- Leslie G. Wiser, Jr.
- Chief, Training, Outreach, and Strategy Section, National Infrastructure Protection Center
- Federal Bureau of Investigation
- Before the House Subcommittee on Government Efficiency, Financial Management, and Intergovernmental Relations
- Washington, D.C.
- August 29, 2001
Good morning Chairman Horn, thank you for inviting me here today to discuss cyber security issues. While I am going to discuss broad aspects of cyber security and the role of the NIPC in helping to secure the nation's critical infrastructures, I am going to focus on some recent incidents that demonstrate the success we can have when government partners with other nations and with the private sector. I will then discuss the NIPC’s role in cyber security with respect to predicting, preventing, detecting, and responding to incidents with an emphasis on computer viruses and worms. The final part of my statement will focus on some of the recent virus and worm cases we have faced.
A virus is malicious computer code embedded within an executable program that victims activate on their machines, usually by opening an e-mail attachment. Often viruses are sent with notes instructing recipients to open the attachment, such as the note with the Melissa Macro Virus which stated "here is the document you requested," or with a tantalizing title such as "sexxxy.jpg," or "naked wife." Worms, on the other hand, require no action by the victims to activate. They spread on their own from system to system without need for the victim to do anything. The Code Red Worm, for example, automatically sends itself to 99 IP addresses it generates. Once activated, viruses and worms can do anything from deleting files to sending themselves, together with documents on your hard drive, to some or all of the names in your address book or to any internet protocol address.
Arrest in Leave Worm Case
On June 23, 2001, the NIPC issued “Advisory 01-014,” “New Scanning Activity (with W32-Leave.worm) Exploiting SubSeven Victims,” regarding the Leave Worm activity. This particular worm allowed the intruder access to an infected system while the victim machine was connected to the Internet. It is believed that home-users’ computers, without updated anti-virus software, were the systems primarily infected by this worm. Current anti-virus software will detect the presence of the W32-Leave.worm. Full descriptions and removal instructions can be found at various anti-virus web sites.
A 24-year-old male was arrested on July 23, 2001, in the United Kingdom for violation of its “Computer Misuse Act 1990.” The announcement of his arrest was delayed to avoid potentially compromising the ongoing investigation. This individual who, under British Law, cannot be identified at this time, was arrested in connection with designing and propagating malicious code, known as the W32-Leave.worm, or Leaves worm, into Windows-based computer systems. This individual has been released from custody and ordered to return to New Scotland Yard on September 24, 2001.
This malicious code was discovered by the analytical efforts of the employees of the Systems Administration and Network Security (SANS) Institute and reported by SANS to the NIPC. This arrest came as a result of a joint FBI/New Scotland Yard, UK, investigation, and illustrates the benefits of law enforcement and private industry working together.
Ongoing Efforts on Code Red
The Code Red Worm was discovered in the wild on July 13, 2001, by network administrators who were experiencing a large number of attacks targeting the buffer overflow vulnerability first reported in June, 2001. On June 19, 2001, the NIPC and FedCIRC issued a joint advisory about the buffer overflow vulnerability that targeted Microsoft Windows NT and Microsoft Windows 2000 operating systems running IIS 4.0 and 5.0. On July 19, 2001, the NIPC issued an advisory on the Code Red Worm. The advisory stated that, "the activity of the Ida Code Red Worm has the potential to degrade services running on the Internet." On a single day the Code Red Worm infected more than 250,000 systems in just nine hours. The Code Red Worm, which was first reported by eEye Digital Security, takes advantage of known vulnerabilities in the Microsoft IIS Internet Server Application Program Interface (ISAPI) service. Un-patched systems are susceptible to a "buffer overflow" in Idq.dll, which permits the attacker to run embedded code on the affected system. This memory resident worm, once active on a system, first attempts to spread itself by generating a sequence of random IP addresses to infect unprotected web servers. Each worm thread then inspects the infected computer’s system clock. The trigger time for the DoS phase of the Code Red Worm was midnight on July 20, 2001. Upon successful infection, the worm proceeded to use the time thread in an effort to bring down the www.whitehouse.gov domain by having the infected systems simultaneously send 100 connections to port 80 of the White House’s Internet Protocol address.
The original variant of the worm also placed the words "Welcome to worm.com! Hacked by Chinese!" on the victim sites. Two other variants of the original worm do not deface victim web sites. The NIPC, along with its government and private sector partners, realized that persons using Microsoft Windows NT and Microsoft Windows 2000 operating systems running IIS 4.0 and 5.0 needed to be warned to patch their systems for the safety of the entire Internet. Officials from the following organizations were all involved in the response effort working through the weekend of July 28-29: National Infrastructure Protection Center (NIPC) of the FBI, Critical Infrastructure Assurance Office (CIAO) of the Department of Commerce, Federal Computer Incident Response Center (FedCIRC) of the General Services Administration, Computer Emergency Response Team Coordination Center (CERT/CC) of Carnegie Mellon University, Systems Administration and Network Security (SANS) Institute, Microsoft, Internet Security Systems, Inc. (ISS), Cisco Systems, Inc., Partnership for Critical Infrastructure Security (PCIS), Information Technology Association of America (ITAA), Digital Island, Inc., Information Technology Information Sharing and Analysis Center (IT-ISAC), Internet Security Alliance (ISA), UUNet, and America Online.
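A defender who has just read the warning described above would want to know whether the worm had already knocked on their IIS servers. The following Python script is an added example and is not code from the testimony or from the NIPC or its partners. It parses W3C extended log lines (the field order is assumed, see the docstring), flags requests that carry the publicly documented Code Red signature (a GET for a .ida resource whose query string is padded with a long run of "N" for the original worm or "X" for Code Red II), and summarizes them per source address. The log lines are constructed for the demo, and the fifty-character padding threshold is a chosen heuristic, not a property of the worm.

```python
"""Detection heuristic for Code Red probes in IIS W3C extended log lines.

Added example (not from the testimony or the NIPC). The sample log is
constructed; the request signature comes from public analyses of the worm.
"""
import re
from collections import Counter
from dataclasses import dataclass

# The infection request reaches the Indexing Service ISAPI filter (Idq.dll)
# through a .ida resource and pads the query string with one repeated
# character to overflow the buffer. Fifty repeats is a constructed threshold.
IDA_RESOURCE = re.compile(r"\.ida$", re.IGNORECASE)
PADDING = re.compile(r"^([NX])\1{49,}")

VARIANTS = {"N": "Code Red (N padding)", "X": "Code Red II (X padding)"}


@dataclass(frozen=True)
class Probe:
    timestamp: str
    src_ip: str
    uri_stem: str
    variant: str
    status: int


def parse_w3c_line(line):
    """Parse one W3C extended log line.

    Assumed #Fields order: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
    Returns None for comment lines and lines that do not fit that shape.
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) != 7 or not parts[6].isdigit():
        return None
    date, time, c_ip, method, stem, query, status = parts
    return {
        "timestamp": f"{date} {time}",
        "src_ip": c_ip,
        "method": method.upper(),
        "stem": stem,
        "query": "" if query == "-" else query,  # W3C writes "-" for empty
        "status": int(status),
    }


def classify(entry):
    """Return a Probe if the parsed entry carries the Code Red signature."""
    if entry["method"] != "GET" or not IDA_RESOURCE.search(entry["stem"]):
        return None
    match = PADDING.match(entry["query"])
    if not match:
        return None
    return Probe(entry["timestamp"], entry["src_ip"], entry["stem"],
                 VARIANTS[match.group(1)], entry["status"])


def detect_probes(lines):
    """Return every Probe found in an iterable of log lines."""
    probes = []
    for line in lines:
        entry = parse_w3c_line(line)
        if entry is not None:
            probe = classify(entry)
            if probe is not None:
                probes.append(probe)
    return probes


def summarize(lines):
    """Count probes by variant and by source, and note whether any .ida
    request was answered with something other than 404, which suggests the
    .ida script mapping is still enabled and the host needs a patch check."""
    probes = detect_probes(lines)
    return {
        "by_variant": dict(Counter(p.variant for p in probes)),
        "by_source": dict(Counter(p.src_ip for p in probes)),
        "ida_mapping_answered": any(p.status != 404 for p in probes),
    }


# Constructed sample log: one original-worm probe, two Code Red II probes from
# the same source, one harmless .ida request and one short-padded request.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-07-19 00:01:12 192.0.2.10 GET /default.htm - 200
2001-07-19 00:01:15 198.51.100.7 GET /default.ida {N} 200
2001-07-19 00:02:00 192.0.2.11 GET /index.ida - 404
2001-08-04 03:14:00 203.0.113.9 GET /default.ida {X} 404
2001-08-04 03:14:07 203.0.113.9 GET /default.ida {X} 500
2001-08-04 03:15:00 192.0.2.12 GET /search.ida NNNNNNNNNN 200
""".format(N="N" * 224, X="X" * 224)

if __name__ == "__main__":
    for probe in detect_probes(SAMPLE_LOG.splitlines()):
        print(probe)
    print(summarize(SAMPLE_LOG.splitlines()))
```

Run against a real IIS log the script answers two of the questions the warning raised: which hosts were probed, and whether the vulnerable ISAPI mapping responded. A 404 on a padded .ida request is consistent with the mapping having been removed, one of the interim mitigations before the patch could be applied, while any other status means the host should be patched and checked for compromise.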
On Sunday July 29, the NIPC, Microsoft Corporation, Federal Computer Incident Response Center (FedCIRC), the Information Technology Association of America (ITAA), CERT Coordination Center (CERT/CC), SANS Institute, Internet Security Systems (ISS), and the Internet Security Alliance (ISA) issued a joint warning message about Code Red.
The NIPC posted the warning and numerous updates on its public website (www.nipc.gov) and pushed the warning to InfraGard members through the InfraGard communications network, to state and local police through the National Threat Warning System, and to tens of thousands of private sector companies via the FBI's Awareness of National Security Issues and Response (ANSIR) network. By forwarding the warning message to those who may need it, the NIPC strives to ensure that those who are part of its information sharing networks receive the information as quickly as possible with minimal effort on their part. In other cases InfraGard has already prevented cyber attacks by discreetly alerting InfraGard members to compromises on their systems. For efforts such as the one made on Code Red, the InfraGard initiative recently received the 2001 WorldSafe Internet Safety Award from the Safe America Foundation.
On July 30 a joint news conference was held at the Ronald Reagan Building in Washington, D.C. The presence of representatives of agencies, companies, and organizations which produced the Code Red warning demonstrated the seriousness of the threat and the public-private partnership that has developed with regard to protecting our information systems from attack. The urgency of the news conference lay in the fear that the spread of the worm could absorb so much bandwidth as to degrade the overall functioning of the Internet. Since business, medical, and government professionals increasingly depend on the Internet's functioning to conduct normal operations, service degradation poses an emerging threat to America's economy and security.
Microsoft has developed a patch for the identified vulnerability. According to Microsoft, over 2 million copies of the IIS patch have been downloaded. The July 30 news conference no doubt accelerated this process. Since the patches can be downloaded and installed on a number of machines, the actual number of systems patched may be higher than 2 million. The NIPC and its partners have received much positive feedback from the user community regarding these efforts on Code Red.
We are hopeful that the worst of the damage feared was averted based on this awareness campaign. Nevertheless Computer Economics, a California-based Internet research organization, estimates that the worm has already cost $2.4 billion in economic impact, including $1 billion to cleanse, inspect, patch, and return systems to normal service, and $1.4 billion for other support functions related to lost productivity due to the worm. As of August 8, the SANS Internet Storm Center noted that 661,044 unique IP addresses have been infected, with 150,000-175,000 machines infected (machines can have more than one associated IP address). While all of these figures are subject to revision, two trends seem clear. First, the rate of infections from the original worm has been substantial, although not at the same rate as in July. Second, the aggressive efforts on the part of the government and private sector urging computer users to patch their systems seem to have paid off.
Self-propagating worms that exploit vulnerabilities in commonly used software platforms will continue to pose a security challenge. These worms require no social engineering (i.e. no one needs to be tricked into revealing any information) and require no action on the part of users (i.e. the opening of attachments). As we saw with Code Red, they can hurt us in two ways: they can consume Internet bandwidth during their propagation phase if enough machines are infected, and they can carry harmful payloads, like the instructions to launch against a chosen target. Anyone can be the next target as future worms may result in much more destructive activity.
There is another worm we have been tracking since early August dubbed “Code Red II.” This worm exploits the same vulnerability as the original Code Red Worm and its variants, but instead of compromising a system to launch Denial of Service attacks, it installs a backdoor into infected systems that can be accessed by anyone knowing that the victim system has been compromised.
On August 16 the NIPC released an assessment entitled "Code Red Reminder and Clarification, Assessment 01-018." That assessment clarifies issues related to which operating systems and software are vulnerable to Code Red and also makes clear that, contrary to some reports, we have not yet identified a Code Red III.
The NIPC Approach to the Problem
Because the NIPC is an interagency Center, it could quickly react to the recent infections of the Leave and Code Red Worms. Senior leadership positions in the NIPC are held by personnel from several agencies. The NIPC Director is a senior FBI executive. The Deputy Director of the NIPC is a two-star Navy Rear Admiral and the Executive Director is detailed from the Air Force Office of Special Investigations. The Section and Unit Chiefs in the Computer Investigation and Operations Section and the Training, Outreach, and Strategy Section are from the FBI. The Assistant Section Chief for Training, Outreach and Strategy is detailed from the Defense Criminal Investigative Service. The Section Chief of the Analysis and Warning Section is from the CIA and his deputy is a senior FBI agent. The head of the NIPC Watch and Warning Unit is reserved for a uniformed service officer, and the head of the Analysis and Information Sharing Unit is reserved for a National Security Agency manager. This breadth of leadership has meant that when worms such as Code Red appear, coordination across the civilian and military agencies of the government is rapid and efficient.
But it is not just in the leadership ranks that the NIPC has broad representation. Currently the Center has representatives from the following agencies: FBI, Office of the Secretary of Defense, Army, Air Force Office of Special Investigations, Defense Criminal Investigative Service, National Security Agency, United States Postal Service, Department of Transportation/Federal Aviation Administration, Central Intelligence Agency, Department of Commerce/Critical Infrastructure Assurance Office, and the Department of Energy. This representation has given us the unprecedented ability to reach back to the parent organizations of our interagency detailees on intrusions and infrastructure protection matters in order to provide and receive information. In addition, we have formed an interagency coordination cell at the Center which holds monthly meetings with U.S. Secret Service, U.S. Customs Service, representatives from DoD investigative agencies, the Offices of Inspector General of NASA, Social Security Administration, Departments of Energy, State, and Education, and the U.S. Postal Service, to discuss topics of mutual concern.
This representation is not enough, however. The NIPC would like to see all lead agencies represented in the Center. The more broadly representative the NIPC is, the better job it can do in responding to viruses, worms, and other intrusions into critical U.S. systems.
We have established four strategic directions for our capability growth: prediction, prevention, detection, and mitigation/response. None of these are new concepts but the NIPC will renew its focus on each of them in order to strengthen our strategic analysis capabilities. The NIPC will work to further strengthen its longstanding efforts on the early detection and mitigation of cyber attacks. These strategic directions will be significantly advanced by our intensified cooperation with federal agencies and the private sector.
Our most ambitious strategic directions, prediction and prevention, are intended to forestall attacks before they occur. We are seeking ways to forecast or predict hostile capabilities in much the same way that the military forecasts weapons threats. The goal here is to forecast these threats with sufficient warning to prevent them. A key to success in these areas will be strengthened cooperation with intelligence collectors and the application of sophisticated new analytic tools to better learn from day-to-day trends. The strategy of prevention is reminiscent of traditional community policing programs but with our infrastructure partners and key systems vendors. As the recent Leave and Code Red Worm incidents demonstrate, our working relations have never been closer with key federal agencies, like FedCIRC, NSA, CIA, and the Joint Task Force - Computer Network Operations (JTF-CNO), and private sector groups such as SANS, the anti-virus community, major Internet Service Providers, and the backbone companies. These close relationships aid in predicting events before they happen.
Our role in preventing the spread of computer viruses and worms as well as other cyber intrusions into critical U.S. systems is not to provide advice on what hardware or software to use or to act as a federal systems administrator. Rather, our role is to provide information about threats, ongoing incidents, and exploited vulnerabilities so that government and private sector system administrators can take the appropriate protective measures. The NIPC has a variety of products to inform the private sector and other domestic and foreign government agencies of the threat, including: alerts, advisories, and assessments; biweekly CyberNotes; monthly Highlights; and topical electronic reports. These products are designed for tiered distribution to both government and private sector entities consistent with applicable law and the need to protect intelligence sources and methods, and law enforcement investigations. For example, Highlights is a publication for sharing analysis and information on critical infrastructure issues. It provides analytical insights into major trends and events affecting the nation’s critical infrastructures. It is usually published in an unclassified format and reaches national security and civilian government agency officials as well as infrastructure owners and operators. CyberNotes is another NIPC publication designed to provide security and information system professionals with timely information on cyber vulnerabilities, hacker exploit scripts, hacker trends, virus information, and other critical infrastructure-related best practices. It is published on our website and disseminated in hardcopy to government and private sector audiences.
The NIPC has elements responsible for both analysis and warning. What makes the NIPC unique is that it has access to law enforcement, intelligence, private sector, foreign liaison, and open source information. No other entity has this range of information. Complete and timely reporting of incidents from private industry and government agencies allows NIPC analysts to make the linkages between government and private sector intrusions. We are currently working on integrating our databases consistent with the law to allow us to more quickly make the linkages among seemingly disparate intrusions. This database will leverage both the unique information available to the NIPC through FBI investigations and information available from the intelligence community and open sources. Having these analytic functions at the NIPC is a central element of its ability to carry out its preventive mission.
The NIPC also shares information via its InfraGard Initiative. All 56 FBI field offices now have InfraGard chapters. Just in the last six months the InfraGard Initiative has added over 1000 new members to increase the overall membership to over 1800. It is the most extensive government-private sector partnership for infrastructure protection in the world, and is a service we provide to InfraGard members free of charge. InfraGard expands direct contacts with the private sector infrastructure owners and operators and shares information about cyber intrusions and vulnerabilities through the formation of local InfraGard chapters within the jurisdiction of each of the 56 FBI Field Offices and several of its Resident Agencies (subdivisions of the larger field offices).
A key element of the InfraGard initiative is the confidentiality of reporting by members. The reporting members edit out the identifying information about themselves on the notices that are sent to other members of the InfraGard network. This process is called sanitization and it protects the information provided by the victim of a cyber attack. Much of the information provided by the private sector is proprietary and is treated as such. InfraGard provides its membership with the capability to write an encrypted sanitized report for dissemination to other members. This measure helps to build a trusted relationship with the private sector and at the same time encourages other private sector companies to report cyber attacks to law enforcement.
InfraGard held its first national congress from June 12-14, 2001. This conclave provided an excellent forum for NIPC senior managers and InfraGard members to exchange ideas. InfraGard's success is directly related to private industry's involvement in protecting its critical systems, since private industry owns most of the infrastructures. The dedicated work of the NIPC and the InfraGard members is paying off. InfraGard has already prevented cyber attacks by discreetly alerting InfraGard members to compromises on their systems.
The NIPC is also working with the Information Sharing and Analysis Centers (ISACs) established under the auspices of PDD-63. The North American Electric Reliability Council (NERC) serves as the electric power ISAC. The NIPC has developed a program with the NERC for an Indications and Warning System for physical and cyber attacks. Under the program, electric utility companies and other power entities transmit incident reports to the NIPC. These reports are analyzed and assessed to determine whether an NIPC alert, advisory, or assessment to the electric utility community is warranted. Electric power participants in the program have stated that the information and analysis provided by the NIPC makes this program especially worthwhile. NERC has recently decided to expand this initiative nationwide. This initiative will serve as a good example of government and industry working together to share information, and the Electric Power Indications and Warning System will provide a model for the other critical infrastructures.
With the assistance of NERC, the NIPC conducted a six-month pilot program and a series of workshops to familiarize participants with the program's operating procedures. The workshops included hands-on table-top exercises that required program participants to work through simulated scenarios dealing with credible cyber and physical attacks directed against the power industry. In the summer of 2000, a half-day table-top exercise was held for companies in NERC's Mid-Atlantic region, allowing them to role-play in responding to simulated incidents pre-scripted by NIPC and company representatives. Since October 2000, the NIPC, supported by NERC, has conducted three workshops around the country in order to provide program participants with hands-on experience in responding to attacks against the electric power grid. Eventually, the NIPC will strive to have similar models and exercises for all the infrastructures.
The NIPC serves as sector liaison for the Emergency Law Enforcement Services (ELES) Sector at the request of the FBI. The NIPC completed the ELES Sector Plan in February, 2001. The ELES Sector Plan was the first completed sector report under PDD-63 and was delivered to the White House on March 2, 2001. At the Partnership for Critical Infrastructure Security in Washington, D.C., in March, 2001, the ELES Plan was held up as a model for the other sectors. The NIPC also sponsored the formation of the Emergency Law Enforcement Services Sector Forum, which meets quarterly to discuss issues relevant to sector security planning. The Forum contains federal, state, and local representatives. The next meeting of the Forum is scheduled for September, 2001.
The Plan was the result of two years' work in which the NIPC surveyed law enforcement agencies concerning the vulnerabilities of their infrastructure, in particular their data and communications systems. Following the receipt of the survey results, the NIPC and the ELES Forum produced the ELES Sector Plan. The NIPC also produced a companion "Guide for State and Local Law Enforcement Agencies" that provides guidance and a "toolkit" that law enforcement agencies can use when implementing the activities suggested in the Plan.
The importance of the ELES Sector Plan and the Guide cannot be overstated. These documents will aid some 18,000 police and sheriff’s departments located in towns and neighborhoods to better protect themselves from attack by providing them with useful checklists and examples of procedures they can use to improve their security. Since the local police are usually among the first responders to any incident threatening public safety, their protection is vital.
Also, the NIPC has prepared model agreements to promote information sharing and has presented them for negotiation to the following existing or potential ISACs: Association of Metropolitan Water Agencies (AMWA), Financial Services, Information Technology, National Association of State Chief Information Officers (NASCIO), National Coordinating Center (NCC) for Telecommunications, National Emergency Management Association (NEMA), National Petroleum Council (NPC), and US Fire Administration (USFA). Offers for information sharing arrangements will be made to the emerging Rail and Aviation ISACs. We are promoting the establishment of an ISAC for the Public Health Services Sector. With respect to the federal agencies, NIPC has developed a model agreement for use in promoting information sharing with the other 70 plus executive branch agencies, and will soon launch a campaign to formalize these arrangements.
Given the ubiquitous vulnerabilities in existing Commercial Off-the-Shelf (COTS) software, intrusions into critical systems are inevitable for the foreseeable future. Thus detection of these viruses, worms, and other intrusions is crucial if the U.S. Government and critical infrastructure owners and operators are going to be able to respond effectively. To improve our detection capabilities, we first need to ensure that we are fully collecting, sharing, and analyzing all extant information. It is often the case that intrusions can be discerned simply by collecting bits of information from various sources; conversely, if we do not collate these pieces of information for analysis, we might not detect the intrusions at all. Thus the NIPC's role in collecting information from all sources and performing analysis in itself serves the role of detection.
Federal Agency system administrators need to work with NIPC. PDD-63 makes clear the importance of such reporting. It states, “All executive departments and agencies shall cooperate with the NIPC and provide such assistance, information and advice that the NIPC may request, to the extent permitted by law. All executive departments shall also share with the NIPC information about threats and warning of attacks and about actual attacks on critical government and private sector infrastructures, to the extent permitted by law.”
In order to carry out this mandate, the NIPC is working closely with FedCIRC and the anti-virus community. The NIPC and the Computer Emergency Response Team (CERT) at Carnegie Mellon University have formed a mutually beneficial contractual relationship. The NIPC receives information from the CERT that it incorporates into strategic and tactical analyses and utilizes as part of its warning function. The NIPC is routinely in telephonic contact with CERT/CC and the anti-virus community for purposes of sharing vulnerability and threat information on a real-time basis. CERT/CC input is often sought when an NIPC warning is in production. The NIPC also provides information to the CERT that it obtains through investigations and other sources, using CERT as one method for distributing information (normally with investigative sources sanitized) to security professionals in industry and to the public. The Watch also provides the NIPC Daily Report to the CERT/CC via Internet e-mail. On more than one occasion, the NIPC provided CERT with the first information regarding a new threat, and the two organizations have often collaborated in putting information out about incidents and threats.
The NIPC has an excellent relationship with the General Services Administration’s Federal Computer Incident Response Center (FedCIRC). NIPC and FedCIRC are both crucial to effective cyber defense but serve different roles. When an agency reports an incident, FedCIRC works with the agency to identify the type of incident, mitigate any damage to the agency's system, and provide guidance to the agency on recovering from the incident. FedCIRC has detailed a person to the NIPC Watch Center. In addition, the NIPC sends draft alerts, advisories, and assessments on a regular basis to FedCIRC for input and commentary prior to their release. NIPC and FedCIRC information exchange assists both centers with their analytic products. The NIPC and FedCIRC are currently discussing ways to improve the flow of information between the two organizations and encourage federal agency reporting of incident information to the NIPC.
In response to victim reports, the NIPC sponsored the development of tools to detect malicious software code. For example, in December 1999, in anticipation of possible Y2K related malicious conduct, the NIPC posted a detection tool on its web site that allowed systems administrators to detect the presence of certain Distributed Denial of Service (DDoS) tools on their networks. In those cases, hackers planted tools named Trinoo, Tribe Flood Network (TFN), TFN2K, and Stacheldraht (German for barbed wire) on a large number of unwitting victim systems. Then, when the hacker sent a particular command, the victim systems in turn began sending messages against target systems. The target systems became overwhelmed with the traffic and were unable to function. Users trying to access the target system were denied its services. The NIPC’s detection tools were downloaded thousands of times and have no doubt prevented many DDoS attacks. In fact, in this cutting edge area of network security, the NIPC’s Special Technologies and Applications Unit (STAU) received the 2000 SANS Award.
If we determine that an intrusion is imminent or underway, the NIPC Watch is responsible for formulating assessments, advisories, and alerts, and quickly disseminating them. The substance of those products will come from work performed by NIPC analysts. We can notify both private sector and government entities using an array of mechanisms so they can take protective steps. In some cases these warning products can prevent a wider attack; in other cases warnings can mitigate an attack already underway. This was the case both with our warnings regarding e-commerce vulnerabilities and the more recent warnings posted about Code Red. Finally, these notices can prevent attacks from ever happening in the first place. For example, the NIPC released an advisory on March 30, 2001, regarding the “Lion Internet Worm,” which is a DDoS tool targeting Unix-based systems. Based on all-source information and analysis, the NIPC alerted systems administrators how to look for this compromise of their system and what specific steps to take to remove the tools if they are found. This alert was issued after consultation with FedCIRC, JTF-CNO, a private sector ISAC, and other infrastructure partners.
Despite our efforts, we know that critical U.S. systems will continue to be attacked. The perpetrators could be criminal hackers, teenagers, cyber protestors, terrorists, or foreign intelligence services. In order to identify an intruder, the NIPC coordinates an investigation that gathers information using either criminal investigative or foreign counter-intelligence authorities, depending on the circumstances. We also rely on the assistance of other nations when appropriate.
In the cyber world, determining the “who, what, where, when, and how” is difficult. An event could be a system probe to find vulnerabilities or entry points, an intrusion to steal data or plant sniffers or malicious code, the spreading of a virus or worm, an act of teenage vandalism, an attack to disrupt or deny service, or even an act of war. The crime scene itself is totally different from the physical world in that it is dynamic--it grows, contracts, and can change shape. Further, the tools used to perpetrate a major infrastructure attack can be the same ones that are freely available on the Internet and used for other cyber intrusions (such as simple hacking, foreign intelligence gathering, or organized crime activity to steal property), making identification more difficult. Obtaining reliable information is necessary not only to identify the perpetrator but also to determine the size and nature of the intrusion and what information security response may prevent further attack: how many systems are affected, what techniques are being used, and what is the purpose of the intrusions--disruption, economic espionage, theft of money, etc.
Relevant information could come from existing criminal investigations or other contacts at the FBI Field Office level. It could come from the U.S. Intelligence Community, other U.S. Government agency information, private sector contacts, the media, other open sources, or foreign law enforcement contacts. The NIPC’s role is to coordinate, collect, analyze, and disseminate this information. Indeed this is one of the principal reasons the NIPC was created.
Because the Internet by its nature embodies a degree of anonymity, our government’s proper response to an attack first requires significant investigative steps. Investigators typically need a full range of criminal and/or national security authorities to determine who launched the attack or authored the malicious code. There are many federal statutes that criminalize unauthorized conduct over the Internet. The law prohibits a wide variety of acts conducted with computers, some of which are traditional crimes (such as wire fraud and pornography) and others of which are more technology-specific crimes, such as hacking.
The primary Federal statute that criminalizes breaking into computers and spreading malicious viruses and worms is the Computer Fraud and Abuse Act, codified at Title 18 of the United States Code, Section 1030. Other statutes that are typically implicated in a hacking case include Section 1029 of Title 18, which criminalizes the misuse of computer passwords, and Section 2511 of Title 18, which criminalizes hackers who break into systems and install "sniffers" to illegally intercept electronic communications. In order to investigate these violations, law enforcement relies on traditional sources and techniques to gather evidence, ranging from the public's voluntary assistance to court authorized searches and court authorized surveillance. We have similar investigative capabilities when pursuing cases in which foreign powers or terrorist organizations are impairing the confidentiality, integrity, or availability of our networks, although in these cases our legal authority typically is derived from the National Security Act of 1947 and the Foreign Intelligence Surveillance Act (FISA), both codified in Title 50 of the United States Code, rather than pursuant to the Federal Criminal Code.
The FBI has designated the NIPC to act as the program manager for all of its computer intrusion investigations, and the NIPC has made enormous strides in developing this critical nationwide program. In that connection, the NIPC works closely with the Department of Justice Criminal Division’s Computer Crime and Intellectual Property Section, Office of Intelligence Policy and Review, and the U.S. Attorney’s Offices in coordinating legal responses.
In the event of a national-level set of intrusions into significant systems or a major virus outbreak, the NIPC will form a Cyber Crisis Action Team (C-CAT) to coordinate response activities and use the facilities of the FBI's Strategic Information and Operations Center (SIOC). The team will have expert investigators, computer scientists, analysts, watch standers, and other U.S. government agency representatives. Part of the U.S. government team might be physically located at FBI Headquarters and part of the team may be just electronically connected. The C-CAT will immediately contact field offices responsible for the jurisdictions where the attacks are occurring and where the attacks may be originating. The C-CAT will continually assess the situation, support and coordinate investigative activities, and issue updated warnings, as necessary, to all those affected by or responding to the crisis. The C-CAT will then coordinate the investigative effort to discern the scope of the attack, the technology being used, and the possible source and purpose of the attack.
The NIPC’s placement in the FBI’s Counterterrorism Division will allow for a seamless FBI response in the event of a terrorist action that encompasses both cyber and physical attacks. The NIPC and the other elements of the FBI’s Counterterrorism Division have conducted joint operations and readiness exercises in the FBI’s SIOC. We are prepared to respond when called upon.
As the Worm Turns
Over the past several years we have seen a wide range of cyber threats ranging from defacement of websites by juveniles to devastating worms and viruses released on the Internet. Some of these are obviously more significant than others. The theft of national security information from a government agency, or the interruption of electrical power to a major metropolitan area would have greater consequences for national security, public safety, and the economy than the defacement of a web-site. But even the less serious categories have real consequences and, ultimately, can undermine confidence in e-commerce and violate privacy or property rights. A web site hack that shuts down an e-commerce site can have disastrous consequences for a business. An intrusion that results in the theft of credit card numbers from an online vendor can result in significant financial loss and, more broadly, reduce consumers’ willingness to engage in e-commerce. Because of these implications, it is critical that we have in place the programs and resources to investigate and, ultimately, to deter these sorts of crimes.
Virus attacks have become more prevalent in recent years. While tens of thousands of viruses and worms exist in the wild, the vast majority of them are not serious threats. But just a few of them have unleashed havoc on the networks. A survey by InformationWeek and PricewaterhouseCoopers conducted in the summer of 2000 estimated viruses would cause $1.6 trillion worth of damage in the year 2000 worldwide. That figure is larger than the gross domestic product of all but a handful of nations and demonstrates the huge economic costs that viruses and worms can have on the global economy.
In addition, because it is often difficult to determine whether a virus outbreak or worm propagation is the work of an individual with criminal motives or a foreign power, we must treat certain cases as potential national security matters until we gather sufficient information to determine the nature, purpose, scope, and perpetrator of the attack. While we cannot discuss ongoing investigations, we can discuss closed cases that involve FBI and other agency investigations in which the intruder’s methods and motivation were similar to what we are currently seeing. A few illustrative cases are described below:
As discussed above, Code Red infected over 150,000 systems and has yet to be stopped. But this is only the most recent in a growing list of computer worms. The first worm to get the attention of the computer users community was the Morris worm, released on November 2, 1988, by Robert Tappan Morris, a 23-year-old graduate student at Cornell University. The infant Internet community had never seen anything like this worm. In a matter of hours it had infected 6,000 machines and, while it did not damage files, it clogged the machines and made them unusable. The machines had to be disconnected from the Internet and repaired. Morris was convicted of violating the Computer Fraud and Abuse Act and sentenced to three years probation, 400 hours of community service, and fined $10,500.
In May 2000 companies and individuals around the world were stricken by the “Love Bug,” a virus (or, technically, a “worm”) that traveled as an attachment to an e-mail message and propagated itself extremely rapidly through the victim’s address books. The virus/worm also reportedly penetrated at least 14 federal agencies including the Department of Defense (DOD), the Social Security Administration, the Central Intelligence Agency, the Immigration and Naturalization Service, the Department of Energy, the Department of Agriculture, the Department of Education, the National Aeronautics and Space Administration (NASA), along with the House and Senate.
Investigative work by the FBI’s New York Field Office, with assistance from the NIPC, traced the source of the virus to the Philippines within 24 hours. The FBI then worked, through the FBI Legal Attaché in Manila, with the Philippines’ National Bureau of Investigation, to identify the perpetrator. The speed with which the virus was traced back to its source is unprecedented. The prosecution in the Philippines was hampered by the lack of a specific computer crime statute. Nevertheless, Onel de Guzman was charged on June 29, 2000, with fraud, theft, malicious mischief, and violation of the Devices Regulation Act. However, those charges were dropped in August by Philippine judicial authorities. As a postscript, it is important to note that the Philippines’ government on June 14, 2000, reacted quickly and approved the E-Commerce Act, which now specifically criminalizes computer hacking and virus propagation. Also, the NIPC continues to work with other nations to provide guidance on the need to update criminal law statutes.
In some cases, we have been able to prevent the release of malicious code viruses against public systems. On March 29, 2000, FBI Houston initiated an investigation when it was discovered that certain small businesses in the Houston area had been targeted by someone who was using their Internet accounts in an unauthorized manner and causing their hard drives to be erased. The next day, FBI Houston executed a search warrant at the residence of an individual who allegedly created a computer "worm" that seeks out computers on the Internet. This "worm" looked for computer networks that had certain sharing capabilities enabled, and used them for the mass replication of the worm. The worm caused the hard drives of randomly selected computers to be erased. The computers whose hard drives were not erased actively scanned the Internet for other computers to infect and forced the infected computers to use their modems to dial 911. Because each infected computer could scan approximately 2,550 computers at a time, this worm had the potential to create a denial of service attack against the 911 system. The NIPC issued a warning to the public through the NIPC webpage, SANS, InfraGard, and teletypes to government agencies. On May 15, 2000, Franklin Wayne Adams of Houston was charged by a federal grand jury with knowingly causing the transmission of a program onto the Internet that caused damage to a protected computer system by threatening public health and safety and by causing loss aggregating to at least $5,000. Adams was also charged with unauthorized access to electronic or wire communications while those communications were in electronic storage. On April 5, 2001, Adams was sentenced to 5 years probation and ordered to pay $12,353 in restitution. Under the terms of his sentencing, Adams is restricted to using a computer only for work and educational purposes.
National security threats remain our top concern. As Dr. Lawrence Gershwin, National Intelligence Officer for Science and Technology, told the Joint Economic Committee in June, 2001, "For attackers, viruses and worms are likely to become more controllable, precise, and predictable--making them more suitable for weaponization. Advanced modeling and simulation technologies are likely to assist in identifying critical nodes for an attack and conducting battle damage assessments." The NIPC is concerned about three specific categories of national security intruders: terrorists, foreign intelligence services, and information warriors. As Gershwin noted in June, "Most U.S. adversaries have access to the technology needed to pursue computer network operations."
Terrorist groups are increasingly using new information technology and the Internet to formulate plans, raise funds, spread propaganda, and to communicate securely. In his statement on the worldwide threat in 2000, Director of Central Intelligence George Tenet testified that terrorist groups, “including Hizbollah, HAMAS, the Abu Nidal organization, and Bin Laden’s al Qa’ida organization are using computerized files, e-mail, and encryption to support their operations.” In one example, convicted terrorist Ramzi Yousef, the mastermind of the World Trade Center bombing, stored detailed plans to destroy United States airliners in encrypted files on his laptop computer. While we have not yet seen these groups employ cyber tools as a weapon to use against critical infrastructures, their reliance on information technology and acquisition of computer expertise are clear warning signs. During the riots on the West Bank in the fall of 2000, Israeli government sites were subjected to e-mail flooding and "ping" attacks. The attacks originated with sympathetic Islamic elements trying to inundate the systems with email messages. As one can see from these examples overseas, “cyber terrorism,” which refers to malicious conduct in cyberspace to commit or threaten to commit acts dangerous to human life, or against a nation’s critical infrastructures, such as energy, transportation, or government operations, in order to intimidate or coerce a government or civilian population, or any segment thereof, in furtherance of political or social objectives, is a very real threat.
Foreign intelligence services have adapted to using cyber tools as part of their information gathering tradecraft. While I cannot go into specific cases, there are overseas probes against U.S. government systems every day. It would be naive to ignore the possibility or even probability that foreign powers were behind some or all of these probes. The motivation of such intelligence gathering is obvious. By coordinating law enforcement and intelligence community assets and authorities in one Center, the NIPC can work with other agencies of the U.S. government to detect these foreign intrusion attempts.
The prospect of "information warfare" by foreign militaries against our critical infrastructures is perhaps the greatest potential cyber threat to our national security. We know that many foreign nations are developing information warfare doctrine, programs, and capabilities for use against the United States or other nations. In testimony in June, 2001, National Intelligence Officer Gershwin stated that "for the next 5 to 10 years or so, only nation states appear to have the discipline, commitment, and resources to fully develop the capabilities to attack critical infrastructures."
While the NIPC has accomplished much over the last three years in building the first national-level operational capability to respond to cyber intrusions, much work remains. We have learned from cases that successful network investigation is highly dependent on expert investigators and analysts, with state-of-the-art equipment and training. We have had the resources to build some of that capability both in the FBI Field Offices and at the NIPC, but we have much work ahead if we are to build our resources and capability to keep pace with the changing technology and growing threat environment, while at the same time being able to respond to several major incidents at once.
We are building the agency to agency, government to private sector, foreign liaison, and law enforcement partnerships that are vital to this effort. The NIPC is well suited to foster these partnerships since it has analysis, information sharing, outreach, and investigative missions. We are working with the executives in the infrastructure protection community to foster the development of safe and secure networks for our critical infrastructures. While this is a daunting task, we are making progress.
Within the federal sector, we have seen how much can be accomplished when agencies work together, share information, and coordinate their activities as much as legally permissible. But on this score, too, more can be done to achieve the interagency and public-private partnerships called for by PDD-63. We need to ensure that all relevant agencies are sharing information about threats and incidents with the NIPC and devoting personnel and other resources to the Center so that we can continue to build a truly interagency, "national" center. Finally, we must work with Congress to make sure that policy makers understand the threats we face in the Information Age and what measures are necessary to secure our Nation against them. I look forward to working with the Members and Staff of this Subcommittee to address these vitally important issues.