|| Newsletters | Articles | Presentations | Meetings | Web Links | Calendar |
STATEMENT OF JANET RENO ATTORNEY GENERAL OF THE UNITED STATES BEFORE THE UNITED STATES SENATE COMMITTEE ON APPROPRIATIONS SUBCOMMITTEE ON COMMERCE, JUSTICE, AND STATE THE JUDICIARY AND RELATED AGENCIES
Chairman Gregg and other Members of the Subcommittee, I want to thank you for this opportunity to testify on our efforts to combat the growing problem of cybercrime, particularly in light of the recent denial-of-service attacks on several major Internet sites.
Need for Five-Year Strategy
The recent attacks demonstrate the importance of developing a long-term, coordinated strategy for dealing with cybercrime. The strategy must address the challenges we face, both domestically and abroad, the need for personnel with expertise and the latest cybercrime-fighting equipment, the importance of cooperation and sharing with state and local law enforcement and our international counterparts, the need for educating our young people and others about the responsible use of the Internet, and all of this must be done in a manner that respects and upholds our cherished privacy and freedoms.
Recently, I outlined a 10-point plan that identifies the key areas where we need to develop our cybercrime capability. The key points of this plan include:
I would like to work with you, Chairman Gregg, and the Members of the Subcommittee to develop a comprehensive, five-year plan with FY 2001 as our baseline to prevent cybercrime and, when it does occur, to locate, identify, apprehend and bring to justice those responsible for these types of crimes.
Comments on the Recent Attacks
I would be happy to address your questions on the recent attacks, to the extent I can do so without compromising our investigation. At this point, I would simply say that we are taking the attacks very seriously and that we will do everything in our power to identify those responsible and bring them to justice. In addition to the malicious disruption of legitimate commerce, so-called "denial of service" attacks involve the unlawful intrusion into an unknown number of computers, which are in turn used to launch attacks on the eventual target computer, in this case the computers of Yahoo, eBay, and others. Thus, the number of victims in these types of cases can be substantial, and the collective loss and cost to respond to these attacks can run into the tens of millions of dollars or more.
Overview of Investigative Efforts and Coordination
As Director Freeh will discuss, computer crime investigators in a number of FBI field offices are investigating these attacks. They are coordinating information with the National Infrastructure Protection Center (NIPC). The agents are also working closely with our network of specially trained computer crime prosecutors who are available 24 hours a day/7 days a week to provide legal advice and obtain whatever court orders are necessary. Attorneys from the Criminal Divisions Computer Crime and Intellectual Property Section (CCIPS) are coordinating with the Assistant United States Attorneys in the field. We are also obtaining information from victim companies and security experts, who, like many in the Internet community, condemn these recent attacks. I am proud of the efforts being made in this case, including the assistance we are receiving from a number of federal agencies.
The Challenge of Fighting Cybercrime
The recent attacks highlight some of the challenges we face in combating cybercrime. The challenges come in many forms: technical problems in tracing criminals operating online; resource issues facing federal, state, and local law enforcement in being able to undertake online criminal investigations and obtain evidence stored in computers; and legal deficiencies caused by changes in technology. I will discuss each of these briefly.
As a technical matter, the attacks like the ones we saw last week are easy to carry out and hard to solve. The tools available to launch such attacks are widely available. In addition, too many companies pay inadequate attention to security issues, and are therefore vulnerable to be infiltrated and used as launching pads for this kind of destructive programs. Once the attacks are carried out, it is hard to trace the criminal activity to its source. Criminals can use a variety of methods to hide their tracks, allowing them to operate anonymously or through masked identities. This makes it difficult and sometimes impossible to hold the perpetrator criminally accountable.
Even if criminals do not hide identities online, we still might be unable to find them. The design of the Internet and practices relating to retention of information means that it is often difficult to obtain traffic data critical to an investigation. Without information showing which computer was logged onto a network at a particular point in time, the opportunity to determine who was responsible may be lost.
There are other technical challenges, as well, that we must consider. The Internet is a global medium that does not recognize physical and jurisdictional boundaries. A hacker armed with no more than a computer and modem can access computers anywhere around the globe. They need no passports and pass no checkpoints as they commit their crimes. While we are working with our counterparts in other countries to develop an international response, we must recognize that not all countries are as concerned about computer threats as we are. Indeed, some countries have weak laws, or no laws, against computer crimes, creating a major obstacle to solving and to prosecuting computer crimes. I am quite concerned that one or more nations will become "safe havens" for cybercriminals.
Resource issues are also critical. We must ensure that law enforcement has an adequate number of prosecutors and agents assigned to the FBI, to the Department of Justice, to other federal agencies, and to state and local law enforcement trained in the necessary skills and properly equipped to effectively fight cybercrime, whether it is hacking, fraud, child porn, or other forms.
Finally, legal issues are critical. We are finding that both our substantive laws and procedural tools are not always adequate to keep pace with the rapid changes in technology.
Current Efforts Against Cybercrime
While these challenges are daunting, the Department has accomplished much in building the infrastructure to combat cybercrime. Director Freeh will discuss the work of the NIPC and the Computer Crime Squads established around the country. Similarly, in the Department, we have a cadre of trained prosecutors, both in headquarters and in the field, who are experts in the legal, technological, and practical challenges involved in investigating and prosecuting cybercrime.
The cornerstone of our prosecutor cybercrime program is the Criminal Divisions Computer Crime and Intellectual Property Section, known as CCIPS. CCIPS was founded in 1991 as the Computer Crime Unit, and was elevated into a Section in 1996. With the help of this Subcommittee, CCIPS has grown from five attorneys in January of 1996, to eighteen attorneys today. CCIPS works closely on computer crime cases with Assistant United States Attorneys known as "Computer and Telecommunications Coordinators" (CTCs) in U.S. Attorneys Offices around the country. Each CTC is given special training and equipment, and serves as the districts expert in computer crime cases.
The responsibility and accomplishments of CCIPS and the CTC program include:
Infrastructure Protection, Policy and Legislation
Overall, the Department has the prosecutorial infrastructure in place to combat cybercrime. We need the resources to keep the program growing to keep pace with the growing problem.
Additional Resources and Tools Are Needed
We appreciate the Subcommittees support for many of the efforts described above, but I also need your help to refocus resources provided for FY 2000. The level of funding provided in the FY 2000 enacted appropriation for the General Legal Activities (GLA) appropriation is insufficient to cover the base program needs of all the litigating components funded from GLA, with the exception of the Civil Rights Division. In particular, the specific amounts provided to the Criminal Divisions has serious implications for the Divisions ability to support its computer crime efforts.
Yesterday, we submitted a request to reprogram resources appropriated to GLA which would make base resource funding available to all the GLA accounts.
We especially need full base funding restored to the Criminal Division in order to avoid a reduction Criminal Division staffing by 83 positions, including critical positions in the Computer Crime and Intellectual Property Section.
We must have prosecutors, both in the field and here, in Washington, to deal with cybercrime investigations.
The Division has shifted more of its resources than ever to combat cybercrime. Attorneys in the Fraud Section are now focusing on internet fraud cases, attorneys in the Child Exploitation and Obscenity Section are doing more to combat on-line child pornography. We simply cannot support the demand for more anti-cybercrime positions at our current funding level.
For FY 2001, I am asking for $37 million in funding enhancements to expand he Departments staffing, training and technological capabilities to continue the fight against computer crime. These enhancements include:
Together, these enhancements will increase the Departments 2001 funding base for computer crime of $138 million, 28 percent more than in 2000.
We also need to consider additional tools to locate and identify cybercriminals. For example, we may need to strengthen the Computer Fraud and Abuse Act by closing a loophole that allows computer hackers who have caused a large amount of damage to a network of computers to escape punishment if no individual computer sustained over $5,000 worth of damage. We may also need to update our trap and trace laws, under which we are able to identify the origin and destination of telephone calls and computer messages. Under current law, in some instances we must obtain court orders in multiple jurisdictions to trace a single communication. It might be extremely helpful, for instance, to provide nationwide effect for trap and trace orders.
We must also
ensure that in upgrading our computer-crime fighting laws, we ensure that appropriate
privacy safeguards are maintained and, where possible, strengthened. For example,
recent investigations have revealed serious violations of privacy by hackers, who have
obtained individuals personal data, such as credit cards and passwords. An
increase in the penalty for violations of invasions into private stored communications may
be appropriate. We would like to work with Congress to develop a thoughtful and
effective package of tools that allow us to keep pace with cybercriminals, update the laws
that allow us to locate and identify cybercriminals, and ensure that privacy safeguards
are respected and, where possible, strengthened.
I look forward to working with the Subcommittee to ensure we have a robust and effective long-term strategy for combating cybercrime, protecting our nations infrastructure, and ensuring that the Internet reaches its full potential for expanding communications, facilitating commerce, and bringing countless other benefits to our society.