[Senate Hearing 112-167]
[From the U.S. Government Publishing Office]
S. Hrg. 112-167
CYBER SECURITY: RESPONDING TO THE THREAT OF CYBER CRIME AND TERRORISM
=======================================================================
HEARING
before the
SUBCOMMITTEE ON CRIME AND TERRORISM
of the
COMMITTEE ON THE JUDICIARY
UNITED STATES SENATE
ONE HUNDRED TWELFTH CONGRESS
FIRST SESSION
__________
APRIL 12, 2011
__________
Serial No. J-112-16
__________
Printed for the use of the Committee on the Judiciary
_____
U.S. GOVERNMENT PRINTING OFFICE
71-412 PDF WASHINGTON : 2011
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC
area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC, Washington, DC
20402-0001
COMMITTEE ON THE JUDICIARY
PATRICK J. LEAHY, Vermont, Chairman
HERB KOHL, Wisconsin                    CHUCK GRASSLEY, Iowa
DIANNE FEINSTEIN, California            ORRIN G. HATCH, Utah
CHUCK SCHUMER, New York                 JON KYL, Arizona
DICK DURBIN, Illinois                   JEFF SESSIONS, Alabama
SHELDON WHITEHOUSE, Rhode Island        LINDSEY GRAHAM, South Carolina
AMY KLOBUCHAR, Minnesota                JOHN CORNYN, Texas
AL FRANKEN, Minnesota                   MICHAEL S. LEE, Utah
CHRISTOPHER A. COONS, Delaware          TOM COBURN, Oklahoma
RICHARD BLUMENTHAL, Connecticut
Bruce A. Cohen, Chief Counsel and Staff Director
Kolan Davis, Republican Chief Counsel and Staff Director
------
Subcommittee on Crime and Terrorism
SHELDON WHITEHOUSE, Rhode Island, Chairman
HERB KOHL, Wisconsin                    JON KYL, Arizona
DIANNE FEINSTEIN, California            ORRIN G. HATCH, Utah
DICK DURBIN, Illinois                   JEFF SESSIONS, Alabama
AMY KLOBUCHAR, Minnesota                LINDSEY GRAHAM, South Carolina
CHRISTOPHER A. COONS, Delaware
Stephen Lilley, Democratic Chief Counsel
Stephen Higgins, Republican Chief Counsel
C O N T E N T S
----------
STATEMENTS OF COMMITTEE MEMBERS
Kyl, Hon. Jon, a U.S. Senator from the State of Arizona
Whitehouse, Hon. Sheldon, a U.S. Senator from the State of Rhode Island
WITNESSES
Baker, Stewart A., Partner, Steptoe & Johnson, LLP, Washington, DC
Martinez, Pablo A., Deputy Special Agent In Charge, Criminal Investigation Division, U.S. Secret Service
Savage, John E., Professor of Computer Science, Brown University, Providence, Rhode Island
Schneck, Phyllis, Vice President and Chief Technology Officer, Global Public Sector, McAfee Inc., Reston, Virginia
Snow, Gordon M., Assistant Director, Cyber Division, Federal Bureau of Investigation
Weinstein, Jason, Deputy Assistant Attorney General, Criminal Division, U.S. Department of Justice
QUESTIONS AND ANSWERS
Responses of Stewart A. Baker to questions submitted by Senator Hatch
Responses of Pablo A. Martinez to questions submitted by Senators Whitehouse and Feinstein
Responses of Pablo A. Martinez and Gordon M. Snow to questions submitted by Senators Hatch and Klobuchar
Responses of Gordon M. Snow to questions submitted by Senators Feinstein, Whitehouse, Klobuchar and Hatch
Responses of John E. Savage to questions submitted by Senator Hatch
Responses of Phyllis Schneck to questions submitted by Senator Hatch
Responses of Jason Weinstein to questions submitted by Senators Hatch and Whitehouse
SUBMISSIONS FOR THE RECORD
Baker, Stewart A., Partner, Steptoe & Johnson, LLP, Washington, DC
Global Energy Cyberattacks: ``Night Dragon'', McAfee Foundstone, February 10, 2011, report
Martinez, Pablo A., Deputy Special Agent In Charge, Criminal Investigation Division, U.S. Secret Service
Savage, John E., Professor of Computer Science, Brown University, Providence, Rhode Island
Schneck, Phyllis, Vice President and Chief Technology Officer, Global Public Sector, McAfee Inc., Reston, Virginia
Snow, Gordon M., Assistant Director, Cyber Division, Federal Bureau of Investigation
Weinstein, Jason, Deputy Assistant Attorney General, Criminal Division, U.S. Department of Justice
CYBER SECURITY: RESPONDING TO THE THREAT OF CYBER CRIME AND TERRORISM
----------
TUESDAY, APRIL 12, 2011
U.S. Senate,
Subcommittee on Crime and Terrorism,
Committee on the Judiciary,
Washington, DC.
The Committee met, pursuant to notice, at 2:38 p.m. in room
SD-226, Dirksen Senate Office Building, Hon. Sheldon
Whitehouse, Chairman of the Subcommittee, presiding.
Present: Senators Whitehouse, Feinstein, Klobuchar, Coons,
Blumenthal, Kyl, and Hatch.
OPENING STATEMENT OF HON. SHELDON WHITEHOUSE, A U.S. SENATOR
FROM THE STATE OF RHODE ISLAND
Chairman Whitehouse. Good afternoon, everyone. Thank you
all for being here. Today's hearing takes on a topic of vital
importance: Cyber Security: Responding to the Threat of Cyber
Crime and Terrorism.
We live in the most connected and technologically advanced
country in the world. Our electrical engineers, computer
scientists, and technology companies have changed the way that
the world does business, made our daily lives safer and more
enjoyable, empowered free speech in repressive states, and
brought the world closer together. These remarkable innovations
unfortunately also have given criminals, terrorists, and
hostile states new opportunities to steal American property,
disrupt our way of life, and compromise our National security.
American consumers are now subject to endless swindles
achieved by spear phishing e-mails, malware that turns their
computers into unwitting bots sending out malicious spam, or
the many varieties of identity theft cooked up by cyber crooks
to steal hard-working Americans' privacy and money.
Our country's businesses likewise are under assault by
foreign agents who seek to steal American intellectual
property, a crime that has reportedly led to the loss of over
$1 trillion of value to date; and by criminal hackers who seek
to empty out corporate accounts or to blackmail companies by
threatening to release stolen trade secrets. These crimes hurt
companies' bottom lines and they rob us of American jobs,
shuttering small businesses by stealing their core intellectual
property, making a new product line unprofitable by letting a
foreign company reap the benefit of American research and
development, or even preventing the next great American company
from bringing the next great innovation to market.
Key elements of our Nation's critical infrastructure such
as our electrical grid, financial services system, and
telecommunications networks have been probed by malicious
actors and in some cases compromised, with the possibility that
hostile state actors have buried latent attacks that they can
trigger when it would hurt us most. Even our Government,
civilian, and military networks are under constant and
successful attack.
We need to do more to defeat the massive and worsening
cyber threat. I am not alone in this belief. The Majority
Leader has recognized that the Senate should act on cyber
security legislation. The Commerce, Homeland Security,
Intelligence, and Armed Services Committees have been hard at
work. This Committee, under Chairman Leahy's leadership, has
reported data breach legislation and last week held a hearing
that has considered reform of the Electronic Communications
Privacy Act. And we hope and expect the administration to weigh
in shortly with its proposals to improve our Nation's cyber
security.
The Senate has important work ahead. It may be hard and
complicated work, but I believe that we can accomplish this
task in a bipartisan and well-considered fashion. I
particularly look forward to working on this vital national
issue with the Ranking Member of this Committee, Senator Jon
Kyl.
I know that this is a topic of serious interest and prior
work for you, Senator Kyl, and I believe we will make a lot of
progress together.
I am very happy, for example, to be working with you to
improve public awareness of the cyber security threats facing
our Nation on a bill that I hope we can file shortly, and to go
on to work on legislation to provide a safe space for joint
defense by our private industries to take place.
Today's hearing will explore the nature, scale, source, and
sophistication of cyber attacks against consumers, Government
agencies, and businesses and industries and compare that to the
resources that our Government currently brings to bear on these
attacks, as well as investigative and prosecutorial successes
and limitations. And it will consider the ways in which the
private sector is able to collaborate with law enforcement to
defend against and respond to cyber attacks.
We are lucky to have two very strong panels of expert
witnesses from inside and outside the administration, including
a distinguished professor from Brown University in my home
State of Rhode Island, which I am happy to note is already at
the forefront of the cyber security field. I thank all of the
witnesses for being here today.
Before I turn to Senator Kyl, let me flag my serious
concern that our prosecutorial and investigative resources are
not appropriately scaled to the threat we face. Even in this
time of budget cutting, given the enormous stakes, the cyber
threat is simply too dangerous to leave underresourced.
Again, I thank the witnesses for being here and now turn to
the Ranking Member, Senator Kyl, for his opening statement.
Senator Kyl.
STATEMENT OF HON. JON KYL, A U.S. SENATOR FROM THE STATE OF
ARIZONA
Senator Kyl. Thank you, Mr. Chairman, not only for holding
this hearing today but for the remarks that you just made.
As one former member of the Intelligence Committee to
another, I have been deeply impressed by your commitment to
cyber security and your command of the associated issues and
look forward to what will be the first of many hearings on this
subject before this Subcommittee.
I am also pleased to have been able to work with you to
draft the forthcoming legislation that you mentioned regarding
cyber security awareness. While this bill may be considered
chiefly a place holder for things to come, I think it is an
important step because of the multitude of topics that it
covers, and that multitude speaks to a larger point and
problem.
I know of your frustration that Congress has waited for so
long to get cyber security legislative proposals from the White
House. This delay has complicated the Congress' task of passing
comprehensive cyber security legislation. By my count, there
are more than seven full committees on the Senate side alone,
including the Judiciary Committee, that will be involved in
drafting a comprehensive bill. This will take time, and we are
long overdue for the President to share his proposals for cyber
security legislation so that we can get started.
I am eager to hear from our expert witnesses about how they
think Congress should differentiate cyber crime and cyber
warfare directed by a state or terrorist group, especially
since, I would argue, it does not much matter if a crippling
attack on our electric grid, banking system, or other critical
infrastructure, or the wholesale theft of billions of dollars
of U.S. intellectual property, defense related or purely
commercial, is being directed by a cyber mafia or a cyber army.
It is the responsibility of this Government to stop the attack
either way. If we are just focusing on prosecuting these
attacks of cyber crime, then I would say we have failed.
So I look forward to the testimony of our witnesses, Mr.
Chairman, and I hope there will be stimulating and informative
rounds of questions thereafter. Thank you.
Chairman Whitehouse. Thank you, Senator Kyl.
If I could ask the witnesses to stand for the oath. Do you
affirm that the testimony you are about to give before this
Committee will be the truth, the whole truth, and nothing but
the truth, so help you God?
Mr. Weinstein. I do.
Mr. Snow. I do.
Mr. Martinez. I do.
Chairman Whitehouse. Thank you very much. Please be seated.
We will just go right across the table with the witnesses,
beginning with Jason Weinstein. Jason Weinstein currently
serves as Deputy Assistant Attorney General in the Department
of Justice's Criminal Division where he oversees the Division's
efforts to combat computer crime and intellectual property
crime, as well as anti-gang and violent crime efforts and human
rights and human-smuggling programs.
Before joining the Criminal Division, Mr. Weinstein served
as chief of the Violent Crimes Section of the U.S. Attorney's
Office in Baltimore and before that as an Assistant United
States Attorney in the U.S. Attorney's Office for the Southern
District--the Sovereign District--of New York. We are delighted
that he is here, and your full statement will be a matter of
record, so if you could please make whatever statement you
would like to make orally within the allotted time, I would
appreciate that.
STATEMENT OF JASON WEINSTEIN, DEPUTY ASSISTANT ATTORNEY
GENERAL, CRIMINAL DIVISION, U.S. DEPARTMENT OF JUSTICE
Mr. Weinstein. Thank you, Mr. Chairman. The Sovereign
District of New York jokes got a lot funnier after I moved to
Baltimore.
Good afternoon, Chairman Whitehouse, Ranking Member Kyl,
and other members of the Subcommittee, and I thank you for the
opportunity to appear before you today.
As we all know, the explosive growth of the Internet and
other modern forms of communication has revolutionized nearly
every aspect of our daily lives. But at the same time, it has
also revolutionized crime, and increasingly the Internet is
being exploited by criminals throughout the world to commit a
staggering array of crimes.
From around the corner or around the globe, skilled hackers
work every single day, and many times every day, to access the
computer systems of Government agencies, of universities,
banks, merchants, and credit card companies to steal large
volumes of personal information and to perpetrate large-scale
data breaches that leave tens of millions of Americans at risk
of identity theft.
Our information infrastructure is under constant attack
from these criminals as well as from terrorists and nation
states that seek to exploit our dependency on information
technology to threaten both our economic and our National
security.
So for these reasons, now more than ever cyber security has
to be a national priority. This administration is committed to
implementing a comprehensive framework that will allow us to
bring all appropriate tools, criminal and otherwise, to bear
against cyber criminals, terrorists, and other malicious
actors. And the Department of Justice plays a critical role in
that effort.
The Justice Department works closely with our partners
throughout the Government to support the Nation's efforts to
support cyberspace, including by providing legal support and
helping to ensure that we vigorously protect privacy and civil
liberties. The Department also plays a leading role in
counterintelligence and national security investigations that
uncover threats to our computer networks from terrorists and
state actors.
But perhaps one of the Department's most important
contributions to the Nation's overall cyber security is the
investigation and prosecution of cyber criminals as we seek to
incapacitate and punish the cyber criminals of today and to
deter the cyber criminals of tomorrow. And in that important
work, our prosecutors from the Criminal Division, from the
National Security Division, and from the U.S. Attorney's
Offices enjoy very strong relationships with our law
enforcement agency partners, and in particular with the other
two agencies represented on the panel with me today--the FBI
and the Secret Service.
Those strong relationships and the dedication and skill of
our prosecutors and our agents have led to a number of major
enforcement successes, including the following:
In August of 2008, the Department, working with the Secret
Service, announced one of the largest hacking and identity
theft cases ever prosecuted, in which charges were brought by
the U.S. Attorney's Offices in three different districts--
Massachusetts, Southern California, and Eastern New York--
against 11 members of an international ring responsible for the
theft and sale of more than 40 million credit and debit card
numbers that had been stolen from major retailers.
The defendants were from all over the world--from the U.S.,
from Estonia, Ukraine, China, and Belarus--and they included
one of the world's top hackers, Albert Gonzalez. Gonzalez pled
guilty to the charges and was sentenced to 20 years in prison,
which is one of the longest sentences ever imposed in a hacking
case.
In November 2009, following a year-long investigation led
by the FBI, the Department announced the indictment in the
Northern District of Georgia of a hacking ring responsible for
executing a global fraud scheme involving defendants from
Estonia, Russia, and Moldova. The defendants were charged with
hacking into a network operated by the credit card processing
company RBS WorldPay, compromising its data encryption and then
providing a network of cashers throughout the world with
counterfeit payroll debit cards. Those cashers used those cards
to withdraw over $9 million from more than 2,100 ATM machines
in at least 280 cities worldwide, and they conducted that
coordinated global cashing operation in less than 12 hours.
Those cases as well as the others referred to in my written
testimony illustrate the scope of the Department's efforts to
pursue cyber criminals. But, significantly, they also reveal
the global nature and the global reach that cyber criminals can
have.
The criminals responsible for those and other large-scale
intrusions often live in and operate from foreign
jurisdictions. It is often literally impossible to identify,
arrest, and prosecute the offenders or to obtain critical
evidence that we need to prosecute the offenders without the
assistance of foreign law enforcement. And for that reason, our
work does not stop at our shores.
Due to the transnational nature of most cyber security
incidents, continued close coordination and cooperation with
our foreign partners is critical to our success. And in that
connection, we rely on the International Convention on Cyber
Crime to provide a framework for efficient cooperation among
nations involving electronic crime.
The Department is proud of these cases and all of our cyber
security efforts, but there should be no doubt, as the Chairman
and the Ranking Member said, that the cyber threats to our
Nation are growing and evolving, and we must remain vigilant
and prepared to confront them, and we will continue to work
with our Government and private sector partners and the
Congress to meet that challenge.
Thank you for the opportunity to be here today to discuss
this issue with you, and I would be pleased to answer your
questions.
[The prepared statement of Mr. Weinstein appears as a
submission for the record.]
Chairman Whitehouse. Thank you very much. We are delighted
to have you with us.
We will go on next to Gordon Snow, who is the Assistant
Director of the Cyber Division at the Federal Bureau of
Investigation. He was named section chief of the Bureau's Cyber
Division in January 2008 and now leads the Division's Cyber
National Security Section and the National Cyber Investigative
Joint Task Force. From January 2008 to January 2009, he was
detailed to the Director of National Intelligence on the
National Counterintelligence Executive. During that assignment,
he led the effort in drafting the government-wide Cyber
Counterintelligence Plan under the Comprehensive National Cyber
Initiative.
Prior to that, Mr. Snow's work with the FBI took him to
Afghanistan as the FBI's on-scene commander for the
Counterterrorism Division, to Silicon Valley working on the
High Value Computer Crimes Task Force, and to Yemen and East
Africa.
Thank you, Mr. Snow. Glad to have you with us.
STATEMENT OF GORDON M. SNOW, ASSISTANT DIRECTOR, CYBER
DIVISION, FEDERAL BUREAU OF INVESTIGATION
Mr. Snow. Good afternoon, Chairman Whitehouse, Ranking
Member Kyl, and members of the Subcommittee. I am pleased to
appear before you today to discuss the cyber threats facing our
Nation and how the FBI and our partners are working together to
respond to the threat of cyber crime and terrorism.
As the Committee is aware, cyber attacks have increased
over the past 5 years and are expected to grow. We have reached
the point that, given enough time and motivation and funding, a
determined adversary will likely be able to penetrate any
system that is accessible directly from the Internet. The FBI
has identified the most significant cyber threats to our Nation
as those with high intent and high capability to inflict damage
or death in the U.S., to illegally obtain sensitive or
classified information, or to illicitly acquire assets.
I would like to focus my remarks today on a few of the many
threats facing the private sector, including threats against
infrastructure, intellectual property, individual businesses,
and our partnerships to address these threats.
U.S. critical infrastructure faces a growing cyber threat
due to the advancements in the availability and sophistication
of malicious software tools. The recent security breach by
unauthorized intruders into the parent company of NASDAQ is an
example of the kind of breaches directed against important
financial infrastructure.
Industrial control systems, which operate the physical
processes of the Nation's pipelines, railroads, and other
critical infrastructures, are at great risk of cyber
exploitation.
Similarly, new ``smart grid'' and ``smart home'' products
could also be exploited by cyber criminals, nation states, and
terrorists. These systems need to be developed and implemented
in ways that will provide protection from unauthorized use.
Intellectual property rights violations, including theft of
trade secrets, digital piracy, and trafficking in counterfeit
goods, also represent high cyber criminal threats, resulting in
losses of billions of dollars in profits annually. These
threats pose significant risk to U.S. public health and safety
via counterfeit pharmaceuticals, electrical components,
aircraft parts, and automobile parts.
Cyber criminals are forming private, trusted, and organized
groups to conduct cyber crime. The adoption of specialized
skill sets and professionalized business practices by these
criminals is steadily increasing the complexity of cyber crime.
One facet of this is botnets, or networks of compromised
computers controlled remotely by an attacker. Criminals use
botnets to facilitate online schemes that steal funds or data,
to anonymize online activities, and to deny access by others to
online resources. The botnets run by criminals could be used by
cyber terrorists or nation states to steal sensitive data,
raise funds, limit attribution of cyber attacks, or disrupt
access to critical national infrastructure.
The potential economic consequences are severe. Often
businesses are unable to recover their losses, and it may be
impossible to estimate the damage. Many companies prefer not to
disclose that their systems have been compromised, making it
impossible to accurately quantify. Consequently, these damages
estimates have ranged from millions to hundreds of billions.
Thanks to Congress and the administration, the FBI is
devoting significant resources to this threat. Our partnerships
with industry, academia, and across all of government have led
to a dramatic improvement in our ability to combat this threat.
The FBI's statutory authority, expertise, and ability to
combine resources across multiple programs make it uniquely
situated to investigate, collect, and disseminate intelligence
about and counter cyber threats from criminals, nation states,
and terrorists.
The FBI has cyber squads in each of its 56 field offices,
with more than 1,000 advanced cyber-trained FBI agents,
analysts, and forensic examiners.
However, the FBI cannot combat the threat alone. Through
the FBI-led National Cyber Investigative Joint Task Force, we
coordinate our efforts with over a dozen Federal partners
throughout the intelligence community and the Department of
Defense. We also partner through NCIJTF with other Federal law
enforcement agencies to include most prominently the United
States Secret Service. The FBI has also embedded cyber staff in
other intelligence community agencies through joint duty and
detailee assignments.
In addition to our 61 legal attachés overseas, we currently
have FBI agents embedded full-time in five foreign police
agencies to assist with cyber investigations. These cyber
agents have identified organized crime groups, supported FBI
investigations, and trained foreign law enforcement officers
for more than 40 nations.
InfraGard is a prime example of the success of public-
private partnerships. Under this initiative, private industry
leaders work with the FBI to ward off attacks against critical
infrastructure. Over the last 15 years, this initiative has
grown from a single chapter to more than 86 chapters in 56
field offices with 42,000 members.
In addition to InfraGard, the FBI partners with the
National White Collar Crime Center and the Internet Crime
Complaint Center and the National Cyber Forensic and Training
Alliance. We also partner with the information-sharing and
analysis centers through the Department of Homeland Security
and the National Center for Missing and Exploited Children.
Chairman Whitehouse, Ranking Member Kyl, and members of the
Subcommittee, in the interest of time today, I have touched
upon a few of the more significant cyber threats facing our
Nation. I appreciate the opportunity to come before you and
share the work the FBI and our partners in the community are
doing to address the cyber threat in this country and am happy
to answer any questions you may have.
[The prepared statement of Mr. Snow appears as a submission
for the record.]
Chairman Whitehouse. Thank you, Assistant Director Snow.
Our next witness, Pablo Martinez, is Deputy Special Agent
in Charge of the Criminal Investigation Division, Cyber Crime
Operations, at the United States Secret Service. In this
capacity, he develops and implements policy for all cyber
investigations conducted by the Secret Service. Mr. Martinez
began his career at the Service in 1991, and in 1999 was
transferred to the Presidential Protective Division. In 2003,
Mr. Martinez was promoted to the supervisory ranks of the
Criminal Investigative Division, where he was tasked with
expanding the Service's Electronic Crimes Task Force. During
that time, he oversaw the first major cyber operation conducted
by the Secret Service, Operation Firewall, in which over 30
online criminals were apprehended worldwide in a simultaneous
round-up.
Glad to have you with us, Agent Martinez.
STATEMENT OF PABLO A. MARTINEZ, DEPUTY SPECIAL AGENT IN CHARGE,
CRIMINAL INVESTIGATION DIVISION, U.S. SECRET SERVICE
Mr. Martinez. Good afternoon, Chairman Whitehouse, Ranking
Member Kyl, and distinguished members of the Subcommittee.
Thank you for the opportunity to testify on the role of the
Secret Service in cyber investigations.
On February 1, 2010, the Department of Homeland Security
delivered the Quadrennial Homeland Security Review, which
established a framework for homeland security missions and
goals. I would like to share just a few sentences from the QHSR
because it underscores the need for a safe and secure
cyberspace:
``As we migrate more of our economic and societal
transactions to cyberspace, these benefits come with increasing
risk. We face a variety of adversaries who are working day and
night to use our dependence on cyberspace against us.
Sophisticated cyber criminals pose great cost and risk both to
our economy and national security. They exploit vulnerabilities
in cyberspace to steal money and information, and to destroy,
disrupt, or threaten the delivery of critical services.''
In order to maintain a safe and secure cyberspace, we have
to disrupt the criminal organizations and other malicious
actors engaged in high consequence or wide-scale cyber crime.
To address the threats posed by these transnational cyber
criminals, the Secret Service has adopted a multi-faceted
approach to investigate these crimes while working to prevent
future attacks. A central component of our approach is the
training provided through our Electronic Crimes Special Agent
Program, which gives our special agents the tools they need to
conduct computer forensic examinations on electronic evidence
obtained from computers, personal data assistants, and other
electronic devices. To date, more than 1,400 special agents are
ECSAP trained. In fact, the Secret Service values this training
so highly that the basic level is now incorporated as a part of
the curriculum that all special agent trainees receive at our
James J. Rowley Training Center.
In addition, since 2008, the Secret Service has provided
similar training to 932 State and local law enforcement
officials, prosecutors, and judges, through the National
Computer Forensics Institute, located in Hoover, Alabama. The
Secret Service's commitment to sharing information and best
practices with our partners, the private sector, and academia
is perhaps best reflected through the work of our 31 Electronic
Crime Task Forces, including two located overseas in Rome,
Italy, and London, England.
To coordinate these complex investigations at the
headquarters level, the Secret Service has enhanced our cyber
intelligence section to identify transnational cyber criminals
involved in network intrusions, identity theft, credit card
fraud, bank fraud, and other computer-related crimes. In the
past 2 years, CIS has directly contributed to the arrest of 41
transnational cyber criminals who were responsible for the
largest network intrusion cases ever prosecuted in the United
States. These intrusions resulted in the theft of hundreds of
millions of credit card numbers and the financial loss of
approximately $600 million to financial and retail
institutions.
As an example, the partnerships developed through our
ECTFs, the support provided by our CIS, the liaison established
by our overseas offices, and the training provided to our
special agents via ECSAP were all instrumental to the Secret
Service's successful investigation into the network intrusion
of Heartland Payment Systems. The August 2009 indictment
alleged that a transnational organized criminal group used
various network intrusion techniques to breach security,
navigate the credit card processing environment, and plant a
collection device to capture payment transaction data.
Our investigation revealed data from more than 130 million
credit card accounts were at risk of being compromised and
exfiltrated to a command and control server operated by an
international group. Furthermore, the Secret Service uncovered
that this international group committed other intrusions into
multiple corporate networks to steal credit and debit card
data.
As a result of our investigation, the three suspects in the
case were indicted for various computer-related crimes. The
lead defendant in the indictment pled guilty and was sentenced
to 20 years in Federal prison. This investigation is ongoing
with over 100 additional victim companies identified. The
Secret Service is working with its law enforcement partners
both domestically and overseas to apprehend the two defendants
who are still at large.
Chairman Whitehouse, Ranking Member Kyl, and distinguished
members of the Subcommittee, the Secret Service is committed to
our mission of safeguarding the Nation's cyber infrastructure
and will continue to aggressively investigate cyber and
computer-related crimes to protect American consumers and
institutions from harm.
This concludes my prepared statement. Thank you again for
this opportunity to testify on behalf of the Secret Service.
[The prepared statement of Mr. Martinez appears as a
submission for the record.]
Chairman Whitehouse. Thank you, Agent Martinez. I
appreciate having you here.
One of the purposes of this hearing is to look into the
comparison between the size of the threat and the resource that
is dedicated to it, and if I may, Mr. Weinstein, let me ask--I
have some numbers here about Criminal Division deployment at
the Department of Justice. And just by way of comparison, we
have looked at OCDETF, the Organized Crime Drug Enforcement
Task Force program; we have looked at the Organized Crime Task
Force, dedicated to traditional Mafia organized crime; and we
have looked at the cyber staff. And the numbers that I have are
that there are just under 90 attorneys in the Criminal Division
dedicated to traditional organized crime. There are 13
attorneys in the Criminal Division dedicated to the OCDETF
program, but the OCDETF program is very much a field-based
program, and so they are sort of the local touch point for over
1,000 staff out in the field, including more than 550 attorneys
out in the field. So it is a pretty robust field program behind
those 13 attorneys at Main Justice.
In the context of that range, we have been told that there
are 40 attorneys in the Criminal Division who are dedicated to
computer intrusions and other hacking cases. There are
additional attorneys who are dedicated to child exploitation,
to appellate cases, to other crimes that may have a computer
component but are not the direct hacking cases.
It strikes me that if the numbers are correct that there is
as much as $1 trillion, I contend that we are on the losing end
of the biggest transfer of wealth in the history of humankind
through theft and piracy in this country right now, that it is
being done through cyber crime, and that it is a very, very
significant national security and economic challenge.
Senator Feinstein and Senator Kyl and I all have also
served on the Intelligence Committee, and while much of what we
know from that Committee is classified, in the public hearing
the Director of National Intelligence Jim Clapper listed the
national security threats that he felt he was obliged to
address as the new DNI, and he put cyber security No. 1 above
everything else.
And so that was kind of noteworthy, and in that context it
strikes me that having fewer attorneys dedicated to computer
intrusions at Main Justice than are dedicated to old-fashioned,
traditional organized crime is a sign that we here in Congress
need to provide you with more resources to focus on the cyber
threat.
What is your sense of that?
Mr. Weinstein. Let me, before I answer your question, put
those numbers in a little bit of context.
You are right in observing that the OCDETF program is
mostly a field-based program, so it is not unexpected that that
is a relatively low number dedicated to that.
The organized crime number which you quoted, which is about
89 attorneys, actually it was organized crime broadly defined.
That is to say, it is traditional organized crime like LCN,
Mafia-type cases; it is gang cases; it is drug-related
organized crime like drug cartel cases, which are pursued as
enterprises; and it includes international organized crime. And
in that sense, especially with international organized crime,
there is some overlap with our cyber security and cyber crime
efforts.
I actually also, along with another Deputy AG, oversee the
organized crime program, and increasingly the priority of our
international organized crime program is to go after
transnational crime groups that involve cyber threats. So there
is some overlap.
The other thing I would add is that the 40 attorneys that
you quoted that are cyber specific, those are the attorneys who
are in the Computer Crime and IP Section, which I have had the
honor to supervise. There are a substantial number of other
attorneys, like in the Fraud Section, who also in the course of
their fraud work focus on fraud cases that have a cyber
component.
Having said all that, it is really undeniable that the
scope of the problem, which is growing every day, far outpaces
the resources that are available to pursue it currently. And so
I think that this is the kind of problem that takes a dedicated
stream of resources, but it also takes dedicated training and
expertise so we can keep pace with the methods that our cyber
actors are using.
I would add that in the President's 2011 budget, which I
think now is a collector's item, there was a request for four
additional cyber attorneys. In the 2012, there is actually a
request for six, and those six attorneys are CHIP prosecutors,
computer hacking and IP prosecutors. But for the first time,
they will be CHIP prosecutors who are placed overseas, I think
to reflect the recognition that fighting this problem requires
going beyond our borders to do it.
The President's proposal, the President's budget proposal,
would put six of these CHIPs, who we would call ICHIPs,
international CHIPs, in regions throughout the world that have
a high concentration of cyber crime and IP theft activity so
that they can not only help American prosecutors at home on
their cases but also help those contractors beef up their own
capacity to pursue cyber criminals in their own borders.
Chairman Whitehouse. My time has expired, but let me ask
just one more question before I turn to Senator Kyl because
there is also field staff, attorneys out in the U.S. Attorneys'
Offices, who are dedicated to this. But it is my understanding
that the--if you could confirm this, it is my understanding
that the AUSAs who are your cyber designees are obliged to
participate in conferences on cyber, be a point of contact for
the office on cyber; if there are conference calls, they are
the person for the office who would participate, but they need
not direct their prosecutive attention to cyber cases. They are
to be deployed as the U.S. Attorney and the first assistant and
the head of the Criminal Division see fit, and in that sense it
is something of an overcount to describe them as full-time--it
would be something of an overcount to describe them as full-
time cyber prosecutors, would it not?
Mr. Weinstein. I think, Senator, it depends on where--Mr.
Chairman, it depends on where they are. In some districts,
especially districts with very active FBI or Secret Service
cyber squads in them, and with a heavy concentration of these
cases, the CHIP prosecutors work exclusively on those cases.
Chairman Whitehouse. But in some they may not----
Mr. Weinstein. Some districts they may not. And the role
really has three or four aspects to it. One is to work on this
case----
Chairman Whitehouse. Well, since I am over my time----
Mr. Weinstein. OK.
Chairman Whitehouse [continuing]. And since I have my
Ranking Member waiting, let me--we can pursue that in the----
Mr. Weinstein. OK.
Chairman Whitehouse [continuing]. Later discussion.
Senator Kyl.
Senator Kyl. Well, thank you, Mr. Chairman. These are all
right-on questions, and in a related area, it is not only
resources but also authority.
Agent Martinez, I would like to ask you a question about
comments you made in your testimony in which you referred to
going dark, the going-dark problem, whereby there is a gap
between the legal authority that you have to intercept
electronic communications and the provider's practical ability
to intercept those communications. And you quoted and endorsed
the statement by the FBI Chief Counsel, who had testified in
the House of Representatives, that there is--excuse me. She
said, ``There are significant law enforcement challenges in
light of the pace of technological advancements.''
Are there specific tools that you think Congress could
provide you and your counterparts in domestic law enforcement
and intelligence to better mitigate this problem? Can you share
them with us today? If not, could I ask all three of you really
to provide to this Committee your proposals for improving the
authorities that all of you need to tackle the problems that
you have identified here today?
Mr. Martinez. Yes, Senator Kyl, we did endorse Chief
Counsel's statements on that. We believe that cyber criminals
are at the tip of the spear when it comes to exploiting
technology. The types of communications that cyber criminals
use or have been using for many years are now just starting to
come into the forefront of crimes being committed by
traditional criminals. So cyber criminals have been using
instant message, have been using VOIP systems, have been
communicating via the computer for many, many years, and we
believe as technology continues to develop you are going to
continue to see cyber criminals exploiting that capability
because they seem to have the most knowledge when it comes to
utilizing devices like that.
I believe right now there are several working groups that
have been established, you know, at the request of the
administration, both at the legislative level and at the
technical working group level. The Secret Service participates
in a technical working group being led by the FBI, and we are
in the process right now of finalizing some of our
recommendations that I believe the administration is looking to
put forward.
Senator Kyl. Great. We will appreciate that, hearing from
FBI, Justice Department, and Secret Service, whomever, to
assist us in giving you the authority you need.
Assistant Director Snow, I would like to ask you, could you
explain the FBI's role in the so-called Team Telecom? And then
I've got a couple specific questions about what I understand
that team is engaged in, the advisory role to the Federal
Communications Commission by the FBI. Is that not a term you
are familiar with?
Mr. Snow. Sir, I apologize. It is not a term I am familiar
with. It usually runs out of our Operational Technology
Division, which would, along with our Office of General
Counsel----
Senator Kyl. OK. Well, let me just ask you to generally
describe concerns that you all have about telecommunications
computers that have links to foreign governments or foreign
militaries providing telecommunications equipment, software,
network management services and the like here in the United
States.
Mr. Snow. Sir, I guess the best way to answer that is in
another forum we could probably go more in-depth, and I would
be more than willing to provide you the personnel and myself
and availability to address those questions.
Senator Kyl. Well, is it fair to say that there is a
significant concern about this and that you do play a role,
that the FBI does play a role along with other intelligence
services in advising our Government departments with respect to
these threats?
Mr. Snow. Yes, sir, absolutely. Always a concern from any
facet, a country adversary that comes in and that would either
manipulate or use our supply chain to our disadvantage. So if
so many things in the supply chain, whether it is a counterfeit
part, a counterfeit chip, something that could be implanted, an
executable piece of malware, a piece of additional code that
would be in our telecom system.
Senator Kyl. When you review the offer of such a company to
open themselves up to third-party or independent review to deal
with those supply chain kinds of problems, is it possible for
you to go through millions of lines of software code to make
100 percent certain that there is not anything malicious built
in that is capable of being activated at a moment of a cyber
criminal's or cyber warrior's choosing?
Mr. Snow. I do not think, sir, that we have that capability
right now in the U.S. Government to go through millions of
lines of code. It is very work intensive. I think we know that
code now is cobbled together from many pieces. I think
sometimes even the programmers and people that design that code
are not even sure what is in that code. They will use other
pieces, freely available pieces on the outside to assemble that
program. And we do provide under the CFIUS process counsel,
guidance, direction, and information to the decisionmakers
across the Government in order to make those decisions, along
with the Department of Justice that runs the CFIUS program.
Senator Kyl. I appreciate it. Thank you.
Chairman Whitehouse. Senator Coons.
Senator Coons. Thank you, Senator, and thank you to both
Senator Whitehouse and Senator Kyl for convening this hearing
today, and to our panel.
You have all testified to the different ways in which your
respective agencies are working together with State and local
law enforcement, and to some extent, the private sector, the
intelligence agencies, and our armed forces to combat cyber
crimes, and I am just interested initially in your opinion
whether States and local law enforcement have the right
resources, have the right training, have the right capabilities
to build up their investigative capabilities as well as their
defensive capabilities.
You made reference, Agent Martinez, in your testimony to
the National Computer Forensics Institute and where the 900
folks have been trained. I think that is a great start. There
was also a reference, I think by Mr. Snow, to 42,000 members of
the FBI's InfraGard.
If you could, in order to speak to the training standards
we are trying to hit, the resources State and local law
enforcement and Government have, and what additional resources
do we need in order to be able to develop a nationwide
professional cadre of folks in law enforcement, in the
intelligence community, and, frankly, in the private sector?
Please.
Mr. Martinez. Thank you, Senator. From our perspective in
law enforcement, what we have basically done is taken our ECSAP
model--that is a three-tier model, BICEP, NITRO, and computer
forensics--and we have mirrored that curriculum at the National
Computer Forensics Institute where we not only teach law
enforcement but also prosecutors and judges. We are firm
believers that you not only have to train the agents or the law
enforcement officers, but you have to make sure that they can
explain or they can articulate in a layman's term the case to a
prosecutor who can then also explain the facts in layman
fashion to a judge who you are going to have to get the
warrants signed to. So that is why it has been--it is important
for us to train all three aspects.
So far, like I stated in my statement, we are over 900. We
are looking to try to expand the amount of law enforcement
personnel that we train. What we try to focus on, since we have
the 31 Electronic Crime Task Forces, we try to focus on
individuals who are members not only of our task force, but
potentially a State and local cyber task force or an FBI task
force because they are in the most need of having this
specialized training. We believe that by doing that we are
multiplying our resources, and we can force multiply and work
investigations not only at the Federal level but at the State
and local level.
And like I said, we continue to work with these partners at
the State and local level to try to get them a better
understanding of some of the issues with cyber crime and some
of the ways to tackle the problem.
Senator Coons. Mr. Snow.
Mr. Snow. Sir, as Mr. Martinez talked about, the good news
portion of the story is that we are making progress on trying
to help assist and train those personnel. I think inwardly,
though, if we are more reflective, it is a difficult task to
make sure that all our personnel are trained, not only that
they are trained but what is the process that we used in order
to make sure that we keep them current and how we retain those
personnel.
So I would not want to classify all State and local law
enforcement officers as being in the position we were in about
10 years ago. We talked recently about the going-dark issue,
and we also talk about how difficult it is to bring those
people up to speed. But I would say--because I know we have
very talented individuals from State and local entities that
are in our regional computer forensic labs that are run
nationally across the country.
However, many of those departments and agencies, you know,
hundreds of thousands of sworn law enforcement officers across
the country, have a difficult time coming up with that money,
that training, the availability of their personnel as they try
just to meet hiring and payrolls.
Senator Coons. And if I could, just a follow-on question to
the Deputy Assistant Attorney General, Mr. Weinstein. One of
the areas I am most concerned about is intellectual property
theft, particularly trade secrets. American companies are some
of the most innovative in the world. In your written testimony,
there was an example of a successful theft from Dow Chemical
that had significant long-term consequences for them.
Where are we in terms of providing coordination, resources,
and standards for training that will help the private sector
understand how to defend against these threats and then the
prosecutorial resources to, as you put it, once these better
locks are broken, actually then capture the CMS who have broken
them?
Mr. Weinstein. Well, Senator, perhaps in IP crime, unlike
any other type of crime, we rely heavily on the victim
companies to report the crimes to us and to be able to
recognize them when they occur, then to provide us with access
to the information we need to successfully investigate and
prosecute them.
One of the things that CCIPS does in conjunction with the
CHIP prosecutors throughout the country is conduct extensive
outreach with potential victim companies in various regions. In
the Pacific Northwest it might be Microsoft, or computer
companies in Delaware and other States, it may be, you know,
companies that are the significant industries in those States.
And what we try to do is explain to them where the risks are,
how to recognize when there is a potential trade secret theft
or other IP crime, and then how to make a referral to us,
either to us directly or to the FBI or to the IPR Rights
Center, which is jointly operated by ICE and by the FBI.
So we do that nationally, and we do that regionally. We go
region by region throughout the country to try to make sure
that companies that are at the greatest risk are aware of what
is going on out there and how to protect themselves from it;
and then if they are violated, how to report it to us so we can
pursue it.
Senator Coons. Thank you.
Chairman Whitehouse. Senator Hatch.
Senator Hatch. Well, thank you, Mr. Chairman, Chairman
Whitehouse. I thank you and applaud you for your efforts in
this area.
The distinguished witnesses represent a balance of all
those affected by cyber criminal and terrorism--Government, the
private sector, and, of course, academia. For successful cyber
security policy, we must encourage partnerships among many
sectors. This cannot be solely a Government-led initiative.
Now, Mr. Snow, China is directing the single largest, most
intensive foreign intelligence gathering effort since the cold
war against the United States. Methods for conducting
informational warfare to advance the goals of a nation state
might also involve secretly sponsoring terrorists.
Now, China is often cited as providing Government support
to computer hackers, and as Richard Clarke, a former White
House adviser for infrastructure protection and
counterterrorism, discusses in his book, ``Cyber War,'' the
Chinese military has placed a new emphasis on information
warfare methods. Specifically, they have proposed to attack
enemy financial markets, civilian electricity networks, and
telecommunication networks by way of computer viruses and, of
course, hacker detachments.
Now, it remains very difficult to determine the true
identity, purpose, or sponsor of a cyber attacker. Can you tell
me, does the FBI have sufficient capability to identify an
attack that is state sponsored versus a criminal enterprise?
Mr. Snow. Senator, obviously, once again, in a different
forum we can go more in-depth to your question, but let me
answer it in a form that I can today.
Senator Hatch. Sure.
Mr. Snow. Through the National Cyber Investigative Joint
Task Force, which I mentioned in my opening statement, we have
18 intelligence community agencies and others there. We use a
concept that is called the threat focus cell concept where we
bring all individuals from the community that would address a
threat. The successes that we have had have been many. The
problem with it is that there are still some very high profile
cases that we have seen just by looking through the Wall Street
Journal and any other media outlet we have out there where we
still do not know to this day who the attacker is, what state
we can attribute it to, or who that person behind the keyboard
was, who that human person was that actually controlled that
attack or directed that attack.
Senator Hatch. Mr. Martinez, several months ago, as
Chairman of the Senate Republican High-Tech Task Force, I
requested that the Secret Service provide an extensive briefing
on transnational organized crime and international cyber
investigations. I thought that briefing was pretty helpful.
Now, while that briefing was not classified, it certainly was
law enforcement sensitive and provided the task force members a
fantastic overview of the transnational crime groups, primarily
located in Russia and Eastern Europe.
During that briefing Secret Service officials profiled a
particular hacker known as ``BadB,'' who was an accomplished
hacker in Russian cyber crime circles. Fortunately, he was
arrested overseas based on the investigative work of the Secret
Service.
Now, I want to take this opportunity to applaud you and the
Secret Service for its work in that case and others, including
the Nation's largest identity theft case that occurred at TJX
and Heartland Systems. That case had an extensive international
cyber crime connection.
Now, No. 1, what presence does the Secret Service have
overseas in countries such as China and Russia? And, No. 2,
what other mechanisms does the Secret Service have in place to
identify countries with the potential for cyber crime?
Mr. Martinez. Thank you, Senator Hatch. Yes, the Secret
Service has, I believe--and it is in my written statement. I
believe it is 22 overseas offices. And in countries where we do
not have an office, we take a regional approach where we have
agents that are specifically assigned to those countries. We do
have an office in Russia, and I am glad to announce that 2
weeks ago we got our long-term visa to open up our office in
Beijing, so we are very happy about that.
In addition to that, though, we rely a lot on our foreign
law enforcement partners, and as I stated earlier, we have two
foreign electronic crime task forces. So what we have done is
we have taken the concept of the domestic Electronic Crime Task
Force that Congress enacted back in 2002, and we have used that
same approach to our overseas offices. In doing so, we
collaborate a lot with our foreign law enforcement partners.
Just like the FBI does, we have agents embedded into cyber
crime units, and specifically agencies in specific hot spots
around the world.
We believe it has been very successful, and we have
capitalized on the relationships and partnerships with these
law enforcement organizations in order to apprehend some of
these high-value targets.
But in addition to that, one of the things we have recently
done, as we did last year, we did what is called the Verizon/
Secret Service 2010 Data Breach Investigative Report, where we
take information for our investigations and we publish that out
to the private sector. Well, the 2011 study that is about to
come out in 2 months not only includes data from Secret Service
and Verizon investigations, but it also includes information
from the National High-Tech Crimes Unit in Holland.
So, once again, there we are leveraging the resources and
the abilities of our foreign law enforcement partners, and the
lessons learned, the best practices, and the information that
we have obtained through our criminal investigations, we are
pushing that out to the private sector through things such as
the DBI Report.
Senator Hatch. Mr. Chairman, could I just make a short set
of remarks?
Chairman Whitehouse. Of course, Senator.
Senator Hatch. Thank you very much, both of you. I did not
have time to ask you any questions, Mr. Weinstein, but I
appreciate the work you are doing.
There is no doubt that we need to have a coordinated effort
between Government and the private sector to address cyber
crime abroad, and that is why last Congress I introduced, with
my colleague Senator Gillibrand, an international cyber crime
bill.
Now, our common-sense approach was widely supported amongst
those who are affected by these crimes on a daily basis. In the
coming weeks we plan to introduce this bill which will improve
and strengthen the Government's response to international cyber
crime. I would like you to look at that and tell us where we
can make it better and what your suggestions are for us so
that, when we introduce it, it will be truly something that
will be bipartisan and everybody can support.
Thank you, Mr. Chairman. I appreciate it.
Chairman Whitehouse. Of course, Senator.
Our next questioner is not only a distinguished member of
this Committee but also the Chairman of the Intelligence
Committee. Senator Feinstein.
Senator Feinstein. Thank you very much. I want to thank
you, Senator Whitehouse for your work in this area. As Chair of
Intel, I asked you to head a cyber task force, along with
Senator Mikulski and Senator Snowe, and I want everybody to
know that the three of you did a wonderful job, and our
information is much fuller and richer because of it. So thank
you for the work.
One of the things that apparently you accomplished was the
declassification of a lot of material of some of the robberies
that had taken place going back to 2008 that we on Intel knew
about--excuse me, I have a cold--but could not talk about. And
on January 3rd of this year, the Director of National
Intelligence wrote you a letter essentially saying that we have
compiled unclassified and in some cases declassified material
designed to explain the variety of cyber threats and to provide
real-world examples of damage in non-technical terms.
This was provided to the Congress and other elements of the
executive branch. I want to go over some of it which has now
been declassified.
In 2008, the Royal Bank of Scotland lost almost $10 million
withdrawn from ATMs in 49 cities worldwide.
Citibank, a cyber theft scheme resulted in over $10 million
in losses. Now, that is according to news reports.
Nationwide retailer T.J. Maxx, 45 million credit and debit
cards stolen in 2007.
Heartland Payment Systems, tens of millions of credit card
numbers compromised in 2009. And it goes on and on and on.
Mr. Snow, I believe in your testimony you indicated that in
2010 you arrested 202 individuals for criminal intrusions, up
from 159 in 2009, and obtained a record level of financial
judgments for cases amounting to $115 million compared to $85
million in 2009.
Now, we have looked at some of this and seen a lot of
attacks coming from Russia, from criminal elements in Russia,
from China, and from other countries, but I think those were
the two big ones.
I would like to ask this question: Where do you see the
majority of major attacks emanating from? And what is being
done to stop this?
Mr. Snow. Senator, right now we see on the criminal side a
majority of attacks coming from the individuals that are
located in Russia, obviously different from the Russian state,
and Eastern European countries. We see a very strong network of
a cyber underground, very closely associated with almost an
eBay or an Amazon type system where, you know, once you receive
a service from one of these cyber criminals, which are able to
just combine together in chat rooms in this cyber underground,
which are allowed to buy different pieces that they need to
carry out the attack, to execute the attack, to have the
cashers, the mules to receive the funds from the attack. They
are all graded and rated.
So we see that very large part of the world that is
extremely connected being an area where a lot of the threat is
coming from on the criminal side right now.
Senator Feinstein. How many arrests have been made? And how
do they get made? And how do individuals get prosecuted?
Mr. Snow. They get prosecuted--and I will refer back to DOJ
after I finish my statement, but they get prosecuted in
different realms. Some countries, depending on what the MLAT or
the extradition treaty is, will either agree to extradite an
individual if we have provided the information for them. As Mr.
Martinez talked about, with the collaboration that we are
working with these other countries, some will abide by the
extradition treaties that we have and bring the people back
here to the United States.
Senator Feinstein. Are the Russians cooperative in that
regard?
Mr. Snow. We have not had the Russians--they have been
cooperative in the joint prosecution arena.
Senator Feinstein. Have any Russian Mafia people been
arrested and prosecuted?
Mr. Snow. I would defer the Mafia side, but are you talking
cyber organized crime?
Senator Feinstein. Yes.
Mr. Snow. Yes, ma'am.
Senator Feinstein. And has Russia cooperated with the
United States in going after them?
Mr. Snow. Russia has helped in large part in many of the
cases that we have been involved in. We have exchanged
information with the Russian individuals that work cyber crime,
and we are still working on those types of relationships with
them.
Senator Feinstein. Thank you very much. Thank you. I am
glad to hear that.
Thanks, Mr. Chairman.
Chairman Whitehouse. Thank you, Chairman Feinstein.
Next is Senator Klobuchar, then Senator Blumenthal.
Senator Klobuchar. Well, thank you very much, Chairman
Whitehouse, for holding this hearing, and I truly believe that
protecting our Nation's cyber infrastructure is critical as we
increasingly depend on it for everything from paying our
utility bills to our financial services.
The innovation surrounding a free and transparent Internet
has been great for our economy, but we have also opened
ourselves up to risks, and those are risks that, unfortunately,
criminals try to exploit.
I am working with Senator Hatch on a cloud computing bill,
and we hope to introduce it soon. And I really do see that
cloud computing has the potential to alleviate some of the
concerns in the cyber security field, particularly by
introducing economies of scale and making sophisticated
protection available to all users on the cloud. However, it
also raises some unique diplomatic issues because data is being
stored in multiple countries.
Could you talk, maybe Mr. Weinstein, about issues of
international jurisdiction faced by your agencies when
investigating cyber crime or, Deputy Director Snow, involving
cloud computing? And would better international agreements be
helpful to enforce the rules?
Mr. Weinstein. We flipped and I won.
Senator Klobuchar. I noticed that, yes.
Mr. Weinstein. Senator, I cannot speak specifically to
international issues involving cloud computing. It is a
relatively new phenomenon, at least known by that name. But I
can say that, as a general matter, it is increasingly important
that we have strong agreements, international agreements,
either multilateral or bilateral agreements, with our foreign
law enforcement partners because so often the targets or the
instrumentalities of the crime are located overseas, even if
the data is not overseas.
For example, in the cases that Senator Feinstein just
mentioned, in the TJX intrusion, the servers that the data was
stored on, the primary hacker was located in Florida. But the
data was stored in Latvia and Ukraine.
Senator Klobuchar. Right.
Mr. Weinstein. In the Heartland case that Senator Feinstein
mentioned, some of the servers were--there were three servers
in the United States, or in three States of the United States;
but servers were also in Latvia, Ukraine, and the Netherlands.
In the RBS case, some of the targets and evidence was in eight
different countries.
What makes the RBS case useful, I think, as an example,
though, is that the intrusion was reported to us by the victim
company in December of 2008, and the indictment was brought in
November 2009. So in less than 11 months, the FBI, working very
closely with foreign law enforcement, managed to get the
evidence we needed, even though it was across our borders,
identify the targets, put fingers at the keyboard, and actually
bring charges. And, in fact, BadB, the hacker that Senator
Hatch made reference to, is now indicted in that case and is
pending extradition.
So when we have got those agreements in place and when the
foreign country we are working with has the will, the capacity
and the will--because you have got to have both--we can be very
effective. Too often the countries have the will but not the
capacity, and that we can deal with because we can devote
resources, as we do, to training them and to helping them
strengthen their own criminal laws and then to developing
international agreements in which they work with us. If they do
not have the will, there is a limit to how much we can do.
One thing we do do throughout the world is try to get as
many countries as possible to accede to the Convention on Cyber
Crime, which we think is a very useful international framework,
one that provides a very strong foundation for international
cooperation in these cases.
Senator Klobuchar. Now, I know a lot of my colleagues have
asked you about resources and how that would be helpful. How
about legal changes? Are there changes that we could make to
current law? What would you have on your top list of things
that would be helpful as we battle this new-found crime?
Mr. Weinstein. Well, I can say that we have got some ideas
about some potential changes to 1030 that we are discussing and
working on, and as soon as they are done, we will be pleased to
bring them to your attention and to work with you on them, as
well as any other ideas that you have.
Obviously, we are watching and very eager to be engaged on
the ECPA debate. I know you had a hearing on that where Mr.
Baker and others testified last week because changes in ECPA
actually--if standards are increased in such a way that puts
information out of the reach of law enforcement, it makes it
very difficult for us to investigate and prosecute cases
against cyber criminals who threaten Americans' privacy. So we
are very eager to engage in that debate.
And as you may know, there is an interagency process that
is moving at a fever pitch to develop some cyber security
legislation. I would not say it has been at a fever pitch
throughout its life, but I can tell you that in the last 6
weeks it has.
Senator Klobuchar. When did it start, Mr. Weinstein?
Mr. Weinstein. It started a while ago.
Senator Klobuchar. OK.
Mr. Weinstein. The fever pitch started more recently.
Senator Klobuchar. OK.
Mr. Weinstein. But, you know, we have got people who are
literally working around the clock, judging by the time at
which they are e-mailing me in the middle of the night to try
to get proposals ready to present to you, and so I think that
will happen very soon.
Senator Klobuchar. Are you satisfied with the criminal
penalties in place for engaging in cyber crime?
Mr. Weinstein. Well, one of the ideas we do have involves
some streamlining and strengthening some of the penalties that
are provided in 1030. As I said, that proposal is still baking,
and when it is fully cooked, we will be pleased to bring it to
you and talk to you about it further.
Senator Klobuchar. OK. I am out of time here, and I will
just ask in writing Assistant Director Snow questions about the
work with the private sector. Minnesota is home to Target and
Best Buy and several major companies that deal with this all
the time, and so I am interested in that issue. I actually
visited McAfee, their offices in Minnesota, and the work that
is being done there.
And then I also will, for the record, Mr. Martinez, follow
up on some questions with you as well.
Mr. Martinez. Absolutely.
[The questions of Senator Klobuchar appear under questions
and answers.]
Senator Klobuchar. Thank you very much.
Chairman Whitehouse. Senator Blumenthal.
Senator Blumenthal. Thank you, Mr. Chairman.
I would like to join in thanking Senator Whitehouse for
holding this hearing and for his interest and effective action
in this area.
You know, we have been talking a lot about enforcement and
about potential changes in the law, and if I have time, I would
like to return to that subject. But I was very interested in an
observation made by one of the people who is going to follow
you in talking to us today, John Savage, who is a professor at
Brown, who says in his testimony, and I am going to quote,
``Computer industry insiders have solutions to many cyber
security problems, but the incentives to adopt them are weak,
primarily because security is expensive and there is no
requirement they be adopted until disaster strikes.''
Now, I have been involved in enforcement relating to this
issue, and I do not mean to minimize your efforts. In fact, I
think they have been heroic and remarkably effective, both at
the Federal level where you work and often at the State level.
But don't the holders of this information--and I am thinking of
Epsilon, for example, most recently the supposed victim of a
major breach--have a greater obligation to do more to safeguard
this information? And how do we create those incentives that
Professor Savage mentions to make your job more effective? I
will not say ``easier'' because nothing can make your job
easier, and I have great admiration for what you do. But how do
we create those incentives so that private companies are more
partners of yours in this enforcement effort? And I ask that of
all three of you, and I will let you go in whatever order you
would like.
Mr. Martinez. I will take it. Senator----
Senator Blumenthal. And, by the way, you may disagree with
Professor Savage, too. I am not assuming that you will
necessarily agree.
Mr. Martinez. Senator, I believe also Mr. Weinstein spoke
about a proposed package that is forthcoming here to Congress
regarding a comprehensive number of cyber bills that all three
organizations sitting at this table have been involved in the
crafting.
One of those proposals involves data breach legislation,
and I think it is important for us to create a national data
breach bill so that we do not continue to have this myriad of--
I believe right now there are 47 individual State data breach
requirements, all of which are unique and all of which have
different reporting requirements. So I think it is important
that we do have a national data breach bill.
As part of that national breach bill, I think it is
incumbent and it should be required that if companies do have
an intrusion, they not only notify the consumers or the victims
whose information might have potentially been stolen, but that
they also notify the Government and that the Government be
notified of the fact that there has been an intrusion.
To the point of the professor's, the other part that I
think is important in the legislation--and I think the
administration is going to be addressing that--is that there
also be a safe harbor for those computers that have protected
the information in a proper way. So even though they have an
intrusion but the information is protected, that they
themselves be protected via some type of safe harbor so that
civil action might not be taken.
I think in the package of legislation that the
administration is finalizing, you are going to see all three
aspects of that in that legislation.
Mr. Snow. And, Senator, I would just add that I would echo
Mr. Martinez's comments, and I would also say that I do not
think anything in the professor's statement is wrong. I think
the professor is exactly right. But a little bit closer
scrutiny of this statement would say something that is really
important, and that is that many of these people have many of
the solutions for many of the problems and understand that it
is a multi-layered, multi-faceted problem. To throw a few
solutions at some of the problems does not solve all the
problems. So we have to understand.
Right now I do not think there is any secure system out
there. I think it takes a defense in-depth layering, and I
think that is something that we have to work on.
On his point of weak incentives, I think he is exactly on
point. You know, I will go back to the bank robbery days that
the FBI was going from place to place. Just getting somebody to
put in a new VCR was extremely difficult because that was 60-
odd-some dollars at the time, and that did not do anything but
take away from the security budget.
I think that is the same thing we see in businesses right
now. That security that we layer that we think is essential is
not really put in place until there is a tragic incident, an
embarrassing incident, an incident that costs them close to a
huge concern about them being a continuing entity or a going
concern.
Senator Blumenthal. Mr. Weinstein.
Mr. Weinstein. I do not have anything to add to what Mr.
Martinez and Assistant Director Snow said other than to
emphasize that it has to be both incentives for companies to
protect themselves against breaches--and I do think that most
companies, especially those that operate in good faith and care
about their business reputations, do want to protect
themselves--but also, as Mr. Martinez said, to report the
breaches when they do happen.
I anticipate, although the shape of our package of
proposals is still being formed, but I do anticipate there will
be something about data breach reporting in that package, and
we look forward to working with you on that.
Senator Blumenthal. Well, I would be eager to work with you. As
you may know, Connecticut is one of those States that has a
reporting requirement. I have asked for Epsilon to provide
credit reporting services as well as identity theft insurance,
which has been standard in what Connecticut at least has asked
the companies that had this information that may have been
breached to do in the past and has also sought penalties. So I
might just suggest, without commenting on Epsilon or any other
particular instance, that providing these incentives for
adoption of this technology is something that is worth your
very serious and positive scrutiny.
Thank you.
Chairman Whitehouse. We will go very shortly to the next
group of witnesses, and I will excuse this panel. I do have a
question for the record that I would like each of you to take
with you and answer for me, and I think Senator Kyl will do his
in writing.
Assistant Director Snow mentioned the high level of
activity of the sort of eBay type situation of the Russian-
based hackers and criminals who are working on this, and I am
reminded of the lawsuit that was brought by Microsoft against
the Waledac botnet, which was able to obtain a court order
involving the legitimate Internet world--the domain providers,
the ISPs and so forth--to cut off service from the command-and-
control nodes of that botnet so that it no longer was
operative. And it strikes me that without actually doing
criminal prosecutions of folks, we could be very aggressively
hunting down these criminals and these attackers on the Web and
disabling them with civil injunctive measures that require the
ISPs, the domain registrars, and so forth to stop providing
service in certain components or to certain addresses or to
certain types of transmissions from addresses. And because
virtually all of this flows through the United States at some
point, jurisdiction should be fairly easy to get compared to an
unknown hacker who is working through a server in Estonia that
links to a server in the Ukraine that links to a server
somewhere else before it even gets here.
So I would like to hear from each of you as to what extent
your organization's cyber resources are empowered to support an
active criminal defense that uses civil law to shut down some
of these activities by authorizing the service providers to
engage with court permission, protected from liability because
of that, in a way that disables this. OK. Clear?
[The information appears as a submission for the record.]
Chairman Whitehouse. And Senator Kyl will do his for the
record.
[The questions of Senator Kyl appear under questions and
answers.]
Chairman Whitehouse. So with gratitude for your service and
for your focus on this very significant problem, I will excuse
this panel, and we will take a 2-minute recess while the next
panel convenes. Gentlemen, thank you all very much.
[Pause.]
Chairman Whitehouse. Let me call the new panel to order,
and thank you all for being here. Let me first ask that you
stand and be sworn. Do you affirm that the testimony you will
give in this Committee will be the truth, the whole truth, and
nothing but the truth, so help you God?
Ms. Schneck. I do.
Mr. Savage. I do.
Mr. Baker. I do.
Chairman Whitehouse. Thank you. Please be seated.
Welcome. We will begin with Phyllis Schneck, who comes to
us from McAfee, where she is vice president and chief
technology officer for their global public sector operations.
Previously, she was vice president for threat intelligence for
McAfee. She served as a commissioner and a working group co-
chair on the public-private partnership for the CSIS Commission
to Advise the 44th President on Cyber Security, which I am
proud to say was a report co-authored by my colleague in the
Rhode Island delegation, Congressman Jim Langevin. Ms. Schneck
also served--Dr. Schneck, I should say, also served for eight
years as Chairman of the National Board of Directors of the
FBI's InfraGard program, which has already been mentioned
today, and vice president of research integration at Secure
Computing. She has a Ph.D. in computer science from Georgia
Tech.
Ms. Schneck.
STATEMENT OF PHYLLIS SCHNECK, PH.D., VICE PRESIDENT AND CHIEF
TECHNOLOGY OFFICER, GLOBAL PUBLIC SECTOR, MCAFEE INC., RESTON,
VIRGINIA
Ms. Schneck. Chairman Whitehouse, Ranking Member Kyl, and
other distinguished members of the Subcommittee, thank you for
requesting McAfee's views on responding to the threat of cyber
crime and cyber terrorism. Your Subcommittee is playing a vital
role in cyber security, helping to investigate sophisticated
syndicates of criminals and terrorists who deploy cyber attacks
to finance their operations and undermine the security of our
country. Thank you for your commitment.
My testimony will focus on the following three areas: the
evolution of the cyber security threat landscape, as that has
changed over the past few decades; two major cyber security
attacks--Operation Aurora and Night Dragon--McAfee's technical
response to the cyber crime challenge and the implications for
national security from those attacks and others that look just
like it as we look at the future of our cyber security and
resilience in this country; McAfee's commitment to partnering
with law enforcement and the law enforcement community; and
policy recommendations to support law enforcement and improved
public-private collaboration and information sharing that is so
vital to give the Government the capabilities that it needs to
respond to this modern cyber security challenge.
First, a rollback on McAfee and our definition of cyber
crime for this testimony. McAfee protects businesses,
consumers, and the public sector worldwide from cyber threat.
Headquartered in Santa Clara, California; Plano, Texas; and a
large operation in Minnesota, McAfee is the world's largest
pure dedicated cyber security company, and McAfee is a wholly
owned subsidiary of Intel Corporation.
Today we use the term ``cyber crime'' to cover the act of
using electronic means to gain unauthorized access. As we heard
in the last hearing, cyber crime covers the spectrum, from
simply gaining notoriety to pooling funds, for organized crime,
now to intellectual property, and destruction--destruction of
critical infrastructure--with the very far end of the spectrum
some are calling ``cyber terrorism.''
Our overall key challenge is that the profit model benefits
the cyber adversary: very low barrier to entry, this stuff is
easy for them; and very, very strong reward, often large
amounts of money; often destruction; very, very little
attribution.
This adversary is fast. This adversary works faster than we
do. They build relationships, they build trust. As was
mentioned in the last hearing, the cyber underground, they know
how to share information. They have no intellectual property
boundaries, no legal boundaries, very often funded fully by
their government. No problems to execution.
As we have evolved in the cyber security threat landscape,
the traditional model of defeating malware, which is basically
an instruction that commands a machine to do now whatever the
adversary desires, and whenever, and send back whatever the
adversary desires, our traditional signature model does not
work.
For the past decade, the industry has looked at
understanding what could come in, recognizing what is wrong,
and blocking it, just like a vaccine would block a cold from
your body or a disease.
So we look at 50,000 new pieces of malware every day in
McAfee labs. We have seen many of the sites that were described
earlier in the cyber underground. We track the criminals. We
see this adversary, and we propose two key technologies that we
believe are the future to cyber security technology on the
technical side, understanding that this is half a people
problem, half a technology problem. These key technologies are:
Whitelisting, which is very simply closing the door. If you
are not an approved instruction, you do not run. It no longer
matters how many bad-guy instructions are on a machine. If you
are not known to be good, you simply do not run.
The second one being global threat intelligence, behavioral
understanding to build the cyber immune system, just like your
body fights off a cold or disease without knowing its name
automatically, we believe our networks should be a lot smarter
and pull data from our companies and others across the
financial field and the energy sector, across the critical
infrastructure to block bad things from coming into networks.
Two major attacks this year that McAfee led for
investigation: Operation Aurora and Night Dragon. In January
2010, Operation Aurora was exposed for having compromised
Google and 30 other companies. This year, Night Dragon.
In Operation Aurora, the adversary was looking for
intellectual property. Very large stores of IP and software,
and they identified exactly who in those companies would have
it, and they got it by social engineering their way in and
getting those people to answer an instant message.
In Night Dragon, they targeted the oil and gas industry
across the world looking for architectural documents,
pipelines, and looking at where the new oil exploration would
occur.
McAfee is fully committed to partnering with law
enforcement. We have a long history, my own having run the
FBI's InfraGard program nationally on the private sector side
for 8 years. I also chair the National Cyber Forensics and
Training Alliance. My colleagues, thousands of them working in
partnership with law enforcement every day at the Federal,
state, and local levels, assisting with investigations, working
closely with the intelligence community, also building strong
relationships with the FBI and Secret Service across our
partners.
We recommend in policy more budget to fund our law
enforcement colleagues, greater situational awareness in this
data, and stronger global partnerships, protect the private
sector so that we can release data very quickly without
worrying about material benefits for shareholders.
Thank you again for the opportunity to be a part of the
process in fighting cyber crime with law enforcement and
Government relationships. I look forward to your questions and
continued discussion.
[The prepared statement of Ms. Schneck appears as a
submission for the record.]
Chairman Whitehouse. Thank you, Dr. Schneck.
Before I go on to Dr. Savage, since you referenced the
Night Dragon report, I would, first of all, like to compliment
it. It is the clearest, most trenchant, accessible document I
have yet read in a lot of reading that I have done about cyber
security. Anybody who is watching this or listening to this and
has not had a look at that, it is a really, really good
document, both in terms of the overlay, the sort of
contextualization of this as a rapidly emerging threat with
rapidly increasing sophistication and multiplication of
incidents, but also as a quite clear layman's description of
how the attack takes place right down to showing the screens on
the computer that you would see as you go through the attack.
So what I will ask is unanimous consent that that report be
made a matter of record for this Committee hearing, and we can
provide a copy because I have got it. But I do applaud that. I
think that is a very, very clear, useful document, and thank
you very much for preparing that.
[The report appears as a submission for the record.]
Chairman Whitehouse. Also, unlike most of the stuff that is
put out here, it was unclassified and not kept proprietary. One
of the real problems in this area is that we know so little
about it because if it is the Government it is classified, if
it is the private sector it is held proprietary, and the public
is kept, unfortunately, ignorant of the actual threat. So I
think you did a real service with that, and I thank you.
Ms. Schneck. Thank you, Chairman Whitehouse. Would it be
out of line for me to point out that report was written by my
colleague, Dmitri Alperovitch, in the row behind me.
Chairman Whitehouse. No, it would not be. It would be very
appropriate, and I am glad that he is here for this. I guess I
lucked out by saying nice things about it instead of bad
things.
[Laughter.]
Chairman Whitehouse. And now from the great State of Rhode
Island, from a university we are very proud of, Brown
University. I am delighted to have the chance to introduce Dr.
Savage. He is a professor in the Department of Computer Science
at Brown, currently conducting research on cyber security,
computational nanotechnology, the performance of multi-core
chips, and reliable computing with unreliable elements.
It sounds like something we try to do here in Congress.
Dr. Savage served as a Jefferson Science Fellow in the U.S.
Department of State during the 2009-10 academic year. He earned
his Ph.D. in electrical engineering at MIT, after which he
joined Bell Labs and then the faculty at Brown where he co-
founded the Department of Computer Science in 1979. He has
multiple clearances and knows a lot about this.
Dr. Savage, thank you. Please proceed.
STATEMENT OF JOHN E. SAVAGE, PROFESSOR OF COMPUTER SCIENCE,
BROWN UNIVERSITY, PROVIDENCE, RHODE ISLAND
Mr. Savage. Thank you, Chairman Whitehouse and Ranking
Member Kyl and members of the Subcommittee.
As you have heard, the Internet which is so important to
our economy, also exposes us to great risks. I have a few
statistics that highlight this fact. Last year it was reported
that more than half of all the computers worldwide were
compromised. This means that each of these computers is not
only capable of being used to steal personal, corporate, or
Government data; they can also be marshalled into botnets and
used for nefarious purposes.
For example, the Mariposa botnet is reported to have
controlled a remarkable 12.7 million computers, distributed
across 190 countries, before it was silenced in early 2010. If
a botnet of this size were used to launch a denial-of-service
attack, it could wreak havoc on the Internet. More importantly,
if deployed to disrupt Internet routing tables using a
technique discovered and announced in early February, experts
say that routing on the Internet could be severely disrupted.
I cite these examples to illustrate some of the damage that
could be done via the Internet. If we add to the mix that some
important control systems, such as those used for electrical
power generation, can also be attacked, destroyed, or disabled
by the Internet, we see that hazards lurk here that were
unanticipated when the Internet was designed. The Internet,
which has contributed so much to our economic strength, allows
us to more tightly integrate segments of our economy; thus,
attacking the Internet is a way to attack large portions of our
economy.
Because cyber crime and terrorism are international in
nature, they both require a domestic and international
response. We must elevate our domestic security standards in
our hardware and software networks. We cannot tolerate having
several times more botnets than any other nation, nor large
numbers of compromised computers. We also need to better
control the supply chain as well as strike international
agreements to curb abuses that originate at foreign sites.
So we ask: What steps can we take as a Nation?
First, we should create the incentives and, if necessary,
regulations to design and improve computer security. Any
proposed regulations should be developed through a consultative
process involving those being regulated.
Second, the private sector and individual citizens need to
be educated to the need to keep their systems current with
security standards.
Third, steps should be taken to make the domain name system
more robust by accelerating the adoption of the domain name
system security extensions.
Fourth, understanding that our Nation faces a serious
deficit, we must nevertheless maintain strategic and targeted
funding for cyber R&D. In the policy dimension, we should
engage in a national conversation on the types of international
agreements that will best serve our cyber security interests.
Many interesting ideas have been proposed that should be
debated. Leading thinkers have said that the U.S. is not
sufficiently engaged in international negotiations to our
detriment.
Some may ask: Can we manage these problems? Are these
problems manageable? My answer is yes. I liken our computers to
our homes. A determined attacker can easily break into them. So
why aren't most of our homes invaded more often? Apparently
because the locks are good enough, the neighbors sufficiently
vigilant, uniformed police officers are sufficiently visible,
and the punishment if caught and convicted sufficiently onerous
to deter attackers. We need to arrive at a similar state in
cyberspace.
Many of us are struggling to understand, from both policy
and technological points of view, these issues. There are few
technologists conversant with policy and few policymakers
sufficiently knowledgeable about technology. Thus, there is an
opportunity here to bring the two camps together.
In the early days of the cold war, strategy development is
said to have lacked sophistication. However, once the
insightful analysts studied the issues, a more mature approach
to policy emerged. The same must be done for cyber security
policy.
In closing, let me say that cyber security research is very
young. While some profoundly interesting results have been
developed, many challenges remain. Since cyber security plays a
central role in our economy and is an important branch of
national security, it deserves to be given priority for
strategic, targeted research funding in both the technological
and policy realms.
Thanks, and I am happy to answer your questions.
[The prepared statement of Mr. Savage appears as a
submission for the record.]
Chairman Whitehouse. Thank you, Dr. Savage.
Our final witness is Stewart Baker, a partner in the law
firm of Steptoe & Johnson, where his practice covers national
and homeland security, cyber security, electronic surveillance,
law enforcement, export control, encryption, and related
technology issues. From 2005 to 2009, Mr. Baker served as the
first Assistant Secretary for Policy at the Department of
Homeland Security, where he oversaw the office responsible for
department-wide policy analysis, international affairs,
strategic planning, and relationships with the private sector.
From 1992 to 1994, Mr. Baker was General Counsel of the
National Security Agency.
Thank you for being with us.
STATEMENT OF STEWART A. BAKER, PARTNER, STEPTOE & JOHNSON, LLP,
WASHINGTON, D.C.
Mr. Baker. Thank you, Mr. Chairman, Ranking Member Kyl,
Senator Blumenthal.
I should say the one other credential that was left off of
my biography is that I am Brown Class of 1969.
Chairman Whitehouse. Very important credential to the
Chairman. Thank you.
Mr. Baker. I would like to spend a little time on--I talked
in my testimony about how bad this problem is. It is worse even
than we have heard today because there really are very few
barriers to a substantial increase in cyber attacks and cyber
crime. I laid out in my testimony the many things that we had
hoped will save us that will not.
Blaming Microsoft is not going to save us because almost
all of the software that is being used today has similar flaws.
Trying to use tokens, which many of us believe would save us
instead of passwords, increasingly have been compromised by
hacking attacks and by realtime exfiltration of those token
credentials.
We are not even going to be able to save ourselves if we
call people up and say, ``Did you really send me this e-mail?''
Because that kind of out-of-band confirmation of the sort
you get with your credit card is increasingly at risk as we
move to IP telephony, which will have all of the problems that
ordinarily computers have as well.
Disconnecting from the Internet, which we also are not
going to do, is not going to solve this problem because the
agencies that have tried doing that--the Defense Department,
the Iranian Natanz centrifuge plant--have, nonetheless, been
compromised by attacks that use thumb drives and other media as
a way of transporting the compromising software.
What many of us hope to rely on, the anonymity that nobody
is really particularly looking for me, is also not going to
save us because, increasingly, it is possible to essentially
infect the world and then ask your malware to run in the
background until you do something that the crooks think is
interesting, like log on to a particular account with a private
equity fund, which indicates you have enough money to be worth
stealing from, at which point they will start stealing from
you.
All of those things are solutions that will not actually
work. And perhaps most important for this Committee and this
hearing, law enforcement is, in my view, almost entirely
helpless at this point. Six more prosecutors are not going to
address this issue in any significant way, and the principal
reason for that is that--I thought Professor Savage got it
right. We do feel safe in our houses, but it is not because the
locks are perfect. The locks on our houses are much worse than
the locks that are already on our computers. What is different
is that there is a realistic possibility of being caught
committing a crime if you try to break into somebody's house
and almost no possibility that you will be caught and
prosecuted if you commit a cyber crime.
I have suggested a bunch of rather tentative approaches to
solutions in my testimony, but I would like to just focus on
one, which is we really need to do a much better job of
building in attribution and minimizing anonymity on the
Internet, making it much more difficult for people to do
business, send e-mails, transmit packets and the like, and be
confident that they cannot be tracked back to their actual
identity.
This is a very difficult task. It is an architectural
problem that is quite significant. But, in my view, we will not
solve this problem if we cannot realistically threaten to
punish the people who are carrying these attacks out. We will
simply see more and more sophisticated, more and more
elaborate, and more and more damaging attacks until we begin
structuring the Internet and structuring the relationship that
ISPs have with each other and with their customers so that it
is much more difficult for people to avoid being identified
when they commit these crimes.
I will stop there.
[The prepared statement of Mr. Baker appears as a
submission for the record.]
Chairman Whitehouse. Thank you very much.
We had General Alexander, who I think is a really
remarkable individual, come to the University of Rhode Island
yesterday. He came at the invitation of Congressman Langevin,
who has a very significant role in this area on the House side,
and Jim Langevin and I talk frequently about this issue because
I have an interest on our side as well.
During the course of the discussion, General Alexander said
that we could--right now our stock markets, our financial
markets could be taken down, our power grid could be taken
down. If our power grid were taken down, it would not come up
quickly. It would not be just like the branch fell on the wire
outside your house, but do not worry, when the truck comes, the
power will be back on. It would be much more persistent and
prolonged than that. He said that the entire financial sector
is vulnerable and could be compromised, communications
networks, and that they could interlock. So the scale of how
bad this could be, if it really gets to the level of full-blown
cyber war, is really very, very dramatic.
I am interested--since we have private sector folks here,
this may seem like a hypothetical question, but I would love to
get your take on it.
If you imagine that there is a universe of cyber threats
out there and within that universe of cyber threats there is a
group of them about which the Government has awareness--Mr.
Baker, your old shop has pretty wide awareness, probably wider
than anybody else in the world, into the criminal ecosystem of
the cyber world. Within that larger awareness, there is an
awareness that the private sector has at its best level, at the
level of McAfee, at the level of Symantec, RSA, and so forth.
I would love, starting with you, Dr. Schneck, to get your
sense of what portion of the awareness that NSA has of the
cyber threat you think the private sector has. Clearly, it is
going to be a subset. But is it a tiny subset, or is it a
significant portion? What is your guess on how much visibility
McAfee and Symantec and the rest of the private sector
defenders of our private sector corporations have compared to
the NSA and to the overall picture?
Ms. Schneck. Thank you, Chairman Whitehouse. I will steal
some words from AD Snow earlier and ask that we could continue
part of this answer in a different forum. So clearly there will
be an overlap between what any Government entity, whether it is
intelligence, community law enforcement, DHS--would know and
what the private sector knows. I think we get our intelligence
differently in some cases. We get ours from protecting
customers, so first and foremost, whether the threat is just to
get a little money or whether it is to destroy the electric
grid, we block that threat. We stand in front of the target; we
make sure the threat does not get there. That is our first
move. That is the in-line, speed-of-light work.
The second line is the human work. The reason that is so
hard is because we see all this data come together, and it
paints a picture. This happened in Night Dragon. And as that
picture came together, you realize that it is targeting the oil
and gas sector. At what point can we in the private sector
share that picture with the intelligence community, with the
FBI and the Secret Service?
Chairman Whitehouse. Let me try to focus back on my
question, and before I give the other two witnesses a chance to
answer it, would you at least concede that the awareness that
the cyber defense private sector community has of the threat is
significantly smaller than the awareness that NSA has of the
threat?
Ms. Schneck. So it is hard to answer that question in this
forum. I think the awareness is different. I do believe there
is an overlap. I think there is a lot of data in the private
sector that, if we were able to share that more readily with
some legal protection, we would protect our country better.
Senator Whitehouse. Do you understand my question, Dr.
Savage----
Ms. Schneck. I do, and I believe----
Chairman Whitehouse. No, no. I am sorry. I am going on to
the next witness.
Ms. Schneck. OK.
Mr. Savage. I do understand your question, and I cannot
answer it either because I do not represent either the private
industry or the intelligence community.
However, what I will say is I would not be surprised if the
private sector had access to perhaps more data than the
National Security Agency simply by virtue of the fact that they
have sold, they sell products to customers worldwide, monitor the
state of computers worldwide. Although before I do not know for
sure, I expect that the National Security Agency has a
different focus.
So I would not be surprised if the private sector had a
great deal of very useful information.
Chairman Whitehouse. And, Mr. Baker, what is your take?
Mr. Baker. I would divide the problem into three possible
kinds of attacks: there are attacks to steal money, there are
attacks to steal secrets, and there are attacks to sabotage a
system.
When it is a question of stealing money, I would say the
private sector is better informed and better protected than the
U.S. Government or Government agencies generally. It affects
the bottom line. They know how much to spend. They want to
spend enough to stop losses that are equivalent to what they
have spent. And they do a better job than the U.S. Government
protecting themselves from that kind of an attack.
Stealing secrets, I would say the U.S. Government has a
better awareness and, by and large, I get more calls from
people in the private sector who are alerted to their losses by
the U.S. Government than the other way around. And there is a
tendency, if you do not steal secrets for a living, as
intelligence agencies do, not to believe that people are really
doing that to you, and the private sector falls prey to that
illusion.
And then there is sabotage where I think the private sector
is utterly clueless. They do not want to think about the
possibility of sabotage because they have no idea what to do
about that. They will end up spending money and getting nothing
obvious back because they are running now--they have not been
sabotaged yet, so all they get is a sense that maybe they would
withstand an attack, but they do not even know that.
And so they are reluctant to spend money or even to hear
the message in the private sector, the electrical grid, or the
pipeline companies and the like. The reluctance to hear that
message is profound.
Chairman Whitehouse. Senator Kyl.
Senator Kyl. Thank you, Mr. Chairman.
First, Mr. Baker, two questions for you. You discussed the
supply chain vulnerabilities, including the new smart grid
infrastructure. What is being done to ensure that the smart
grid does not become in essence an electronic Trojan horse?
Mr. Baker. Well, some things are being done on paper. There
are security standards being developed. Whether they are really
sufficient is open to question. But even if they were
sufficient, there is not an obvious enforcement mechanism. The
mechanisms for regulating power companies are deeply local and
State, and both the power companies and the State PUCs like it
that way, and they do not want the Federal Government to step
in and start telling them anything about their business. And so
while the Federal Government can recommend some security
standards, the PUCs who have to enforce them, in my
understanding, are not really doing much.
Senator Kyl. So we have still got a big problem there.
Mr. Baker. Yes.
Senator Kyl. Now, I think you are aware that last year
Congress gave the Department of Defense some new powers to
protect its information systems, and I wonder--regarding the
supply chain, again. I am just wondering whether you think
maybe Congress should use that kind of authority as a template
for other agencies in the Federal Government.
Mr. Baker. Well, certainly other agencies beyond the
Defense Department have to worry about the possibility that the
supply chain will compromise them, and indeed, you know,
anything that we think is a worry for the Defense Department is
probably a worry for the New York Stock Exchange or Citibank,
and we should not be encouraging them or allowing them, without
knowing about the risk, to continue to rely on insecure
material.
Senator Kyl. So we might take a look at that template in
dealing with other agencies that have important issues like
that.
Mr. Baker. Yes.
Senator Kyl. Now, for all of you, there is a sense here
that there is no silver bullet except better enforcement, but
better enforcement is really hard to do, well, primarily from a
resource standpoint, but also a capability standpoint. So I
presume that incremental changes, including creating
incentives, is one of the answers here. And in terms of
changing behavior, my question is with the private sector--in
particular business but also individuals--whether a greater use
of the concept of insurance as providing incentives would help
the private sector develop better protections. Maybe we will
start with you, Mr. Savage, and then Phyllis.
Mr. Savage. I agree. Cyber insurance to protect against
fraud, theft, interruption of service, things of that sort
would be very valuable, because I recall many years ago
learning about workers' compensation insurance where an
insurance company would issue a policy but they would also
provide experts to come into your place of business to help you
improve it so that they could reduce the number of injuries
and, therefore, the number of charges.
When I was in the State Department, I sat on a NITRD panel
that put together a set of recommendations, one of which was a
cyber economics recommendation for funding in fiscal year 2012's
budget, and the idea there being that if you offer insurance,
you can invite companies who are going to purchase the
insurance to provide you with incident information, which you
can then collect and use to create actuarial tables reducing
their costs, but also pooling these resources with other
insurance companies.
The good news is that when I was in the State Department, I
received a call from a Brown grad who had seen I was a
Jefferson Science Fellow. She works for an insurance company in
the Hartford area that sells insurance of this kind, but they
were a little bit at sea because they could not really find
the others and work with the others to do this kind of thing
that I described.
Senator Kyl. Especially ways to help resolve that problem
and whether the Government should be involved in this, Dr.
Schneck?
Ms. Schneck. So, thank you. We have looked at the insurance
model for about 11 years that I remember. The key road block to
that was the lack of the actuarial data, to Professor Savage's
point on the need for that data. So in the startup, we have
plenty of data we can look back on in driving habits and other
areas where things are insured, but in this arena so little is
reported that we know what we know because we are out there
protecting, but to Mr. Baker's point, most of the private
sector does not have this kind of knowledge. So that actuarial
data to make the model work on the insurance would be
exceedingly difficult.
That is not to say it would not be a great idea to
incentivize, but we would have to make sure of two things: one is
that the data is there so that nobody gets burnt, so the model
fits; and the other is to ensure that we are not encouraging
companies to be compliant, they have to be secure. There is a
very big difference. Do not just check the box, but
comprehensively protect your infrastructure.
Senator Kyl. Mr. Baker, any other thoughts?
Mr. Baker. Yes, very briefly. For insurance to work, people
have to either expect a harm, an identifiable harm, or
identifiable liability. The likelihood of liability in this
area has so far been pretty minimal just because of the
difficulty of tracking the attacks. And if all they steal is
secrets, you are not going to be able to identify a harm that
an insurance company will be comfortable reimbursing you for.
So it is part of the solution, but it is not as good a
solution as I would like.
Senator Kyl. Thank you.
Chairman Whitehouse. Senator Blumenthal.
Senator Blumenthal. Thank you. I would like to pursue that
line of questioning, but first thank you, all three of you, for
your very enlightening and useful testimony, and I would like
to pursue some of the questions here outside the time that I
have.
But in terms of liability, that is something that
corporations understand. If we talk about incentives, which is
where I was going with the last panel--treble damages--we know
how to impose liability, we know how to penalize. The courts do
it all the time. They have to put estimates on that harm. It
may be difficult to calculate, but, you know, we do it with
pain and suffering. If we can do it with pain and suffering,
then we can do it with the kind of commercial damage that
people suffer, which is much easier in many respects to
quantify.
So for all of you--but it is a question raised by Dr.
Savage's testimony, and I am quoting again: ``. . . the
incentives to adopt them are weak''--referring to the solutions
to these cyber security problems--``primarily because security
is expensive and there is no requirement they be adopted until
disaster strikes.''
What can we require--and I invite you to supplement your
answers here perhaps after you think about it some more. What
can we require, whether it is liability or Senator Kyl
mentioned insurance--and I agree with you about all the
difficulties raised by the insurance model. What can we do to
really grow your business, Dr. Schneck? And I do not mean that
altogether facetiously, I mean not just grow your business, but
grow the interest and incentive to do the kinds of things that
you advise your clients to do.
Ms. Schneck. Thank you. I think the first might be to
incentivize some innovation. So we have grown by finding ways
around this adversary. We get them by going at the speed of
light. That was a focus of necessity. That was market driven.
If we can change our culture a bit to have companies
incented to innovate around security and find models that work,
find ways that make them money by being more secure--and the
insurance model is a subset of that--I think that is one area.
The other might be some tax incentives, and, again, not
just being compliant but in doing it right and having that--
again, the decade-old discussion but the top-down policy, the
culture of security in the company.
Senator Blumenthal. But we want to measure results, not
just that they put a better fence around the home----
Ms. Schneck. Correct.
Senator Blumenthal.--or a better fire alarm--which, by the
way, insurance companies do reward so the insurance model does
work--or other kinds of alarms on homes.
Professor Savage or Mr. Baker.
Mr. Savage. I will say quickly, I continue to be troubled
by end-user licensing agreements which state that the company
selling me the software has no responsibility for it once it is
in my hands. I cannot fix any bugs that exist or any security
hazards that exist in that software myself. I cannot even keep
it up to date quickly enough because, as we know, as we have
heard, half of all the malware goes undetected.
It is said that last year PandaLabs reported that half of
the malware lived for 1 day. I am not sure to what extent that
statement is correct, but that is what I read.
Coming back to a point you made earlier, you asked about
the technologies that could be incorporated, well, there are--
you know, research is being done all the time, and it takes
time, of course, for these results to appear in products. But
there are ways to detect botnets. There are ways to defeat
denial-of-service attacks and things of that sort. And if there
were the right incentives--and I do not know what they are--
maybe some of our companies would be more ready to adopt them.
Now, having said that, there has been a lot of work done by
a number of companies both in the software sector and financial
services sector to introduce security techniques to teach their
engineers to write code that is less easily attacked. And I
think many of those efforts are actually terrific, and you can
see it, I think, in the reporting rates of errors.
So I want to applaud the industry for doing that. At the
same time, I think they need to take responsibility for this
issue. And as I say, many are, but not all.
Senator Blumenthal. Thank you.
Mr. Baker. If I could just--I know you are deeply familiar
with the data breach laws and the penalties for that, and I
have good news and bad news about those laws.
The good news is they have made a big difference in
corporate behavior. The companies do not want to have to
disclose that they have released a large amount of personal
information about consumers, and they will take steps to
prevent that from happening.
The bad news is that that is where the security budgets
have, by and large, gone. They are spending a lot of money to
make sure that their hard drives are encrypted so that if they
leave the computer, the laptop, at the airport, they do not
have to disclose a breach. They are not, by and large, treating
some of these more sophisticated attacks with the same kind of
attention because they do not tend to produce a verifiable
personal information breach.
And so if you are going to go down that road, I would urge
you to try to find an agency with a broader picture of the
kinds of attacks that can adjust the incentives so people are
actually responding to the worst kinds of attacks, the ones
that are most dangerous to us as a country.
Senator Blumenthal. Thank you.
Thank you, Mr. Chairman.
Chairman Whitehouse. Mr. Baker, as the lawyer on the panel,
let me ask you two questions.
One, in response to what Dr. Savage said, should we be
concerned that significant players in this area are purporting,
at least, in their contractual arrangements to relieve
themselves of any liability, given that liability is often a
motivating factor in human behavior?
And, second, to follow up on my question to the earlier
panel, I was very impressed by Microsoft's lawsuit. I asked
them to send me the complaint. I thought it was very well done.
And they did not really have a hostile defendant. The
defendant, the provider who was at stake, was perfectly happy
to comply as long as they had a court order that gave them a
reason to do it and protected them from any liability for what
they did. And I am a little bit surprised that there does not
seem to be more activity in that arena, somebody knows that
there is a bot out there that they can disable, somebody knows
that there is a worm out there, somebody knows that there is a
piece of--a website that is--you know, whatever it is that they
know about their risk posture, it seems very rare that somebody
actually goes to a court and says, oh, by the way, let us bring
in--again, the domain registrar, their ISP, or whoever--and say
we want you, because of the threat to our welfare here, to make
this change in your programming so that our threat is
diminished. And then everybody sits around and says yes, the
judge hits the gavel, everybody is happy. It seems to me to
be--the Microsoft thing does not seem to be repeating itself as
often as I would have expected. I am aware of a couple of
others, but that seems to be the breakthrough one, and it does
not seem to have created the sort of torrent I expected of
people going out to the courts, to the ISPs, to the domain
registrars, to help them clean up the environment.
Mr. Baker. Microsoft is in the unique position of seeing
attacks around the world on their software and having the
resources to pursue creative solutions. And I agree with you,
that was a very creative and constructive approach.
I do think that it is worth exploring what could be done to
allow companies that have an interest in doing more but need
some reassurance that what they are doing is not going to
result in liability. One of the great values of a civil
injunction and a civil order is that you know that the people
that you are going after are not going to turn around and file
lawsuits against you, because you have already gotten prior
approval. And finding ways to relieve ISPs, other companies, of
their fear that doing the right thing will result in liability
is worth looking at. I think that is a constructive approach.
By and large, using the tort system to improve security is
a pretty backward-looking approach; that is to say, by the time
you get a judgment, you are 6 years past the problem, and it is
probably----
Chairman Whitehouse. You are back to my first question.
Mr. Baker. Yes, I am coming back to your first----
Chairman Whitehouse. Yes, I am not sure it is the best
way----
Mr. Baker. So I----
Chairman Whitehouse. I am also not sure that allowing a
company to completely relieve itself of liability contractually
is very helpful in this space either, because it takes their
mind off it and they go on to other projects.
Mr. Baker. I do not disagree with you on that, and I
support the idea of having at least agencies that understand
what good security practices are, start to define those for
companies, including software companies, to make sure that they
are actually doing the things that they need to do. And if they
say you need to do this and then the company does not do it, I
do not think those contractual clauses are going to save them
from liability.
Chairman Whitehouse. Senator Kyl?
Senator Kyl. Thank you very much.
Chairman Whitehouse. Anything further?
Senator Blumenthal. No. Thank you.
Chairman Whitehouse. All right. We will conclude this
hearing. I thank all of the witnesses, and once again I very
much appreciate the Night Dragon report that McAfee did.
The hearing will stay open, the docket of the hearing will
stay open for an additional week, and we will, of course, ask
all of the witnesses to comply with the questions for the
record that you will get in writing.
Again, thank you very much. This has been instructive and
helpful.
The hearing is adjourned.
[Whereupon, at 4:33 p.m., the Subcommittee was adjourned.]
[Questions and answers and submissions for the record
follow.]