Cybercrime, Transnational Crime, and Intellectual Property Theft (3)
Statement for the Record: Michael A. Vatis, Deputy Assistant Director and Chief, National Infrastructure Protection Center, Federal Bureau of Investigation, before the Congressional Joint Economic Committee, Washington, D.C., March 24, 1998.
Chairman Saxton, Vice Chairman Mack, and Members of the Joint Economic Committee: Thank you for this opportunity to discuss cybercrime, the vulnerabilities of our Nation's critical infrastructures to increasing cyber threats, and what the Federal Bureau of Investigation (FBI) is doing to combat these problems.
As we continue to rush into the Information Age, our society is moving increasingly on-line. We use computers, the Internet, and other new "information technologies" to conduct business, perform scientific research, engage in personal communications, and do just about anything else that inventive minds can think of. But as society as a whole is moving on-line, so are criminals. Criminals use computers to facilitate crimes committed in the physical world. For example, they can use computers and the Internet to communicate with co-conspirators or to keep accounts of their illicit gains. Criminals also use these tools to engage in criminal activity on-line. For example, they use the Internet to defraud unsuspecting senior citizens, disseminate child pornography, steal credit card numbers, and rob banks by electronically shifting funds to their own off-shore accounts.
But the Internet and other advances in information technology do not merely give criminals new means to commit traditional crimes like theft or fraud. They also allow criminals and other malicious actors to cause new types of harm that go well beyond the potential loss to the individual victim and can affect our national economy and, indeed, our national security.
What type of harm am I talking about? The everyday functioning of our economy depends on the delivery of certain critical services. While we once got along fine without electrical power, think of the consequences if the power went out for a week -- not just in one town or city, but across the whole Eastern Seaboard. And while plenty of people made their fortunes before the telephone, imagine what would happen to the Fortune 500 if they were deprived of telephone service for a few days.
There are several services whose availability we may take for granted, but which are truly critical to the smooth functioning of our society. We call these vital services our "critical infrastructures." Executive Order 13010, signed in 1996, lists the following eight infrastructures as "critical" to our economic health and our national security: telecommunications, banking and finance, transportation (including roads, railroads, airplanes and airports, mass transit, ports and harbors), electrical energy, gas and oil supply, water supply, emergency services (fire, health, police), and government operations. These infrastructures are defined as "critical" because their debilitation or destruction would have a significant adverse impact on our national economy or national security.
In the United States, we are able to expect things to work because our infrastructures are highly developed and efficient. Individuals and families can wake up in the morning confident that the lights will work, water will flow from the tap, and the trains will run. Businesses, too, can plan their activities and investments around the certainty that they will have ready access to telecommunications, that gas or oil will supply power to their factories, that their goods will be transported by truck, rail or airplane, and that funds can be safely deposited or withdrawn from their bank accounts. It is a given, in both our personal and professional lives, that essential goods and services will be available when needed.
Not so long ago, our dependence on these infrastructures did not pose a significant problem because there was little risk that these vital services would be knocked out. Only a rare and isolated occurrence, such as an earthquake or tornado or an accidental power outage could knock out a critical service over a broad area. The physical breadth of the infrastructures made it difficult for a potential malefactor to cause anything other than an isolated disturbance. And physical security measures adopted to prevent theft or vandalism generally also kept out those who would seek to destroy an infrastructure's ability to continue operating. A strong fence and a good security staff fended off not only thieves and vandals, but also terrorists. Moreover, our geographic isolation from other countries made it difficult for foreign adversaries to launch an attack on our infrastructures.
The Information Age, however, has changed things dramatically. For while information technologies create dramatic increases in efficiency and productivity, our dependence on them creates new vulnerabilities.
All critical infrastructures now rely on computers, advanced telecommunications, and, to an ever increasing degree, the Internet, for the control and management of their own systems, for their interaction with other infrastructures, and for communications with their suppliers and their customer base. For example, electric power grids and natural gas pipelines are controlled by computer systems, and those computers may be linked to each other and to the company headquarters by publicly-accessible telecommunications systems and commercially available information technologies to allow efficient management of power generation and smooth delivery to consumers. Billions of shares are traded each day over the telephone or Internet, and the stock exchanges could not function today without their vast networks of computers. Banks no longer rely on ledger books and safe deposit boxes to account for and secure their holdings, but depend on computerized accounting systems to manage depositors' accounts. The telecommunications system itself no longer uses operators to manually plug in calls to a switchboard but depends on computerized switching stations to handle the billions of calls placed each day. The government also relies on computers and publicly available communications systems to conduct the nation's business. Public and private networks and databases use the same technology, and vulnerabilities that affect one also affect the other.
But this reliance on new technologies comes with a price, and that price is a new vulnerability to those who would cause harm. For just as the new technologies make it easier for companies to communicate and control their businesses, they also make it easier for malicious actors to cause harm. The new vulnerability stems in part from the fact that the Internet and modern telecommunications systems are inherently open and accessible. That means that, with a certain amount of technical skill, one can use these communications media to get inside a company's or a government agency's computer system without ever physically penetrating its four walls. Moreover, the increased centralization of command and control systems afforded by the new technologies also means that, once inside that system, a potential malefactor can use those same technologies to cause harm over a much broader area than he ever could have hoped using physical weapons such as a bomb.
This vulnerability is exacerbated by several factors. First, most of our infrastructures rely on commercially available, off-the-shelf technology. This means that a vulnerability in hardware or software is not limited to one company, but is likely to be widespread, affecting every entity that uses the same equipment. A malefactor with knowledge of this one vulnerability can therefore attack multiple victims across the country, with just a few strokes on a keyboard.
Second, our infrastructures are increasingly interdependent and interconnected with one another. For example, the banking system depends on the availability and reliability of the telecommunications system and the Internet, which in turn rely on electrical power. Our transportation system depends on the availability of gas and oil supplies, which in turn are controlled through the use of new information technologies. The infrastructures are thus increasingly interdependent, so much so that it is difficult to predict the cascading effects that the disruption of one infrastructure would have on others.
Third, our telecommunications infrastructure is now truly global. Satellite communications, the Internet, and foreign ownership of telecommunications carriers in the U.S. have all combined to undermine the notion of a "National" Information Infrastructure. This means that our geographic isolation no longer acts as a moat to fend off foreign adversaries. Instead, it is now as easy to break into an infrastructure's network from St. Petersburg, Russia, as St. Petersburg, Florida. A personal computer and a telephone connection to an Internet Service Provider anywhere in the world are enough to conduct an attack.
Software is one weapon of cyber attacks. Such software includes, among others, computer viruses, Trojan Horses, worms, logic bombs, and eavesdropping "sniffers" that can be used to obtain passwords that allow hackers "root access" control of a computer system. Advanced electronic hardware also can be used in cyber attacks, including such items as high-energy radio frequency (RF) weapons, electromagnetic pulse weapons, RF jamming equipment, or RF interception equipment. These weapons can be used to destroy property and data; intercept communications or modify traffic; degrade the integrity of data, communications, or navigation systems; and deny crucial services to users of information and telecommunications systems.
So that's the vulnerability picture in the cyber world. But what about the corresponding threat? In the physical world, the range of people or groups that would have the means and motive to cause widespread destruction of an infrastructure are relatively limited -- terrorist groups and hostile nations are the most likely actors. But the accessibility of the information infrastructure, global connectivity, and the rapid growth of a computer-literate population combine to ensure that millions of people around the world possess the means to engage in a cyber attack. The spectrum of threats in this new cyber world is staggeringly broad and varied, including: the disgruntled insider seeking revenge against his employer; the recreational hacker out to test his "cracking" skills; organized crime groups seeking illicit financial gain; domestic or international terrorist groups bent on causing harm to send a political message; foreign intelligence services seeking companies' proprietary data or sensitive government information; and hostile nation states utilizing information warfare as part, or instead, of a strategic military attack. Let me discuss each of these threats in a little more detail.
Perhaps the most imminent threat today comes from insiders. Insiders have the advantage of not needing to break into computer systems from the outside, but only to use, or abuse, their legitimate access. Many of the computer intrusion reports the FBI and other law enforcement organizations receive have at their core an employee, former employee, consultant, or temporary employee who has exceeded his or her access, often in revenge for some perceived wrong.
These individuals often have intimate knowledge of where the most sensitive information is stored, how to access the information, and how to steal or damage the data.
Recreational hackers are also increasingly dangerous, in part because of the widespread availability of "cracking" tools on hacker websites. One no longer needs to have a sophisticated understanding of computers and the Internet to successfully crack into a company's systems. Rather, one needs only to download an automated hacking tool from a website, compile the source code using a program readily available on the Internet, and click on a button to launch an attack on any number of target sites.
Moreover, the problem is exacerbated by our continued romanticization of hackers as technical whizzes who are not really doing anything wrong but are actually providing a service by pointing out the vulnerabilities in an individual's or a company's or government agency's system. But do we praise the burglar for demonstrating the vulnerability of our home security by breaking in and stealing our cash or jewelry? Even if he does not steal or break anything, the simple invasion of our private property causes a feeling of violation and vulnerability that would send chills down all our spines. Or do we thank the vandal who breaks into the corner store and defaces or destroys someone else's property? Of course not. But, similarly, we should not tolerate or condone analogous acts committed with computers. These are not acts that occur in some ethereal "cyberspace" that is somehow divorced from the real world. These are acts that are very real, and can cause serious harm. It is no joke when an individual's private E-mail communications are intercepted, or when a company's proprietary data is stolen or destroyed, or when a government agency's sensitive data is compromised. And these acts can have serious physical consequences. No one would laugh if a hacker caused air traffic control to go down at an airport, as happened in a case in Massachusetts that recently resulted in a plea bargain. Or if a hacker tied up 911 emergency phone services, potentially denying critical aid to people with true emergencies, as happened in a recent case in Florida. Our society has to do a better job of educating our children and young adults that breaking into someone else's computer system has serious real-world consequences, and is a serious crime.
Where hackers formerly may have been motivated by the technical challenge of breaking into a computer system, the motivation may now be shifting more toward hacking for profit. As more and more money is transferred through computer systems, as more fee-based computer services are introduced, and as more sensitive proprietary economic and commercial information is stored and exchanged electronically, we will see criminal hackers use their computer skills for illicit gain.
Terrorists and transnational criminals are also rapidly becoming aware of and exploiting the power of cyber tools. This has been true in the past as new means of communication and secrecy have been introduced to the public. For example, narcotics traffickers began using communications advances such as pagers, cellular phones, and unbreakable encryption soon after their introduction to the public. The fantastic growth of the Internet and other global information networks grants increasing numbers of users with hostile intentions access to global networks -- and to those United States networks upon which critical infrastructures depend.
Finally, as our nation's defense and intelligence agencies increasingly rely on commercially available information technologies and publicly accessible communications systems for their everyday work, foreign intelligence services and hostile nation states will increasingly seek to acquire and use cyber tools to conduct espionage or engage in "information warfare" against us. Several different commissions, including the President's Commission on Critical Infrastructure Protection and the National Defense Panel, have recognized that no nation or group hostile to the United States can match us in traditional military firepower. Because of this, they would not be expected to take us on in a frontal or "symmetrical" attack. Rather, they would utilize irregular, "asymmetrical" attacks that hit us where we are most vulnerable. And one of those vulnerabilities is our reliance on information technologies for command and control of our national security activities as well as for the daily functioning of our privately-owned critical infrastructures. This vulnerability is particularly attractive to foreign enemies in that it is just as easy to crash a system from a computer terminal overseas as it is from one in the United States.
Some would say that this vulnerability is overstated, that there are sufficient technological security tools to protect against malicious hackers and crackers, and that infrastructures have built redundancies into their systems to prevent catastrophic system failures in the event of a successful intrusion. I'm afraid that the facts prove otherwise. Although we have not experienced the electronic equivalent of a Pearl Harbor or Oklahoma City as some have foretold, the statistics and our cases demonstrate our dangerous vulnerabilities to cyber attacks.
A 1998 study by the Computer Security Institute shows that 64% of companies polled reported information system security breaches -- an increase of 16% over last year. The total financial losses from the 241 organizations that could put a dollar figure on them add up to $136,822,000. This figure represents a 36% increase in reported losses over the 1997 figure of $100,115,555 in losses.
While the Carnegie Mellon CERT/Coordination Center reported a small reduction in security incidents (2,134 in 1997, down from 2,573 in 1996), the type and scope of attacks indicate a disturbing increase in the use of automated scripts, enabling malevolent network users to attack very large numbers of systems with much greater efficiency.
A study of 300 Australian companies by Deloitte Touche Tohmatsu found that over 37 percent of the companies experienced some form of security compromise in 1997, with the highest percentage of intrusions (57%) occurring in the banking and finance industry.
A 1996 survey by the American Bar Association of 1,000 companies showed that 48 percent had experienced computer fraud in the last five years. Company losses were reported to have ranged from $2-10 million.
In 1996 the Defense Information Systems Agency (DISA) estimated that as many as 250,000 attacks on DOD systems may have occurred in 1995. DISA indicates that the number of attacks has been increasing each year for the past few years, and that trend is expected to continue.
Finally, we at the FBI have seen a significant increase in the number of pending computer intrusion investigations and in the number of successful prosecutions. Pending cases have increased 133% from the beginning of FY 1997, from 206 to 480. In FY 1997, there was a 110% increase in informations and indictments (from 10 to 21), a 950% increase in arrests (from 4 to 42), and an 88% increase in convictions (from 16 to 30).
As a caveat, let me state that it is not clear what accounts for these increases in our own case statistics or in the numbers reported by the private studies. It may be that systems administrators have simply gotten better at detecting intrusions, or that companies have become more willing to share information about their own exploited vulnerabilities. Or, it may be that the number of intrusions has risen significantly. Most likely, in my view, all three things are occurring. Regardless of the cause, however, these numbers clearly indicate significant vulnerabilities to cyber attacks.
Let me now give you a few examples of the types of computer crimes we have seen in recent years to further illustrate the problem:
You are undoubtedly aware of the recent series of intrusions into Department of Defense and other government agency computers across the country. This case involved widespread illegal intrusions into government systems using holes in the systems' software. I cannot go into detail on this matter because it is a pending case, but the FBI recently identified two juveniles in California who appear to have been responsible for many of the intrusions. And the Israeli National Police, working with FBI, Air Force, and NASA investigators, this week placed under house arrest one individual who also appears responsible for many of the intrusions. While we are still determining the extent of harm caused by these intrusions, the potential harm was obviously enormous. Even the unclassified systems used by DoD and other government agencies contain an enormous amount of important and sensitive data, the loss or alteration of which would have serious adverse consequences for our national security.
Many of you have also probably read about the plea bargain in Massachusetts this week of a teenage hacker who was able to break into the former NYNEX (now Bell Atlantic) system and, through it, disable telecommunications at a regional airport, cut off services to the airport's control tower, and prevent incoming planes from turning on the runway lights. This case is a wake-up call for those who would argue that hacking is simply harmless fun.
In 1994, foreign crime groups operating in several different countries were able to hack into the Citibank Cash Management System, which is used for banking functions such as wire transfers. The criminals compromised passwords to impersonate account holders worldwide, and attempted 40 transfers totaling $10 million. As a result of early detection by Citibank officials, and close cooperation between Citibank investigators, payee banks, foreign police, and the FBI, the perpetrators were tracked down and arrested, and actual losses were limited to $400,000. But imagine if the hackers had been intent not simply on stealing funds, but on destroying Citibank's account records or denying service to Citibank customers. The effects in such a scenario would have had much more serious and widespread consequences.
In another case, hackers from Germany recently captured the customer credit card files of a Miami company. The hackers threatened to distribute all the credit card numbers unless they were paid ransom. When one of the hackers tried to pick up the money, he was arrested by German authorities. If the hackers had chosen to use the numbers instead of trying extortion, law enforcement may not have been able to stop them before they had caused significant financial loss.
An international computer hacker organization headquartered in Dallas, Texas successfully penetrated the networks of several telecommunications providers and acquired unlisted telephone numbers, personal addresses, credit information, and National Crime Information Center data, causing losses in excess of $500,000. The hackers installed a sniffer which compromised at least 15 telephone company systems, including records, maintenance, and operational control systems, and also illegally wiretapped the phone lines. The advanced level of expertise of the hackers was comparable to that of telephone company experts, and suggests that they could have disrupted telecommunications on a national basis if they had wanted to.
In July, 1997, the owner of a computer communications company sent, or caused to be sent, malicious computer code which resulted in the redirection of computer communications away from the computers of one of his competitors. This redirection of computer communications resulted in a direct loss to the victim company of at least $1,500,000. Additionally, millions of Internet users were denied access to various affected Internet sites.
These are just a few examples of the computer crime problem that we are seeing. But they illustrate the growing problem of cybercrime, the international dimension of the problem, and the increasing threat to our critical infrastructures. And, as I stated earlier, they demonstrate that this is not simply a problem of enforcing the law against imaginative criminals, but of protecting our economic health and national security.
Now let me tell you what the FBI is doing about it. On February 26 of this year, the FBI created the National Infrastructure Protection Center (NIPC). The NIPC's mission is to detect, deter, prevent, assess, warn, respond to, and investigate unlawful acts involving computer and information technologies and unlawful acts, both physical and cyber, that threaten or target our critical infrastructures. This means we do not simply investigate and respond to attacks after they occur, but we try to learn about them and prevent them beforehand. This requires the collection and analysis of information gathered from all available sources, and the dissemination of our analyses and of warnings of possible attacks to potential victims, whether in the government or private sector.
This broader mission also means that we in the FBI, and indeed law enforcement as a whole, cannot do this alone. Rather, this mission requires the combined efforts of many different agencies. The Defense Department has a critical role to play because its reliance on information technologies makes it a prime target for our adversaries and because it holds much of the government's expertise in defending against cyber attacks. Our intelligence agencies have an important role because of their responsibility for gathering information about threats from abroad. And other civilian agencies with jurisdiction over critical infrastructures, such as the Departments of Treasury, Energy, and Transportation, have similarly significant roles.
But this is also not just a role for the federal government. State governments must be involved because they own and operate some of the critical infrastructures and because their agencies are often the first responders in the event of a crisis.
And, perhaps most importantly, this mission requires the intensive involvement of the private sector. Private industry owns and operates most of the infrastructures, so it must be involved in helping us defend them. And it also has the greatest expertise in the technical problems and solutions.
In recognition of the vital roles all of these entities must play, the NIPC is founded on the notion of a partnership. It creates a partnership by including representatives from the other critical federal agencies, from state and local law enforcement, and from private industry. This will foster the sharing of information and expertise, and improve coordination among all the relevant actors in the event of a crisis. And it will augment the physical presence of these representatives by establishing electronic connectivity to the many different entities in government and industry who might have, and need, information about threats to our infrastructures.
Let me say at this point something about what we are not. We are not the Nation's super-systems administrator, responsible for physically securing everyone's systems against intruders or advising on the latest security software or patches to fix vulnerabilities. That role clearly must be filled by systems administrators in each company, by chief information officers in government agencies, and by industry groups and other entities with expertise in reducing vulnerabilities and restoring service. Rather, our role is to help prevent intrusions and attacks by gathering information about threats from sources that are uniquely available to the government (such as from law enforcement and intelligence sources), combining it with information voluntarily provided by the private sector or obtained from open sources, conducting analysis, and disseminating our analyses and warnings to all relevant consumers. And if an attack does occur, our role is to serve as the federal government's focal point for crisis response and investigation. That job is big and difficult enough, so I don't want to create any unwarranted expectations about what else we might do.
The NIPC incorporates and expands the mission and personnel of the FBI's former Computer Investigations and Infrastructure Threat Assessment Center (CITAC) which was created in 1996 to coordinate the FBI's investigations and response to the increasing problem of computer crime. The NIPC, located at FBI Headquarters in Washington, D.C., consists of three sections. The Computer Investigations and Operations Section (CIOS) is responsible for managing support to computer intrusion investigations conducted by our Field Offices, providing and coordinating technological support to all FBI investigations involving computers and information technologies, and for developing and managing an interagency Cyber Emergency Support Team (CEST) analogous to the Domestic Emergency Support Team and Foreign Emergency Support Teams that are responsible for responding to terrorist acts in the U.S. or abroad. In addition, CIOS provides and coordinates subject matter experts, equipment, and technological support to cyber investigators from our Field Offices and other federal, state or local government agencies.
The Analysis and Warning Section (AWS) provides analytical support for computer investigations, and serves as the information clearing-house for research and analysis about physical and cyber threats and unlawful acts that target the critical infrastructures of the United States. It is charged with obtaining relevant information from all sources -- law enforcement investigations, intelligence sources, open sources, and voluntarily provided industry data -- analyzing it, and disseminating its analyses and tactical warnings to relevant consumers.
The Training, Administration, and Outreach Section (TAOS) has at its core the responsibility for coordinating the training and continuing education of cyber investigators in the FBI Field Offices, in other federal agencies, and in state and local law enforcement; and of personnel in the public and private sector involved in infrastructure protection. It also will direct our extensive outreach efforts to FBI Field Offices, other government agencies, industry, and academia, which are necessary to encourage the sharing of information about threats, vulnerabilities, and technological developments. In addition, the TAOS provides the administrative support that underlies and is necessary to all of the other activities of the Center.
Let me note, finally, that we have been in existence less than a month, so we are still very much in the early stages of building the Center. We have a lot of work to do in order to establish the necessary liaison with other agencies and the private sector, and to put in place our personnel and equipment. This will take time. But the Department of Justice and the FBI have taken an important first step in establishing this Center, in recognizing the need for an interagency and public-private partnership, and in realizing that the new challenges of the next century require new ways of thinking and creative solutions.