IWS - The Information Warfare Site
News Watch Make a donation to IWS - The Information Warfare Site Use it for navigation in case java scripts are disabled

STATEMENT OF

MICHAEL CHERTOFF

ASSISTANT ATTORNEY GENERALCRIMINAL DIVISION

U.S. DEPARTMENT OF JUSTICE

BEFORE THE SUBCOMMITTEE ON CRIME

COMMITTEE ON THE JUDICIARY

U.S. HOUSE OF REPRESENTATIVES

JUNE 12, 2001




Mr. Chairman and Members of the Subcommittee, thank you for this opportunity to testify about the Department of Justice's efforts to fight cybercrime. The issue before this Subcommittee today is one of singular importance, and I commend the Subcommittee for holding this hearing.

In my testimony today, I would like to outline briefly the nature of the cybercrime problem and the Department's current efforts to combat that problem. As this is only my second week as head of the Criminal Division, I have not yet had the opportunity to undertake a full review of the problem and how we can best confront it. However, it is clear to me that cybercrime is an extremely serious threat, and that its complexity and constant evolution present a tremendous challenge to law enforcement.

The nature and severity of cybercrime

Over the last decade, use of computers and the Internet has grown exponentially. Indeed, for many individuals it is an integral part of their daily lives. With little more than a click of a mouse, people can communicate, transfer information, engage in commerce, and expand their educational opportunities. Unfortunately, criminals exploit these same technologies to commit crimes and harm the safety, security, and privacy of us all. Indeed, as more people go online, more criminals are realizing that online crime can be lucrative, especially given the amount of valuable commercial and personal information now being stored electronically.

So-called "cybercrime" can be divided into two categories. On the one hand, we are seeing the migration of "traditional" crimes from the physical to the online world. These crimes include threats, child pornography, fraud, gambling, extortion, and theft of intellectual property. Simply put, criminals are migrating online because they can reach more victims quickly, can collaborate with other criminals, can disguise their identities, and can use the global nature of the Internet to remain anonymous.

On the other hand, the Internet has spawned an entirely new set of criminal activity that targets computer networks themselves. Included in this category are such crimes as hacking, releasing viruses, and shutting down computers by flooding them with unwanted information (so-called "denial of service" attacks). Our vulnerability to - and the damages caused by - this type of crime are astonishingly high.

For example, in May of last year, the "I Love You" Virus began to infect computers on the Internet. Within a short period of time, it had disrupted the communications of hundreds of thousands of computers, causing losses estimated in the billions of dollars. Just as disturbing, this virus demonstrated a new capability: when it infected a computer, it accessed the user's computer passwords and sent them electronically to a computer in a foreign country. The implications of this virus - and the many viruses that have followed it - are staggering.

In March of this year, the FBI's National Infrastructure Protection Center issued a warning that an organized group of hackers from Russia and Eastern Europe had committed a series of intrusions into more than forty banks and e-commerce companies in the United States. The hackers stole over 1,000,000 credit card numbers from the companies' data bases. They then embarked on extortion of many of the companies, threatening to disclose confidential information or damage the victims' computer systems. Evidence suggests that the hackers then sold many of the credit card numbers to organized crime groups.

This crime - the investigation into which the Treasury Department participated and which has to date resulted in two arrests - has grave implications. Not only did it cause financial losses for the companies, but it harmed the privacy and security of the ordinary citizens whose credit cards numbers and personal data were stolen. Individuals victimized by these sorts of crimes rightfully fear the ramifications of criminals' gaining access to their private financial and personal data. Moreover, this kind of crime strikes at the confidence of consumers, threatening the vital growth of e-commerce.

Network crimes not only affect the security of individuals and businesses, they can also threaten our nation's critical infrastructures. Our power and water supply systems, telecommunications networks, financial sector, and critical government services, such as emergency and national defense services, all rely on computer networks. This reliance on computer networks creates new vulnerabilities.

For example, for a real-world terrorist to blow up a dam, he would need tons of explosives, a delivery system, and a surreptitious means of evading armed security guards. For a cyberterrorist, the same devastating result could be achieved by hacking into the control network and commanding the computer to open the floodgates. This is not a purely hypothetical scenario. Several years ago, a juvenile hacker gained unauthorized access to the computers controlling the operations of the Roosevelt Dam in Arizona.

Although there are as yet no definitive statistics on the scope of the problem, there is no doubt that the number of crimes involving computers and the Internet is rising dramatically. For example, the CERT Coordination Center, which was created to warn about computer attacks and viruses, received over 21,000 network crime incident reports last year. This is more than double the number of reports it received the year before. Similarly, a survey conducted by the FBI and the Computer Security Institute recently revealed substantial increases in computer crime. Over 85 percent of the companies and government agencies surveyed reported computer security breaches within the preceding twelve months, up from 70 percent last year. Moreover, researchers at the University of California at San Diego recently reported a methodology that enabled them to count the numbers of denial of service attacks. Their research revealed that 4,000 attacks occur every week. Responding to these threats is a daunting challenge.

Justice Department Responses to Cybercrime

While there is little question that combating cybercrime is a tremendous challenge, it is one the Justice Department must be prepared to meet. I can assure you that the Department is committed to arresting and prosecuting those individuals who operate in cyberspace to threaten the security and privacy of our citizens, to disrupt and damage commerce, and to compromise the integrity and availability of the Internet itself. I am very encouraged by the extent to which our investigators and prosecutors have been building a good enforcement foundation. One need only look at the many success stories reflected on the website of the Computer Crime and Intellectual Property Section, www.cybercrime.gov, to see their efforts in this area.

From my perspective, as I begin my assessment of our cybercrime efforts and the direction they should take in the future, at least three themes or elements seem to emerge as particularly important to success in confronting cybercrime: developing specialized expertise, building teamwork and partnerships, and assuring we have legal authorities which are both effective and appropriate in the unique and ever-evolving setting of computers and the Internet.

Developing specialized expertise

Combating computer crime requires a team of professionals, including investigators, forensic experts, and prosecutors, all of whom have technical expertise. In addition to traditional investigative skills, cybercrime investigators must be well versed in the intricacies of technology to insure that evidence is not lost or overlooked. Forensic experts must know how to handle electronic evidence to protect its integrity for later use at trial, as well as how to recover and analyze digital evidence from computers with hard drives that store gigabytes of data. And prosecutors must understand the jargon and complexities of high-technology crimes and be able to translate technical evidence into a form understandable to a judge and jury.

In response to the escalating problem, our law enforcement agencies have devoted significant resources to developing cadres of investigators and forensic experts who have the specialized skills needed for cybercrime investigations. The FBI and Secret Service, which have particularly important investigative responsibilities with respect to Internet and computer-related crimes, have certainly been in the forefront of this effort.

On the prosecution side, I am pleased that the Criminal Division has played a particularly important role, not only as a source of specialized cybercrime expertise, but as a key player in the training of local, state and federal agents and prosecutors in the laws governing cybercrime.

At the center of this effort is the Criminal Division's Computer Crime and Intellectual Property Section ("CCIPS"). This team of attorneys focuses exclusively on issues relating to computer and intellectual property crime, allowing them to serve as the nationally recognized source of advice and expertise on cybercrime law. In addition to responding daily to requests for information and advice from the field, CCIPS coordinates multi-district cases, and works extensively with international counterparts to improve legal and operational support for multi-national cases, such as the nationwide investigation of the distributed denial of service attacks in February 2000 that eventually led to the arrest of an individual in Canada. The Section's important outreach and education mission includes publication of significant reference materials for prosecutors such as Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations and Prosecuting Intellectual Property Crimes and an extensive training program in which, last year alone, CCIPS' twenty-one attorneys gave over 200 presentations to prosecutors, agents, judges, technical experts, and government and industry groups.

A particularly important aspect of developing, and then sharing expertise in the field is our nationwide network of federal prosecutors called Computer and Telecommunications Coordinators (or "CTCs") - at least one from each district - who serve as the district's prosecutorial expert on computer crime cases. The CTC initiative was started by CCIPS in 1995, and has been strongly supported by our U.S. Attorneys. CCIPS trains and supports these coordinators specially, so that they, in turn, can serve as a resource for their offices and the law enforcement authorities and concerned industry in their regions of the country.

In the Criminal Division, specialized expertise in combating cybercrime is not confined to CCIPS. Other sections have developed this expertise as traditional forms of criminality have moved onto the Internet.

For example, the Department has seen dramatic growth in various types of fraudulent online schemes, and the Criminal Division's Fraud Section has played a critical role in the Justice Department's response, including overseeing a Department-wide Internet Fraud Initiative begun in 1999. Its work to date has included (1) advising and supporting federal prosecutors throughout the country, including maintenance of an Internet fraud brief bank; (2) developing specialized training on Internet fraud for courses at the Department's National Advocacy Center; (3) publishing extensive materials on the Department's website, www.internetfraud.usdoj.gov, in order to promote public understanding of Internet fraud schemes and how to deal with them; and (4) supporting improvements in federal agencies' investigative and analytical resources, including the Internet Fraud Complaint Center, a joint project of the FBI and the National White Collar Crime Center. The Department has also been involved in the related problem of identity theft, in part by providing national coordination of governmental efforts through the Identity Theft Subcommittee of the Attorney General's Council on White Collar Crime.

Of course, one of the most disturbing facets of cybercrime is the exploitation and abuse of children, whether through distribution of child pornography over the Internet or through the horrific conduct of sexual predators who operate online. The FBI, the U.S. Attorneys' Offices, and the Division's Child Exploitation and Obscenity Section have developed special expertise in investigating and prosecuting these crimes and currently devote significant resources to the online aspects of child pornography and luring cases. Moreover, in this area and others, the Department's Office of Legal Education, in conjunction with various components of the Criminal Division, regularly sponsors classes regarding computer crime and electronic evidence.

Building Partnerships

As I noted at the beginning of my statement, the second element which seems particularly important to our efforts against cybercrime is partnership building. Of course, from years as a prosecutor, I know that teamwork is essential to any successful crime-fighting effort. But it strikes me that in the area of cybercrime the need for effective partnerships, is not only especially important but also requires partnerships well outside the traditional law enforcement community.

Certainly the complexity of cybercrime and the breadth, or potential breadth of its impact, are part of the reason. However, another factor is the diversity of interests at play in the cyberworld, and hence in our efforts to combat cybercrime. These include, among others, law enforcement interests, national security interests, privacy interests, and commerical interests. Without partnership, or at least dialogue, we will allow those interests to conflict and collide in ways destructive of our efforts to combat cybercrime.

I would like to briefly describe some of the efforts already underway in the Department to build partnerships at the national and international levels and to engage consumers, organizations and business in a cooperative effort against Internet and computer related crime.

Because of the borderless and real-time nature of the Internet, and thus of cybercrime, we at the federal level need effective partnerships with our law enforcement colleagues at the federal, state and local levels, as well as overseas. A good example of cooperation of the federal level, "Operation Cyber Loss," is described in detail in the testimony of FBI Deputy Assistant Director Kubic.

Certainly, within the United States, an important part of our partnership with state and local counterparts is supporting them in developing the specialized expertise I have already described as so important to our cybercrime efforts. For example, the Department founded and funds the National Cybercrime Training Partnership, a ground-breaking consortium of federal, state, and local entities dedicated to improving the technical competence of law enforcement agents and prosecutors. In addition, we have worked with the National Association of Attorneys General to create a 50-state list of state and local computer crime specialists, posted on the web, so that agents and prosecutors from one jurisdiction can call upon their colleagues in another jurisdiction for assistance in cybercrime matters. Also, our AUSAs specializing in cybercrime - the CTCs - are working in their jurisdictions to train state and local agents and prosecutors.

The challenges on the international level are greater. When we deal with a transborder cybercrime, we need foreign law enforcement counterparts who not only have the necessary technical expertise, but who are accessible and responsive, and who have the necessary legal authority to cooperate with us and assist us in our investigations and prosecutions. The Criminal Division has played a central role in attempting to build these sorts of partnerships internationally, and I expect it to continue to do so.

For example, within the larger law enforcement frame work of the G-8's Lyon Group, there is a Subgroup on High-tech Crime which, from its inception, has been chaired by a senior attorney from CCIPS. One of its important accomplishments was the development of a "24/7 network" which allows law enforcement contacts in each participating country to reach out - 24 hours a day, seven days a week - to counterparts in other countries for rapid assistance in investigating computer crime and preserving electronic evidence. The Subgroup has also to date sponsored many meetings, including three major conferences, that have brought together government and private sector representatives of all the G-8 countries to discuss cybercrime issues.

As part of our efforts to forge an effective framework for international partnership, the Department, and in particular the Criminal Division, has been engaged in the lengthy and still ongoing process of negotiating a cybercrime treaty in the Council of Europe. Since those negotiations have not yet concluded, I believe it would be premature to discuss the treaty in detail. Nonetheless, if a solid text emerges, it would be a significant legal instrument to assist us in combating cybercrime.

One aspect of our work on the treaty I do want to note especially, however, is the extent to which we have sought to engage the private sector, some elements of which had expressed concerns about aspects of the evolving draft and about the process at the Council of Europe, whose proceedings in this context have not been open to the public. The United States delegation pressed hard for the COE to depart from past practice and publish working drafts of the text, which it began to do more than a year ago. Thereafter, representatives of the Justice Department, along with those from the State and Commerce Departments - the agencies that form our delegation - met on numerous occasions with industry and privacy groups to hear their concerns. As a result, our delegation worked hard, and with a large measure of success, to obtain a number of changes to the treaty sought by industry and privacy groups.

Of course, our dialogue with industry on the international front is part of a much broader partnership between law enforcement and industry to combat cybercrime and protect the nation's critical infrastructures.

As the builders and owners of the infrastructure that supports cyberspace, private sector companies have primary responsibility for securing and protecting the Internet. CCIPS, the National Infrastructure Protection Center (NIPC), and the CTC network have engaged in regular outreach to industry to ensure that communications channels are open between government and the private sector and to encourage cooperation on efforts to prevent and combat computer and intellectual property crimes. For example, the NIPC, in conjunction with the private sector, has developed the "InfraGard" initiative to expand direct contacts between government and private sector infrastructure owners and operators, and to share information about computer intrusions, vulnerabilities, and infrastructure threats.

Consumers, as the users of the infrastructure, also play an important role in securing the Internet. In the real world, most people understand their responsibilities regarding property: one should take appropriate steps to lock one's doors, but one should not enter other peoples' homes without permission even if they leave their doors unlocked. The Department has been working with the private sector and consumers to promote the same kind of safety precautions and ethics in the online world. One program we initiated with the Information Technology Association of America is the Cybercitizen Partnership, a national campaign to raise awareness about using computers responsibly and to provide educational resources to empower concerned citizens. The Partnership has developed a website, www.cybercitizenship.org, which provides information to parents, teachers, and children about online ethics.

Certainly, one of the partnerships most important to our cybercrime efforts - one I believe we strengthen through hearings such as this - is the partnership between the Executive and Legislative branches. Of course, it is in the context of this partnership that we will focus on the third important element in our fight against cybercrime, and that is assuring that we have appropriate and effective legal tools.

Assuring an effective legal framework

Given my very recent arrival as head of the Criminal Division, I am not in a position today to make specific recommendations about legislation. However, we are looking at this area closely, and are aware that members of Congress are doing so as well.

What I would like to do is to describe in general terms certain areas where our career investigators and prosecutors have raised concerns about our current legal framework for investigating and prosecuting cybercrime. For example, the adequacy of the penalties for certain computer crimes has been questioned, particularly in the aftermath of the "Melissa" virus case. In that case, even though the defendant caused tens of millions, if not billions of dollars of damage. the maximum penalty was five years imprisonment. Also, some prosecutors have expressed concern that the particular statutory approach for computing the minimum thresholds of damage in computer hacking cases, may in fact allow some significant criminals to go unpunished.

There have also been questions about whether procedural statutes, some enacted more than a decade ago, have withstood the changes brought about by the advance of technology. The Pen Register and Trap and Trace Statute is a good example. The "pen/trap statute" establishes a set of procedures by which law enforcement authorities can collect the non-content information associated with a communication. For telephones, this means the source or destination of calls placed to or from a particular phone. Congress enacted this statute in 1986 to protect privacy by requiring that the law enforcement authorities apply for a court order, allowing only government attorneys (not agents) to apply for such orders, and creating a criminal offense for any who use pen/trap devices without authority.

With the advances in technology, law enforcement authorities and the courts have applied the pen/trap statute to new communications media, such as e-mail. In this context, pen/trap devices can uncover the source - but not the content - of a particular Internet communication. For example, law enforcement authorities obtained a pen/trap order on an e-mail account that was central to locating and arresting James Kopp, who had evaded arrest for three years after being indicted for killing a doctor in front of his wife and child in their home near Buffalo, New York, in 1998.

Although numerous courts across the country have applied the pen/trap statue to communications on computer networks, no federal district or appellate court has explicitly ruled on its propriety. However, certain litigants have begun to challenge the application of the pen/trap statute to such electronic communications. The pen/trap statute protects privacy and is an important investigative tool. Its application to the cyberworld is vital.

Also, this legislation was passed in an era when telecommunication networks were configured in such a way that, in most cases, the information sought could be obtained by issuing an order to a single carrier. With deregulation, however, a single communication may now be carried by multiple providers. For example, a telephone call may be carried by a competitive local exchange carrier, which passes it to a switch to a local Bell Operating Company, which passes it to a long distance carrier, which hands it to a local exchange carrier elsewhere in the U.S., which in turn may finally hand it to a cellular carrier. Under the structure of the current statute, where a court may only authorize the installation of a pen register or trap device "within the jurisdiction of the court," identifying the ultimate source may require obtaining information from a host of providers located throughout the country - each requiring a separate order. Indeed, in one case the Justice Department needed four separate orders to trace a hacker's communications. You can imagine the concern of our investigators and prosecutors about complying with this procedure when confronted with an urgent need for information to prevent a serious crime or trace one in progress.

Another procedural statute that Congress should consider examining is the Cable Communications Policy Act (the "Cable Act") (47 U.S.C. § 551). Technological advances - and uncertainty about the Cable Act's application to them - have created roadblocks for important law enforcement investigations.

In 1984, Congress passed the Cable Act to regulate government access to records pertaining to cable television service. Of course, at that time, cable companies did not offer Internet access or telephone service. Today, they do. Yet a totally separate legal regime governs government access to records pertaining to telephones and the Internet. These laws include the wiretap statute (18 U.S.C. § 2510 et seq.), the Electronic Communications Privacy Act ("ECPA") (18 U.S.C. § 2701 et seq.), and the pen/trap statute (18 U.S.C. § 3121 et seq.). Cable companies have expressed concern that they may expose themselves to liability for violating the Cable Act if they comply with subpoenas and court orders for telephone or Internet records. This complication has at times delayed or frustrated time-sensitive investigations. It makes little sense for the rules governing law enforcement access to the records of communications customers to depend on the method by which the customer connects to the Internet.

These are only a few of the legislative issues we are now reviewing. I know there are other areas of concern, for example, with respect to further protections for children and safeguarding personal information from unauthorized and even criminal use. Moreover, part of our agenda will inevitably concern resources. Future budget requests for the Division will make adequate resources for our efforts against cybercrime a priority.

Conclusion

Mr. Chairman, I want to thank you again for this opportunity to testify about our efforts to fight crime on the Internet. Citizens are deeply concerned about their safety and security when using the Internet, and we unfortunately have already encountered many examples of serious crimes against individuals and businesses and serious invasions of their privacy by criminals. Enhancing the ability of law enforcement to fight cybercrime both promotes Internet users' safety and security and enhances their privacy by deterring and punishing criminals. The Department of Justice stands ready to work with the Members of this Subcommittee to achieve these important goals.

Mr. Chairman, that concludes my prepared statement. I would be pleased to answer any questions that you may have at this time.