Statement for the Record
Michael A. Vatis
Director, National Infrastructure Protection Center
Federal Bureau of Investigation
before the Senate Armed Services Committee, Subcommittee on Emerging Threats and Capabilities
Washington, D.C.
March 1, 2000

Introduction

Mr. Chairman, Senator Bingaman, and Members of the Subcommittee: Thank you for inviting me back to discuss the threats to our critical infrastructures and the approach to meeting those challenges. Last year I testified about the role of the National Infrastructure Protection Center (NIPC) under Presidential Decision Directive-63 and impediments to critical infrastructure protection. Much has happened since then to demonstrate the problem in very vivid terms, including the spread of major computer viruses, a major international intrusion into government computer networks, and denial-of-service attacks against some of the most popular e-commerce websites. Today I will focus on the nature of the national security and criminal threats we face in cyberspace, the progress we have made with our partners, particularly the Department of Defense, in meeting those threats, and the continuing challenges we face in addressing national security threats in cyberspace.

The NIPC

Let me begin with a brief recap of the mission and structure of the NIPC. The NIPC is an interagency Center located at the FBI. Created in 1998, the NIPC serves as the focal point for the government's efforts to warn of and respond to cyber attacks, particularly those that are directed at our nation's critical infrastructures. These infrastructures include telecommunications and information, energy, banking and finance, transportation, government operations, and emergency services. In Presidential Decision Directive (PDD) 63, the President directed that the NIPC serve as a national critical infrastructure threat assessment, warning, vulnerability, and law enforcement investigation and response entity. The PDD further states that the mission of the NIPC will include providing timely warnings of intentional threats, comprehensive analyses, and law enforcement investigation and response.

To accomplish its goals, the NIPC is organized into three sections. The Computer Investigations and Operations Section (CIOS) is the operational response arm of the Center. It supports and, where necessary, coordinates computer investigations conducted by FBI field offices throughout the country, provides expert technical assistance to network investigations, and provides a cyber emergency response capability to coordinate the response to a national-level cyber incident. The Analysis and Warning Section (AWS) serves as the indications and warning arm of the NIPC. It provides tactical analytical support during a cyber incident and also develops strategic analyses of threats for dissemination to both government and private sector entities so that they can take appropriate steps to protect themselves. Through its 24/7 watch and warning operation, it maintains real-time situational awareness by reviewing numerous governmental and open sources of information and by maintaining communications with partner entities in the government and private sector. Through its efforts, the AWS strives to acquire indications of a possible attack, assess the information, and issue appropriate warnings to government and private sector partners as quickly as possible. The Training, Outreach and Strategy Section (TOSS) coordinates the vital training of cyber investigators in the FBI field offices, other federal agencies, and state and local law enforcement. It also coordinates outreach to private industry and government agencies to build the partnerships that are key to both our investigative and our warning missions. In addition, this section manages our efforts to catalogue information about individual key assets across the country which, if successfully attacked, could have significant repercussions on our economy or national security. Finally, the TOSS handles the development of strategy and policy in conjunction with other
agencies and the Congress.

Beyond the NIPC at FBI Headquarters, we have also created a cyber crime investigative program in all FBI Field Offices, called the National Infrastructure Protection and Computer Intrusion (NIPCI) Program. This program, managed by the NIPC, consists of special agents in each FBI Field Office who are responsible for investigating computer intrusions, viruses, or denial-of-service attacks, for implementing our key asset initiative, and for conducting critical liaison activities with private industry. They are also developing cyber crime task forces in partnership with state and local law enforcement entities within their jurisdiction to leverage the limited resources in this area.

The Broad Spectrum of Threats

Over the past several years we have seen a wide range of cyber threats, ranging from defacement of websites by juveniles to sophisticated intrusions that we suspect may be sponsored by foreign powers, and everything in between. Some of these are obviously more significant than others. The theft of national security information from a government agency or the interruption of electrical power to a major metropolitan area would have greater consequences for national security, public safety, and the economy than the defacement of a website. But even the less serious categories have real consequences and ultimately can undermine confidence in e-commerce and violate privacy or property rights. A website hack that shuts down an e-commerce site can have disastrous consequences for a business. An intrusion that results in the theft of credit card numbers from an online vendor can result in significant financial loss and, more broadly, reduce consumers' willingness to engage in e-commerce. Because of these implications, it is critical that we have in place the programs and resources to investigate and ultimately to deter these sorts of crimes. In addition, because it is often difficult to determine whether an intrusion or denial-of-service attack, for instance, is the work of an individual with criminal motives or a foreign nation state, we must treat each case as potentially serious until we gather sufficient information to determine the nature, purpose, scope, and perpetrator of the attack. The following are some of the categories of cyber threats that we confront today.

Insiders

The disgruntled insider (a current or former employee of a company) is a principal source of computer crimes for many companies. Insiders' knowledge of the target company's network often allows them to gain unrestricted access to cause damage to the system or to steal proprietary data. The 1999 Computer Security Institute/FBI report notes that 55% of respondents reported malicious activity by insiders.

Hackers

Hackers (or "crackers") are also a common threat. They sometimes crack into networks simply for the thrill of the challenge or for bragging rights in the hacker community. Recently, however, we have seen more cases of hacking for illicit financial gain or other malicious purposes. While remote cracking once required a fair amount of skill or computer knowledge, hackers can now download attack scripts and protocols from the World Wide Web and launch them against victim sites. Thus, while attack tools have become more sophisticated, they have also become easier to use. The distributed denial-of-service (DDoS) attacks earlier this month are only the most recent illustration of the economic disruption that can be caused by tools now readily available on the Internet. We have also seen a rise recently in politically motivated attacks on web pages or e-mail servers, which some have dubbed "hacktivism." In these incidents, groups and individuals overload e-mail servers or deface websites to send a political message. While these attacks generally have not altered operating systems or networks, they have disrupted services, caused monetary loss, and denied the public access to websites containing valuable information, thereby infringing on others' rights to disseminate and receive information.

Virus Transmitters

Virus transmitters are posing an increasingly serious threat to networks and systems worldwide. Last year saw the proliferation of several destructive computer viruses or worms, including the Melissa Macro Virus, the ExploreZip worm, and the Chernobyl Virus. The NIPC frequently sends out warnings or advisories regarding particularly dangerous viruses, which can allow potential victims to take protective steps and minimize the destructive consequences of a virus. The Melissa Macro Virus was a good example of our two-fold response, encompassing both warning and investigation, to a virus spreading in the networks. The NIPC sent out warnings as soon as it had solid information on the virus and its effects; these warnings helped alert the public and reduce the potential destructive impact of the virus. On the investigative side, the NIPC acted as a central point of contact for the field offices that worked leads on the case. A tip received by the New Jersey State Police from America Online, and their follow-up investigation with the FBI's Newark Division, led to the April 1, 1999 arrest of David L. Smith. Mr. Smith pleaded guilty to one count of violating 18 U.S.C. 1030 in Federal Court and to four state felony counts. As part of his guilty plea, Smith stipulated to affecting one million computer systems and causing $80 million in damage. Smith is awaiting sentencing.

Criminal Groups

We are also seeing the increased use of cyber intrusions by criminal groups who attack systems for purposes of monetary gain. In September 1999, two members of a group dubbed the "Phonemasters" were sentenced after their conviction for theft and possession of unauthorized access devices (18 U.S.C. 1029) and unauthorized access to a federal interest computer (18 U.S.C. 1030). The Phonemasters were an international group of criminals who penetrated the computer systems of MCI, Sprint, Equifax, and even the National Crime Information Center. Under judicially approved electronic surveillance orders, the FBI's Dallas Division made use of new data intercept technology to monitor the calling activity and modem pulses of one of the suspects, Calvin Cantrell. Mr. Cantrell downloaded thousands of Sprint calling card numbers, which he sold to a Canadian individual, who passed them on to someone in Ohio. These numbers made their way to an individual in Switzerland and eventually ended up in the hands of organized crime groups in Italy. Cantrell was sentenced to two years as a result of his guilty plea, while one of his associates, Cory Lindsay, was sentenced to 41 months. The Phonemasters' methods included "dumpster diving" to gather old phone books and technical manuals for systems. They used this information to trick employees into giving up their logon and password information. The group then used this information to break into victim systems. It is important to remember that cyber crimes are often facilitated by old-fashioned guile, such as calling employees and tricking them into giving up passwords. Good cyber security practices must therefore address personnel security and social engineering in addition to instituting electronic security measures.

Unfortunately, cyberspace provides new tools not only for criminals but for national security threats as well. These include terrorists, foreign intelligence agencies, and foreign militaries. Director of Central Intelligence George Tenet testified in February 2000 before the Senate Armed Services Committee that many of the tools and weapons that can be used for information warfare purposes are available on the open market at relatively little cost. The DCI went on to note that the critical threat of IW lies in its potential as a force multiplier for an adversary of the United States. The development of the Internet and our dependence on information technology poses one of the most difficult challenges to our national security and defense planners since the advent of the airplane forced planners to worry about controlling not just the battlefield but the airspace
over the battlefield. The cyber revolution has permeated virtually every facet of the U.S. military and our broader society. Foreign militaries and intelligence services alike have been quick to embrace cyber tools. The cyber environment offers opportunities for easy concealment and anonymity, and for transborder attacks at light speed. Three major categories of threat actors pose a national security challenge to the United States in cyberspace.

Terrorists

Terrorist groups are increasingly using new information technology and the Internet to formulate plans, raise funds, spread propaganda, and communicate securely. In his statement on the worldwide threat in 2000, Director of Central Intelligence George Tenet testified that terrorist groups, including Hizbollah, HAMAS, the Abu Nidal organization, and Bin Laden's al-Qa'ida organization, are using computerized files and e-mail to support their operations. In one example, convicted terrorist Ramzi Yousef, the mastermind of the World Trade Center bombing, stored detailed plans to destroy United States airliners in files on his laptop computer. While we have not yet seen these groups employ cyber tools as a weapon to use against critical infrastructures, their reliance on information technology and acquisition of computer expertise are clear warning signs. Moreover, we have seen other terrorist groups, such as the Internet Black Tigers (who are reportedly affiliated with the Tamil Tigers), engage in attacks on foreign government websites and e-mail servers. Cyber terrorism, by which I mean the use of cyber tools to shut down critical national infrastructures (such as energy, transportation, or government operations) for the purpose of coercing or intimidating a government or civilian population, is thus a very real, though still largely potential, threat.

Foreign Intelligence Services

Not surprisingly, foreign intelligence services have adapted to using cyber tools as part of their espionage tradecraft. Even as far back as 1986, before the worldwide surge in Internet use, the KGB employed West German hackers to access Department of Defense systems in the well-known "Cuckoo's Egg" case. While I cannot go into specifics about more recent developments in an open hearing, it should not surprise anyone to hear that foreign intelligence services increasingly view computer intrusions as a useful tool for acquiring sensitive U.S. government and private sector information.

Information Warfare

The prospect of information warfare by foreign militaries against our critical infrastructures is perhaps the greatest potential cyber threat to our national security. We know that several foreign nations are developing information warfare doctrine, programs, and capabilities for use against the United States or other nations. Knowing that they cannot match our military might with conventional or "kinetic" weapons, nations see cyber attacks on our critical infrastructures or military operations as a way to hit what they perceive as America's Achilles heel: our growing dependence on information technology in government and commercial operations. For example, two Chinese military officers recently published a book that called for the use of unconventional measures, including the propagation of computer viruses, to counterbalance the military power of the United States. And a Russian official has also commented that an attack on a national infrastructure could, by virtue of its catastrophic consequences, completely overlap with the use of weapons of mass destruction.

Distributed Denial of Service Tools

The recent distributed denial-of-service (DDoS) attacks on e-commerce sites have garnered a tremendous amount of interest in the public and in the Congress. Because we are actively investigating these attacks, I cannot provide a detailed briefing on the status of our efforts. However, I can provide an overview of our activities to deal with the DDoS threat beginning last year, and of our investigative efforts over the last three weeks. These attacks illustrate the growing availability of
destructive yet easy-to-use exploits that are widely available on the Internet. In the fall of last year, the NIPC began receiving reports about a new set of exploits, or attack tools, collectively called distributed denial-of-service (DDoS) tools. DDoS variants include tools known as Trinoo, Tribe Flood Network (TFN), and Stacheldraht (German for "barbed wire"). These tools essentially work as follows. Hackers gain unauthorized access to a computer system or systems and place software code on it that renders that system a "master" (or "handler"). The hackers also intrude into other networks and place malicious code which makes those systems into "agents" (also known as "zombies," "daemons," or "slaves"). Each master is capable of controlling multiple agents. In both cases, the network owners normally are not aware that dangerous tools have been placed and reside on their systems, thus becoming third-party victims to the intended crime. The masters are activated either remotely or by internal programming (such as a command to begin an attack at a prescribed time) and are used to send information to the agents, activating their DDoS ability. The agents then generate numerous requests to connect with the attack's ultimate target or targets, typically using a fictitious or "spoofed" IP (Internet Protocol) address, thus providing a falsified identity as to the source of the request. The agents act in unison to generate a high volume of traffic from several sources. One common form of this attack is referred to as a SYN flood, as the SYN is the initial effort by the sending computer to make a connection with the destination computer. Because the source addresses are spoofed, the destination's acknowledgments go unanswered and each connection is left half-open; due to the volume of SYN requests, the destination computer becomes overwhelmed in its efforts to acknowledge and complete a transaction with the sending computers, degrading or denying its ability to complete service with legitimate customers, hence the term "denial of service." These attacks are especially damaging when they are coordinated from multiple sites, hence the term "distributed denial of service." An analogy would
be if someone launched an automated program to have hundreds of phone calls placed to the Capitol switchboard at the same time. All of the good efforts of the staff would be overcome; many callers would receive busy signals due to the high volume of telephone traffic.

In November and December, the NIPC received reports that universities and others were detecting the presence of hundreds of agents on their networks. The number of agents detected clearly could have been only a small subset of the total number of agents actually deployed. In addition, we were concerned that some malicious actors might choose to launch a DDoS attack around New Year's Eve in order to cause disruption and gain notoriety, due to the great deal of attention that was being paid to the Y2K rollover. Accordingly, we decided to issue a series of alerts in December to government agencies, industry, and the public about the DDoS threat. Moreover, in late December we determined that a detection tool that we had developed for investigative purposes might also be used by network operators to detect the presence of DDoS agents or masters on their systems, and thus would enable them to remove an agent or master and prevent the network from being unwittingly utilized in a DDoS attack. At that time there was, to our knowledge, no similar detection tool available commercially. We therefore decided to take the unusual step of releasing the tool to the Department of Defense, other government agencies, and the public in an effort to reduce the level of the threat. We made the first variant of our software available on the NIPC website on December 30, 1999. To maximize public awareness of this tool, we announced its availability in an FBI press release that same date. Since the first posting of the tool, we have posted three updated versions that have perfected the software and made it applicable to different operating systems. The public has downloaded these tools tens of thousands of times from the web
site and has responded by reporting many installations of the DDoS software, thereby preventing their networks from being used in attacks and leading to the opening of criminal investigations, both before and after the widely publicized attacks of the last few weeks. Our work with private companies has been so well received that the SANS Institute awarded its yearly Security Technology Leadership Award to members of the NIPC's Special Technologies Applications Unit.

Recently we received reports that a new variation of DDoS tools was being found on Windows operating systems. One victim entity provided us with the object code of the tool found on its network. On February 18, we made the binaries available to anti-virus companies through an industry association, and to the Computer Emergency Response Team (CERT) at Carnegie Mellon University, for analysis and so that commercial vendors could create or adjust their products to detect the new DDoS variant. Given the attention that DDoS tools have received in recent weeks, there are now numerous detection and security products to address this threat, so we determined that we could be most helpful by giving them the necessary code rather than deploying a detection tool ourselves.

Unfortunately, the warnings that we and others in the security community had issued about DDoS tools last year, while alerting many potential victims and reducing the threat, did not eliminate the threat. Quite frequently, even when a threat is known and patches or detection tools are available, network operators either remain unaware of the problem or fail to take the necessary protective steps. In addition, in the cyber equivalent of an arms race, exploits evolve as hackers design variations to evade or overcome detection software and filters. Even security-conscious companies that put in place all available security measures therefore are not invulnerable. And particularly with DDoS tools, one organization might be the victim of a successful attack despite its best efforts because another organization failed to take steps to keep itself from being made the unwitting participant in an attack.

On February 7, 2000, the NIPC received reports that Yahoo had experienced a denial-of-service attack. In a display of the close cooperative relationship that we have developed with the private sector, in the days that followed several other companies, including Cable News Network, eBay, Amazon.com, Buy.com, and ZDNet, also reported denial-of-service outages to the NIPC or FBI field offices. These companies cooperated with us by providing critical logs and other information. Still, the challenges to apprehending the suspects are substantial. In many cases the attackers used spoofed IP addresses, meaning that the address that appeared on the target's log was not the true address of the system that sent the messages. In addition, many victims do not keep complete network logs. The resources required in an investigation of this type are substantial. Companies have been victimized or used as "hop sites" in numerous places across the country, meaning that we must deploy special agents nationwide to work leads. We currently have seven FBI field offices with cases opened, and all the remaining offices are supporting the offices that have opened cases. Agents from these offices are following up literally hundreds of leads. The NIPC is coordinating the nationwide investigative effort, performing technical analysis of logs from victim sites and Internet Service Providers (ISPs), and providing all-source analytical assistance to field offices. Moreover, parts of the evidentiary trail have led overseas, requiring us to work with our foreign counterparts in several countries through our Legal Attachés (Legats) in U.S. embassies. While the crime may be high tech, investigating it involves a substantial amount of traditional investigative work as well as highly technical work. Interviews of network operators and confidential sources can provide very useful information, which leads to still more interviews
and leads to follow up. And victim sites and ISPs provide an enormous amount of log information that needs to be processed and analyzed by humans. Despite these challenges, I am optimistic that the hard work of our agents and computer scientists, the excellent cooperation and collaboration we have with private industry and universities, and the teamwork we are engaged in with foreign partners will in the end prove successful.

Interagency Cooperation

The broad spectrum of cyber threats described earlier, ranging from hacking to foreign espionage and information warfare, requires not just new technologies and skills on the part of investigators, but new organizational constructs as well. In most cyber attacks, the identity, location, and objective of the perpetrator are not immediately apparent. Nor is the scope of his attack: whether an intrusion is isolated or part of a broader pattern affecting numerous targets. This means it is often impossible to determine at the outset if an intrusion is an act of cyber vandalism, organized crime, domestic or foreign terrorism, economic or traditional espionage, or some form of strategic military attack. The only way to determine the source, nature, and scope of the incident is to gather information from the victim sites and intermediate sites such as ISPs and telecommunications carriers. Under our constitutional system, such information typically can be gathered only pursuant to criminal investigative authorities. This is why the NIPC is part of the FBI, allowing us to utilize the legal authorities to gather and retain information and to act on it, consistent with constitutional and statutory requirements. But the dimension and varied nature of the threats also means that this is an issue that concerns not just the FBI and law enforcement agencies, but also the Department of Defense, the Intelligence Community, and civilian agencies with infrastructure-focused responsibility, such as the Departments of Energy and Transportation. It also is a matter that greatly affects state and local law enforcement. This is why the NIPC is an interagency center, with representatives detailed to the FBI from numerous federal agencies, and representation from state and local law enforcement as well. These representatives operate under the direction and authority of the FBI but bring with them expertise and skills from their respective home agencies that enable better coordination and cooperation among all relevant agencies, consistent with applicable laws.

Let me stress in particular the very close working relationship that we have established with the Department of Defense. Since the NIPC's founding in February 1998, due in considerable part to the leadership of Deputy Secretary of Defense Hamre and Assistant Secretary of Defense Art Money, DoD has been our close partner and consistent supporter. The Deputy Director of the NIPC is a civilian detailee from the Office of the Secretary of Defense; the Assistant Section Chief of our Computer Investigations and Operations Section is a civilian law enforcement official from the Air Force Office of Special Investigations; the Chief of our Watch and Warning Unit is a detailee from the U.S. Army; and our Military Liaison is a detailee from the U.S. Navy. In addition, we have program managers and investigators detailed from several other DoD components, including the National Security Agency, the Defense Criminal Investigative Service, the Air Intelligence Agency, and the Naval Criminal Investigative Service. We are currently working with the Department's leadership to bolster and solidify DoD's participation in the NIPC.

The relationship is so important to us for several reasons. First, DoD is all too often a target for cyber attacks, and DoD's presence in the Center ensures that we can work closely with its investigative components in responding to such attacks. Second, if a major cyber attack should occur, the NIPC and FBI would be responsible for gathering information within the U.S. pursuant to the criminal investigative or foreign counterintelligence authorities. Only with such information would it be possible for us collectively to determine whether we were seeing a state-sponsored attack, in which case the National Command Authority might determine that a military or some other offensive response were appropriate, or a criminal attack warranting a law enforcement response. Third, DoD, through its investigative and its intelligence components, often has critical information that is invaluable to our ability to perform the NIPC's indications and warning mission. Combining DoD's information with other information from open sources, industry sources, FBI investigations, or intelligence sources allows us to see the fullest possible picture of ongoing activity or threats and to make a collective judgment about what we are seeing. In addition to the detailees who work with us at the Center, the NIPC works very closely with DoD through our liaison with Major General John Campbell and the Joint Task Force-Computer Network Defense (JTF-CND). NIPC investigators stay in close contact with their counterparts, providing mutual assistance on intrusion cases involving DoD systems as well as other matters. NIPC alerts, warnings, and advisories are coordinated with the JTF-CND. We expect that this relationship will continue and grow to include a close working relationship with U.S. Space Command, now that it has been assigned the Computer Network Defense mission.

Two recent cases illustrate the depth and breadth of our interagency cooperation, particularly with DoD.

Solar Sunrise

The Solar Sunrise case is another example of close teamwork with other agencies. In 1998, computer intrusions into U.S. military computer systems occurred during the Iraq weapons inspection crisis. Hackers exploited known vulnerabilities in Sun Solaris operating systems. Some of the intrusions appeared to be coming from the Middle East. The timing, nature, and apparent source of some of the attacks raised concerns in the Pentagon and elsewhere that this could be a concerted effort by Iraq to interfere with U.S. troop deployments. NIPC coordinated a multi-agency investigation which included the FBI, the Air Force Office of Special Investigations, the National Aeronautics and Space Administration, the Department of Justice, the Defense Information Systems Agency, the National Security Agency, and the Central Intelligence Agency. Within several days, the investigation determined that the intrusions were not the work of Iraq, but of several teenagers in the U.S. and Israel. Two juveniles in California pleaded guilty to the intrusions, and several Israelis still await trial. The leader of the Israeli group, Ehud Tenenbaum, has been indicted and is currently scheduled for trial in Israel in April. In addition to proving the necessity and value of close interagency coordination by the NIPC in this type of investigation, Solar Sunrise also demonstrated why it is necessary to gather information from victims and other sites within the U.S., pursuant to applicable legal authorities, before drawing conclusions about the likely identity of the attacker and determining what response to take.

Moonlight Maze

More recently, we observed a series of intrusions into numerous Department of Defense and other federal government computer networks and private sector entities. Investigation last year determined that the intrusions appear to have originated in Russia. The intruder successfully accessed U.S. Government networks and took large amounts of unclassified but sensitive information, including defense technical research information. The NIPC coordinated a multi-agency investigation, working closely with FBI field offices, the Department of Defense, and the Intelligence Community. While I cannot go into more detail about this case here, it demonstrates the very real threat we face in the cyber realm and the need for good teamwork and coordination among government agencies responsible for responding to the threat.

Private Sector Cooperation

Our success in battling cyber crime also depends on close cooperation with private
industry. This is the case for several reasons. First, most of the victims of cyber crimes are private companies. Therefore, successful investigation and prosecution of cyber crimes depends on private victims reporting incidents to law enforcement and cooperating with the investigators. Contrary to press statements by companies offering security services that private companies won't share information with law enforcement, private companies have reported incidents and threats to the NIPC or FBI field offices. The number of victims who have voluntarily reported DDoS attacks to us over the last few weeks is ample proof of this. While there are undoubtedly companies that would prefer not to report a crime because of fear of public embarrassment over a security lapse, the situation has improved markedly. Companies increasingly realize that deterrence of crime depends on effective law enforcement, and that the long-term interests of industry depend on establishing a good working relationship with government to prevent and investigate crime. Testimony two weeks ago before the Senate Appropriations Subcommittee for Commerce, State and Justice by Robert Chesnut, Associate General Counsel for eBay, illustrates this point:

"Prior to last week's attacks, eBay had established a close working relationship with the computer crimes squad within the Northern California office of the Federal Bureau of Investigation. eBay has long recognized that the best way to combat cyber crime, whether it's fraud or hacking, is by working cooperatively with law enforcement. Therefore, last year we established procedures for notifying the FBI in the event of such an attack on our web site. As a result of this preparation, we were able to contact the FBI computer intrusion squad during the attack and provide them with information that we expect will assist in their investigation. In the aftermath of the attack, eBay has also been able to provide the FBI with additional leads that have come to our attention."

Second, the network administrator at a victim company or ISP is critical to the success of an investigation. Only that administrator knows the unique configuration of her system, and she typically must work with an investigator to find critical transactional data that will yield evidence of a criminal's activity. Third, the private sector has the technical expertise that is often critical to resolving an investigation. It would be impossible for us to retain experts in every possible operating system or network configuration, so private sector assistance is critical. In addition, many investigations require the development of unique technical tools to deal with novel problems. Private sector assistance has been critical there as well.

To encourage private sector cooperation, we have engaged in a concerted outreach effort to private industry, providing threat briefings, issuing analyses and threat warnings, and speaking at industry conferences. In another example of cooperation, the Attorney General and the Information Technology Association of America announced a set of initiatives last year as part of a "Cybercitizens Partnership" between the government and the information technology (IT) industry. One initiative involves providing IT industry representatives to serve in the NIPC to enhance our technical expertise and our understanding of the information and communications infrastructure.

We have several other initiatives devoted to private sector outreach that bear mentioning here. The first is called InfraGard. This is an initiative that we have developed in concert with private companies and academia to encourage information-sharing about cyber intrusions, exploited vulnerabilities, and physical infrastructure threats. A vital component of InfraGard is the ability of industry to provide information on intrusions to the local FBI field office using secure e-mail communications, in both a sanitized and a detailed format. The local FBI field offices can, if appropriate, use the detailed version to initiate an investigation, while
NIPC Headquarters can analyze that information in conjunction with other information we obtain to determine if the intrusion is part of a broader attack on numerous sites The NIPC can simultaneously use the sanitized version to inform other members of the intrusion without compromising the con dentiality of the reporting company The key to this system is that whether and what to report is entirely up to the reporting company A secure web site also contains a variety of analytic and warning products that we make available to the In aGard community The success of In 'aGard is premised on the notion that sharing is a two-way street the NIPC will provide threat information that companies can use to protect their systems while companies will provide incident information that can be used to initiate an investigation and to warn other companies Our Key Asset Initiative KAI is focused more speci cally on the owners and operators of critical components of each of the in 'astructure sectors It facilitates response to threats and incidents by building liaison and communication links with the owners and operators of individual companies and enabling contingency planning The KAI began in the l9805 and focused on physical vulnerabilities to terrorism Under the NIPC the KAI has been reinvigorated and expanded to focus on cyber vulnerabilities as well The KAI currently involves determining which assets are key within the jurisdiction of each FBI Field Of ce and obtaining 24-hour points of contact at each asset in cases of emergency Eventually if iture resources permit the initiative will include the development of contingency plans to respond to attacks on each asset exercises to test response plans and modeling to determine the effects of an attack on particular assets -12- FBI eld of ces are responsible for developing a list of the assets within their respective jurisdictions while the NIPC maintains the national database The KAI is being developed in coordination with DOD and 
other agencies Currently the database has about 2400 entries This represents 2400 contacts with key private sector nodes made by the NIPC and FBI eld offices A third initiative is a pilot program we have begun with the North American Electrical Reliability Council NERC Under the pilot program electric utility companies and other power entities transmit cyber incident reports in near real time to the NIPC These reports are analyzed and assessed to determine whether an NIPC warning alert or advisory is warranted Electric power participants in the pilot program have stated that the information and analysis provided by the NIPC back to the power companies fully justify their participation in the program It is our expectation that the Electrical Power Indications and Warning System will provide a full-fledged model for the other critical infrastructures Much has been said over the last few years about the importance of information sharing Since our founding the NIPC has been actively engaged in building concrete mechanisms and initiatives to make this sharing a reality and we have built up a track record of actually sharing useful information These efforts belie the notions that private industry won't share with law enforcement in this area or that the government won't provide meaningful threat data to industry As companies continue to gain experience in dealing with the NIPC and FBI eld offices as we continue to provide them with important and useful threat information and as companies recognize that cyber crime requires ajoint effort by industry and government together we will continue to make real progress in this area Meeting the Growing Cyber Threat As Internet use continues to soar the number of cyber attacks is also increasing exponentially Our case load re ects this growth In FY 1998 we opened 547 computer intrusion cases in FY 1999 that numberjumped to 54 Similarly the number of pending cases increased from 206 at the end of FY I9971998over 900 currently These 
statistics include only computer intrusion cases and do not account for computer facilitated crimes such as Internet fraud child pornography or e-mail extortion efforts In these cases the NIPC and squads often provide technical assistance to traditional investigative programs responsible for these categories of crime We can clearly expect these upward trends to continue and for the threats to become more serious While insiders hackers and criminal groups make up much of our case load at the moment we can anticipate a growing number of national security cases in the near rture To meet this challenge we must ensure that we have adequate resources including both personnel and equipment both at the NIPC and in FBI eld offices We currently have I93 agents nationwide dedicated to investigating computer intrusion and virus cases In order to maximize investigative resources the FBI has taken the approach of creating regional squads in 16 eld of ces that have suf cient size to work complex intrusion cases and to assist those eld of ces without a NIPCI squad In those eld offices without squads the FBI is building a baseline capability by having one or two agents to work NIPC matters i e computer intrusions criminal and national security viruses In aGard state and local liaison etc At the NIPC we currently have 101 personnel on board including 82 FBI employees and I9 detailees from other government agencies This cadre of investigators computer scientists and perform the numerous and complex tasks outlined above and provide critical coordination and support to eld of ce investigations As the crime problem grows we need to make sure that we keep pace by bringing on board additional personnel including from other agencies and the private sector In addition to putting in place the requisite number of agents and computer scientists in the NIPC and in FBI eld offices we must ll those positions by recruiting and retaining personnel who have the appropriate technical analytical and 
investigative skills This includes personnel who can read and analyze complex log les perform all-source analysis to look for correlations between events or attack signatures and glean indications of a threat develop technical tools to address the constantly changing technological environment and conduct complex network investigations There is a very tight market for information technology professionals The Federal Government needs to be able to recruit the very best people into its programs Fortunately we can offer exciting cutting-edge work in this area and can offer agents and computer scientists the opportunities to work on issues that no one else addresses and to make a difference to our national security and public safety In addition Congress provided the FBI with a pilot program that exempts certain technical personnel from the Title civil service rules which allows us to pay more competitive salaries and recruit and retain top notch personnel Unfortunately this pilot is scheduled to expire in November unless extended Training and continuing education are also critical and we have made this a top priority at the NIPC In FY I999 we trained 383 FBI and other-government-agency students in NIPC sponsored training classes on network investigations and in astructure protection The emphasis for 2000 is on continuing to train federal personnel while expanding training opportunities for state and local law enforcement personnel During FY 2000 we plan to train approximately 740 personnel om the FBI other federal agencies and state and local law enforcement Developing and deploying the best equipment in support of the mission is also very important Not only do investigators and need the best equipment to conduct -14- investigations in the rapidly evolving cyber system but the must be on the cutting edge of cyber research and development Conducting a network intrusion or denial-of-service investigation often requires analysis of voluminous amounts of data For example 
one network intrusion case involving an espionage matter currently being investigated has required the analysis of 17 5 Terabytes of data To place this into perspective the entire collection of the Library of Congress if digitized would comprise only 10 Terabytes The Yahoo DDOS attack involved approximately 630 Gigabytes of data which is equivalent to enough printed pages to fill 630 pickup trucks with paper Technical analysis requires high capacity equipment to store process analyze and display data Again as the crime problem grows we must ensure that our technical capacity keeps pace We are also working closely with other agencies to ensure that we leverage existing resources to the rllest extent possible Challenges in Combating Cyber Intrusions The burgeoning problem of cyber intrusions viruses and denial of service attacks poses unique challenges to both the NIPC and the Defense Department These challenges require novel solutions close teamwork among agencies and with the private sector and adequate human and technical resources Idemyjring the Intruder One major difficulty that distinguishes cyber threats from physical threats is determining who is attacking your system why how and from where This difficulty stems om the ease with which individuals can hide or disguise their tracks by manipulating logs and directing their attacks through networks in many countries before hitting their ultimate target The Solar Sunrise case illustrates this point This will continue to pose a problem as long as the Internet remains rife with vulnerabilities and allows easy anonymity and concealment Jurisdictional Issues Another signi cant challenge we face is intrusions involving multiplejurisdictions A typical investigation involves victim sites in multiple states and often many countries This is the case even when the hacker and victim are both located in the United States In the United States we can subpoena records engage in judicially approved electronic surveillance and 
execute search warrants on suspects' homes seize evidence and examine it We can do none of those things ourselves overseas rather we depend on the local authorities to assist us In some cases the local police forces simply do not understand or cannot cope with the technology In other cases these nations simply do not have laws against computer intrusions and are therefore limited in their ability to help us FBI Legal Attaches in 35 embassies abroad provide critical help in building bridges with local law enforcement to enhance cooperation on cyber crime and in working leads on investigations As the lntemet spreads to even more countries we will see greater demands placed on the Legats to support computer crime investigations The also has held international computer crime conferences and offered cyber crime training classes to foreign law enforcement of cials to develop liaison contacts and bring these of cials up to speed on cyber crime issues -15- The most dif cult situation will arise however in which a foreign country with interests adverse to our own simply re rses to cooperate In such a situation we could nd that an investigation is stymied unless we nd an alternative method of tracing the activity back to its source Conclusion I want to thank the subcommittee again for giving me the opportunity to testify here today The cyber threat is real multifarious and growing The is moving aggressively to meet this challenge by training investigators and to investigate computer intrusion cases equipping them with the latest technology developing our analytic capabilities and warning mechanisms to head off or mitigate attacks and closely c00perating with the private sector A close partnership with 000 will remain vital to our success We have already made considerable progress in developing our capabilities to protect public safety and national security in the Information Age 1 look forward to working with Congress to ensure that we continue to be able to meet the threat 
as it evolves and grows Thank you