ASSISTANT ATTORNEY GENERALCRIMINAL DIVISION
U.S. DEPARTMENT OF JUSTICE
BEFORE THE SUBCOMMITTEE ON CRIME
COMMITTEE ON THE JUDICIARY
U.S. HOUSE OF REPRESENTATIVES
JUNE 12, 2001
Mr. Chairman and Members of the Subcommittee, thank you for this
opportunity to testify about the Department of Justice's efforts
to fight cybercrime. The issue before this Subcommittee today
is one of singular importance, and I commend the Subcommittee
for holding this hearing.
In my testimony today, I would like to outline briefly the nature
of the cybercrime problem and the Department's current efforts
to combat that problem. As this is only my second week as head
of the Criminal Division, I have not yet had the opportunity to
undertake a full review of the problem and how we can best confront
it. However, it is clear to me that cybercrime is an extremely
serious threat, and that its complexity and constant evolution
present a tremendous challenge to law enforcement.
The nature and severity of cybercrime
Over the last decade, use of computers and the Internet has grown
exponentially. Indeed, for many individuals it is an integral
part of their daily lives. With little more than a click of a
mouse, people can communicate, transfer information, engage in
commerce, and expand their educational opportunities. Unfortunately,
criminals exploit these same technologies to commit crimes and
harm the safety, security, and privacy of us all. Indeed, as more
people go online, more criminals are realizing that online crime
can be lucrative, especially given the amount of valuable commercial
and personal information now being stored electronically.
So-called "cybercrime" can be divided into two categories. On
the one hand, we are seeing the migration of "traditional" crimes
from the physical to the online world. These crimes include threats,
child pornography, fraud, gambling, extortion, and theft of intellectual
property. Simply put, criminals are migrating online because they
can reach more victims quickly, can collaborate with other criminals,
can disguise their identities, and can use the global nature of
the Internet to remain anonymous.
On the other hand, the Internet has spawned an entirely new set
of criminal activity that targets computer networks themselves.
Included in this category are such crimes as hacking, releasing
viruses, and shutting down computers by flooding them with unwanted
information (so-called "denial of service" attacks). Our vulnerability
to - and the damages caused by - this type of crime are astonishingly
For example, in May of last year, the "I Love You" Virus began
to infect computers on the Internet. Within a short period of
time, it had disrupted the communications of hundreds of thousands
of computers, causing losses estimated in the billions of dollars.
Just as disturbing, this virus demonstrated a new capability:
when it infected a computer, it accessed the user's computer passwords
and sent them electronically to a computer in a foreign country.
The implications of this virus - and the many viruses that have
followed it - are staggering.
In March of this year, the FBI's National Infrastructure Protection
Center issued a warning that an organized group of hackers from
Russia and Eastern Europe had committed a series of intrusions
into more than forty banks and e-commerce companies in the United
States. The hackers stole over 1,000,000 credit card numbers from
the companies' data bases. They then embarked on extortion of
many of the companies, threatening to disclose confidential information
or damage the victims' computer systems. Evidence suggests that
the hackers then sold many of the credit card numbers to organized
This crime - the investigation into which the Treasury Department
participated and which has to date resulted in two arrests - has
grave implications. Not only did it cause financial losses for
the companies, but it harmed the privacy and security of the ordinary
citizens whose credit cards numbers and personal data were stolen.
Individuals victimized by these sorts of crimes rightfully fear
the ramifications of criminals' gaining access to their private
financial and personal data. Moreover, this kind of crime strikes
at the confidence of consumers, threatening the vital growth of
Network crimes not only affect the security of individuals and
businesses, they can also threaten our nation's critical infrastructures.
Our power and water supply systems, telecommunications networks,
financial sector, and critical government services, such as emergency
and national defense services, all rely on computer networks.
This reliance on computer networks creates new vulnerabilities.
For example, for a real-world terrorist to blow up a dam, he
would need tons of explosives, a delivery system, and a surreptitious
means of evading armed security guards. For a cyberterrorist,
the same devastating result could be achieved by hacking into
the control network and commanding the computer to open the floodgates.
This is not a purely hypothetical scenario. Several years ago,
a juvenile hacker gained unauthorized access to the computers
controlling the operations of the Roosevelt Dam in Arizona.
Although there are as yet no definitive statistics on the scope
of the problem, there is no doubt that the number of crimes involving
computers and the Internet is rising dramatically. For example,
the CERT Coordination Center, which was created to warn about
computer attacks and viruses, received over 21,000 network crime
incident reports last year. This is more than double the number
of reports it received the year before. Similarly, a survey conducted
by the FBI and the Computer Security Institute recently revealed
substantial increases in computer crime. Over 85 percent of the
companies and government agencies surveyed reported computer security
breaches within the preceding twelve months, up from 70 percent
last year. Moreover, researchers at the University of California
at San Diego recently reported a methodology that enabled them
to count the numbers of denial of service attacks. Their research
revealed that 4,000 attacks occur every week. Responding to these
threats is a daunting challenge.
Justice Department Responses to Cybercrime
While there is little question that combating cybercrime is
a tremendous challenge, it is one the Justice Department must
be prepared to meet. I can assure you that the Department is committed
to arresting and prosecuting those individuals who operate in
cyberspace to threaten the security and privacy of our citizens,
to disrupt and damage commerce, and to compromise the integrity
and availability of the Internet itself. I am very encouraged
by the extent to which our investigators and prosecutors have
been building a good enforcement foundation. One need only look
at the many success stories reflected on the website of the Computer
Crime and Intellectual Property Section, www.cybercrime.gov, to
see their efforts in this area.
From my perspective, as I begin my assessment of our cybercrime
efforts and the direction they should take in the future, at least
three themes or elements seem to emerge as particularly important
to success in confronting cybercrime: developing specialized expertise,
building teamwork and partnerships, and assuring we have legal
authorities which are both effective and appropriate in the unique
and ever-evolving setting of computers and the Internet.
Developing specialized expertise
Combating computer crime requires a team of professionals, including
investigators, forensic experts, and prosecutors, all of whom
have technical expertise. In addition to traditional investigative
skills, cybercrime investigators must be well versed in the intricacies
of technology to insure that evidence is not lost or overlooked.
Forensic experts must know how to handle electronic evidence to
protect its integrity for later use at trial, as well as how to
recover and analyze digital evidence from computers with hard
drives that store gigabytes of data. And prosecutors must understand
the jargon and complexities of high-technology crimes and be able
to translate technical evidence into a form understandable to
a judge and jury.
In response to the escalating problem, our law enforcement agencies
have devoted significant resources to developing cadres of investigators
and forensic experts who have the specialized skills needed for
cybercrime investigations. The FBI and Secret Service, which have
particularly important investigative responsibilities with respect
to Internet and computer-related crimes, have certainly been in
the forefront of this effort.
On the prosecution side, I am pleased that the Criminal Division
has played a particularly important role, not
only as a source of specialized cybercrime expertise, but as a
key player in the training of local, state and federal agents
and prosecutors in the laws governing cybercrime.
At the center of this effort is the Criminal Division's Computer
Crime and Intellectual Property Section ("CCIPS"). This team of
attorneys focuses exclusively on issues relating to computer and
intellectual property crime, allowing them to serve as the nationally
recognized source of advice and expertise on cybercrime law. In
addition to responding daily to requests for information and advice
from the field, CCIPS coordinates multi-district cases, and works
extensively with international counterparts to improve legal and
operational support for multi-national cases, such as the nationwide
investigation of the distributed denial of service attacks in
February 2000 that eventually led to the arrest of an individual
in Canada. The Section's important outreach and education mission
includes publication of significant reference materials for prosecutors
such as Searching and Seizing Computers and Obtaining Electronic
Evidence in Criminal Investigations and Prosecuting Intellectual
Property Crimes and an extensive training program in which, last
year alone, CCIPS' twenty-one attorneys gave over 200 presentations
to prosecutors, agents, judges, technical experts, and government
and industry groups.
A particularly important aspect of developing, and then sharing
expertise in the field is our nationwide network of federal prosecutors
called Computer and Telecommunications Coordinators (or "CTCs")
- at least one from each district - who serve as the district's
prosecutorial expert on computer crime cases. The CTC initiative
was started by CCIPS in 1995, and has been strongly supported
by our U.S. Attorneys. CCIPS trains and supports these coordinators
specially, so that they, in turn, can serve as a resource for
their offices and the law enforcement authorities and concerned
industry in their regions of the country.
In the Criminal Division, specialized expertise in combating
cybercrime is not confined to CCIPS. Other sections have developed
this expertise as traditional forms of criminality have moved
onto the Internet.
For example, the Department has seen dramatic growth in various
types of fraudulent online schemes, and the Criminal Division's
Fraud Section has played a critical role in the Justice Department's
response, including overseeing a Department-wide Internet Fraud
Initiative begun in 1999. Its work to date has included (1) advising
and supporting federal prosecutors throughout the country, including
maintenance of an Internet fraud brief bank; (2) developing specialized
training on Internet fraud for courses at the Department's National
Advocacy Center; (3) publishing extensive materials on the Department's
website, www.internetfraud.usdoj.gov, in order to promote public
understanding of Internet fraud schemes and how to deal with them;
and (4) supporting improvements in federal agencies' investigative
and analytical resources, including the Internet Fraud Complaint
Center, a joint project of the FBI and the National White Collar
Crime Center. The Department has also been involved in the related
problem of identity theft, in part by providing national coordination
of governmental efforts through the Identity Theft Subcommittee
of the Attorney General's Council on White Collar Crime.
Of course, one of the most disturbing facets of cybercrime is
the exploitation and abuse of children, whether through distribution
of child pornography over the Internet or through the horrific
conduct of sexual predators who operate online. The FBI, the U.S.
Attorneys' Offices, and the Division's Child Exploitation and
Obscenity Section have developed special expertise in investigating
and prosecuting these crimes and currently devote significant
resources to the online aspects of child pornography and luring
cases. Moreover, in this area and others, the Department's Office
of Legal Education, in conjunction with various components of
the Criminal Division, regularly sponsors classes regarding computer
crime and electronic evidence.
As I noted at the beginning of my statement, the second element
which seems particularly important to our efforts against cybercrime
is partnership building. Of course, from years as a prosecutor,
I know that teamwork is essential to any successful crime-fighting
effort. But it strikes me that in the area of cybercrime the need
for effective partnerships, is not only especially important but
also requires partnerships well outside the traditional law enforcement
Certainly the complexity of cybercrime and the breadth, or potential
breadth of its impact, are part of the reason. However, another
factor is the diversity of interests at play in the cyberworld,
and hence in our efforts to combat cybercrime. These include,
among others, law enforcement interests, national security interests,
privacy interests, and commerical interests. Without partnership,
or at least dialogue, we will allow those interests to conflict
and collide in ways destructive of our efforts to combat cybercrime.
I would like to briefly describe some of the efforts already
underway in the Department to build partnerships at the national
and international levels and to engage consumers, organizations
and business in a cooperative effort against Internet and computer
Because of the borderless and real-time nature of the Internet,
and thus of cybercrime, we at the federal level need effective
partnerships with our law enforcement colleagues at the federal,
state and local levels, as well as overseas. A good example of
cooperation of the federal level, "Operation Cyber Loss," is described
in detail in the testimony of FBI Deputy Assistant Director Kubic.
Certainly, within the United States, an important part of our
partnership with state and local counterparts is supporting them
in developing the specialized expertise I have already described
as so important to our cybercrime efforts. For example, the Department
founded and funds the National Cybercrime Training Partnership,
a ground-breaking consortium of federal, state, and local entities
dedicated to improving the technical competence of law enforcement
agents and prosecutors. In addition, we have worked with the National
Association of Attorneys General to create a 50-state list of
state and local computer crime specialists, posted on the web,
so that agents and prosecutors from one jurisdiction can call
upon their colleagues in another jurisdiction for assistance in
cybercrime matters. Also, our AUSAs specializing in cybercrime
- the CTCs - are working in their jurisdictions to train state
and local agents and prosecutors.
The challenges on the international level are greater. When
we deal with a transborder cybercrime, we need foreign law enforcement
counterparts who not only have the necessary technical expertise,
but who are accessible and responsive, and who have the necessary
legal authority to cooperate with us and assist us in our investigations
and prosecutions. The Criminal Division has played a central role
in attempting to build these sorts of partnerships internationally,
and I expect it to continue to do so.
For example, within the larger law enforcement frame work of
the G-8's Lyon Group, there is a Subgroup on High-tech Crime which,
from its inception, has been chaired by a senior attorney from
CCIPS. One of its important accomplishments was the development
of a "24/7 network" which allows law enforcement contacts in each
participating country to reach out - 24 hours a day, seven days
a week - to counterparts in other countries for rapid assistance
in investigating computer crime and preserving electronic evidence.
The Subgroup has also to date sponsored many meetings, including
three major conferences, that have brought together government
and private sector representatives of all the G-8 countries to
discuss cybercrime issues.
As part of our efforts to forge an effective framework for international
partnership, the Department, and in particular the Criminal Division,
has been engaged in the lengthy and still ongoing process of negotiating
a cybercrime treaty in the Council of Europe. Since those negotiations
have not yet concluded, I believe it would be premature to discuss
the treaty in detail. Nonetheless, if a solid text emerges, it
would be a significant legal instrument to assist us in combating
One aspect of our work on the treaty I do want to note especially,
however, is the extent to which we have sought to engage the private
sector, some elements of which had expressed concerns about aspects
of the evolving draft and about the process at the Council of
Europe, whose proceedings in this context have not been open to
the public. The United States delegation pressed hard for the
COE to depart from past practice and publish working drafts of
the text, which it began to do more than a year ago. Thereafter,
representatives of the Justice Department, along with those from
the State and Commerce Departments - the agencies that form our
delegation - met on numerous occasions with industry and privacy
groups to hear their concerns. As a result, our delegation worked
hard, and with a large measure of success, to obtain a number
of changes to the treaty sought by industry and privacy groups.
Of course, our dialogue with industry on the international front
is part of a much broader partnership between law enforcement
and industry to combat cybercrime and protect the nation's critical
As the builders and owners of the infrastructure that supports
cyberspace, private sector companies have primary responsibility
for securing and protecting the Internet. CCIPS, the National
Infrastructure Protection Center (NIPC), and the CTC network have
engaged in regular outreach to industry to ensure that communications
channels are open between government and the private sector and
to encourage cooperation on efforts to prevent and combat computer
and intellectual property crimes. For example, the NIPC, in conjunction
with the private sector, has developed the "InfraGard" initiative
to expand direct contacts between government and private sector
infrastructure owners and operators, and to share information
about computer intrusions, vulnerabilities, and infrastructure
Consumers, as the users of the infrastructure, also play an
important role in securing the Internet. In the real world, most
people understand their responsibilities regarding property: one
should take appropriate steps to lock one's doors, but one should
not enter other peoples' homes without permission even if they
leave their doors unlocked. The Department has been working with
the private sector and consumers to promote the same kind of safety
precautions and ethics in the online world. One program we initiated
with the Information Technology Association of America is the
Cybercitizen Partnership, a national campaign to raise awareness
about using computers responsibly and to provide educational resources
to empower concerned citizens. The Partnership has developed a
website, www.cybercitizenship.org, which provides information
to parents, teachers, and children about online ethics.
Certainly, one of the partnerships most important to our cybercrime
efforts - one I believe we strengthen through hearings such as
this - is the partnership between the Executive and Legislative
branches. Of course, it is in the context of this partnership
that we will focus on the third important element in our fight
against cybercrime, and that is assuring that we have appropriate
and effective legal tools.
Assuring an effective legal framework
Given my very recent arrival as head of the Criminal Division,
I am not in a position today to make specific recommendations
about legislation. However, we are looking at this area closely,
and are aware that members of Congress are doing so as well.
What I would like to do is to describe in general terms certain
areas where our career investigators and prosecutors have raised
concerns about our current legal framework for investigating and
prosecuting cybercrime. For example, the adequacy of the penalties
for certain computer crimes has been questioned, particularly
in the aftermath of the "Melissa" virus case. In that case, even
though the defendant caused tens of millions, if not billions
of dollars of damage. the maximum penalty was five years imprisonment.
Also, some prosecutors have expressed concern that the particular
statutory approach for computing the minimum thresholds of damage
in computer hacking cases, may in fact allow some significant
criminals to go unpunished.
There have also been questions about whether procedural statutes,
some enacted more than a decade ago, have withstood the changes
brought about by the advance of technology. The Pen Register and
Trap and Trace Statute is a good example. The "pen/trap statute"
establishes a set of procedures by which law enforcement authorities
can collect the non-content information associated with a communication.
For telephones, this means the source or destination of calls
placed to or from a particular phone. Congress enacted this statute
in 1986 to protect privacy by requiring that the law enforcement
authorities apply for a court order, allowing only government
attorneys (not agents) to apply for such orders, and creating
a criminal offense for any who use pen/trap devices without authority.
With the advances in technology, law enforcement authorities
and the courts have applied the pen/trap statute to new communications
media, such as e-mail. In this context, pen/trap devices can uncover
the source - but not the content - of a particular Internet communication.
For example, law enforcement authorities obtained a pen/trap order
on an e-mail account that was central to locating and arresting
James Kopp, who had evaded arrest for three years after being
indicted for killing a doctor in front of his wife and child in
their home near Buffalo, New York, in 1998.
Although numerous courts across the country have applied the
pen/trap statue to communications on computer networks, no federal
district or appellate court has explicitly ruled on its propriety.
However, certain litigants have begun to challenge the application
of the pen/trap statute to such electronic communications. The
pen/trap statute protects privacy and is an important investigative
tool. Its application to the cyberworld is vital.
Also, this legislation was passed in an era when telecommunication
networks were configured in such a way that, in most cases, the
information sought could be obtained by issuing an order to a
single carrier. With deregulation, however, a single communication
may now be carried by multiple providers. For example, a telephone
call may be carried by a competitive local exchange carrier, which
passes it to a switch to a local Bell Operating Company, which
passes it to a long distance carrier, which hands it to a local
exchange carrier elsewhere in the U.S., which in turn may finally
hand it to a cellular carrier. Under the structure of the current
statute, where a court may only authorize the installation of
a pen register or trap device "within the jurisdiction of the
court," identifying the ultimate source may require obtaining
information from a host of providers located throughout the country
- each requiring a separate order. Indeed, in one case the Justice
Department needed four separate orders to trace a hacker's communications.
You can imagine the concern of our investigators and prosecutors
about complying with this procedure when confronted with an urgent
need for information to prevent a serious crime or trace one in
Another procedural statute that Congress should consider examining
is the Cable Communications Policy Act (the "Cable Act") (47 U.S.C.
§ 551). Technological advances - and uncertainty about the Cable
Act's application to them - have created roadblocks for important
law enforcement investigations.
In 1984, Congress passed the Cable Act to regulate government
access to records pertaining to cable television service. Of course,
at that time, cable companies did not offer Internet access or
telephone service. Today, they do. Yet a totally separate legal
regime governs government access to records pertaining to telephones
and the Internet. These laws include the wiretap statute (18 U.S.C.
§ 2510 et seq.), the Electronic Communications Privacy Act ("ECPA")
(18 U.S.C. § 2701 et seq.), and the pen/trap statute (18 U.S.C.
§ 3121 et seq.). Cable companies have expressed concern that they
may expose themselves to liability for violating the Cable Act
if they comply with subpoenas and court orders for telephone or
Internet records. This complication has at times delayed or frustrated
time-sensitive investigations. It makes little sense for the rules
governing law enforcement access to the records of communications
customers to depend on the method by which the customer connects
to the Internet.
These are only a few of the legislative issues we are now reviewing.
I know there are other areas of concern, for example, with respect
to further protections for children and safeguarding personal
information from unauthorized and even criminal use. Moreover,
part of our agenda will inevitably concern resources. Future budget
requests for the Division will make adequate resources for our
efforts against cybercrime a priority.
Mr. Chairman, I want to thank you again for this opportunity
to testify about our efforts to fight crime on the Internet. Citizens
are deeply concerned about their safety and security when using
the Internet, and we unfortunately have already encountered many
examples of serious crimes against individuals and businesses
and serious invasions of their privacy by criminals. Enhancing
the ability of law enforcement to fight cybercrime both promotes
Internet users' safety and security and enhances their privacy
by deterring and punishing criminals. The Department of Justice
stands ready to work with the Members of this Subcommittee to
achieve these important goals.
Mr. Chairman, that concludes my prepared statement. I would
be pleased to answer any questions that you may have at this time.