation by the Intelligence Community; the Department of Defense; the sector "Lead Agencies"; other government agencies; federal, state and local law enforcement; and the private sector owners and operators of the infrastructures. As I will discuss further in a moment, the NIPC is currently working with industry to develop a methodology and system for detecting and warning of attacks on the national telecommunications and electric power sectors. These will provide a model for possible systems for the other sectors. Finally, the NIPC, as the national entity responsible for government's warning, investigation, and response system for threats to, or attacks on, the nation's critical infrastructures, works on national planning initiatives with the National Security Council and the Critical Infrastructure Assurance Office. To accomplish its goals under the PDD, the NIPC is organized into three sections:
To facilitate our ability to investigate and respond to attacks, the FBI has created the National Infrastructure Protection and Computer Intrusion (NIPCI) Program in the 56 FBI Field Offices across the country. We currently have 193 agents nationwide dedicated to investigating computer intrusion, denial of service, and virus cases (less than 2% of all FBI agents nationwide). In order to leverage these resources most efficiently, we have taken the approach of creating 16 regional squads that have sufficient size to work complex intrusion cases and to assist those field offices without a full NIPCI squad. In those field offices without squads, the FBI has established a baseline capability by having at least one or two agents to work NIPCI matters, i.e. computer intrusions (criminal and national security), viruses, the InfraGard and Key Asset Initiatives, and state and local liaison. In addressing cyber incidents, the NIPC and the 56 FBI field offices work cooperatively with their federal, state and local law enforcement partners and with the private sector. For example, in the Melissa Macro Virus investigation, the NIPC issued public warnings that helped alert the public, government agencies, and private industry to the virus and stem the damage to computer networks. In addition, the FBI's Newark office worked closely with the New Jersey State Police, the New Jersey Attorney General's Office, and the U.S. Attorney's Office in New Jersey in the investigation, arrest, and prosecution of David L. Smith. The NIPC supported the overall investigation which spanned the nation. In other cases where there is concurrent jurisdiction, the FBI and other agencies often work cases jointly. For example, the FBI and the U.S. Secret Service worked together on a series of hacks into the White House Homepage. Eric Burns, a.k.a Zyklon, hacked into the White House web site as well as other sites. He was caught and pled guilty to one count of 18 U.S.C.1030. In November 1999 he was sentenced to 15 months in prison, 3 years supervised release, and ordered to pay $36,240 in restitution and a $100 fine. While I cannot discuss it in open hearings, the NIPC also works closely with other agencies in foreign counter intelligence investigations involving cyber attacks. Government-Industry Cooperation As I noted earlier, however, it is critical for the government not just to work cooperatively within itself, but also with the private sector. The NIPC is engaged in several initiatives to work cooperatively with the private sector, principally in the area of information sharing. First, the NIPC, in conjunction with the private sector, has developed an initiative call "InfraGard" to expand direct contacts with the private sector infrastructure owners and operators and to share information about cyber intrusions, exploited vulnerabilities, and infrastructure threats. The initiative encourages and facilitates the exchange of information by government and private sector members through the formation of local InfraGard chapters within the jurisdiction of each FBI Field Office. Chapter membership includes representatives from the FBI, private industry, other government agencies, state and local law enforcement, and the academic community. The critical component of InfraGard is the ability of industry to provide information on intrusions to the NIPC and to the local FBI Field Office, using secure communications, in both a "sanitized" and detailed format. The local FBI Field Offices can, if appropriate, use the detailed version to initiate an investigation; the NIPC, in turn, can analyze that information in conjunction with other law enforcement, intelligence, and industry information to determine if the intrusion is part of a broader attack on numerous sites. The Center can simultaneously use the sanitized version to inform other members of the threat and the techniques used, without compromising the confidentiality of the reporting company. The secure website also contains a variety of analytic and warning products that we make available to the InfraGard community. We believe InfraGard, once fully implemented, will be a significant step forward in enhancing the ability of the private sector and the government to share information with each other. The government has access to unique sources of information through its intelligence and law enforcement activities. These need to be shared, in appropriately sanitized form, with private sector owners and operators so that they can protect themselves against threats that we become aware of. Conversely, the private sector is often the victim of cyber attacks and threats that are highly relevant to our mission to protect that nation's critical infrastructures from attack. Only by bringing these governmental and private sources of information together can we get a sense of the full picture of threats and incidents, draw linkages, and engage in effective "indications and warning" regarding cyber attacks. In contrast to efforts to share information solely within one industry sector, InfraGard provides a vehicle for sharing information across sectors and between the government and industry generally. A second effort involving cooperation with the private sector is the Key Asset Initiative (KAI). A key asset can be defined as an organization, system, group of organizations or systems, or physical plant, the loss of which would have widespread and dire economic or social impact on a national, regional, or local basis. The KAI initially involves determining which assets are "key" within the jurisdiction of each FBI Field Office and obtaining 24-hour points of contact at each asset in case of an emergency. Eventually, contingent on future funding, the KAI will include the development of contingency plans to respond to attacks on each asset, exercises to test response plans, and modeling to determine the effects of an attack on particular assets. FBI Field Offices are responsible for developing a list of the assets within their respective jurisdictions, while the Center maintains a national database. This initiative serves the critical needs of developing lists of the key assets within each critical infrastructure and also of developing the communications and liaison links necessary for the collection of information and the dissemination of warnings to the infrastructure owners and operators. Another initiative is a pilot program we have developed with the North American Electrical Reliability Council (NERC) to develop an "Indications and Warning" System for physical and cyber attacks. Under the pilot program, electric utility companies and other power entities transmit incident reports to the NIPC. These reports are analyzed and assessed to determine whether an NIPC alert, advisory, or assessment is warranted to the electric utility community. Electric power participants in the pilot program have stated that the information and analysis provided by the NIPC back to the power companies make this program especially worthwhile. NERC has recently decided to expand this initiative nationwide. We see this initiative as a good example of government and industry working together to share information and it is our expectation that the Electrical Power Indications and Warning System will provide a model for the other critical infrastructures. We are currently working with industry on developing an Indications and Warning program for the telecommunications sector. The NIPC has also been working on a set of outreach conferences under the auspices of the Department of Justice and the Information Technology Association of America. In April, 2000 the Attorney General, representatives from the NIPC, Special Agents from FBI Field Offices, and other law enforcement officials met with west coast industry representatives at Stanford University. Last month, we met with east coast industry representatives at EDS in Herndon, Virginia. At both conferences the Attorney General stressed ways that industry and law enforcement need to work together against computer hackers and intrusions. It was clear at both conferences, too, that industry wants a good, cooperative relationship with law enforcement to share information about threats and incidents, and to investigate cyber attacks successfully. A number of initiatives stemming from those conferences are currently underway to further this cooperative relationship. NIPC representatives spend a significant portion of our time speaking across the country and around the world to private sector and government groups, as part of our effort to raise awareness about the cyber threat and to foster cooperation between industry and law enforcement. For example, we have recently participated in meetings of the National Security Telecommunications Advisory Committee (NSTAC), a private sector advisory committee to the President whose purpose is to provide advice and expertise on national security and emergency preparedness telecommunications policy); the System Administration, Networking, and Security (SANS) Institute, a cooperative research and education organization founded in 1989 for the purpose of sharing information among system administrators, security professionals, and network administrators; the Information Security Forum, an association of organizations who share best practices and other solutions to information security problems; the National Governors Association; the American Society for Industrial Security (ASIS), a 32,000 member organization for professionals responsible for security; and the American Bar Association (ABA). Finally, the NIPC is working with the Critical Infrastructure Assurance Office in the Department of Commerce on outreach initiatives. All of these efforts are critical to the goal of building a partnership between industry and the government for the purpose of securing our nation's critical infrastructures and reducing our vulnerability to cyber crime. NIPC and International Cooperation Most pertinent to this hearing is the issue of cooperation across national borders. A typical cyber investigation can involve victim sites in multiple states and often many countries, and can require tracing an evidentiary trail that crosses numerous state and international boundaries. Even intrusions into U.S. systems by a perpetrator operating within the U.S. often require international investigative activity because the attack is routed through Internet Service Providers and computer networks located outside the United States. When evidence is located within the United States, we can subpoena records, conduct electronic surveillance, execute search warrants, seize evidence, and examine it. We can do none of those things ourselves overseas to solve a U.S. criminal case. Instead, we must depend on the local authorities to assist us. This means that effective international cooperation is essential to our ability to investigate cyber crime. International investigations pose special problems. First, while the situation has improved markedly in recent years, many countries lack substantive laws that specifically criminalize computer crimes. This means that those countries often lack the authority not only to investigate or prosecute computer crimes that occur within their borders, but also to assist us when evidence might be located in those countries. Moreover, the quickly evolving technological aspects of these investigations can exceed the capabilities of local police forces in some countries. Finally, even when countries have the requisite laws and have developed the technical expertise necessary to conduct cyber investigations, successful investigation in this arena requires more expeditious response than has traditionally been the case in international matters, because electronic evidence is fleeting and, if not secured quickly, can be lost forever. NIPC International Outreach The NIPC is working with its international partners on several fronts to address the issues outlined above. The first area consists of outreach activities designed to raise awareness about the cyber threat, encourage countries to address the threat through substantive legislation, and provide advice on how to organize to deal with the threat most effectively. Almost weekly the NIPC hosts a foreign delegation to discuss topics ranging from current cases to the establishment of NIPC-like entities in other nations. Since the NIPC was founded, Japan, the United Kingdom, Canada, Germany, and Sweden have formed or are in the process of forming interagency entities like the NIPC. The NIPC has briefed visitors from the United Kingdom, Germany, France, Norway, Canada, Japan, Denmark, Sweden, Israel, and other nations over the past year. In addition, to promote understanding of the NIPC mission, an "open house" for embassy personnel was held in March 2000. Abroad, the FBI's Legal Attaches (Legats) are often the first officials contacted by foreign law enforcement should an incident occur. We are providing training to our Legats on how to coordinate computer intrusion and infrastructure protection matters with us to make them more effective. In addition, NIPC personnel are in almost daily contact with Legats around the world to assist in coordinating requests for information. NIPC International Training In order to help make our foreign partners more capable to assist our international investigations and to address cyber crime within their own countries, the NIPC has also provided training to investigators from several nations. Much of this training takes place at the International Law Enforcement Academies in Budapest, Hungary and Bankok, Thailand. In addition, a small number of select international investigators receive training in NIPC sponsored classes in the United States. The NIPC also holds workshops with other nations to share information on techniques and trends in cyber intrusions. For example, in September 1999 the NIPC sponsored an International Cyber Crime Conference in New Orleans to provide training to international law enforcement officers and forge links between foreign law enforcement officers and personnel representing: the NIPC, FBI field offices, FBI Legats, the U.S. Secret Service, the Naval Criminal Investigative Service, the Air Force Office of Special Investigations, and the U.S. Postal Inspection Service. The G-8 High-Tech Crime Working Group Another international initiative that the NIPC has been involved in is the G-8's High-Tech Crime Subgroup of the G-8 "Lyon Group." A representative of the NIPC serves as a member of the United States delegation to the Subgroup, which has been considering several issues concerning international cyber crime investigations, including the establishment of a 24/7 high-tech crime points of contact network, international training conferences, review of legal systems in G-8 countries, and the development of the G-8 principles on transborder access to stored computer data. The 24/7 high-tech points of contact network was established in March 1998. Each of the G-8 countries identified a point of contact for law enforcement in each of their respective countries. These contacts are required to be available twenty-four hours a day, seven days a week, in order to respond to requests for assistance in important high-tech crime investigations in which electronic evidence may either be altered or destroyed. With regard to training, the subgroup hosted an international computer crime training conference in November 1998, for law enforcement investigators of the G-8 countries. This conference addressed law enforcement issues relating to high-tech crime investigations and the technical issues involved in these specific types of investigations. In addition, the subgroup has compiled a collection of the substantive and procedural laws regarding computer crimes in each of the G-8 countries. Regarding the critical issue of transborder access to stored data, the subgroup has provided recommendations for principles of transborder access to stored computer data. In addition, the subgroup has written principles that provide a mechanism to secure the rapid preservation of stored data in computer systems. These recommendations will attempt to prevent instances where computer data of possible evidentiary value is altered or deleted while a formal request for assistance under a Mutual Legal Assistance Treaty (MLAT) is processed. Lastly, the G-8 subgroup has referred the task of developing common terms and common formats for forensic requests and developing international standards for the retrieval and processing of electronic evidence to the International Organization of Computer Evidence (IOCE), which has representation in most of the G-8 countries. In May 2000, the NIPC attended a G-8 industry/law enforcement conference in Paris, France. This meeting, which included individuals representing industry and consumer groups, was structured to allow both industry and law enforcement officials to share ideas and concerns regarding the security of the Internet. Each participating country's contingent consisted of industry and government representatives, from a variety of agencies, and each country had one industry and one government representative make a presentation to the group about issues concerning their nation. Government officials were sensitized to the concerns of both industry and consumers, and industry and the public representatives were exposed to some of the challenges facing law enforcement and other government agencies in their struggle to provide a safe, secure environment for e-commerce. A subsequent meeting building on the success of the Paris forum is planned for October 2000. The NIPC and International Investigations Since the creation of the NIPC in February 1998, we have seen a significant increase in the number of investigations requiring international cooperation. The NIPC has provided an effective vehicle for coordinating these investigations. I will provide a few examples to demonstrate the issues raised by such investigations and how they have been addressed by the NIPC. One example is the Solar Sunrise case, the code name for a multi-agency investigation of intrusions into more than 500 military, civilian government, and private sector computer systems in the United States during February and March 1998. These intrusions occurred just as the NIPC was being established. The intrusions took place during the build-up of United States military personnel in the Middle East in response to tensions with Iraq over United Nations weapons inspections. The intruders penetrated at least 200 unclassified U.S. military computer systems, including seven Air Force bases and four Navy installations, Department of Energy National Laboratories, NASA sites, and university sites. The timing of the intrusions, and the fact that some activity appeared to come from an ISP in the Middle East, led many U.S. military officials to suspect that this might be an instance of Iraqi information warfare. The NIPC coordinated an extensive interagency investigation involving FBI Field Offices, the Department of Defense, NASA, Defense Information Systems Agency, Air Force Office of Special Investigations, the Department of Justice, and the Intelligence Community. Internationally the NIPC worked closely with the Israeli law enforcement authorities. Within several days, the investigation determined that two juveniles in Cloverdale, California, and individuals in Israel were the perpetrators. This case demonstrated the critical need for an interagency center to coordinate our investigative efforts to determine the source of such intrusions and the need for strong international cooperation. Israeli authorities are preparing to prosecute the chief defendant in their case in the summer of 2000. More recent cases demonstrate how much international cooperation has improved in this area. In February 2000, the NIPC received reports that CNN, Yahoo, Amazon. Com, e-Bay, and other e-commerce sites had been subject to "Distributed Denial of Service" (DDOS) attacks. The NIPC had issued warnings in December 1999 about the possibility of such attacks, and even created and released a tool that victims could use to detect whether their system had been infiltrated by an attacker for use against other systems. When attacks did occur in February, companies cooperated with the NIPC and our National Infrastructure Protection and Computer Intrusion Squads in several FBI field offices (including Los Angeles and Atlanta) and provided critical logs and other information. Within days, the FBI and NIPC had traced some of the attacks to Canada, and subsequently worked with the Royal Canadian Mountain Police to identify the suspect. The Royal Canadian Mounted Police (RCMP) arrested a juvenile subject in April 2000, and charges are expected to be brought shortly for at least some of the attacks. The unprecedented speed and scope of this investigation was evidence of the great improvement made in our ability to conduct large scale, complex international investigations. Another example involves the compromise between January and March 2000 of multiple e-commerce websites in the U.S., Canada, Thailand, Japan and the United Kingdom by a hacker known as "Curador." Curador broke into the sites and apparently stole as many as 28,000 credit card numbers, with losses estimated to be at least $3.5 million. Thousands of credit card numbers and expiration dates were posted to various Internet websites. After an extensive investigation, on March 23, 2000, the FBI assisted the Dyfed Powys (Wales, UK) Police Service in a search at the residence of "Curador," whose real name is Raphael Gray. Mr. Gray, age 18, was arrested in the UK along with a co-conspirator under the UK's Computer Misuse Act of 1990. This case was predicated on the investigative work by the FBI, the Dyfed Powys Police Service in the United Kingdom, Internet security consultants, the RCMP, and the international banking and credit card industry. This case illustrates the benefits of law enforcement and private industry, around the world, working together in partnership on computer crime investigations. Most recently, companies and individuals around the world by the "Love Bug," a virus (or, technically, a "worm") that traveled as an attachment to an e-mail message and propagated itself extremely rapidly through the address books of Microsoft Outlook users. Investigative work by the FBI's New York Field Office, with assistance from the NIPC, traced the source of the virus to the Phillippines within 24 hours. The FBI then worked, through the LEGAT in Manila, with the Phillippines' National Bureau of Investigation, to identify the perpetrator. The investigation in the Phillippines was hampered by the lack of a specific computer crime statute. Nevertheless, Onel de Guzman was charged on June 29, with fraud, theft, malicious mischief, and violation of the Devices Regulation Act. The speed with which the virus was traced back to its source is unprecedented. As a postscript, it is important to note that the Phillippines' government on June 14, 2000 approved the E-Commerce Act, which now specifically criminalizes computer hacking and virus propagation. In addition to the matters mentioned above, we are currently working on numerous cases that require international cooperation. Because these are all pending matters, I cannot comment on them in this hearing. But I can say that the percentage of cases with an international element is increasing significantly. These cases all illustrate the tremendous progress that has been made in the international arena. Countries around the world are addressing the cyber crime problem by creating new computer crime laws, establishing organizations and capabilities to handle investigations, and forging ties across international borders to facilitate investigations. While much work remains to be done, we can point with pride to the considerable advances that have been made in a very short time to strengthen international cooperation against cyber crime. Conclusion Cooperation among governments and between government and industry is the key to combating crime in cyberspace and making the Internet a safe and secure environment for e-commerce and communications. The NIPC has played an important role in fostering such cooperation. With the support of this committee and Congress as a whole, we hope to continue to build on this success. Thank you. 
|
