UPDATE 2000 : February 16, 2000

Statement for the Record of Louis J. Freeh, Director, Federal Bureau of Investigation, on Cybercrime
Before the Senate Committee on Appropriations, Subcommittee for the Departments of Commerce, Justice, State, the Judiciary, and Related Agencies
Washington, D.C.

Good morning, Mr. Chairman and members of the Subcommittee. I am privileged to join Attorney General Reno in this opportunity to discuss cybercrime -- one of the fastest evolving areas of criminal behavior and a significant threat to our national and economic security.

Twelve years ago the "Morris Worm" paralyzed half of the Internet, yet so few of us were connected at that time that the impact on our society was minimal. Since then, the Internet has grown from a tool primarily in the realm of academia and the defense/intelligence communities, to a global electronic network that touches nearly every aspect of everyday life at the workplace and in our homes. There were over 100 million Internet users in the United States in 1999. That number is projected to reach 177 million in the United States and 502 million worldwide by the end of 2003. Electronic commerce has emerged as a new sector of the American economy, accounting for over $100 billion in sales during 1999, more than double the amount in 1998. By 2003, electronic commerce is projected to exceed $1 trillion. The recent denial of service attacks on leading elements of the electronic economic sector, including Yahoo!, Amazon.com, Ebay, E*Trade, and others, had a dramatic and immediate impact on many Americans.

I would like to acknowledge the strong support this Subcommittee has provided to the FBI over the past several years for fighting cybercrime. This Subcommittee was the first to support resources -- back in FY 1997 -- for establishing a computer intrusion investigative capability within the FBI.
You have generously provided support for our efforts against on-line sexual exploitation of children and child pornography -- the Innocent Images initiative -- as well as to develop our Computer Analysis Response Team (CART) program, and the creation of computer crime squads in our field offices. For that support, I would like to say thank you.

In my testimony today, I would like to first discuss the nature of the threat that is posed from cybercrime and then describe the FBI's current capabilities for fighting cybercrime. Finally, I would like to close by discussing several of the challenges that cybercrime and technology present for law enforcement.

Cybercrime Threats Faced by Law Enforcement

Before discussing the FBI's programs and requirements with respect to cybercrime, let me take a few minutes to discuss the dimensions of the problem. Our case load is increasing dramatically. In FY 1998, we opened 547 computer intrusion cases; in FY 1999, that had jumped to 1154. At the same time, because of the opening of the National Infrastructure Protection Center (NIPC) in February 1998, and our improving ability to fight cybercrime, we closed more cases. In FY 1998, we closed 399 intrusion cases, and in FY 1999, we closed 912 such cases. However, given the exponential increase in the number of cases opened, cited above, our actual number of pending cases has increased by 39%, from 601 at the end of FY 1998, to 834 at the end of FY 1999. In short, even though we have markedly improved our capabilities to fight cyber intrusions, the problem is growing even faster and thus we are falling further behind. These figures do not even include other types of crimes committed by a computer such as Internet fraud or child pornography on-line.
As part of our efforts to counter the mounting cyber threat, the FBI both uses full National Infrastructure Protection and Computer Intrusion squads located in 16 field offices and is developing baseline computer intrusion team capabilities in non-squad field offices. Further, we are establishing partnerships with state and local law enforcement through cybercrime task forces.

Cyber Threats Facing the United States

The numbers above do not provide a sense of the wide range in the types of cases we see. Over the past several years we have seen a range of computer crimes ranging from simple hacking by juveniles to sophisticated intrusions that we suspect may be sponsored by foreign powers, and everything in between. A website hack that takes an e-commerce site off-line or deprives a citizen of information about the workings of her government or important government services she needs: these are serious matters. An intrusion that results in the theft of credit card numbers or proprietary information or the loss of sensitive government information can threaten our national security and undermine confidence in e-commerce. A denial-of-service attack that can knock e-commerce sites off-line, as we've seen over the last week, can have significant consequences, not only for victim companies, but also for consumers and the economy as a whole. Because of these implications, it is critical that we have in place the programs and resources to confront this threat. The following is a breakdown of types of malicious actors and the seriousness of the threat they pose.

Insider Threat. The disgruntled insider is a principal source of computer crimes. Insiders do not need a great deal of knowledge about computer intrusions, because their knowledge of victim systems often allows them to gain unrestricted access to cause damage to the system or to steal system data. The 1999 Computer Security Institute/FBI report notes that 55% of respondents reported malicious activity by insiders.
There are many cases in the public domain involving disgruntled insiders. For example, Shakuntla Devi Singla used her insider knowledge and another employee's password and logon identification to delete data from a U.S. Coast Guard personnel database system. It took 115 agency employees over 1800 hours to recover and reenter the lost data. Ms. Singla was convicted and sentenced to five months in prison, five months home detention, and ordered to pay $35,000 in restitution.

In January and February 1999 the National Library of Medicine (NLM) computer system, relied on by hundreds of thousands of doctors and medical professionals from around the world for the latest information on diseases, treatments, drugs, and dosage units, suffered a series of intrusions in which system administrator passwords were obtained and hundreds of files were downloaded, including sensitive medical "alert" files and programming files that kept the system running properly. The intrusions were a significant threat to public safety and resulted in a monetary loss in excess of $25,000. FBI investigation identified the intruder as Montgomery Johns Gray, III, a former computer programmer for NLM, whose access to the computer system had been revoked. Gray was able to access the system through a "backdoor" he had created in the programming code. Due to the threat to public safety, a search warrant was executed for Gray's computers and Gray was arrested by the FBI within a few days of the intrusions. Subsequent examination of the seized computers disclosed evidence of the intrusion as well as images of child pornography. Gray was convicted by a jury in December 1999 on three counts for violation of 18 U.S.C. 1030. Subsequently, Gray pleaded guilty to receiving obscene images through the Internet, in violation of 47 U.S.C. 223.

Hackers. Hackers are also a common threat. They sometimes crack into networks simply for the thrill of the challenge or for bragging rights in the hacker community.
More recently, however, we have seen more cases of hacking for illicit financial gain or other malicious purposes. While remote cracking once required a fair amount of skill or computer knowledge, hackers can now download attack scripts and protocols from the World Wide Web and launch them against victim sites. Thus while attack tools have become more sophisticated, they have also become easier to use. The recent denial-of-service attacks are merely illustrations of the disruption that can be caused by tools now readily available on the Internet. Hacks can also be mistaken for something more serious. This happened initially in the Solar Sunrise case, discussed below.

Hacktivism. Recently we have seen a rise in what has been dubbed "hacktivism" -- politically motivated attacks on publicly accessible web pages or e-mail servers. These groups and individuals overload e-mail servers and hack into web sites to send a political message. While these attacks generally have not altered operating systems or networks, they still damage services and deny the public access to websites containing valuable information and infringe on others' rights to communicate. One such group is called the "Electronic Disturbance Theater," which promotes civil disobedience on-line in support of its political agenda regarding the Zapatista movement in Mexico and other issues. This past spring they called for worldwide electronic civil disobedience and have taken what they term "protest actions" against White House and Department of Defense servers. In addition, during the recent conflict in Yugoslavia, hackers sympathetic to Serbia electronically "ping" attacked NATO web servers. Russians, as well as other individuals supporting the Serbs, attacked websites in NATO countries, including the United States, using virus-infected e-mail and hacking attempts. Supporters of Kevin Mitnick hacked into the Senate webpage and defaced it in May and June of last year.
Mitnick had pled guilty to five felony counts and was sentenced in August 1999 to 46 months in federal prison and ordered to pay restitution. Mitnick was released from custody in January 2000 after receiving credit for time served on prior convictions.

The Internet has enabled new forms of political gathering and information sharing for those who want to advance social causes; that is good for our democracy. But illegal activities that disrupt e-mail servers, deface web-sites, and prevent the public from accessing information on U.S. Government and private sector web sites should be regarded as criminal acts that deny others their First Amendment rights to communicate rather than as an acceptable form of protest.

Virus Writers. Virus writers are posing an increasingly serious threat to networks and systems worldwide. As noted above, we have had several damaging computer viruses this year, including the Melissa Macro Virus, the Explore.Zip worm, and the CIH (Chernobyl) Virus. The NIPC frequently sends out warnings or advisories regarding particularly dangerous viruses. The Melissa Macro Virus was a good example of our response to a virus spreading in the networks. The NIPC sent out warnings as soon as it had solid information on the virus and its effects. On the investigative side, the NIPC acted as a central point of contact for the field offices who worked leads on the case. A tip received by the New Jersey State Police from America Online, and their follow-up investigation with the FBI's Newark Field Office, led to the April 1, 1999 arrest of David L. Smith. Search warrants were executed in New Jersey by the New Jersey State Police and FBI Special Agents from the Newark Field Office. Mr. Smith pleaded guilty to one count of violating Title 18, U.S.C. 1030 in Federal Court. Smith stipulated to affecting one million computer systems and causing $80 million in damage.

Criminal Groups.
We are also seeing the increased use of cyber intrusions by criminal groups who attack systems for purposes of monetary gain. In September, 1999, two members of a group dubbed the "Phonemasters" were sentenced after their conviction for theft and possession of unauthorized access devices (18 USC §1029) and unauthorized access to a federal interest computer (18 USC §1030). The "Phonemasters" were an international group of criminals who penetrated the computer systems of MCI, Sprint, AT&T, Equifax, and even the FBI's National Crime Information Center. Under judicially approved electronic surveillance orders, the FBI's Dallas Field Office made use of new data intercept technology to monitor the calling activity and modem pulses of one of the suspects, Calvin Cantrell. Mr. Cantrell downloaded thousands of Sprint calling card numbers, which he sold to a Canadian individual, who passed them on to someone in Ohio. These numbers made their way to an individual in Switzerland and eventually ended up in the hands of organized crime groups in Italy. Mr. Cantrell was sentenced to two years as a result of his guilty plea, while one of his associates, Cory Lindsay, was sentenced to 41 months.

The "Phonemasters'" methods included "dumpster diving" to gather old phone books and technical manuals for systems. They then used this information to trick employees into giving up their logon and password information. The group then used this information to break into victim systems. It is important to remember that often "cyber crimes" are facilitated by old fashioned guile, such as calling employees and tricking them into giving up passwords. Good "cyber security" practices must therefore address personnel security and "social engineering" in addition to instituting electronic security measures.

Distributed Denial of Service Attacks. In the fall of 1999, the NIPC began receiving reports about a new threat on the Internet -- Distributed Denial of Service Attacks.
In these cases, hackers plant tools such as Trinoo, Tribal Flood Net (TFN), TFN2K, or Stacheldraht (German for barbed wire) on a number of unwitting victim systems. Then when the hacker sends the command, the victim systems in turn begin sending messages against a target system. The target system is overwhelmed with the traffic and is unable to function. Users trying to access that system are denied its services.

The NIPC issued an alert regarding these tools in December 1999 in order to notify the private sector and government agencies about this threat. Moreover, the NIPC's Special Technologies and Applications Unit (STAU) created and released to the public a software tool that enables system administrators to identify DDOS software installed on victimized machines. The public has downloaded these tools tens of thousands of times from the web site, and has responded to the FBI by reporting many intrusions and installations of the DDOS software. The public received the NIPC tool so well that the computer security trade group SANS awarded their yearly Security Technology Leadership Award to members of the STAU. The availability of this tool has helped facilitate our investigations of ongoing criminal activity by uncovering evidence on victim computer systems.

On February 8, 2000, the FBI received reports that Yahoo had experienced a denial of service attack. In a display of the close cooperative relationship the NIPC has developed with the private sector, in the days that followed, several other companies also reported denial of service outages. These companies cooperated with our National Infrastructure Protection and Computer Intrusion squads in the FBI field offices and provided critical logs and other information. Still, the challenges to apprehending the suspects are substantial. In many cases, the attackers used "spoofed" IP addresses, meaning that the address that appeared on the target's log was not the true address of the system that sent the messages.
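The victim's side of the attack just described, as an added example that is not NIPC or FBI code and does not reproduce the STAU tool mentioned above: given per-second flow records for a target, it flags any second that exceeds a packet-rate threshold and then asks whether the apparent sources are attributable at all, using two signs of spoofing: sources in address space that cannot legitimately reach an Internet-facing link (RFC 1918 private space, loopback, multicast, reserved) and sources that appear for exactly one packet, which is what per-packet random spoofing looks like in a log. The record format, the thresholds and the sample traffic are all constructed for the illustration; the sample also includes a heavy second from three real clients to show that volume alone does not make a spoofed flood.

```python
"""Added example (not FBI/NIPC code): spot a flood against one host in flow records
and estimate how much of its apparent source set is spoofed. Input is constructed."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Source space that cannot legitimately arrive on an Internet-facing interface:
# "this network", private (RFC 1918), loopback, multicast and reserved. Packets
# claiming these sources were not routed from there, so the source is spoofed.
BOGONS = [ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


def is_bogon(addr: str) -> bool:
    a = ip_address(addr)
    return any(a in net for net in BOGONS)


def parse_flows(lines):
    """Constructed record format: '<epoch-second> <src> <dst> <packets>'."""
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        t, src, dst, pkts = line.split()
        yield int(t), src, dst, int(pkts)


def analyze(lines, pps_threshold=500):
    """For each (dst, second) bucket above the threshold, return a spoofing profile."""
    buckets = defaultdict(lambda: defaultdict(int))   # (dst, sec) -> src -> packets
    for t, src, dst, pkts in parse_flows(lines):
        buckets[(dst, t)][src] += pkts
    report = {}
    for key, srcs in buckets.items():
        total = sum(srcs.values())
        if total < pps_threshold:
            continue
        report[key] = {
            "pkts": total,
            "distinct_sources": len(srcs),
            "bogon_fraction": sum(is_bogon(s) for s in srcs) / len(srcs),
            # a source seen for exactly one packet: the signature of per-packet random spoofing
            "singleton_fraction": sum(v == 1 for v in srcs.values()) / len(srcs),
        }
    return report


def classify(profile):
    """Heuristic verdict for one flagged bucket (thresholds are illustrative)."""
    if profile["bogon_fraction"] > 0.2 or profile["singleton_fraction"] > 0.9:
        return "spoofed flood: source addresses are not attributable"
    if profile["distinct_sources"] <= 10:
        return "high volume from few sources: real addresses, trace them"
    return "high volume, many sources: possible flash crowd or unspoofed DDoS"


def _constructed_flows():
    """Three seconds of traffic to 203.0.113.10: quiet, spoofed flood, legitimate load."""
    rows = ["# epoch src dst pkts",
            "500 198.51.100.7 203.0.113.10 12", "500 198.51.100.9 203.0.113.10 8"]
    for i in range(600):       # 600 one-packet flows, each from a never-repeated source
        if i % 5 < 2:          # 40% carry RFC 1918 sources
            src = f"10.{(i >> 8) & 255}.{i & 255}.1"
        else:
            src = f"{11 + i % 100}.{(i >> 8) & 255}.{i & 255}.{i % 7 + 1}"
        rows.append(f"1000 {src} 203.0.113.10 1")
    for src in ("198.51.100.20", "198.51.100.21", "198.51.100.22"):
        rows.append(f"2000 {src} 203.0.113.10 250")   # 750 pkts from three real clients
    return rows


SAMPLE_FLOWS = _constructed_flows()

if __name__ == "__main__":
    for key, prof in sorted(analyze(SAMPLE_FLOWS).items()):
        print(key, prof, "->", classify(prof))
```

Run it and the second at t=1000 is reported as a spoofed flood (600 distinct sources, every one seen once, 40% of them in private space) while the second at t=2000 is reported as heavy but attributable traffic from three addresses. Spoofed sources are exactly why "the address that appeared on the target's log was not the true address": the upstream fix is ingress filtering at the network edge (RFC 2827, published January 2000), which drops packets whose source address could not legitimately originate behind that interface; where it is not deployed, a flood has to be traced hop by hop from the victim's upstream providers rather than from the source field in the log.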
The resources required in these investigations can be substantial. Already we have five FBI field offices with cases opened: Los Angeles, San Francisco, Atlanta, Boston, and Seattle. Each of these offices has victim companies in its jurisdiction. In addition, so far seven field offices are supporting the five offices that have opened investigations. The NIPC is coordinating the nationwide investigative effort, performing technical analysis of logs from victim sites and Internet Service Providers, and providing all-source analytical assistance to field offices. Agents from these offices are following up literally hundreds of leads. While the crime may be high tech, investigating it involves a substantial amount of traditional police work as well as technical work. For example, in addition to following up leads, NIPC personnel need to review an overwhelming amount of log information received from the victims. Much of this analysis needs to be done manually. Analysts and agents conducting this analysis have been drawn off other case work. In the coming years we expect our case load to substantially increase.

Terrorists. Terrorists are known to use information technology and the Internet to formulate plans, raise funds, spread propaganda, and to communicate securely. For example, convicted terrorist Ramzi Yousef, the mastermind of the World Trade Center bombing, stored detailed plans to destroy United States airliners on encrypted files on his laptop computer. Moreover, some groups have already used cyber attacks to inflict damage on their enemies' information systems. For example, a group calling itself the Internet Black Tigers conducted a successful "denial of service" attack on servers of Sri Lankan government embassies. Italian sympathizers of the Mexican Zapatista rebels attacked web pages of Mexican financial institutions.
Thus, while we have yet to see a significant instance of "cyber terrorism" with widespread disruption of critical infrastructures, all of these facts portend the use of cyber attacks by terrorists to cause pain to targeted governments or civilian populations by disrupting critical systems.

Foreign Intelligence Services. Foreign intelligence services have adapted to using cyber tools as part of their information gathering and espionage tradecraft. In a case dubbed "the Cuckoo's Egg," between 1986 and 1989 a ring of West German hackers penetrated numerous military, scientific, and industry computers in the United States, Western Europe, and Japan, stealing passwords, programs, and other information which they sold to the Soviet KGB. Significantly, this was over a decade ago -- ancient history in Internet years. While I cannot go into specifics about the situation today in an open hearing, it is clear that foreign intelligence services increasingly view computer intrusions as a useful tool for acquiring sensitive U.S. Government and private sector information.

Sensitive Intrusions. In the last two years we have seen a series of intrusions into numerous Department of Defense computer networks as well as networks of other federal agencies, universities, and private sector entities. Intruders have successfully accessed U.S. Government networks and taken enormous amounts of unclassified but sensitive information. In investigating these cases, the NIPC has been coordinating with FBI Field Offices, Legats, the Department of Defense (DOD), and other government agencies, as circumstances require. The investigation has determined that these intrusions appear to originate in Russia. The NIPC has also supported other very sensitive investigations, including the possible theft of nuclear secrets from Los Alamos National Laboratory in New Mexico.
It is important that the Congress and the American public understand the very real threat that we are facing in the cyber realm, not just in the future, but now.

Information Warfare. One of the greatest potential threats to our national security is the prospect of "information warfare" by foreign militaries against our critical infrastructures. We know that several foreign nations are already developing information warfare doctrine, programs, and capabilities for use against each other and the United States or other nations. Foreign nations are developing information warfare programs because they see that they cannot defeat the United States in a head-to-head military encounter and they believe that information operations are a way to strike at what they perceive as America's Achilles Heel -- our reliance on information technology to control critical government and private sector systems. For example, two Chinese military officers recently published a book that called for the use of unconventional measures, including the propagation of computer viruses, to counterbalance the military power of the United States. A serious challenge we face is even recognizing when a nation may be undertaking some form of information warfare. If another nation launched an information warfare attack against the United States, the NIPC would be responsible to gather information on the attack and work with the appropriate defense, intelligence, and national command authorities.

Traditional Threats to Society Moved to the Cyber Realm

Computers and networks are not just being used to commit new crimes such as computer intrusions, denial of service attacks, and virus propagation, but they are also facilitating some traditional criminal behavior such as extortion threats, fraud and the transmission of child pornography. For example, the NIPC recently supported an investigation involving e-mail threats sent to a Columbine High School student threatening violence.
Child Pornography and Exploitation. While the Internet has been a tremendous boon for information sharing and for our economy, it unfortunately has also become a zone where predators prey on the weakest and most vulnerable members of our society, our children. The sex offender using a computer is not a new type of criminal. Rather it is simply a case of modern technology being combined with an age old problem. The use of computers has made child pornography more available now than at any time since the 1970s. An offender can use a computer to transfer, manipulate, or even create child pornography. Images can be stored, transferred from video tape or print media, and transmitted via the Internet. With newer technology, faster processors and modems, moving images can now also be transmitted. In addition, the information and images stored and transmitted can be encrypted to deter or avoid detection. As computers and technological enhancements, such as faster modems and processors, become less expensive and more sophisticated, the potential for abuse will grow.

Challenges to Law Enforcement in Investigating Cybercrime

The burgeoning problem of cyber crime poses unique challenges to law enforcement. These challenges require novel solutions, close teamwork among agencies and with the private sector, and adequate numbers of trained and experienced agents and analysts with sophisticated equipment.

Identification and Jurisdictional Challenges

Identifying the Intruder. One major difficulty that distinguishes cyber threats from physical threats is determining who is attacking your system, why, how, and from where. This difficulty stems from the ease with which individuals can hide or disguise their tracks by manipulating logs and directing their attacks through networks in many countries before hitting their ultimate target. The now well known "Solar Sunrise" case illustrates this point.
Solar Sunrise was a multi-agency investigation (which occurred while the NIPC was being established) of intrusions into more than 500 military, civilian government, and private sector computer systems in the United States, during February and March 1998. The intrusions occurred during the build-up of United States military personnel in the Persian Gulf in response to tension with Iraq over United Nations weapons inspections. The intruders penetrated at least 200 unclassified U.S. military computer systems, including seven Air Force bases and four Navy installations, Department of Energy National Laboratories, NASA sites, and university sites. Agencies involved in the investigation included the FBI, DOD, NASA, Defense Information Systems Agency, AFOSI, and the Department of Justice (DOJ). The timing of the intrusions and links to some Internet Service Providers in the Gulf region caused many to believe that Iraq was behind the intrusions. The investigation, however, revealed that two juveniles in Cloverdale, California, and several individuals in Israel were the culprits. Solar Sunrise thus demonstrated to the interagency community how difficult it is to identify an intruder until facts are gathered in an investigation, and why assumptions cannot be made until sufficient facts are available. It also vividly demonstrated the vulnerabilities that exist in our networks; if these individuals were able to assume "root access" to DOD systems, it is not difficult to imagine what hostile adversaries with greater skills and resources would be able to do. Finally, Solar Sunrise demonstrated the need for interagency coordination by the NIPC.

Jurisdictional Issues. Another significant challenge we face is hacking in multiple jurisdictions. A typical hacking investigation involves victim sites in multiple states and often many countries. This is the case even when the hacker and victim are both located in the United States.
In the United States, we can subpoena records and execute search warrants on suspects' homes, seize evidence, and examine it. We can do none of those things ourselves overseas; rather, we depend on the local authorities. In some cases the local police forces simply do not understand or cannot cope with the technology. In other cases, these nations simply do not have laws against computer intrusions. Our Legats are working very hard to build bridges with local law enforcement to enhance cooperation on cybercrime. The NIPC has held international computer crime conferences with foreign law enforcement officials to develop liaison contacts and bring these officials up to speed on cybercrime issues. We have also held cybercrime training classes for officers from partner nations.

Despite the difficulties, we have had some success in investigating and prosecuting these crimes. In 1996 and 1997, the National Oceanic and Atmospheric Administration (NOAA) suffered a series of computer intrusions that were linked to a set of intrusions occurring at the National Aeronautics and Space Administration (NASA). Working with the Canadian authorities, it was determined that the subject resided in Canada. In April 1999, Jason G. Mewhiney was indicted by Canadian authorities. In January 2000, he pled guilty to 12 counts of computer intrusions and the Canadian Superior Court of Justice sentenced him to 6 months in jail for each of the counts, with the sentences running concurrently.

In another case, Peter Iliev Pentchev, a Princeton University student, was identified as an intruder on an e-commerce system. An estimated 1800 credit card numbers, customer names, and user passwords were stolen. The company had to shut down its web servers for five days to repair the damages, estimated at $100,000. Pentchev has fled to his native Bulgaria, and the process for returning him to the United States to face charges is being determined.

In 1994-95, an organized crime group headquartered in St. Petersburg, Russia, transferred $10.4 million from Citibank into accounts all over the world. After investigation by the FBI's New York field office, all but $400,000 of the funds were recovered. Cooperation with Russian authorities helped bring Vladimir Levin, the perpetrator, to justice.

In another case, the FBI investigated Julio Cesar Ardita, an Argentine computer science student who gained unauthorized access to Navy and NASA computer systems. He committed these intrusions from Argentina, and Argentine authorities cooperated with the FBI on the investigation. While he could not be extradited for the offenses, he returned voluntarily to the United States and was sentenced to three years probation.

In all of these cases, Legats have been essential to the investigation. As the Internet spreads to even more countries, we will see greater demand placed on the Legats to support computer intrusion investigations.

Human and Technical Challenges

The threats we face are compounded by human and technical challenges posed by these types of investigations. The first problem is, of course, having enough positions for agents, computer scientists, and analysts to work computer intrusions. Once we have the authorized positions, we face the issue of recruiting people to fill these positions, training them in the rapidly changing technology, and retaining them. There is a very tight market out there for information technology professionals. The Federal Government needs to be able to recruit the very best people into its programs. Fortunately, we can offer exciting, cutting-edge work in this area and can offer agents, analysts, and computer scientists the opportunities to work on issues that no one else addresses, and to make a difference to our national security and public safety.

Our current resources are stretched paper thin. We only have 193 agents assigned to NIPC squads and teams nationwide.
Major cases, such as the recent DDOS attacks on Yahoo, draw a tremendous amount of personnel resources. Most of our technical analysts will have to be pulled from other work to examine the log files received from the victim companies. Tracking down hundreds of leads will absorb the energy of a dozen field offices. And this is all reactive. My goal is for the FBI to become proactive in this area just as we have in other areas such as drugs and violent crime. In a few minutes I'll discuss what we need to do to improve our cybercrime fighting capabilities to become proactive in fighting cybercrime.

The technical challenges of fighting crime in this arena are equally vast. We can start just by looking at the size of the Internet and its exponential growth. Today it is estimated that more than 60,000 individual networks with 40 million users are connected to the Internet. Thousands more sites and people are coming on line every month. In addition, the power of personal computers is vastly increasing.

The FBI's Computer Analysis Response Team (CART) examiners conducted 1,260 forensic examinations in 1998 and 1,900 in 1999. With the anticipated increase in high technology crime and the growth of private sector technologies, the FBI expects 50 percent of its caseload to require at least one computer forensic examination. By 2001, the FBI anticipates the number of required CART examinations to rise to 6,000.

It is important to note that personnel resources with very specific technical skills are required not only for computer and Internet based crimes such as the DDOS incidents, but are increasingly necessary for more traditional matters as well. Examples of this type of problem include the approximately 6000 man hours that the NIPC was required to expend investigating a recent computer-based espionage case.
The NIPC's Special Technologies and Applications Unit (STAU) received approximately one million raw files from CART, and was required by the investigators to reproduce the activities of individuals over a period of years from that raw data. The amount of information which was required to be processed by STAU, and is still necessary to process, would fill the Library of Congress nearly twice. This type of case illustrates where technical analysis of the highest order has become necessary in sophisticated espionage matters.

A recent extortion and bombing case illustrates how traditional violent criminals are also turning to high technology. In this extortion case, the bomber's demands included that the victim post their responses to his requirements on their web site. The STAU was required to sort through millions of web site "hits" to discern which entries may have come from the bomber. Based on information generated by the STAU's efforts, agents were able to trace the bomber to a specific telephone line to his home address.

Clearly, the FBI needs engineering personnel to develop and deploy sophisticated electronic surveillance capabilities in an increasingly complex and technical investigative environment, skilled CART personnel to conduct the computer forensics examinations to support an increasingly diverse set of cases involving computers, as well as expert NIPC personnel to examine network log files to track the path an intruder took to his victim. In cases such as Los Alamos or Columbine, both NIPC and CART personnel were called in to bring their unique areas of expertise to bear on the case.

During the last part of 1998, most computers on the market had hard drives of 6-8 gigabytes (GB). Very soon 13-27 GB hard drives will become the norm. By the end of 2000, we will be seeing 60-80 GB hard drives.
All this increase in storage capacity means more data that must be searched by our forensics examiners, since even if these hard drives are not full, the CART examiner must review every bit of data and every area of the media to search for evidence. The FBI has an urgent requirement for improved tools, techniques and services for gathering, processing, and analyzing data from computers and computer networks to acquire critical intelligence and evidence of criminal activity. Over the past three years, the FBI's Laboratory Division (LD) has been increasingly requested to provide data interception support for such investigative programs as: Infrastructure Protection, Violent Crimes (Exploitation of Children, Extortion), Counterterrorism, and Espionage. In fact, since 1997, the LD has seen a dramatic increase in field requests for assistance with interception of data communications. Unless the FBI increases its capability and capacity for gathering and processing computer data, investigators and prosecutors will be denied timely access to valuable evidence that will solve crimes and support the successful prosecutions of child pornographers, drug traffickers, corrupt officials, persons committing fraud, terrorists, and other criminals. One of the largest challenges to FBI computer investigative capabilities lies in the increasingly widespread use of strong encryption. The widespread use of digitally-based telecommunications technologies, and the unprecedented expansion of computer networks incorporating privacy features/capabilities through the use of cryptography (i.e. encryption), has placed a tremendous burden on the FBI's electronic surveillance technologies. Today the most basic communications employ layers of protocols, formatting, compression and proprietary coding that were non-existent only a few years ago. 
New cryptographic systems provide robust security to conventional and cellular telephone conversations, facsimile transmissions, local and wide area networks, Internet communications, personal computers, wireless transmissions, electronically stored information, remote keyless entry systems, advanced messaging systems, and radio frequency communications systems. The FBI is already encountering the use of strong encryption. In 1999, 53 new cases involved the use of encryption. The FBI is establishing a centralized capability for development of investigative tools which support the law enforcement community's technical needs for cybercrime investigations, including processing and decrypting lawfully intercepted digital communications and electronically stored information. A centralized approach is appropriate since state and local law enforcement have neither the processing power nor trained individuals to assume highly complex analysis or reverse engineering tasks. The FY 2001 budget includes $7,000,000 for this effort. The need for a law enforcement centralized civilian resource for processing and decrypting lawfully intercepted digital communications and electronically stored information is well documented in several studies, including the National Research Council's Committee Report entitled "Cryptography's Role in Securing the Information Society." Specifically, the Committee recommended that high priority be given to the development of technical capabilities, such as signal analysis and decryption, to assist law enforcement in coping with technological challenges. In 1996, in Public Law 104-132, Section 811, the 104th Congress acknowledged the critical need and authorized the Attorney General to "...support and enhance the technical support [capabilities]..." of the FBI. 
The Administration policy position as set forth in the September 16, 1998, press release acknowledges that "The Administration intends to support FBI's establishment of a technical support [capability] to help build the technical capacity of law enforcement - Federal, State, and local - to stay abreast of advancing communications technology." It has been the position of the FBI that law enforcement should seek the voluntary cooperation of the computer hardware and software industry as a means of attempting to address the public safety issues associated with use of encryption in furtherance of serious criminal activity. Over the past year and a half, the FBI has initiated an aggressive industry outreach strategy to inform industry of law enforcement's needs in the area of encryption, to continue to encourage the development of recoverable encryption products that meet law enforcement's needs, and to seek industry's assistance regarding the development of law enforcement plain text access "tools" and capabilities when non-recoverable encryption products are encountered during the course of lawful investigations. The FBI will be meeting this year with industry in an environment wherein various computer and software industry representatives can exchange technical and business information regarding encryption and encryption products with law enforcement. This information will assist law enforcement agencies with establishing development and operational strategies to make the most effective use of limited resources. 

State and Local Assistance 

Just as with other crimes, often the state and local authorities are going to be the first ones on the scene. The challenge for these law enforcement officers is even greater than the one the Federal Government faces in that state and local law enforcement is less likely to have the expertise to investigate computer intrusions, gather and examine cyber media and evidence. 
The challenge for the federal government is to provide the training and backup resources to the state and local levels so that they can successfully conduct investigations and prosecutions in their jurisdictions. This sort of cooperation is already showing results. For example, the FBI worked with the New Jersey State Police on the Melissa Macro Virus case that resulted in the arrest of David L. Smith by the New Jersey authorities. In addition, the NIPC and our Training Division are working together to provide training to state and local law enforcement officers on cybercrime. In FY 1999 over 383 FBI Agents, state and local law enforcement and other government representatives took NIPC sponsored or outside training on computer intrusion and network analysis, energy and telecommunications key assets. We have made great strides in developing our training program for state and local law enforcement officials. More NIPC training than ever before is being conducted outside of Washington, DC, meaning that more state and local officers should have the opportunity to attend these classes with less disruption to their schedules and less travel. One of the main responsibilities of the NIPC Training and Continuing Education Unit is to develop and manage the state and local Law Enforcement Training Program. This program trains state and local law enforcement officials in a myriad of state-of-the-art cyber courses. Building on the success of the San Diego Regional Computer Forensic Laboratory, the Attorney General asked the FBI and the Office of Justice Programs to work in partnership to develop a series of regional laboratories. These facilities will provide computer forensic services as joint ventures among federal, state and local law enforcement. Six million dollars is requested in the Office of Justice Programs to establish several regional computer forensic laboratories. 
Working together, we are identifying geographical areas where the establishment of such partnerships could make significant impact. The NIPC is supporting the Attorney General's proposal to create a network of federal, state, and local law enforcement personnel for combating cybercrimes. We are instructing each field office to have a point of contact at the appropriate investigative agencies regarding their area of jurisdiction and to provide this information to NIPC at FBIHQ. Presidential Decision Directive (PDD) 63 identified the Emergency Law Enforcement Services Sector (ELES) as one of the eight critical infrastructures. PDD 63 further designated the Federal Bureau of Investigation as the lead agency for protecting the ELES. The NIPC is currently working on a strategic plan for this sector and holding meetings with sector representatives. This involves developing and implementing a plan to help law enforcement protect its own systems from attack so it will be able to deliver vitally needed services to the public. Success of the NIPC requires building on proven mechanisms to develop and maintain long-term relationships with state and local law enforcement agencies. NIPC oversees outreach programs, coordinates training, shares information and coordinates interagency efforts to plan for, deter, and respond to cyber attacks. Currently, the NIPC is sharing information with state and local governments via Law Enforcement On-line (LEO) and the National Law Enforcement Telecommunications System. Timely coordination and sharing of information with other law enforcement agencies is essential in combating the cyber threat in the Information Age. Local law enforcement is also encouraged to join the InfraGard chapters in their area. State and local agencies investigate and prosecute cyber crimes based on violations of local laws. 
By sharing investigative data with the NIPC, emerging trends can be identified, analyzed and shared with other agencies, which can then share investigative responsibilities with their local FBI field office and the NIPC. The cross-jurisdictional nature of cyber crimes, in which attacks occur outside the state or even national borders, means that investigative efforts must be coordinated among local, state and federal agencies to ensure effective prosecution. 

FBI Cybercrime Investigation Capabilities 

National Infrastructure Protection Center 

Under PDD-63, the NIPC's mission is to detect, warn of, respond to, and investigate computer intrusions and unlawful acts that threaten or target our critical infrastructures. The Center not only provides a reactive response to an attack that has already occurred, but proactively seeks to discover planned attacks and issues warnings before they occur. This large and difficult task requires the collection and analysis of information gathered from all available sources (including law enforcement investigations, intelligence sources, data voluntarily provided by industry and open sources) and dissemination of analyses and warnings of possible attacks to potential victims, whether in the government or the private sector. To accomplish this mission, the NIPC relies on the assistance of, and information gathered by the FBI's 56 field offices, other federal agencies, state and local law enforcement, and perhaps most importantly, the private sector. The NIPC, while located at the FBI, is an interagency center, with representatives from many other agencies, including DOD, the U.S. Intelligence Community, and other federal agencies. The NIPC at FBI Headquarters currently has 79 FBI personnel, with an authorized ceiling of 94. There are 22 representatives from Other Government Agencies (OGAs), the private sector, state and local law enforcement, and our international partners at the Center. 
Our target for OGA and private sector participation is 40. To accomplish its goals, the NIPC is organized into three sections: The Computer Investigations and Operations Section (CIOS) is the operational response arm of the Center. It serves as program manager for computer intrusion investigations conducted by FBI field offices throughout the country; provides subject matter experts, equipment, and technical support to cyber investigators in federal, state and local government agencies involved in critical infrastructure protection; and provides a cyber emergency response capability to help resolve a cyber incident. The Analysis and Warning Section (AWS) serves as the "indications and warning" arm of the NIPC. It provides analytical support during computer intrusion investigations and long-term analyses of vulnerability and threat trends. Through its 24/7 watch and warning capability, it distributes tactical warnings and analyses to all the relevant partners, informing them of potential vulnerabilities and threats and long-term trends. It also reviews numerous government and private sector databases, media, and other sources daily to gather information that may be relevant to any aspect of our mission, including the gathering of indications of a possible attack. The Training, Outreach and Strategy Section (TOSS) coordinates the training and education of cyber investigators within the FBI field offices, state and local law enforcement agencies, and private sector organizations. It also coordinates outreach to private sector companies, state and local governments, other government agencies, and the FBI's field offices. In addition, this section manages collection and cataloguing of information concerning "key assets" across the country. Finally, it handles our strategic planning and administrative functions with FBI and DOJ, the National Security Council, other agencies and Congress. 
Through these, the Center brings its unique perspective as the only national organization devoted to investigation, analysis, warning, and response to attacks on the infrastructures. Further, as an interagency entity, the NIPC takes a broad view of infrastructure protection, looking not just at reactive investigations but also at proactive warnings and prevention. Finally, through the FBI, the Center has a national reach to implement policy. The Center is working closely on policy initiatives with its Federal partners and meets regularly with the other Federal lead agencies on policy issues. 

National Infrastructure Protection and Computer Intrusion Squads/Teams 

In October 1998, the National Infrastructure Protection and Computer Intrusion Program (NIPCP) was approved as an investigative program and resources were created and placed in each FBI field office with the NIPC at FBI Headquarters acting as program manager. By the end of this fiscal year, there will be 16 FBI Field Offices with regional NIPC squads. Each of these squads will be staffed with 7 to 8 agents. Nationwide, there are 193 agents dedicated to investigating NIPC matters. In order to maximize investigative resources the FBI has taken the approach of creating regional squads that have sufficient size to work difficult major cases and to assist those field offices without an NIPC squad. In those field offices without squads, the FBI is building a baseline capability by having one or two agents to work NIPC matters, i.e. computer intrusions (criminal and national security), viruses, InfraGard, state and local liaison etc. 

Computer Analysis and Response Teams (CART) 

An essential element in the investigation of computer crime is the recovery of evidence from electronic media. In a murder investigation, the detectives investigate the case but the coroner examines the body for evidence of how the crime was committed. The CART personnel serve this function in cyber investigations. 
CART examiners perform three essential functions. First, they extract data from computer and network systems, and conduct forensic examinations and on-site field support to all FBI investigations and programs where computers and storage media are required as evidence. Second, they provide technical support and advice to field agents conducting such investigations. Finally, they assist in the development of technical capabilities needed to produce timely and accurate forensic information. Currently the FBI has 26 full time CART personnel at FBI Headquarters and 62 full-time and 54 part-time CART personnel in the field, for a total of 142 trained CART personnel. CART resources are used in a variety of investigations ranging from sensitive espionage cases to health care fraud. For example, on September 12, 1998, the FBI executed the arrest of individuals who were involved in an espionage ring trying to penetrate U.S. military bases on behalf of the Cuban government. During the arrest of these individuals CART conducted the seizure of 35 GB of digital evidence, including personal computers containing twelve (12) hard drives, 2,500 floppy diskettes, and assorted CD-ROMs. The FBI deployed more than 30 CART field examiners during the search and examination which consumed thousands of hours of their time. In order to process the vast quantities of information required, the CART program needs to purchase or develop new ways of handling digital evidence. One program used by the FBI is the Automated Computer Examination System (ACES), a data exploration tool developed by the FBI Laboratory, to scan thousands of files for identification of known format and executable program files. ACES verifies that certain program, batch or executable files are for computer operation and do not represent a file in which potential evidentiary material is stored. Results from an ACES examination can be passed to other analytical utilities used in examining a computer. 
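The two examiner tasks described in this testimony, ruling out stock operating-system and application files so they need not be read (the ACES function above) and reviewing every area of the media rather than only the live file system (the point made earlier about ever-larger hard drives), are illustrated by the following added example. It is not ACES or any FBI code, and it uses no real evidence: the "seized" files, the known-file hash set and the raw image are all constructed inline. A production tool would load its known-file hashes from a reference library and read the image from disk; here both are assumed and built in memory.

```python
"""Known-file filtering plus raw-media signature scan (added example, not ACES)."""
import hashlib

# Header signatures ("magic bytes") for a few common formats. Assumed, illustrative list.
SIGNATURES = {
    b"MZ": "dos/windows executable",
    b"%PDF": "pdf",
    b"\xff\xd8\xff": "jpeg",
    b"PK\x03\x04": "zip/office",
    b"\x7fELF": "elf executable",
}


def identify(data):
    """Return a format label from the leading bytes, or 'unknown'."""
    for magic, label in SIGNATURES.items():
        if data.startswith(magic):
            return label
    return "unknown"


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def triage(files, known_hashes):
    """Split seized files into 'known' (hash matches a reference set of
    operating-system/application files, so no evidentiary review is needed)
    and 'review' (everything else), recording the identified format of each."""
    result = {"known": [], "review": []}
    for name, data in sorted(files.items()):
        entry = (name, identify(data))
        bucket = "known" if sha256(data) in known_hashes else "review"
        result[bucket].append(entry)
    return result


def carve_signatures(image):
    """Scan every byte of a raw image for known headers, so that data sitting in
    unallocated space or slack (invisible to a file-system listing) is found too.
    Returns (offset, format) pairs sorted by offset."""
    hits = []
    for magic, label in SIGNATURES.items():
        pos = image.find(magic)
        while pos != -1:
            hits.append((pos, label))
            pos = image.find(magic, pos + 1)
    return sorted(hits)


# Constructed sample "seized" files (not real evidence).
SAMPLE_FILES = {
    "WINDOWS/notepad.exe": b"MZ\x90\x00" + b"\x00" * 60,  # stands in for a stock OS binary
    "docs/letter.pdf": b"%PDF-1.4\n%constructed letter\n",
    "docs/photo.jpg": b"\xff\xd8\xff\xe0constructed",
    "notes.txt": b"meet at the usual place",
}

# A real known-file set would come from a reference library; here it is built
# from the one constructed file we treat as a stock OS binary.
KNOWN_HASHES = {sha256(SAMPLE_FILES["WINDOWS/notepad.exe"])}

# Constructed raw image: 512 bytes of empty space, the live JPEG, then
# unallocated space holding the header of a deleted PDF.
SAMPLE_IMAGE = (
    b"\x00" * 512
    + SAMPLE_FILES["docs/photo.jpg"]
    + b"\x00" * 100
    + b"%PDF-1.3 deleted"
    + b"\x00" * 50
)


def demo():
    """Run both passes over the constructed data and return their results."""
    return triage(SAMPLE_FILES, KNOWN_HASHES), carve_signatures(SAMPLE_IMAGE)


if __name__ == "__main__":
    report, hits = demo()
    for name, fmt in report["known"]:
        print(f"known file, skip:   {name} ({fmt})")
    for name, fmt in report["review"]:
        print(f"needs examiner:     {name} ({fmt})")
    for offset, fmt in hits:
        print(f"signature at byte {offset}: {fmt}")
```

Running it lists the one stock binary as "known" and the three other files for review, and the raw scan reports the JPEG at offset 512 and the deleted PDF header at offset 627, which no file listing would show. The hash set, not the file name or extension, is what decides "known": a renamed or modified binary hashes differently and falls back into the review pile.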
The FBI is also working with other federal agencies as well as state and local law enforcement to share data and forensic expertise. In San Diego, a regional computer forensic capability has been established that is staffed by the FBI, the Navy, and the San Diego police department, among others. This lab serves as a resource for the entire region. The vast majority of all computer related seizures in San Diego County are currently being made through the RCFL. During the start-up period (Summer 1999 to December 1999), although all participating agencies had been co-located, each examiner had been working on his own agency's cases. As of January 3, 2000, the San Diego lab started receiving submissions as a joint facility and jointly tracking those submissions. As of February 3, the lab had received 26 cases, including three federal cases consisting of large scale networks, and local cases including a death threat to a Judge, a poisoning case, and a child molestation case. We recognize that state and local law enforcement often will not have the resources for complex computer forensics, and we hope that the San Diego model can be expanded. 

Technical Investigative Support 

The FBI has long had capabilities regarding the interception of conventional phone lines and modems. The rapid advance of data technologies and the unregulated nature of the Internet has resulted in a myriad of technologies and protocols which make the interception of data communications extremely difficult. It is critical that the FBI properly equip investigators with technical capabilities for utilizing the critical investigative tools on lawfully authorized Title III and Title 50 interception. 

Innocent Images Initiative/Child Pornography 

The FBI has moved aggressively against child pornographers. In 1995 the FBI's first undercover operation, code-named Innocent Images, was initiated. 
Almost five years later, Innocent Images is an FBI National Initiative, supported by annual funding of $10 million, with undercover operations in eleven FBI field offices -- Baltimore, Birmingham, Cleveland, Dallas, Houston, Las Vegas, Los Angeles, Newark, Phoenix, San Francisco, and Tampa -- being worked by task forces that combine the resources of the FBI with other federal, state and local law enforcement officers from Maryland, Virginia, the District of Columbia, Alabama, Ohio, Texas, Nevada, California, New Jersey, Arizona, and Florida. Investigations developed by the National Initiative's undercover operations are being conducted by every field office and information has been referred to foreign law enforcement agencies through the FBI's Legal Attache Offices. During Fiscal Year 1999 a total of 1,497 new cases were opened. Every one of these investigations has digital evidence and requires the assistance of a CART examiner. Additionally, 188 search warrants and 57 consent searches were executed, and 193 arrests, 125 indictments, 29 informations and 108 convictions were obtained as a result of the Innocent Images National Initiative. Also in Fiscal Year 1999, the IINI provided 227 presentations to 17,522 individuals from foreign and domestic law enforcement and government officials, civilian groups, and private citizens in an effort to raise awareness about child pornography/child sexual exploitation issues and increase coordination between federal, state and local law enforcement. 

Intellectual Property Rights/Internet Fraud 

Intellectual property is the driver of the 21st century American economy. In many ways it has become what America does best. The United States is the leader in the development of creative, technical intellectual property. Violations of Intellectual Property Rights, therefore, threaten the very basis of our economy. Of primary concern is the development and production of trade secret information. 
The American Society for Industrial Security estimated the potential losses at $2 billion per month in 1997. Pirated products threaten public safety in that many are manufactured to inferior or non-existent quality standards. A growing percentage of IPR violations now involve the Internet. There are thousands of web sites solely devoted to the distribution of pirated materials. The FBI has recognized, along with other federal agencies, that a coordinated effort must be made to attack this problem. The FBI, along with the Department of Justice, U.S. Customs Service, and other agencies with IPR responsibilities, will be opening an IPR Center this year to enhance our national ability to investigate and prosecute IPR crimes through the sharing of information among agencies. One of the most critical challenges facing the FBI and law enforcement in general, is the use of the Internet for criminal purposes. Understanding and using the Internet to combat Internet fraud is essential for law enforcement. The fraud being committed over the Internet is the same type of white collar fraud the FBI has traditionally investigated but poses additional concerns and challenges because of the new environment in which it is located. Internet fraud is defined as any fraudulent scheme in which one or more components of the Internet, such as Web sites, chat rooms, and E-mail, play a significant role in offering nonexistent goods or services to consumers, communicating false or fraudulent representations about the schemes to consumers, or transmitting victims' funds, access devices, or other items of value to the control of the scheme's perpetrators. The accessibility of such an immense audience, coupled with the anonymity of the subject, requires a different approach. The frauds range from simple geometric progression schemes to complex frauds. 
The Internet appears to be a perfect manner to locate victims and provides an environment where the victims don't see or speak to the fraud perpetrators. Anyone in the privacy of their own home can create a very persuasive vehicle for fraud over the Internet. In addition, the expenses associated with the operation of a "home page" and the use of electronic mail (E-mail) are minimal. Fraud perpetrators do not require the capital to send out mailers, hire people to respond to the mailers, finance and operate toll free numbers, etc. This technology has evolved exponentially over the past few years and will continue to evolve at a tremendous rate. By now it is common knowledge that the Internet is being used to host criminal behavior. The top ten most frequently reported frauds committed on the Internet include Web auctions, Internet services, general merchandise, computer equipment/software, pyramid schemes, business opportunities/franchises, work at home plans, credit card issuing, prizes/sweepstakes and book sales. 

Improving FBI Cybercrime Capabilities 

The last two years have seen tremendous strides in the development of the National Infrastructure Protection Center in both the Headquarters and field program. We have directed our resources into developing our prevention, detection, and response capabilities. This has meant recruiting talented personnel from both inside and outside the FBI, training those personnel, and developing investigative, analytic, and outreach programs. Most of these programs had to be developed from scratch, either because no program previously existed or because the program had to be reinvigorated from an earlier FBI incarnation. The cyber crime scene is dynamic: it grows, contracts, and can change shape. Determining whether an intrusion is even occurring can often be difficult in the cyber world, and usually a determination cannot be made until after an investigation is initiated. 
The establishment of the NIPC has greatly enhanced the FBI's investigative, analytic, and case support capabilities. A few years ago, the NIPC would have been limited in its ability to undertake some of the sensitive investigations of computer intrusions that the FBI has supported. While the FBI has been able to develop and maintain its present response capability, the explosive nature of the crime problem continues to challenge our capacities. While much has been accomplished, much remains to be done. 

Building Investigative Capacity 

Trained personnel and resources present the greatest challenges to the FBI critical infrastructure protection mission. The FBI must make sure that the NIPC and Field Office squads are fully staffed with technologically competent investigators and analysts. It is also essential that these professionals have the state of the art equipment and connectivity they need to conduct their training. To accomplish this, the FBI must identify, recruit, and train personnel who have the technical, analytical, investigative, and intelligence skills for engaging in cyber investigations. This includes personnel to provide early warnings of attacks, to read and analyze log files, write analytic reports and products for the field and the private sector, and to support other investigations with cyber components. With such a configuration of selected personnel skills, the FBI will be able to effectively and efficiently investigate cyber threats, allegations, incidents, and violations of the law that target and/or impact critical infrastructure facilities, components, and key assets. Aggressive recruitment of qualified specialists is critical. Targeting the right people and providing hiring and educational incentives are good steps in building this professional cadre. Developing and deploying the best equipment in support of the mission is very important. 
Not only do investigators and analysts need the best equipment to conduct investigations in the rapidly evolving cyber system but the NIPC must be on the cutting edge of cyber research and development. NIPC must not only keep abreast of the criminal element but they must also accurately predict the next generation of criminal activity. In order to support state and local law enforcement efforts, field offices will seek to form cybercrime task forces. This should include assigning a prosecutor to handle task force cases. 

Building Partnerships with Industry and Academia 

NIPC is founded on the notion of partnership. This partnership is critical to ensuring timely information sharing about threats and incidents, new technologies, and keeping our capabilities at the cutting edge. The FBI, in conjunction with the private sector, has also developed an initiative called "InfraGard" to expand direct contacts with the private sector infrastructure owners and operators and to share information about cyber intrusions, exploited vulnerabilities, and physical infrastructure threats. The initiative encourages the exchange of information by government and private sector members through the formation of local InfraGard chapters within the jurisdiction of each Field Office. Chapter membership includes representatives from the FBI, private industry, other government agencies, State and local law enforcement, and the academic community. The initiative provides four basic services to its members: an intrusion alert network using encrypted e-mail; a secure website for communication about suspicious activity or intrusions; local chapter activities; and a help desk for questions. The critical component of InfraGard is the ability of industry to provide information on intrusions to the local FBI Field Office using secure communications in both a "sanitized" and detailed format. 
The local FBI Field Offices can, if appropriate, use the detailed version to initiate an investigation; while NIPC Headquarters can analyze that information in conjunction with other law enforcement, intelligence, or industry information to determine if the intrusion is part of a broader attack on numerous sites. The Center can simultaneously use the sanitized version to inform other members of the intrusion without compromising the confidentiality of the reporting company. The secure website will also contain a variety of analytic and warning products that we can make available to the InfraGard community. The NIPC has also developed and is implementing an aggressive outreach program. We have briefed a number of key critical infrastructure sector groups including the North American Electric Reliability Council and business groups such as the U.S. Chamber of Commerce. We are also working closely with our international partners. Much attention has been given to the need to create mechanisms for sharing information with the private sector. The NIPC has built up a track record for doing this over the past 2 years with concrete results. Not only has it provided early warnings and vulnerability and threat assessments but it has also developed unique detection tools to help potential victims of DDOS attacks. And contrary to press statements by companies offering security services that private companies won't share information with law enforcement, private companies have reported incidents and threats to the NIPC or FBI. The cooperation we have received from victims in the recent DDOS attacks is only the most recent example of this. InfraGard will increase this capacity by providing a secure two way mechanism for sharing information between the government and the private sector. 

Developing Forensic and Technical Capabilities 

As noted above, CART has developed substantial capability to examine computer and network media and storage devices. 
But the rapid change in technology and the increasing use of computers in criminal activity necessitate the on-going development of better investigative and forensic tools and techniques for examiners. We fully expect that the number of cases requiring CART examinations will increase by over 50% in the next few years. In addition, as storage media hold more information, each individual examination will require more effort. To even attempt to keep pace with these developments, we will need to increase our personnel base in CART. For FY 2001, funding is proposed to add 100 new CART examiners. In addition, in order for our ACES program to remain able to provide comprehensive analysis of computer files, it needs to be continuously updated. After all, how many iterations of Windows®, Microsoft Office®, and other software and operating systems have we seen just in the last two years? We need to ensure that ACES can perform its function. The FY 2001 budget includes $2,800,000 for the ACES program. Improving our technical capabilities to access plain text communications is a critical challenge to the FBI. The ultimate objective is to provide field investigators with an integrated suite of automated data collection systems, operating in a low-cost and readily available personal computer environment, which will be capable of identifying, intercepting and collecting targeted data of interest from a broad spectrum of data telecommunications transmissions mediums and networks. Substantial resource enhancements are required to progress development from current ad hoc, tactical data intercept systems to integrated modular systems, providing the field investigators with increased flexibility, simplicity and reliability and to enhance training programs to enable field Technically Trained Agents and Investigators to install and operate this complex equipment. 
The most technically complex component of electronic surveillance has been and always will be the deciphering of encrypted signals and data. In the past few years, growth in electronic communications and the public demand for security have increased the number of investigations which encounter encrypted signals and data. With the convergence of digital technologies in the very near future, all electronic communications conducted using computers, the Internet, wireless and other forms of communications will inherently incorporate and apply data security (i.e. encryption). The ability to gather evidence from FBI electronic surveillance and seized electronic data will significantly depend upon the development and deployment of signal analysis and decryption capabilities. Funding enhancements are requested to step toward the fulfillment of a strategic plan to ensure that collected signals, data and evidence can be intercepted, interpreted and made usable in the prosecution of crimes and the detection of national security offenses. Failure to strategically prepare for the impending global changes in data and voice telecommunications, information security, and the volumes of encrypted information collected by law enforcement pursuant to lawful court orders will ensure that critical information and evidence will be unintelligible and unusable in future investigations. We are urgently trying to develop our capabilities in this area through the acquisition of hardware and software tools, technologies and systems, and support services to work on a variety of research projects to meet this problem. Last September, the Administration announced a "New Approach to Encryption" which included significant changes to the nation's encryption export policies and recommended public safety enhancements to ensure "that law enforcement has the legal tools, personnel, and equipment necessary to investigate crime in an encrypted world."
Specifically, on September 16, 1999, the President, on behalf of law enforcement, transmitted to Congress the "Cyberspace Electronic Security Act of 1999" which would: ensure that law enforcement maintains its ability to access decryption information stored with third parties, while protecting such information from inappropriate release; protect sensitive investigative techniques and industry trade secrets from unnecessary disclosure in litigation or criminal trials involving encryption, consistent with fully protecting defendants' rights to a fair trial; and authorize $80 million over four years for the FBI's Technical Support Center (TSC), which serves as a centralized technical resource for federal, state and local law enforcement in responding to the increased use of encryption in criminal cases. The TSC is an expansion of the FBI's Engineering Research capabilities that will take advantage of existing institutional and technical expertise in this area. As indicated earlier, the FY 2001 budget proposes an increase of $7,000,000 for the FBI's counterencryption program. We urge Congress to support us in these endeavors. The law enforcement community relies on lawfully-authorized electronic surveillance as an essential tool for the investigation, disruption, and prevention of serious and violent offenses. Technological advances have taken a serious toll on law enforcement's ability to protect the public through the use of lawfully-authorized electronic surveillance. The Communications Assistance for Law Enforcement Act (CALEA) was passed so that the telecommunications industry would pro-actively address law enforcement's need and authority to conduct lawfully-authorized electronic surveillance as a basic element in providing service. CALEA clarifies and further defines existing statutory obligations of the telecommunications industry to assist law enforcement in executing lawfully-authorized electronic surveillance. 
The FBI developed a flexible deployment strategy to minimize the costs and the operational impact of installation of CALEA-compliant software on telecommunications carriers. This strategy supports the carriers' deployment of CALEA-compliant solutions in accordance with their normal business cycles when this deployment will not delay implementation of CALEA solutions in high-priority areas. The carriers will provide projected CALEA-deployment schedules for all switches in their network and information pertaining to recent lawfully authorized electronic surveillance activity. Using this information, the FBI and the carrier will develop a mutually agreeable deployment schedule. The FBI provided the carriers with the Flexible Deployment Assistance Guide to facilitate the carrier's submission of information. The FBI is negotiating with telecommunications carriers and manufacturers of telecommunications equipment for nationwide Right-to-Use (RTU) licenses to facilitate the availability of CALEA-compliant software to carriers. Also, the FBI is establishing a regional, nationwide law enforcement liaison program. This team will facilitate developing consensus law enforcement electronic surveillance requirements for all telecommunications technologies and services required to comply with CALEA; educate and inform Congress and the Federal Communications Commission (FCC) to ensure law enforcement's ability to conduct court-authorized electronic surveillance is not compromised on any telecommunications technology or service required to comply with CALEA; identify, publish, and ensure deployment of capacity requirements in accordance with Section 104 of CALEA; and develop a prioritized plan for the effective deployment and tracking of CALEA solutions. The FBI needs to conduct testing and verification of manufacturer-proposed CALEA technical solutions and to have the subject matter expertise necessary to address new technologies that must comply with CALEA. 
Without these capabilities, the FBI will be unable to conduct testing and verification of manufacturer-proposed CALEA technical solutions and complete the nationwide RTU license agreements. The FY 2001 budget proposes a total of $240,000,000 for CALEA RTU license agreements, including $120,000,000 under the Telecommunications Carrier Compliance Fund and $120,000,000 under the Department of Defense. Additionally, $2,100,000 is requested to support the FBI's CALEA program management office.
Conclusion
Computer crime is one of the most dynamic problems the FBI faces today. Just think about how many computers you have owned and how many different software packages you have learned over the past several years, and you can only begin to appreciate the scope of the problem we are dealing with in this fast-changing area. We need to budget for and train on technology that often has not even been invented when we begin the budget cycle some 18 months prior to the beginning of the fiscal year. I am proud of the progress that we have made in dealing with this problem. What I have tried to do here today is give you a flavor of what we are facing. I am confident that once the scope of the problem is clear, we can work together to develop the capabilities to meet the computer crime problem, in all its facets, head on. Our economy and public safety depend on it.
Executive Order 13010, which formed the PCCIP, was signed by President William J. Clinton on July 15, 1996. The original text of the executive order as it was signed on that day is available from the White House Web site.
Executive Order 13010 has been amended three times:
The texts of these amendments are available on another page at this site. Below we have reproduced the text of Executive Order 13010 in its full amended form.
CRITICAL INFRASTRUCTURE PROTECTION
Certain national infrastructures are so vital that their incapacity or destruction would have a debilitating impact on the defense or economic security of the United States. These critical infrastructures include telecommunications, electrical power systems, gas and oil storage and transportation, banking and finance, transportation, water supply systems, emergency services (including medical, police, fire, and rescue), and continuity of government. Threats to these critical infrastructures fall into two categories: physical threats to tangible property ("physical threats"), and threats of electronic, radio-frequency, or computer-based attacks on the information or communications components that control critical infrastructures ("cyber threats"). Because many of these critical infrastructures are owned and operated by the private sector, it is essential that the government and private sector work together to develop a strategy for protecting them and assuring their continued operation.
NOW, THEREFORE, by the authority vested in me as President by the Constitution and the laws of the United States of America, it is hereby ordered as follows:
Section 1. Establishment. There is hereby established the President's Commission on Critical Infrastructure Protection ("Commission").
(a) Chair. A qualified individual from outside the Federal Government shall be designated by the President from among the members to serve as Chair of the Commission. The Commission Chair shall be employed on a full-time basis.
(b) Members. The head of each of the following executive branch departments and agencies shall nominate not more than two full-time members of the Commission:
(i) Department of the Treasury;
(ii) Department of Justice;
(iii) Department of Defense;
(iv) Department of Commerce;
(v) Department of Transportation;
(vi) Department of Energy;
(vii) Central Intelligence Agency;
(viii) Federal Emergency Management Agency;
(ix) Federal Bureau of Investigation;
(x) National Security Agency.
One of the nominees of each agency may be an individual from outside the Federal Government who shall be employed by the agency on a full-time basis. Each nominee must be approved by the Steering Committee.
Sec. 2. The Principals Committee. The Commission shall report to the President through a Principals Committee ("Principals Committee"), which shall review any reports or recommendations before submission to the President. The Principals Committee shall comprise the:
(i) Secretary of the Treasury;
(ii) Secretary of Defense;
(iii) Attorney General;
(iv) Secretary of Commerce;
(v) Secretary of Transportation;
(vi) Secretary of Energy;
(vii) Director of Central Intelligence;
(viii) Director of the Office of Management and Budget;
(ix) Director of the Federal Emergency Management Agency;
(x) Assistant to the President for National Security Affairs;
(xi) Assistant to the Vice President for National Security Affairs;
(xii) Assistant to the President for Economic Policy and Director of the National Economic Council; and
(xiii) Assistant to the President and Director of the Office of Science and Technology Policy.
Sec. 3. The Steering Committee of the President's Commission on Critical Infrastructure Protection. A Steering Committee ("Steering Committee") shall oversee the work of the Commission on behalf of the Principals Committee. The Steering Committee shall comprise five members. Four of the members shall be appointed by the President, and the fifth member shall be the Chair of the Commission. Two of the members of the Committee shall be employees of the Executive Office of the President. The Steering Committee will receive regular reports on the progress of the Commission's work and approve the submission of reports to the Principals Committee.
Sec. 4. Mission. The Commission shall: (a) within 30 days of this order, produce a statement of its mission objectives, which will elaborate the general objectives set forth in this order, and a detailed schedule for addressing each mission objective, for approval by the Steering Committee;
(b) identify and consult with: (i) elements of the public and private sectors that conduct, support, or contribute to infrastructure assurance; (ii) owners and operators of the critical infrastructures; and (iii) other elements of the public and private sectors, including the Congress, that have an interest in critical infrastructure assurance issues and that may have differing perspectives on these issues;
(c) assess the scope and nature of the vulnerabilities of, and threats to, critical infrastructures;
(d) determine what legal and policy issues are raised by efforts to protect critical infrastructures and assess how these issues should be addressed;
(e) recommend a comprehensive national policy and implementation strategy for protecting critical infrastructures from physical and cyber threats and assuring their continued operation;
(f) propose any statutory or regulatory changes necessary to effect its recommendations; and
(g) produce reports and recommendations to the Steering Committee as they become available; it shall not limit itself to producing one final report.
Sec. 5. Advisory Committee to the President's Commission on Critical Infrastructure Protection. (a) The Commission shall receive advice from an advisory committee ("Advisory Committee") composed of no more than 20 individuals appointed by the President from the private and public sectors who are knowledgeable about critical infrastructures. The Advisory Committee shall advise the Commission on the subjects of the Commission's mission in whatever manner the Advisory Committee, the Commission Chair, and the Steering Committee deem appropriate.
(b) A Chair or Co-Chairs shall be designated by the President from among the members of the Advisory Committee.
(c) The Advisory Committee shall be established in compliance with the Federal Advisory Committee Act, as amended (5 U.S.C. App.). The Department of Defense shall perform the functions of the President under the Federal Advisory Committee Act for the Advisory Committee, except that of reporting to the Congress, in accordance with the guidelines and procedures established by the Administrator of General Services.
Sec. 6. Administration. (a) All executive departments and agencies shall cooperate with the Commission and provide such assistance, information, and advice to the Commission as it may request, to the extent permitted by law.
(b) The Commission and the Advisory Committee may hold open and closed hearings, conduct inquiries, and establish subcommittees, as necessary.
(c) Members of the Advisory Committee shall serve without compensation for their work on the Advisory Committee. While engaged in the work of the Advisory Committee, members may be allowed travel expenses, including per diem in lieu of subsistence, as authorized by law for persons serving intermittently in the government service.
(d) To the extent permitted by law, and subject to the availability of appropriations, the Department of Defense shall provide the Commission and the Advisory Committee with administrative services, staff, other support services, and such funds as may be necessary for the performance of its functions and shall reimburse the executive branch components that provide representatives to the Commission for the compensation of those representatives.
(e) In order to augment the expertise of the Commission, the Department of Defense may, at the Commission's request, contract for the services of nongovernmental consultants who may prepare analyses, reports, background papers, and other materials for consideration by the Commission. In addition, at the Commission's request, executive departments and agencies shall request that existing Federal advisory committees consider and provide advice on issues of critical infrastructure protection, to the extent permitted by law.
(f) The Commission shall terminate 1 year and 90 days from the date of this order, unless extended by the President prior to that date. The Principals Committee, the Steering Committee, and the Advisory Committee shall terminate no later than March 15, 1998, and, upon submission of the Commission's report, shall review the report and prepare appropriate recommendations to the President.
(g) The person who served as Chair of the Commission may continue to be a member of the Steering Committee after termination of the Commission.
Sec. 7. Review of Commission's Report. (a) Upon the termination of the Commission as set out in section 6(f) of this order, certain of the Commission's staff may be retained no later than March 15, 1998, solely to assist the Principals, Steering, and Advisory Committees in reviewing the Commission's report and preparing recommendations to the President. They shall act under the direction of the Steering Committee or its designated agent. The Department of Defense shall continue to provide funding and administrative support for the retained Commission staff.
(b) Pursuant to Executive Order 12958, I hereby designate the Executive Secretary of the National Security Council to exercise the authority to classify information originally as "Top Secret" with respect to the work of the Commission staff, the Principals Committee, the Steering Committee, the Advisory Committee, and the Infrastructure Protection Task Force.
Sec. 8. Interim Coordinating Mission. (a) While the Commission is conducting its analysis and until the President has an opportunity to consider and act on its recommendations, there is a need to increase coordination of existing infrastructure protection efforts in order to better address, and prevent, crises that would have a debilitating regional or national impact. There is hereby established an Infrastructure Protection Task Force ("IPTF") within the Department of Justice, chaired by the Federal Bureau of Investigation, to undertake this interim coordinating mission.
(b) The IPTF will not supplant any existing programs or organizations.
(c) The Steering Committee shall oversee the work of the IPTF.
(d) The IPTF shall include at least one full-time member each from the Federal Bureau of Investigation, the Department of Defense, and the National Security Agency. It shall also receive part-time assistance from other executive branch departments and agencies. Members shall be designated by their departments or agencies on the basis of their expertise in the protection of critical infrastructures. IPTF members' compensation shall be paid by their parent agency or department.
(e) The IPTF's function is to identify and coordinate existing expertise, inside and outside of the Federal Government, to:
(i) provide, or facilitate and coordinate the provision of, expert guidance to critical infrastructures to detect, prevent, halt, or confine an attack and to recover and restore service;
(ii) issue threat and warning notices in the event advance information is obtained about a threat;
(iii) provide training and education on methods of reducing vulnerabilities and responding to attacks on critical infrastructures;
(iv) conduct after-action analysis to determine possible future threats, targets, or methods of attack; and
(v) coordinate with the pertinent law enforcement authorities during or after an attack to facilitate any resulting criminal investigation.
(f) All executive departments and agencies shall cooperate with the IPTF and provide such assistance, information, and advice as the IPTF may request, to the extent permitted by law.
(g) All executive departments and agencies shall share with the IPTF information about threats and warning of attacks, and about actual attacks on critical infrastructures, to the extent permitted by law.
(h) The IPTF shall terminate no later than 180 days after the termination of the Commission, unless extended by the President prior to that date.
Sec. 9. General. (a) This order is not intended to change any existing statutes or Executive orders.
(b) This order is not intended to create any right, benefit, trust, or responsibility, substantive or procedural, enforceable at law or equity by a party against the United States, its agencies, its officers, or any person.
/s/ WILLIAM J. CLINTON
THE WHITE HOUSE,
July 15, 1996.
Executive Order 13025, which amended Executive Order 13010, was signed 13 November 1996 by President Clinton. Below is the text of this order as extracted from the Federal Record, which can be accessed online through the Government Printing Office.
[Federal Register: November 18, 1996 (Volume 61, Number 223)] [Presidential Documents] [Page 58623]
Executive Order 13025 of November 13, 1996
Amendment to Executive Order 13010, the President's Commission on Critical Infrastructure Protection
By the authority vested in me as President by the Constitution and the laws of the United States of America, and in order to amend Executive Order 13010, it is hereby ordered as follows:
Section 1. The first sentence of section 1(a) of Executive Order 13010 shall read "A qualified individual from outside the Federal Government shall be designated by the President from among the members to serve as Chair of the Commission."
Sec. 2. The second and third sentences of section 3 of Executive Order 13010 shall read "The Steering Committee shall comprise five members. Four of the members shall be appointed by the President, and the fifth member shall be the Chair of the Commission. Two of the members of the Committee shall be employees of the Executive Office of the President."
Sec. 3. The first sentence of section 5 of Executive Order 13010 shall be amended by deleting "ten" and inserting "15" in lieu thereof.
(Presidential Sig.)
THE WHITE HOUSE, November 13, 1996.
[FR Doc. 96-29597 Filed 11-15-96; 8:45 am] Billing code 3195-01-P
Executive Order 13041, which further amended Executive Order 13010, was signed 3 April 1997 by President Clinton. Below is the text of this order as extracted from the Federal Record, which can be accessed online through the Government Printing Office.
[Federal Register: April 8, 1997 (Volume 62, Number 67)] [Presidential Documents] [Page 17037-17039]
Executive Order 13041 of April 3, 1997
Further Amendment to Executive Order 13010, as Amended
By the authority vested in me as President by the Constitution and the laws of the United States of America, and in order to add the Assistant to the President for Economic Policy and the Assistant to the President and Director, Office of Science and Technology Policy to the Principals Committee of the President's Commission on Critical Infrastructure Protection ("Commission") and to extend the life of the Commission for an additional 90 days, it is hereby ordered that Executive Order 13010, as amended, is further amended by adding (1) "(xii) Assistant to the President for Economic Policy and Director of the National Economic Council; and (xiii) Assistant to the President and Director of the Office of Science and Technology Policy." to section 2 of that order and (2) "and 90 days" after "1 year" in section 6(f) of that order.
(Presidential Sig.)
THE WHITE HOUSE, April 3, 1997.
[FR Doc. 97-9200 Filed 4-7-97; 11:11 am] Billing code 3195-01-P
On October 11, 1997, Executive Order 13010 was amended for a third time by Executive Order 13064. Below is the text of this order as extracted from the Federal Record, which can be accessed online through the Government Printing Office.
[Federal Register: October 16, 1997 (Volume 62, Number 200)] [Presidential Documents] [Page 53711] From the Federal Register Online via GPO Access [wais.access.gpo.gov] [DOCID:fr16oc97-165]
Executive Order 13064 of October 11, 1997
Further Amendment to Executive Order 13010, as Amended, Critical Infrastructure Protection
By the authority vested in me as President by the Constitution and the laws of the United States of America, and in order to provide for the review of the report by the President's Commission on Critical Infrastructure Protection, it is hereby ordered that Executive Order 13010, as amended, is further amended as follows:
Section 1. Section 5(a), as amended, shall be further amended by deleting "15" and inserting "20" in lieu thereof and by deleting "sector" and inserting "and public sectors" in lieu thereof. Section 5(b) shall be amended by inserting "or Co-Chairs" after "Chair".
Sec. 2. Section 6(f), as amended, shall be further amended by deleting ", the Principals Committee, the Steering Committee, and the Advisory Committee" and by inserting a second sentence, which shall read: "The Principals Committee, the Steering Committee, and the Advisory Committee shall terminate no later than March 15, 1998, and, upon submission of the Commission's report, shall review the report and prepare appropriate recommendations to the President." Section 6, as amended, shall be further amended by inserting the following: "(g) The person who served as Chair of the Commission may continue to be a member of the Steering Committee after termination of the Commission."
Sec. 3. A new section 7 shall be inserted, which reads: "Sec. 7. Review of Commission's Report. (a) Upon the termination of the Commission as set out in section 6(f) of this order, certain of the Commission's staff may be retained no later than March 15, 1998, solely to assist the Principals, Steering, and Advisory Committees in reviewing the Commission's report and preparing recommendations to the President. They shall act under the direction of the Steering Committee or its designated agent. The Department of Defense shall continue to provide funding and administrative support for the retained Commission staff. (b) Pursuant to Executive Order 12958, I hereby designate the Executive Secretary of the National Security Council to exercise the authority to classify information originally as "Top Secret" with respect to the work of the Commission staff, the Principals Committee, the Steering Committee, the Advisory Committee, and the Infrastructure Protection Task Force."
Sec. 4. Sections 7 and 8 of Executive Order 13010, as amended, shall be renumbered sections 8 and 9, respectively.
(Presidential Sig.)
THE WHITE HOUSE, October 11, 1997.
[FR Doc. 97-27644 Filed 10-15-97; 8:45 am] Billing code 3195-01-P
[Federal Register: March 3, 1997 (Volume 62, Number 41)] [Presidential Documents] [Page 9349]
Order of February 26, 1997
Designation Under Executive Order 12958
Pursuant to the provisions of section 1.4 of Executive Order 12958 of April 17, 1995, entitled "Classified National Security Information," I hereby designate the following additional official to classify information originally as "Top Secret": The Chair, President's Commission on Critical Infrastructure Protection.
The Chair of the President's Commission on Critical Infrastructure Protection, established under Executive Order 13010 of July 15, 1996, shall exercise the authority to classify information originally as "Top Secret" during the existence of the Commission. Any delegation of this authority shall be in accordance with section 1.4(c) of Executive Order 12958.
This order shall be published in the Federal Register.
(Presidential Sig.)
THE WHITE HOUSE, February 26, 1997.
[FR Doc. 97-5308 Filed 2-28-97; 8:45 am] Billing code 3195-01-P
This report summary is also available in a formatted Acrobat version (30k). The report itself is also available at this Web site.
"Our responsibility is to build the world of tomorrow by embarking on a period of construction -- one based on current realities but enduring American values and interests..."
President William J. Clinton
National Security Strategy
The United States is in the midst of a tremendous cultural change -- a change that affects every aspect of our lives. The cyber dimension promotes accelerating reliance on our infrastructures and offers access to them from all over the world, blurring traditional boundaries and jurisdictions. National defense is not just about government anymore, and economic security is not just about business. The critical infrastructures are central to our national defense and our economic power, and we must lay the foundations for their future security on a new form of cooperation between the private sector and the federal government.
The federal government has an important role to play in defense against cyber threats -- collecting information about tools that can do harm, conducting research into defensive technologies, and sharing defensive techniques and best practices. Government also must lead and energize its own protection efforts, and engage the private sector by offering expertise to facilitate protection of privately owned infrastructures.
In the private sector, the defenses and responsibilities naturally encouraged and expected as prudent business practice for owners and operators of our infrastructures are the very same measures needed to protect against the cyber tools available to terrorists and other threats to national security.
Terrorist bombings of US forces in Saudi Arabia, the World Trade Center in New York City, and the federal building in Oklahoma City remind us that the end of the Cold War has not eliminated threats of hostile action against the United States.
In recognition of comparable threats to our national infrastructures, President Clinton signed Executive Order 13010 on July 15, 1996, establishing the President's Commission on Critical Infrastructure Protection. The Commission was chartered to conduct a comprehensive review and recommend a national policy for protecting critical infrastructures and assuring their continued operation.
This was an unusually large commission with broad representation from federal departments and agencies and from the private sector. An Advisory Committee of industry leaders appointed by the President provided the perspective of the infrastructure owners and operators. A Steering Committee, composed of the Commission's Chairman and four top government officials, oversaw the Commission's work on behalf of the Principals Committee, which included Cabinet Officers, heads of agencies, and senior White House staff members.
The Commission generally operated by consensus. Every recommendation was discussed at length with the full Commission and most were revised several times before final approval. No Commissioner agreed completely with all of the recommendations. Nevertheless, each accepted the final report as a reasonable and balanced recommendation to the President.
The Commission divided its work into five "sectors" based on the common characteristics of the included industries. The sectors are:
The Commission characterized the sectors, studied their vulnerabilities, and looked for solutions.
We prepared comprehensive working papers for each of the five sectors providing specific recommendations. Other work contains the results of deliberations on issues that are not sector specific. Among them is a paper on Research and Development Recommendations, which outlines a comprehensive set of topics regarding the long term needs of infrastructure protection. The paper on National Structures contains our conclusions and recommendations about the functions and responsibilities for infrastructure assurance and the creation of new units in the federal government and the private sector, and some that are jointly staffed by government employees and representatives of the infrastructure owners and operators. The paper on Shared Infrastructures: Shared Threats is our collected analysis of the vulnerabilities and threats facing the critical infrastructures. We recognize the enormous significance of physical threats, but we have a significant amount of experience in dealing with them. It is the cyber threat that is new. Cyber issues dominate this analysis because networked information systems present fundamentally new security challenges.
We conducted extensive meetings with a range of professional and trade associations concerned with the infrastructures, private sector infrastructure users and providers, academia, different state and local government agencies, consumers, federal agencies, and numerous others. Of special interest were five public meetings in major cities.
We attended dozens of conferences and roundtables with a variety of groups, and we arranged two strategic simulations with participants drawn from across the infrastructures and from all levels of government. We encouraged questions and comments by anyone, and established a World Wide Web site to facilitate contact. Several meetings with Congressional Members and their staffs added a very useful perspective to our research.
During the preparation of the sector papers we identified several dozen issues for which recommendations might be appropriate. Each issue was described, relevant observations, findings, and conclusions were collected, and several alternative recommendations were prepared. The Commission then deliberated each issue and selected one of the alternative recommendations.
The development of the computer and its astonishingly rapid improvements have ushered in the Information Age that affects almost all aspects of American commerce and society. Our security, economy, way of life, and perhaps even survival, are now dependent on the interrelated trio of electrical energy, communications, and computers.
Classical physical disruptions. A satchel of dynamite or a truckload of fertilizer and diesel fuel have been frequent terrorist tools. The explosion and the damage are so certain to draw attention that these kinds of attacks continue to be among the probable threats to our infrastructures.
New, cyber threats. Today, the right command sent over a network to a power generating station's control computer could be just as effective as a backpack full of explosives, and the perpetrator would be harder to identify and apprehend.
The rapid growth of a computer-literate population ensures that increasing millions of people possess the skills necessary to consider such an attack. The wide adoption of public protocols for system interconnection and the availability of "hacker tool" libraries make their task easier.
While the resources needed to conduct a physical attack have not changed much recently, the resources necessary to conduct a cyber attack are now commonplace. A personal computer and a simple telephone connection to an Internet Service Provider anywhere in the world are enough to cause a great deal of harm.
System complexities and interdependencies. The energy and communications infrastructures especially are growing in complexity and operating closer to their designed capacity. This creates an increased possibility of cascading effects that begin with a rather minor and routine disturbance and end only after a large regional outage. Because of their technical complexity, some of these dependencies may be unrecognized until a major failure occurs.
Of the many people with the necessary skills and resources, some may have the motivation to cause substantial disruption in services or destruction of the equipment used to provide the service.
The following list of the kinds of threats we considered shows the scope of activity with potentially adverse consequences for the infrastructures, and the diversity of people who might engage in that activity. It may not be possible to categorize the threat until the perpetrator is identified -- for example, we may not be able to distinguish industrial espionage from national intelligence collection.
Natural events and accidents. Storm-driven wind and water regularly cause service outages, but the effects are well known, the providers are experienced in dealing with these situations, and the effects are limited in time and geography.
Accidental physical damage to facilities is known to cause a large fraction of system incidents. Common examples are fires and floods at central facilities and the ubiquitous backhoe that unintentionally severs pipes or cables.
Blunders, errors, and omissions. By most accounts, incompetent, inquisitive, or unintentional human actions (or omissions) cause a large fraction of the system incidents that are not explained by natural events and accidents. Since these usually only affect local areas, service is quickly restored; but there is potential for a nationally significant event.
Insiders. Normal operation demands that a large number of people have authorized access to the facilities or to the associated information and communications systems. If motivated by a perception of unfair treatment by management, or if suborned by an outsider, an "insider" could use authorized access for unauthorized disruptive purposes.
Recreational hackers. For an unknown number of people, gaining unauthorized electronic access to information and communication systems is a most fascinating and challenging game. Often they deliberately arrange for their activities to be noticed even while hiding their specific identities. While their motivations do not include actual disruption of service, the tools and techniques they perfect among their community are available to those with hostile intent.
Criminal activity. Some are interested in personal financial gain through manipulation of financial or credit accounts or stealing services. In contrast to some hackers, these criminals typically hope their activities will never be noticed, much less attributed to them. Organized crime groups may be interested in direct financial gain, or in covering their activity in other areas.
Industrial espionage. Some firms can find reasons to discover the proprietary activities of their competitors, by open means if possible or by criminal means if necessary. Often these are international activities conducted on a global scale.
Terrorism. A variety of groups around the world would like to influence US policy and are willing to use disruptive tactics if they think that will help.
National intelligence. Most, if not all, nations have at least some interest in discovering what would otherwise be secrets of other nations for a variety of economic, political, or military purposes.
Information warfare. Both physical and cyber attacks on our infrastructures could be part of a broad, orchestrated attempt to disrupt a major US military operation or a significant economic activity.
We have observed that the general public seems unaware of the extent of the vulnerabilities in the services that we all take for granted, and that within government and among industry decision-makers, awareness is limited. Several have told us that there has not yet been a cause for concern sufficient to demand action.
We do acknowledge that this situation seems to be changing for the better. The public news media seem to be carrying relevant articles more frequently; attendance at conferences of security professionals is up; and vendors are actively introducing new security products.
The Commission believes that the actions recommended in this report will increase sensitivity to these problems and reduce our vulnerabilities at all levels.
Related to the lack of awareness is the need for a national focus or advocate for infrastructure protection. Following up on our report to the President, we need to build a framework of effective deterrence and prevention.
This is not simply the usual study group's lament that "no one is in charge." These infrastructures are so varied, and form such a large part of this nation's economic activity, that no one person or organization can be in charge. We do not need, and probably could not stand, the appointment of a Director of Infrastructures. We do need, and recommend, several more modest ways to create and maintain a national focus on the issues.
Protection of our infrastructures will not be accomplished by a big federal project. It will require continuous attention and incremental improvement for the foreseeable future.
Life on the information superhighway isn't much different from life on the streets; the good guys have to hustle to keep the bad guys from getting ahead.
It is not surprising that infrastructures have always been attractive targets for those who would do us harm. In the past we have been protected from hostile attacks on the infrastructures by broad oceans and friendly neighbors. Today, the evolution of cyber threats has changed the situation dramatically. In cyberspace, national borders are no longer relevant. Electrons don't stop to show passports.
Potentially serious cyber attacks can be conceived and planned without detectable logistic preparation. They can be invisibly reconnoitered, clandestinely rehearsed, and then mounted in a matter of minutes or even seconds without revealing the identity and location of the attacker.
Formulas that carefully divide responsibility between foreign defense and domestic law enforcement no longer apply as clearly as they used to. "With the existing rules, you may have to solve the crime before you can decide who has the authority to investigate it." 
The Commission has not discovered an imminent attack or a credible threat sufficient to warrant a sense of immediate national crisis. However, we are quite convinced that our vulnerabilities are increasing steadily while the costs associated with an effective attack continue to drop. What is more, the investments required to improve the situation are still relatively modest, but will rise if we procrastinate.
We should attend to our critical foundations before the storm arrives, not after: Waiting for disaster will prove as expensive as it is irresponsible.
National security requires much more than military strength. Our world position, our ability to influence others, our standard of living, and our own self-image depend on economic prosperity and public confidence. Clear distinctions between foreign and domestic policy no longer serve our interests well.
At the same time, the effective operation of our military forces depends more and more on the continuous availability of infrastructures, especially communications and transportation, that are not dedicated to military use.
While no nation state is likely to attack our territory or our armed forces, we are inevitably the target of ill will and hostility from some quarters. Disruption of the services on which our economy and well-being depend could have significant effects, and if repeated frequently could seriously harm public confidence. Because our military and private infrastructures are becoming less and less separate, because it is harder to tell whether a threat comes from local criminals or from foreign powers, and because the techniques of protection, mitigation, and restoration are largely the same, we conclude that responsibility for infrastructure protection and assurance can no longer be delegated on the basis of who the attacker is or where the attack originates. Rather, the responsibility should be shared cooperatively among all of the players.
Because of our finding that the public in general and many industry and government leaders are insufficiently aware of the vulnerabilities, we have recommended a broad and continuous program of awareness and education to cover all possible audiences. We include White House conferences, National Academy studies, presentations at industry associations and professional societies, development and promulgation of elementary and secondary curricula, and sponsorship of graduate studies and programs.
We believe the quickest and most effective way to achieve a much higher level of protection from cyber threats is to raise the level of existing protection through application of "best practices." We have accordingly recommended a sector-by-sector cooperation and information sharing strategy. In general, these sector structures should be partnerships among the owners and operators, and appropriate government agencies, which will identify and communicate best practices. We have especially asked the National Institute of Standards and Technology (NIST) and the National Security Agency (NSA) to provide technical skills and expertise required to identify and evaluate vulnerabilities in the associated information networks and control systems.
One very effective practice is a quantitative risk-management process, addressing physical attacks, cyber attacks that could corrupt essential information or deny service, the possibility of cascading effects, and new levels of interdependency.
The first focus of sector cooperation should be to share information and techniques related to risk management assessments. This should include development and deployment of ways to prevent attacks, mitigate damage, quickly recover services, and eventually reconstitute the infrastructure.
We suggest consideration of these immediate actions prior to the completion of a formal risk assessment: (1) Isolate critical control systems from insecure networks by disconnection or adequate firewalls; (2) Adopt best practices for password control and protection, or install more modern authentication mechanisms; (3) Provide for individual accountability through protected action logs or the equivalent.
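The third immediate action above, individual accountability through protected action logs, is the one most easily shown in code. The following is an added example and not part of the Commission's report or of any system it describes: a hash-chained, keyed action log in which every record commits to all records before it, so that an insider who later rewrites or deletes an earlier entry is detected on verification. The operator names, actions and equipment names are constructed sample data, and the chaining and HMAC scheme is the editor's choice of technique, not one the report prescribes.

```python
"""Tamper-evident, per-operator action log (added example, not the report's code)."""
import hashlib
import hmac
import json
import os
from typing import Dict, List

GENESIS = "0" * 64  # previous-hash value for the first record


def _entry_hash(prev_hash: str, entry: Dict) -> str:
    # Canonical JSON so the same entry always hashes the same way.
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + b"\n" + payload).hexdigest()


class ActionLog:
    """Append-only log; each record is chained to its predecessor and sealed with a key."""

    def __init__(self, key: bytes):
        # The sealing key should live on the log collector, not on the control
        # network, so that someone who can rewrite the log file cannot re-seal it.
        self._key = key
        self.records: List[Dict] = []

    def append(self, operator: str, action: str, target: str) -> Dict:
        prev = self.records[-1]["hash"] if self.records else GENESIS
        entry = {"seq": len(self.records), "operator": operator,
                 "action": action, "target": target}
        h = _entry_hash(prev, entry)
        tag = hmac.new(self._key, h.encode(), hashlib.sha256).hexdigest()
        record = dict(entry, prev=prev, hash=h, tag=tag)
        self.records.append(record)
        return record

    def verify(self) -> int:
        """Return the index of the first bad record, or -1 if the chain is intact."""
        prev = GENESIS
        for i, rec in enumerate(self.records):
            entry = {k: rec[k] for k in ("seq", "operator", "action", "target")}
            if rec["seq"] != i or rec["prev"] != prev:
                return i  # record deleted, reordered, or inserted
            if _entry_hash(prev, entry) != rec["hash"]:
                return i  # record contents edited
            expected = hmac.new(self._key, rec["hash"].encode(), hashlib.sha256).hexdigest()
            if not hmac.compare_digest(expected, rec["tag"]):
                return i  # chain re-sealed without the key
            prev = rec["hash"]
        return -1

    def actions_by(self, operator: str) -> List[str]:
        """Accountability query: every action attributed to one operator."""
        return [r["action"] for r in self.records if r["operator"] == operator]


def _sample_log(key: bytes) -> ActionLog:
    # Constructed sample data: three control actions by two operators.
    log = ActionLog(key)
    log.append("alice", "open_breaker", "feeder-12")
    log.append("bob", "set_setpoint 480V", "xfmr-3")
    log.append("alice", "close_breaker", "feeder-12")
    return log


def demo() -> Dict:
    key = os.urandom(32)
    clean = _sample_log(key)
    by_alice = clean.actions_by("alice")

    # An insider edits history to pin the breaker operation on bob.
    edited = _sample_log(key)
    edited.records[0]["operator"] = "bob"

    # Another insider simply deletes the record of bob's setpoint change.
    pruned = _sample_log(key)
    del pruned.records[1]

    return {"intact": clean.verify(), "edited": edited.verify(),
            "pruned": pruned.verify(), "by_alice": by_alice}


if __name__ == "__main__":
    print(demo())
```

One caveat a practitioner should keep in mind: a hash chain detects edits, insertions and deletions in the middle of the log, but not silent truncation of the tail. To close that gap, the hash of the latest record has to be anchored somewhere the local operator cannot reach, for example by forwarding it to a separate log collector at fixed intervals.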
The sector cooperation and information sharing needed to improve risk assessments and to protect against probable attacks may naturally develop into sharing of information on current status. This would permit assessing whether one of the infrastructures is under a coordinated attack -- physical, cyber, or combined. As this process develops, the national center for analysis of such information should be in place and ready to cooperate.
Law has failed to keep pace with technology. Some laws capable of promoting assurance are not as clear or effective as they could be. Still others can operate in ways that may be unfriendly to security concerns. Sorting them all out will be a lengthy and massive undertaking, involving efforts at local, state, federal, and international levels. Recognizing the dynamic nature of legal reform, we attempted to lay a foundation through various studies, papers, and a legal authorities database that can aid eventual implementation of our recommendations and assist owners, operators, and government at all levels.
We also offered a number of preliminary legal recommendations intended to jump-start this process of reform. We identified existing laws that could help the government take the lead and serve as a model of standards and practices for the private sector. We identified other areas of law which, with careful attention, can enable infrastructure owners and operators to take precautions proportionate to the threat. We identified still other areas of law that should be molded to enable a greater degree of government-industry partnership in areas such as information sharing.
The Commission believes that some of the basic technology needed to improve infrastructure protection already exists, but needs to be widely deployed. In other areas, additional research effort is needed.
At the same time, the Commission recognizes that we are not now able to deploy several capabilities that we need. We have, therefore, recommended a program of research and development focused on those future capabilities. Among them are new capabilities for detection and identification of intrusion and improved simulation and modeling capability to understand the effects of interconnected and fully interdependent infrastructures.
In order to be effective, recommendations must discuss not only what is to be done, but how it will get done and who will do it. We have recommended the following partnering organizations be established to be responsible for specific parts of our vision:
Sector Coordinators to provide the focus for industry cooperation and information sharing, and to represent the sector in matters of national cooperation and policy;
Lead Agencies, designated within the federal government, to serve as a conduit from the government into each sector and to facilitate the creation of sector coordinators, if needed;
National Infrastructure Assurance Council of industry CEOs, Cabinet Secretaries, and representatives of state and local government to provide policy advice and implementation commitment;
Information Sharing and Analysis Center to begin the step-by-step process of establishing a realistic understanding of what is going on in our infrastructures -- of distinguishing actual attack from coincidental events;
Infrastructure Assurance Support Office to house the bulk of the national staff which is responsible for continuous management and follow-through of our recommendations; and
Office of National Infrastructure Assurance as the top-level policy making office connected closely to the National Security Council and the National Economic Council.
It is clear to us that infrastructure assurance must be a high priority for the nation in the Information Age. With escalating dependence on information and telecommunications, our infrastructures no longer enjoy the protection of oceans and military forces. They are vulnerable in new ways. We must protect them in new ways. And that is what we recommend in this report.
The public and private sectors share responsibility for infrastructure protection. Our recommendations seek to provide structures for the partnership needed to assure our future security. Further, they seek to define new ways for approaching infrastructure assurance -- ways that recognize the new thinking required in the Information Age, the new international security environment emerging from our victory in the Cold War and both the promise and danger of technology moving at breakneck speed.
We do not so much offer solutions as directions -- compass headings that will help navigate through a new geography and ensure the continuity of the infrastructures that underpin America's economic, military, and social strength.