Introductory Statement:
Good
morning Chairman McCain, and other members of the Committee.
On behalf of the FBI, I would like to thank you for this
opportunity to address the FBI's role in anti-spam initiatives.
Cyber
crime, in its many forms, continues to receive priority
attention from the FBI. A paramount objective of the
Cyber Division has been to arm field investigators with
the necessary resources to identify and combat evolving
cyber crime matters. Over the past 18 months, the FBI
has supported the establishment of more than 50 multi-jurisdictional
task forces nationwide. Partnerships with federal, state,
and local law enforcement are vital to the success of
these teams, because cyber crime, by its nature, does
not respect jurisdictional boundaries and we need to
leverage existing resources to effectively and efficiently
fight cybercrime.
In
addition to law enforcement partnerships, another prime
objective of the FBI's Cyber Division is to establish
active partnerships with subject matter experts from
the private sector. Such experts are often better equipped
to identify cyber crimes at their earliest stages. Early
identification of cyber crimes is an absolute must, and
directly correlates to ultimate successes in investigating
and prosecuting cyber criminals.
In
keeping with this approach, and even before passage of
the CAN-SPAM Act by Congress, the FBI had begun work
in a Public/Private Alliance to specifically target the
growing spam problem. The Internet Crime Complaint Center
(IC3), working in coordination with industry, developed "SLAM-Spam," an
initiative that began operation last fall. This initiative
targets significant criminal spammers, as well as companies
and individuals that use spammers and their techniques
to market their products. It also investigates the techniques
and tools used by spammers to expand their targeted audience,
to circumvent filters and other countermeasures implemented
by consumers and industry, and to defraud customers with
misrepresented or non-existent products.
Enforcement
Before and After the CAN-SPAM Act:
Before
Congress passed the CAN-SPAM Act of 2003, some schemes
perpetrated by spam could have been pursued as violations
of statutes such as Title 18, United States Code, Section
1030 (fraud and related activity in connection with computers)
Title 18, United States Code, Section 2319 (criminal
Infringement of a copyright) or Title 18, United States
Code, Section 1343 (wire fraud), as well as through several
other existing criminal or civil statutes. No existing
statute, however, directly addressed some typical behaviors
of spammers, including: using widely-available "open
proxies" to bounce e-mail traffic through intermediary
computers with the intent to hide the true location of
the sender, the abuse of free e-mail services to send
out spam from accounts with false registration information,
and the use of tools to forge the return address and
other headers associated with the e-mail. Prior to the
CAN-SPAM Act, law enforcement lacked the legal tools
to address the spam problem directly. Because of this,
many investigators and prosecutors viewed cases based
primarily on the sending of spam as unlikely to result
in successful investigations and prosecutions. As the
economic impact attributable to spam, and the use of
spam to send unwanted pornographic images have become
known, however, law enforcement interest increased. Similarly,
investigations of computer intrusions and viruses have
uncovered that infecting computers with viruses is now
often being done to facilitate spam. In the SoBig.F computer
intrusion investigation, we learned that millions of
computers were infected globally, primarily to convert
those computers into spam relays.
The
CAN SPAM Act now allows law enforcement to apply criminal
leverage to spammers, who previously were viewed as "facilitators" of
fraudulent schemes, but who would disclaim any knowledge
of the fraudulent or pornographic nature of the products
they were advertising. CAN-SPAM's provisions address
the most significant fraudulent and sexually explicit
spam, and provide both civil and criminal tools to combat
them.
Project
SLAM-Spam:
In
response to the growing number of complaints it was receiving
about fraudulent and pornographic spam, the Internet
Crime Complaint Center began development of a project
to address the spam problem. The Center has developed
extensive experience in taking complaints relating to
all types of crime occurring over the Internet, analyzing
them for significant patterns, and then referring appropriate
case leads out to the field for further investigation.
The IC3 receives more than 17,000 complaints every month
from consumers alone, and additionally receives a growing
volume of referrals from key e-commerce stakeholders.
The use of spam is a substantial component of these schemes,
which includes reports of identity theft schemes, fraudulent
pitches and "get rich quick" schemes, and unwanted
pornography. Currently, over 25 percent of all complaints
to the IC3 involve some use of spam electronic mail.
To
develop the project, the IC3 coordinated with industry
Subject Matter Experts and representatives of the Direct
Marketing Association (DMA), which have provided essential
expertise and resources to the project. The IC3 has also
consulted with the Federal Trade Commission, which has
several years of working with consumers on the spam problem.
This project has also identified a significant list of
the methods used by subjects to advance their individual
schemes. I will describe some of the efforts and summarize
the primary accomplishments of this project over the
past six months, and project future accomplishments,
consistent with the overall project plan. This include
a national initiative in which suitable cases developed
or advanced through this project, will be highlighted
as part of our overall effort against those who have
committed criminal and civil violations of the CAN-SPAM
Act.
The
first several months of the project focused on building
support structures to support the initiative. The IC3
identified and consulted with Subject Matter Experts
from Internet Service Providers, anti-spam organizations,
and other groups. They defined responsibilities of participants,
and began weekly strategy meetings to ensure that progress
and priorities were consistent and clear. Experts developed
communications channels and databases to exchange information
quickly and robustly among the experts in the alliance.
Finally, a list of potential subjects was developed by
analysts from the Internet Crime Complaint Center (IC3),
and compared against existing IC3 referrals to determine
if law enforcement had already initiated investigations
of subjects, and if those investigations were making
progress.
After
the effective date of the CAN-SPAM Act, the IC3 helped
organize and participated in three regional training
conferences on a number of subjects relating to cybercrime.
At these conferences, representatives of the FBI and
Department of Justice gave presentations designed to
familiarize agents specializing in cyber crime with the
SLAM-Spam initiative, the techniques used by spammers
to falsify their identity, and the additional criminal
prohibitions in the CAN-SPAM Act.
Identifying
the most significant subjects involved in criminal spam
scenarios is a prime objective of the SLAM-Spam initiative.
Equally significant has been developing those cases so
that they can be further investigated and prosecuted
by field offices, cyber task forces, and United States
Attorneys' Offices around the United States. Accordingly,
while a growing number of Internet crime schemes use
spam to target larger pools of victims, the Cyber Division's
task force capabilities have increased as well. Cyber
Crime squads in our field divisions are trained in quickly
investigating computer intrusions and virus attacks.
When they are available, these resources can also be
used to investigate the source of unwanted fraudulent
and pornographic spam.
Project SLAM-Spam is on course and on schedule to achieve substantial results
against individuals and organizations that are complicit in criminal (and
potentially civil) schemes where spam is used. As a result of these activities,
more than 20 Cyber Task Forces are actively pursuing criminal and in some
cases joint civil proceedings against subjects identified to date. We expect
that this number will continue to rise, as successful actions are brought
under this act.
We
are also improving our cooperation with the FTC, State
Attorneys General, and industry partners, because we
understand that criminal enforcement is only one aspect
of the fight against spam. While we cannot share every
detail of ongoing criminal investigations, we can and
will share our knowledge about tools and techniques used
by spammers, their current primary targets of opportunity,
and the types of schemes they are favoring.
Notable
Early Accomplishments of SLAM-Spam:
The
SLAM-Spam initiative has now moved beyond the planning
stages, and has begun identifying and packaging investigations
from the field. Within the last few months, the Initiative
has:
