
67–303

2000
INTERNET DENIAL OF SERVICE ATTACKS AND THE FEDERAL RESPONSE

JOINT HEARING

BEFORE THE

SUBCOMMITTEE ON CRIME

OF THE
COMMITTEE ON THE JUDICIARY
HOUSE OF REPRESENTATIVES

AND THE
SUBCOMMITTEE ON CRIMINAL JUSTICE OVERSIGHT

OF THE
SENATE COMMITTEE ON THE JUDICIARY

ONE HUNDRED SIXTH CONGRESS

SECOND SESSION

FEBRUARY 29, 2000

Serial No. 139
(House Committee on the Judiciary)

Serial No. J–106–66A
(Senate Committee on the Judiciary)

Printed for the use of the House and Senate Committees on the Judiciary

For sale by the U.S. Government Printing Office
Superintendent of Documents, Congressional Sales Office, Washington, DC 20402

COMMITTEE ON THE JUDICIARY
HENRY J. HYDE, Illinois, Chairman
F. JAMES SENSENBRENNER, Jr., Wisconsin
BILL McCOLLUM, Florida
GEORGE W. GEKAS, Pennsylvania
HOWARD COBLE, North Carolina
LAMAR S. SMITH, Texas
ELTON GALLEGLY, California
CHARLES T. CANADY, Florida
BOB GOODLATTE, Virginia
STEVE CHABOT, Ohio
BOB BARR, Georgia
WILLIAM L. JENKINS, Tennessee
ASA HUTCHINSON, Arkansas
EDWARD A. PEASE, Indiana
CHRIS CANNON, Utah
JAMES E. ROGAN, California
LINDSEY O. GRAHAM, South Carolina
MARY BONO, California
SPENCER BACHUS, Alabama
JOE SCARBOROUGH, Florida
DAVID VITTER, Louisiana

JOHN CONYERS, Jr., Michigan
BARNEY FRANK, Massachusetts
HOWARD L. BERMAN, California
RICK BOUCHER, Virginia
JERROLD NADLER, New York
ROBERT C. SCOTT, Virginia
MELVIN L. WATT, North Carolina
ZOE LOFGREN, California
SHEILA JACKSON LEE, Texas
MAXINE WATERS, California
MARTIN T. MEEHAN, Massachusetts
WILLIAM D. DELAHUNT, Massachusetts
ROBERT WEXLER, Florida
STEVEN R. ROTHMAN, New Jersey
TAMMY BALDWIN, Wisconsin
ANTHONY D. WEINER, New York

THOMAS E. MOONEY, SR., General Counsel-Chief of Staff
JULIAN EPSTEIN, Minority Chief Counsel and Staff Director

Subcommittee on Crime
BILL McCOLLUM, Florida, Chairman
STEVE CHABOT, Ohio
BOB BARR, Georgia
GEORGE W. GEKAS, Pennsylvania
HOWARD COBLE, North Carolina
LAMAR S. SMITH, Texas
CHARLES T. CANADY, Florida
ASA HUTCHINSON, Arkansas

ROBERT C. SCOTT, Virginia
MARTIN T. MEEHAN, Massachusetts
STEVEN R. ROTHMAN, New Jersey
ANTHONY D. WEINER, New York
SHEILA JACKSON LEE, Texas

GLENN R. SCHMITT, Chief Counsel
DANIEL J. BRYANT, Chief Counsel
RICK FILKINS, Counsel
CARL THORSEN, Counsel
BOBBY VASSAR, Minority Counsel

SENATE COMMITTEE ON THE JUDICIARY

ORRIN G. HATCH, Utah, Chairman

STROM THURMOND, South Carolina
CHARLES E. GRASSLEY, Iowa
ARLEN SPECTER, Pennsylvania
JON KYL, Arizona
MIKE DEWINE, Ohio
JOHN ASHCROFT, Missouri
SPENCER ABRAHAM, Michigan
JEFF SESSIONS, Alabama
BOB SMITH, New Hampshire

PATRICK J. LEAHY, Vermont
EDWARD M. KENNEDY, Massachusetts
JOSEPH R. BIDEN, Jr., Delaware
HERBERT KOHL, Wisconsin
DIANNE FEINSTEIN, California
RUSSELL D. FEINGOLD, Wisconsin
ROBERT G. TORRICELLI, New Jersey
CHARLES E. SCHUMER, New York

MANUS COONEY, Chief Counsel and Staff Director
BRUCE A. COHEN, Minority Chief Counsel

Subcommittee on Criminal Justice Oversight

STROM THURMOND, South Carolina, Chairman

MIKE DEWINE, Ohio
JOHN ASHCROFT, Missouri
SPENCER ABRAHAM, Michigan
JEFF SESSIONS, Alabama

CHARLES E. SCHUMER, New York
JOSEPH R. BIDEN, Jr., Delaware
ROBERT G. TORRICELLI, New Jersey
PATRICK J. LEAHY, Vermont

GARY MALPHRUS, Chief Counsel
GLEN SHOR, Legislative Assistant

C O N T E N T S

HEARING DATE
    February 29, 2000

OPENING STATEMENT

    McCollum, Hon. Bill, a Representative in Congress From the State of Florida, and chairman, Subcommittee on Crime

    Thurmond, Hon. Strom, a U.S. Senator From the State of South Carolina, and presiding chairman, Subcommittee on Criminal Justice Oversight

WITNESSES

    Dempsey, James X., Esq., senior staff counsel, The Center for Democracy & Technology, Washington, DC

    Fithen, Katherine T., manager, CERT Coordination Center, Software Engineering Institute, Pittsburgh, PA

    Giancarlo, Charles, senior vice president, Cisco Systems Incorporated, San Jose, CA

    Guiberson, Samuel A., Esq., Houston, TX

    Holder, Eric, Deputy Attorney General, Department of Justice, Washington, DC

    Misener, Paul, vice president, Global Public Policy, Amazon.com, Seattle, WA

    ''Mudge,'' vice president of research and development, @Stake, Inc., Cambridge, MA

    Rosensweig, Dan, president and CEO, ZDNet.com, New York, NY

    Schmidt, Howard, director, information security, Microsoft Corporation, Redmond, WA

    Vatis, Michael, Director, National Infrastructure Protection Center, Federal Bureau of Investigation, Washington, DC

LETTERS, STATEMENTS, ETC., SUBMITTED FOR THE HEARING

    Barr, Hon. Bob, a Representative in Congress From the State of Georgia: Prepared statement

    Conyers, Hon. John, Jr., a Representative in Congress From the State of Michigan: Prepared statement

    Dempsey, James X., Esq., senior staff counsel, The Center for Democracy & Technology, Washington, DC: Prepared statement

    Fithen, Katherine T., manager, CERT Coordination Center, Software Engineering Institute, Pittsburgh, PA: Prepared statement

    Giancarlo, Charles, senior vice president, Cisco Systems Incorporated, San Jose, CA: Prepared statement

    Guiberson, Samuel A., Esq., Houston, TX: Prepared statement

    Holder, Eric, Deputy Attorney General, Department of Justice, Washington, DC: Prepared statement

    Leahy, Hon. Patrick J., a U.S. Senator From the State of Vermont: Prepared statement

    McCollum, Hon. Bill, a Representative in Congress From the State of Florida, and chairman, Subcommittee on Crime: Prepared statement

    Misener, Paul, vice president, Global Public Policy, Amazon.com, Seattle, WA: Prepared statement

    ''Mudge,'' vice president of research and development, @Stake, Inc., Cambridge, MA: Prepared statement

    Rosensweig, Dan, president and CEO, ZDNet.com, New York, NY: Prepared statement

    Schmidt, Howard, director, information security, Microsoft Corporation, Redmond, WA: Prepared statement

    Thurmond, Hon. Strom, a U.S. Senator From the State of South Carolina, and presiding chairman, Subcommittee on Criminal Justice Oversight: Prepared statement

    Vatis, Michael, Director, National Infrastructure Protection Center, Federal Bureau of Investigation, Washington, DC: Prepared statement

APPENDIX
    Material submitted for the record

INTERNET DENIAL OF SERVICE ATTACKS AND THE FEDERAL RESPONSE

TUESDAY, FEBRUARY 29, 2000

House of Representatives, Subcommittee on Crime, Committee on the Judiciary, Jointly With U.S. Senate, Subcommittee on Criminal Justice Oversight, Committee on the Judiciary, Washington, DC.

    The subcommittees met, pursuant to call, at 2:10 p.m., in Room 2141, Rayburn House Office Building, Hon. Bill McCollum [chairman of the Subcommittee on Crime] presiding.

    Present for the Subcommittee on Crime: Representatives Bill McCollum, Bob Barr, Howard Coble, Asa Hutchinson, Robert C. Scott, and Martin T. Meehan.

    Present for the Subcommittee on Criminal Justice Oversight: Senators Strom Thurmond and Charles Schumer.

    Also present: Representatives Robert Goodlatte and Jerrold Nadler.

    Staff present: For the Subcommittee on Crime: Glenn R. Schmitt, chief counsel; Daniel J. Bryant, chief counsel; Rick Filkins, counsel; Veronica L. Eligan, staff assistant; Bobby Vassar, minority counsel. For the Senate Subcommittee on Criminal Justice Oversight: Garry Malphrus, chief counsel; and Melinda Koutsoumpas, chief clerk.

OPENING STATEMENT OF CHAIRMAN MCCOLLUM

    The CHAIRMAN. This joint hearing will come to order today. Today the members of the Subcommittee on Crime in the House are pleased to be joined by the members of the Senate Subcommittee on Criminal Justice Oversight for the purpose of conducting a joint oversight hearing on the recent cyber attacks on the Internet and the Federal Government response.

    I want to personally welcome each of the Senators here today, and in particular, the distinguished chairman of the subcommittee, the Senator from South Carolina, Strom Thurmond. Strom, I am delighted to see that we are sharing the gavel today. It is the first time, I think, that we have had an opportunity to do that, and it is a wonderful experience. And I am looking forward to it. I also want to welcome back to the House the ranking minority member of the Senate subcommittee, the Senator from New York, Mr. Schumer. Chuck, it is nice to see you back in your old chair.

    On February the 8th, a series of well-planned, coordinated attacks on several of the Nation's Internet sites began and continued for several days. Within seconds of the first wave of attacks, two popular sites, search engine Yahoo.com and retailer Buy.com, were effectively shut down for several hours. Over the next 2 days, more of the Internet's flagship sites were similarly disrupted, including news outlets CNN.com and ZDNet.com, retailer Amazon.com, auction house eBay.com, and brokerage house E*Trade. These cyber attacks inconvenienced millions of Internet users and resulted in the loss of revenue for several of these affected sites. Electronic commerce has been a catalyst for the current extraordinary economic expansion we are enjoying.

    E-commerce and the high tech industry have positioned the United States economy to lead the world for the foreseeable future. Billions of dollars are being poured into our economy each month in connection with e-commerce, and along with exciting employment and investment opportunities as well as tax revenues that help fund basic government services.

    Unfortunately, with new ways of conducting electronic commerce come new ways of committing crime. While the term cyber crime may sound like the stuff of science fiction, all Americans have a vested interest in ensuring that we are prepared to prevent and respond to cyber attacks at this crucial stage in the development of the Internet and e-commerce. The wide ranging scope and effect of the recent Internet attacks dramatically illustrate the potential vulnerabilities of the Internet and of electronic commerce. The attacks also highlight a need that has been a key theme of our efforts to combat crime in recent years: as criminals grow more sophisticated in their criminal activity, so also must law enforcement grow more sophisticated.

    With each passing year we have to learn to fight crime smarter, not just harder, and this continues to be the case. I believe we can all agree that the Internet simply must be kept free from anyone who would seek to interfere with its use, whatever their motivation. The right to political, commercial, and other speech over the Internet must be guaranteed to all citizens, and the Federal Government has an interest in protecting all forms of speech and the interstate commerce that accompanies them over the Internet. To do this, we must send a clear message to those who would attempt to interfere with the free speech of others: you will be dealt with, and you will be dealt with swiftly and severely.

    At today's hearing, there are a number of important questions to be considered. First, we must better understand the nature of the recent attacks: who is committing them and why are they doing this? Are these just isolated instances of people committing what they view as pranks, or is this evidence of an increasing threat to the very integrity of the Internet? Does the possibility of these types of attacks directed at banks and other financial Websites threaten our economic security? Do they have the potential to also threaten our national security should they be used against government computers as well?

    Second, we should consider whether current Federal law is sufficient to address this behavior. In 1996, I introduced the Economic Espionage Act, which the President signed into law in October of that year. One of the changes made by the act was to make it a Federal crime to attack and damage a private computer system. But the statute was drafted based on what we knew of the Internet and other computer systems of the time. Given the tremendous changes in technology in the last few years, does the statute need to be updated? Also, are there other changes that could be made to current law to ensure that Federal law enforcement agencies will have sufficient tools to investigate these crimes? And what additional resources should be devoted to the problem?

    Thirdly, what is the role of the private sector in addressing this problem? Far too often the reaction of many to a criminal act is to run to the Federal Government and ask that some new law be passed. While I will not shy away from addressing this problem with new laws if they are warranted, I do believe the private sector bears a good measure of responsibility for taking the steps necessary to protect itself from these attacks.

    I look forward to hearing the witnesses here today as to their views, as to the role of government to investigate these crimes and the obligation of private businesses to take steps necessary to protect their property from attack. I also welcome their suggestions as to how the existing partnership between law enforcement and the private industry can be made more effective.

    Today's witnesses represent a broad range of participants in the Internet and electronic commerce. We will hear from victims of the recent attacks, from the companies that make the software that makes the Internet run, and from experts on the security of the Internet. We will also hear the views of the privacy community as the appropriate role of government is evolving and how they see it.

    I am also pleased that the Deputy Attorney General will begin today's testimony accompanied by other Justice Department representatives. His appearance here today demonstrates the importance of this issue and I especially welcome you, Mr. Holder. I look forward to the testimony of all the witnesses today, and I am especially pleased, as I stated at the opening, now to turn the microphone and the gavel for the moment over to my good friend from the Senate, my colleague, Senator Strom Thurmond.

    [The prepared statement of Mr. McCollum follows:]

PREPARED STATEMENT OF HON. BILL MCCOLLUM, A REPRESENTATIVE IN CONGRESS FROM THE STATE OF FLORIDA, AND CHAIRMAN, SUBCOMMITTEE ON CRIME

    Washington, D.C.—''Today the Members of the Subcommittee on Crime are pleased to be joined by the Members of the Senate Subcommittee on Criminal Justice Oversight for the purpose of conducting a joint oversight hearing on the recent cyber attacks on the Internet and the Federal government response.

    ''On February 8, a series of well-planned and coordinated attacks on several of the nation's biggest Internet sites began and continued for several days. Within seconds of the first wave of attacks, two popular sites—search engine Yahoo.com and retailer Buy.com—were effectively shut down for several hours. Over the next two days, more of the Internet's flagship sites were similarly disrupted, including news outlets CNN.com and ZDNet.com, retailer Amazon.com, auction house eBay.com, and brokerage house E*Trade. These cyber attacks inconvenienced millions of Internet users and resulted in a loss of revenue for several of these affected sites.

    ''Electronic commerce has been a catalyst for the current extraordinary economic expansion that we're currently enjoying. E-commerce and the high tech industry have positioned the U.S. economy to lead the world economy for the foreseeable future. Billions of dollars are being poured into our economy each month in connection with e-commerce, and, along with it, exciting employment and investment opportunities, as well as tax revenues that help fund basic government services. Unfortunately, with new ways of conducting electronic commerce come new ways of committing crime. While the term 'cyber-crime' may sound like the stuff of science fiction, all Americans have a vested interest in ensuring that we are prepared to prevent and respond to cyber attacks at this crucial stage in the development of the Internet and e-commerce.

    ''The wide-ranging scope and effects of the recent Internet attacks dramatically illustrate the potential vulnerabilities of the Internet and of electronic commerce. The attacks also highlight a need that has been a key theme of our efforts to combat crime in recent years: as criminals grow more sophisticated in their criminal activity, so also must law enforcement grow more sophisticated. With each passing year, we have to learn to fight crime smarter, not just harder, and this continues to be the case.

    ''I believe we all can agree that the Internet simply must be kept free from anyone who would seek to interfere with its use, whatever their motivation. The right to free political, commercial, and other speech over the Internet must be guaranteed to all citizens and the federal government has an interest in protecting all of these forms of speech, and in the interstate commerce that accompanies them over the Internet. To do this, we must send a clear message to those who would attempt to interfere with the free speech of others—you will be dealt with swiftly and severely.

    ''At today's hearing, there are a number of important questions to be considered. First, we must better understand the nature of the recent attacks: who is committing them, and why they are doing this? Are these just isolated instances of people committing what they view as pranks, or is this evidence of an increasing threat on the very integrity of the Internet? Does the possibility of these types of attacks directed at banks and other financial websites threaten our economic security? Do they have the potential to also threaten our national security should they be used against government computers as well?

    ''Second, we should consider whether current federal law is sufficient to address this behavior. In 1996, I introduced the Economic Espionage Act, which the President signed into law in October of that year. One of the changes made by that act was to make it a federal crime to attack and damage a private computer system. But the statute was drafted based on what we knew of the Internet and other computer systems at the time. Given the tremendous changes in technology over just the last few years, does this statute need to be updated? Also, are there other changes that could be made to current law to ensure federal law enforcement agencies will have sufficient tools to investigate these crimes? And what additional resources should be devoted to this problem?

    ''Thirdly, what is the role of the private sector in addressing this problem? Far too often, the reaction of many people to a criminal act is to run to the federal government and ask it to pass some new law. While I will not shy away from addressing this problem with new laws if it is warranted, I do believe the private sector bears a good measure of responsibility for taking the steps necessary to protect itself from these attacks. I look forward to hearing from the witnesses here today as to their views on the role of the government to investigate these crimes and the obligation of private businesses to take the steps necessary to protect their property from attack. I also welcome their suggestions as to how the existing partnership between law enforcement and private industry can be made more effective.

    ''Today's witnesses represent a broad range of participants in the Internet and electronic commerce. Today we will hear from victims of the recent attacks, from the companies that make the software that makes the Internet run, and from experts on the security of the Internet. We'll also hear the views of the privacy community as to the appropriate role of the government in solving this problem. I am most pleased that the Deputy Attorney General will begin today's testimony accompanied by other Justice Department representatives. His appearance here today demonstrates the importance of this issue and I especially welcome him. I look forward to the testimony of all of the witnesses here today and I welcome all of you.''

    The CHAIRMAN. Senator Thurmond, you are recognized.

    Senator THURMOND. Thank you very much. I am pleased to hold this joint hearing with the House Judiciary Subcommittee on Crime as we review recent serious criminal misconduct involving the Internet. A few weeks ago, hackers blocked access to several popular and commercially significant Internet sites, some of which are represented here today. Various computers were hijacked and used to essentially shut down particular Internet sites temporarily by overwhelming them with data. Apparently, the technology used here to conduct these denial of service attacks was not very complex, which raises the question of what hostile adversaries could accomplish through a sophisticated, concerted effort. Moreover, these attacks were not isolated incidents. Just last week, Microsoft, and even the FBI, experienced somewhat milder and less disruptive attacks. A recent study that was conducted in cooperation with the FBI found that almost one-third of those responding reported denial of service attacks in 1999.

    Denial of service attacks alarm not only victim companies and users; they can also undermine public confidence in electronic commerce. This is particularly troublesome, as e-commerce is growing at an incredible rate and becoming an increasingly important part of our economy. Hacking such as this is not a prank. It is a serious criminal act that warrants tough punishment. It cannot be tolerated. There can be no double standard regarding crime on the Internet. Vandalism and other malicious conduct is no less serious or harmful in the computer environment. The subcommittee I chair recently held a hearing on the report of the Commission on the Advancement of Law Enforcement, and it warned that the Internet is one of the greatest potential avenues for criminal activity ever created.

    Law enforcement must have the tools and resources it needs to address this growing national and international threat. Our laws must be updated for the times to make certain they are technologically neutral. The tools and resources that Federal law enforcement has in the physical world should be available when they are working in the computer environment. The private sector, which controls 90 percent of the infrastructure, should take the lead in protecting computer systems from attacks, just as citizens must protect themselves from crimes by locking their doors. Also, industry should cooperate with law enforcement and share information regarding intrusions with the authorities and among themselves. While no one wants to create what the Attorney General has called ''a surveillance society,'' it is critical for industry to view the government as a partner in their joint efforts to stop malicious hackers and other Internet crimes.

    I welcome our distinguished witnesses, including the Deputy Attorney General, to discuss this critical timely issue.

    Thank you, Mr. Chairman.

    [The prepared statement of Senator Thurmond follows:]

PREPARED STATEMENT OF HON. STROM THURMOND, A U.S. SENATOR FROM THE STATE OF SOUTH CAROLINA, AND PRESIDING CHAIRMAN, SUBCOMMITTEE ON CRIMINAL JUSTICE OVERSIGHT

    I am pleased to hold this joint hearing with the House Judiciary Subcommittee on Crime as we review recent, serious criminal misconduct involving the Internet.

    A few weeks ago, hackers blocked access to several popular and commercially significant Internet sites, some of which are represented here today. Various innocent computers were hijacked and used to essentially shut down particular Internet sites temporarily by overwhelming them with data. Apparently, the technology used here to conduct these distributed denial of service attacks was not very complex, which raises the question of what hostile adversaries could accomplish through a sophisticated, concerted effort.

    Moreover, these attacks were not isolated incidents. Just last week, Microsoft and even the F.B.I. experienced similar but milder and less disruptive attacks. A recent study that was conducted in cooperation with the F.B.I. found that almost one-third of those responding reported denial of service attacks in 1999.

    Denial of service attacks harm not only victim companies and users; they can also undermine public confidence in electronic commerce. This is particularly troublesome as e-commerce is growing at an incredible rate and is becoming an increasingly important part of our economy.

    Hacking such as this is not a prank. It is a serious criminal act that warrants tough punishment. It cannot be tolerated. There can be no double standard regarding crime on the Internet. Vandalism and other malicious conduct is no less serious or harmful in the computer environment. The subcommittee I chair recently held a hearing on the Report of the Commission on the Advancement of Law Enforcement, and it warned that the Internet is one of the greatest potential avenues for criminal activity ever created.

    Law enforcement must have the tools and resources it needs to address this growing national and international threat. Our laws must be updated for the times to make certain they are technology neutral. The tools and resources that federal law enforcement has in the physical world should be available when they are working in the computer environment.

    The private sector, which controls 90 percent of the infrastructure, should take the lead in protecting computer systems from attacks, just as citizens must protect themselves from crimes by locking their doors. Also, industry should cooperate with law enforcement and share information regarding intrusions with the authorities and among themselves. While no one wants to create what the Attorney General has called ''a surveillance society,'' it is critical for industry to view the government as a partner in their joint efforts to stop malicious hackers and other Internet crime.

    I welcome our distinguished witnesses, including the Deputy Attorney General, to discuss this critical, timely issue.


    The CHAIRMAN. Thank you very much, Senator Thurmond.

    Mr. Scott, you are recognized.

    Representative SCOTT. Thank you, Mr. Chairman. I want to express my appreciation to you for holding this hearing to examine the recent spate of distributed denial of service attacks on Internet businesses and the role of the Federal Government in securing the Internet for the continued reliable use of our businesses and citizens.

    During my relatively short tenure in Congress, we have moved from reading or hearing about the vast potential of the World Wide Web to depending on it for the efficient conduct of daily congressional operations. I rely heavily on the Internet for communicating with staff in three offices and for the efficient conduct of routine personal business, such as bill paying and other things. Given this rapidly growing dependency on the Internet, the Congress and the rest of the Federal Government are just as subject to denial of service or other attacks as any other entity dependent upon the Internet. So we have as much at stake as anyone else in ensuring that we have the solutions that prevent problems such as the recent attacks, and not just responding to them after the fact.

    I believe that persons who maliciously or deliberately interfere with the efficient and effective use of the Internet should be held accountable. And yet that will be difficult because the Internet is a hot bed of innovation in a constantly changing context. Legislation in general and criminal statutes in particular can be confining and hard to change. So trying to prevent crime on the Internet through criminal legislation alone will not be sufficient. In technology, today's horizons are tomorrow's confinements. And therefore, I believe that our best hope for safeguarding the Internet lies in developing security safeguards as we accept Internet technology.

    A crime such as theft or destruction of property, whether committed over the Internet or through other means should be dealt with as such. We have many laws on the books that already deal with such crimes. I have heard many potential charges for the recent denial of service attacks, so there appears to be no shortage of ways to address those who perpetrate such crimes. And that is only with regard to the Federal options. Some, if not all of the incidents, may be subject to State criminal charges as well as civil proceedings.

    I will remain open to hearing proposals for additional crimes and penalties, but I would also hope that any such additions are based on findings that they are necessary to effective prosecution of Internet-related crimes, and not just a gratuitous violation of traditional notions of privacy and individual rights. Passing laws for the mere purpose of sending a message has not been shown to be effective in preventing crimes in any other area, and there is no reason to think it would work on the Internet.

    I understand, for example, that there will be a proposal to address the problem by having the Federal Government treat more juveniles as adults in the criminal justice system. This kind of approach has already been shown to be counterproductive in other areas. All the research shows that prosecuting more juveniles as adults will result in them probably serving less time, and in the end, committing more crimes than similar juveniles prosecuted in juvenile court. And since the Federal Government has no juvenile judges and no juvenile facilities, we cannot do this. We could not treat more juveniles as adults effectively.

    At a hearing last spring in the Subcommittee on Crime, none of the panel of 10 juvenile justice experts from across the political spectrum agreed with the proposal to give Federal prosecutors more discretion to try more juveniles as adults. We had a bipartisan task force and had 6 weeks of testimony, and during those 6 weeks, not a single witness supported the idea of trying more juveniles as adults. Yet despite these facts, the slogan, ''you do the adult crime, you do the adult time,'' remains a popular way to send a message.

    We must also be vigilant to ensure that our zeal to address crime on the Internet does not unduly restrain our privacy and individual freedoms. Unnecessary monitoring and oversight by law enforcement authorities could not only stymie technological innovation, but also infringe upon reasonable expectations of privacy and individual freedoms. Most people expect the same kind of privacy protection on the Internet as they receive with their mail and telephones, and in the absence of probable cause to believe that a crime has been committed, there is generally no right to invade mail or phone use.

    Mr. Chairman, we have a good list of experts and able witnesses for our discussion today, and I look forward to their testimony. And again, thank you for convening the meeting. I would like to just make one note, that I want to welcome my colleague, Mr. Schumer, back in his old seat where he sat many years as a member of this committee. And in fact, was the chairman of this subcommittee for many years. And I want to welcome him back.

    The CHAIRMAN. I join you in that welcome, and now recognize the gentleman from New York.

    Senator SCHUMER. Well, thank you, Mr. Chairman. I very much appreciate the opportunity to be here. As my friend Bobby Scott said, it is the same room, the same chair, the same subcommittee, the same ranking member of the subcommittee. So plus ca change, plus c'est la meme chose, that is about the only French I know. I try to use it whenever I can. But I want to thank you, Mr. Chairman. We work together well on many issues in this room. I want to thank my chairman, Senator Thurmond. In a year I will be joining his ranks as a senior Senator from our State.

    And thank Bobby Scott as well for his friendship and all the things that we have done together, as well as all the members on both sides of the aisle. It is great to be back.

    Mr. Chairman, I want to also commend you for holding this hearing. And I would also like to welcome ZDNet CEO Dan Rosensweig, who is here from my State of New York.

    The recent denial of service attacks on companies like Amazon.com and ZDNet underscore the new threats to our security, our economy and all our lives that are posed by online crime in an increasingly networked society. The blossoming of the Internet is obviously something to celebrate. But there is a dark side which the Net creates, which is that the Net creates vast new opportunities for criminals to exploit. The recent attacks show how easy it is to break into the country's most prized computer networks and how helpless law enforcement is in catching them. So far these attacks have been relatively benign, but it would be foolhardy to believe they will always be benign.

    The problem is threefold. First, most computer systems are not secure, and security was usually a relatively low priority in the development of computer software and Internet systems. Second, hacking is still considered more of a prank than a crime, even though hacking could cost lives or billions of dollars to the economy. And third, our laws, even our computer laws, are set up for a world that travels at subsonic speed while hacking crimes move at the speed of light.

    So we have fallible systems vulnerable to hackers who are viewed with bemusement, and laws that make it difficult to apprehend them. For sure, we can't solve all these problems through legislation or government agency. While the government can help with research and by providing a market for secure systems by purchasing only hack-proof computers and software, private companies will have to take the lead in making systems more secure. But we can make the crime of hacking a more serious offense befitting the serious damage it can cause, and we can make it possible for law enforcement to catch hackers in the act by modernizing our laws.

    Over the past year, I have met with law enforcement groups and computer experts to discuss how we can best address the problem of computer crime without stifling the growth of the Net and without harming the privacy rights of individuals online. Over the year, I have become convinced that many of the best solutions are far-reaching and complex and will, among other things, require significant cooperation of foreign governments.

    We shouldn't fool ourselves into thinking that Congress alone can solve this problem or that we can do so right away. With that said, I do think there are some common sense changes we can make to existing laws right now which will serve as a significant first step in a much needed effort to give law enforcement the tools they need to effectively fight cyber crime. And so last Thursday I introduced with Senator Kyl, a member of the Senate Judiciary Committee Republican from Arizona, a new bipartisan high tech crime bill that, for the first time, provides law enforcement with nationwide trap and trace authority.

    Let me explain. Under current law, investigators who are trying to track a hacker must obtain a trap and trace order in each jurisdiction through which an electronic communication is made. For example, to trace an online communication between two terrorists that starts at a computer in New York, goes through a server in New Jersey, bounces off a computer in Wisconsin, and then ends up in San Francisco, investigators may be forced to go successively to a court in each jurisdiction for an order permitting the trace.

    I would never want to loosen the rules by which you need to obtain that order, but requiring investigators to go for virtually the same order in four or five different jurisdictions is a huge impediment that slows down the ability to catch hackers. So the Schumer-Kyl bill amends current law to authorize the issuance of a single order to completely trace an online communication to its source, regardless of how many intermediate sites it passes through.

    Law enforcement must still meet the exact same burden to obtain such an order; the only difference is they won't have to repeat this process over and over each time a communication passes to a new carrier in a different jurisdiction.

    The bill would also make several changes to the Computer Fraud and Abuse Act that would enhance the prosecution of computer criminals. One deficiency of that act is its requirement of proof of damages in excess of $5,000. In several cases, prosecutors have found that while computer intruders had attempted to harm computers vital to our critical infrastructure, damages of $5,000 could not be proven. Nevertheless, these intrusions pose a great risk of harm to our country and must be prosecuted, punished and deterred. Our legislation unambiguously permits Federal jurisdiction at the outset of an unauthorized intrusion into critical infrastructure systems rather than having investigators wait for any damage assessment.

    Crimes that exceed the $5,000 limit will be prosecuted as felonies, while crimes below that amount will be defined as misdemeanors. The $5,000 requirement should not serve as a barrier to the prosecution of serious computer criminals who threaten our country's networks. Those are the two main provisions of the bill. There are others I won't get into today.

    I meet often with members of New York Silicon Valley and other cutting edge high tech innovators. The views these innovative leaders have toward government have evolved. It's a big difference from what it was 2 years ago. It used to be—the view has evolved from ''stay out of our way'' to skepticism, to a realization that there is a need for government and high tech to work together and legislate wisely.

    Mr. Chairman, we are in a brave new world. The bottom line is that the creation of a more secure environment in cyber space is good for everyone except criminals. The denial of service attacks have boosted the prominence of this issue, and ultimately that may be a good thing. But the real key will be whether we can come up with appropriate solutions that will deter and punish crime without impinging on the rights of individuals and without slowing down the booming growth of the Internet.

    Mr. Chairman, thank you again for holding these hearings and for your courtesy, and I thank all the witnesses in advance as well.

    The CHAIRMAN. Thank you, Mr. Schumer.

    Mr. Barr, do you have an opening statement?

    Representative BARR. I do, Mr. Chairman, thank you. Mr. Chairman, I would like to commend you for exercising your subcommittee's jurisdiction in holding this hearing. I realize the new wave of attacks on large Internet sites has prompted the House Subcommittee on Crime, along with the Senate Subcommittee on Criminal Justice Oversight, to examine what has been termed ''cyber terrorism.'' I fully agree that is something that should be examined. However, I also believe these recent attacks perhaps should more properly be characterized as cyber vandalism rather than cyber terrorism. Terrorism, in its definition, suggests mass destruction and endangerment of human life. For this reason, I do believe that a better way to characterize perhaps these threats is as a form of cyber vandalism.

    I share your concern about the need to protect American lives and property from terrorist attack. Our Nation faces numerous threats from foreign nations, terrorist groups and weapons of mass destruction. While the spectre of cyber terrorism makes for an interesting news article or novel, I am doubtful the real threat posed by malicious hackers is, perhaps, as high as that posed by conventional, biological, chemical and nuclear weapons.

    I do think we should take steps to protect our Nation's computer infrastructure, but I hope the novelty and media interest surrounding electronic terrorism will not spur us to neglect other threats. The difficulty lies with balancing the protection of the Internet with the highly important privacy rights of United States citizens. I hope you and others will make protecting the privacy of American computer users a foundational part of any future proposal regarding Internet security. Under no circumstances will I support the creation of a nationwide computer security system that functions by monitoring and profiling the online activities of millions of Americans.

    Mr. Chairman, I commend you for beginning this process and hopefully working toward a proper and balanced approach to this very serious problem. Thank you.

    The CHAIRMAN. Thank you, Mr. Barr. I commend you for your privacy statement; I think that is very accurate.

    [The prepared statement of Mr. Barr follows:]

PREPARED STATEMENT OF HON. BOB BARR, A REPRESENTATIVE IN CONGRESS FROM THE STATE OF GEORGIA

    Mr. Chairman, I would like to commend you for exercising your subcommittee's jurisdiction and holding this hearing. I realize the new wave of attacks on large Internet sites has prompted the House Subcommittee on Crime, along with the Senate's Subcommittee on Criminal Justice Oversight, to examine what has been termed ''cyber-terrorism.'' I fully agree it is something that should be examined; however, I also believe these recent attacks should be categorized as ''cyber-vandalism,'' rather than ''cyber-terrorism.'' Terrorism, in its definition, suggests mass destruction and endangerment of human life. For this reason, I believe a better way to categorize these threats is as a form of ''cyber-vandalism.''

    I share your concern about the need to protect American lives and property from terrorist attack. Our nation faces numerous threats from foreign nations, terrorist groups, and weapons of mass destruction. While the specter of ''cyber-terrorism'' makes for interesting news articles and novels, I am dubious the real threat posed by malicious hackers is as high as that posed by conventional, biological, chemical, and nuclear weapons. I do think we should take steps to protect our nation's computer infrastructure, but I hope the novelty and media interest surrounding electronic terrorism will not spur us to neglect other threats.

    The difficulty is with balancing the protection of the Internet with the highly important privacy rights of United States citizens. I hope you will make protecting the privacy of American computer users a foundational part of any future proposals regarding Internet security. Under no circumstances will I support the creation of a nationwide computer security system that functions by monitoring and profiling the online activities of millions of Americans.

    The CHAIRMAN. Mr. Meehan, you are recognized.

    Representative MEEHAN. Thank you, Mr. Chairman, again, for holding this important hearing. It is good to see my colleagues from the Senate, especially my former colleague from this committee, Senator Schumer. I think the last time that Senator Schumer was sitting in that chair, we were considering whether or not to impeach the President of the United States. And although I think the Internet denial of service attacks are certainly a serious and troubling matter, I do consider this to be a happier time for this committee, and certainly happier than the last time we saw the Senator from New York.

    The computerization of commerce and communications has been a wonderful development. It has produced convenience and connectedness that we couldn't have anticipated as late as 5 years ago. Our Nation's information infrastructure, the banking system, the stock market, our electricity and water supply, telecommunications systems, and even critical government services, all rely on computer networks. But with the convenience and connectedness spurred by this computerization, comes new vulnerabilities. When our information structure is interconnected, crimes against that structure stand to cause enormous loss rather than minor disruption. At the same time the reliance of our information infrastructure on computers means that seriously disrupting that infrastructure is easier than it had been before. Less buck, so to speak, is indeed for the major bang.

    Anyone who has read the newspapers over the past few weeks knows what I am talking about. Some of our Nation's most high profile Websites, CNN.com, eBay, Yahoo, Amazon.com, for example, were all recently shut down by hacker attacks. The tools to perpetrate an attack of this nature have long been widely available on the Internet. Indeed, Fortune 500 companies lost in excess of $360 million over the past 2 years due to computer crime. Sixty-two percent of those companies responding to an FBI and Computer Security Institute survey said that they were—that they had experienced a computer security breach within the last year.

    This committee has recognized over the past few years that the promise of the Internet could be foiled by those who view what should be a tool for lawful commerce and learning instead as a tool for exploiting children and raiding intellectual property. We must recognize now that the Internet's and computerization's promise is equally threatened by network crashes and virus spreaders. What entrepreneur would want to take his or her innovative ideas and capital online if it all could be taken away with but the click of a mouse?

    I am pleased that when this committee was considering its views on the Justice Department's budget request last week, it unanimously passed my amendment to express support for the funding to hire 1,000 additional computer analysts and response team members and develop 10 regional computer forensic labs. These new resources will enable the FBI to investigate computer crimes more effectively. At the same time, we must take care to understand before we act, and above all, vigilantly protect the civil liberties that truly distinguish this Nation from virtually every other.

    I believe it was Justice Holmes who once said something to the effect that good cases make for bad law. He was essentially cautioning us against acting too swiftly and too broadly in response to episodes of apparent wrongdoing. Those words are as wise today as they were when they were first penned. Thank you, Mr. Chairman.

    The CHAIRMAN. Thank you very much. Mr. Coble, you are recognized.

    Representative COBLE. Mr. Chairman, this is one of those days where I have to be at five places simultaneously, so I won't be able to stay here for the entire meeting, but I appreciate you and Senator Thurmond convening this hearing. This is a matter that needs to be addressed. And some sort of satisfactory resolution needs to be realized. And I thank you for the hearing.

    The CHAIRMAN. Thank you very much Mr. Coble.

    Mr. Weiner.

    Representative WEINER. Thank you, Mr. McCollum. I appreciate you holding this hearing, and I too want to join in welcoming Senator Schumer, but unlike you, I am not at all unhappy that he left. With this hearing about denial of service attacks, we are faced with how to respond to what was an expensive inconvenience with bids on eBay being delayed and stock transactions being slowed down and news clips arriving later than they should have. Indeed this was a problem that we should take a hard look at. But frankly, I am skeptical of calls for greater Federal assistance in cracking down on these e-commerce vandals. We have taken in this country I think a wise policy of standing on the sidelines and resisting the temptations to bring the Federal Government regulation to bear on the Internet. The result has been explosive growth of e-mail and e-commerce of all types and we have seen, unfortunately with that growth, some inconvenience and some sacrificing of personal privacy.

    But while consumers on the information super highway may have their information delayed or their commerce hijacked from time to time, I am not sure that it is the Federal Government's job to step in. The Federal Government ought to be on the back lines of this defensive strategy, not necessarily the cop on the beat. It is a responsibility, I believe, of the high tech community to develop strategies to prevail in this game of cat and mouse with cyber pests.

    Before we authorize greater access by government to our Internet activity, consumers must first demand of their e-commerce providers that they take the first steps. Ideally in the months and years to come, we are going to see e-commerce providers competing to win customers by showing how they have taken the toughest possible security steps to avoid these types of attacks.

    Mr. Chairman, the cyber economy has boomed with the government appropriately staying out of the way. The FBI and the Justice Department, as I said, should be armed as well as possible to be that last line of defense while the private sector, I would hope, takes the lead. Nonetheless, as we review this issue, I hope that we do consider the best strategy to take for both consumers and for the e-commerce firms that would be affected by much of this regulation. At the end of the day I believe consumers got a wise wake up call to the vulnerability and the fragile nature of the information that is shooting across the information super highway. I think we should use caution as well when acting to regulate.

    Thank you, Mr. Chairman.

    The CHAIRMAN. Thank you Mr. Weiner. Mr. Hutchinson, you are recognized.

    Representative HUTCHINSON. Thank you, Mr. Chairman and Senator Thurmond. I appreciate this hearing. And I am here to learn and listen and that is what I intend to do. It is a very fascinating experience that we in America are going through when we are looking at the explosion of Internet users and this tremendous tool for education and business and commerce, and I think it is wonderful, but we are also looking at trying to keep up our criminal law and the protections that are justified from a privacy standpoint, as well as from a criminal law standpoint. So with that in mind, I will look forward to the testimony of the witnesses and experts to learn a great deal. I thank you, Mr. Chairman.

    The CHAIRMAN. Thank you Mr. Hutchinson.

    Ms. Jackson Lee.

    Representative JACKSON LEE. Thank you, Mr. Chairman. I think today we can all say you have made us happy, so I would like to thank you and Ranking Member Scott, Senator Strom Thurmond as well, and again might I add my accolades and tell Senator Schumer that seat has never looked better. Oh, don't tell him I said that. That is the friendliness that we have for each other. But we do welcome him and the other members of the Senate who have joined us on this hearing on the Internet denial of service attacks and the Federal response.

    The Internet is a fascinating and vital new device. I hesitated over that word because I was thinking of using ''toy.'' For many in this Nation it has become that. And part of what we are facing with this new movement of hackerism, if you will, is whether or not we have sufficiently educated the American public about the vitality, the importance, the fascination about the crucialness of what the Internet means to this Nation and to the world.

    This hearing could not take place at a better time. Today, Internet e-commerce and information technology represent at least one-third of economic growth in the United States. As a former member of municipal government, I am always hearing from governors and county commissioners and mayors as to why they cannot tax the Internet or the goods that are sold on the Internet, another issue that is not before us today.

    The information revolution has surpassed the expectations of some of the brightest minds, enabling so many to reap the benefits of a booming economy. The question today, however, is not to restate our mutual commitment and admiration to the development of the Internet. Instead, we are here to discuss the cumbersome challenges that cyber crime has compelled all fellow Americans to consider. The recent cyber attacks designed to disrupt major networks represent a serious weakness in Internet security. They expose how the vulnerabilities of one place on the Net can create risks for all. The global reliance upon the vast resources of the Internet is undeniable. Hacking, denial of service attacks and other interference or destruction of data should not be allowed.

    However, I too raise, and I will continue to make the point as I proceed with my remarks, the concern of total Federal Government involvement. Why do I say that as I look at the representatives of the first panel? I can already see the overload that might be exuded from the large jurisdiction and responsibilities that they have. Coming from the southern district of Texas, I can tell you that there is an overload of drug cases that are still backlogged, if you will, and have not been tried or not been handled.

    We have an overload of criminal legislation as well as a backlog of criminal cases to be tried. However, the acts should not be tolerated. They should be deterred. As a member of the House Science Committee, I had an amendment passed 2 years ago for the Department of Justice to study children's access to pornography on the Internet. Of course, we know it still exists. But the idea was to get information to determine how we could at least keep our children from that kind of access.

    I am looking now at legislation that does not play into, Congressman Scott, the idea of incarcerating our young people, or even trying them as adults, but I do think there is some merit to holding parents responsible for young people who access the Internet and who have not unfortunately restrained their access as it relates to hacker crimes. And so I am studying the issue of liability on behalf of adults who have supervision over a child who is engaged in hacker activities. We are studying the issue because we believe it is important. There are other issues that the Internet deals with, of course, that are not before us. But I think it is outrageous to have victims' items to be auctioned on various Internet channels, if you will. That is also something that should be considered.

    So the Internet is fascinating, it is confusing, it is vital, however. And although we must recognize that Congress has some role in monitoring this, we should recognize that the problem of the Internet security is, as I said, not primarily within the control of the Federal Government. If nothing else, recent cyber attacks demonstrate the need to work together to strengthen Internet security in an integrated form. The President recently met with leaders of high tech industry and experts on Internet security. This was an important first step because Internet security is ordinarily handled as a matter within the private sector.

    For this reason, I am pleased that many corporations, with the assistance of the administration, have agreed to create a mechanism to share cyber security information. In that mechanism, I believe there should also be a funding source coming from those corporations of such an amount that would help us in this effort. We must do more, however, to understand how to prevent and investigate Internet attacks. The private sector in a partnership with the Federal Government can and should play a better role in preventing cyber attacks. The incredible explosion of services and businesses online and the rapid innovation of new software and new features have come at a price. I agree with my fellow Americans that these service attacks were a wake up call to the global marketplace. They almost stopped us in our tracks, and we simply must not allow these activities to have a major impact in the world markets, both the consumer and the stock market.

    That is why so many people perceive this to be truly criminal. Any other proposals to this problem must be considered with some degree of caution. Whatever actions are considered must address the issue of penalties and the proper level of sentencing if we even move in that direction. That is because the Department of Justice may not seek to pursue certain crimes where there must be a certain minimum sentence, may not seek certain crimes if there is not a minimum sentence.

    In other words, the punishment must fit the crime. And some minimum sentences may be too severe for every potential hacker. Again, I refer the chairman to my interests in the liability issue of the parents.

    Additionally, there are certain privacy issues that certain penalties may raise, what liberties are at risk, the questions of first amendment and, of course, due process. Accordingly the Congress must proceed both carefully and expeditiously on this matter. I am committed to increasing the security of the Internet by sharing information, but I would also like to understand what, in fact, are the appropriate measures for an Internet with respect to security. What kind of research have we done? What have our scientific studies brought to our attention as to how long we can best solve this problem?

    It is a scientific device of sorts. Engineers and other researchers might be able to best share with us the way to keep this viable tool secure. I look forward to reviewing any proposals that coordinate these efforts on a Federal level and through State and Federal partnerships. I do believe that, as I started out, it is a fascinating vehicle and tool. We should encourage our young people to be engaged in it, but we must warn them and caution them that it is a dangerous tool to play with when it impacts negatively on the world trade and world traffic and the security of all of us.

    I thank you, Mr. Chairman.

    The CHAIRMAN. We have today with us two members of the full Judiciary Committee of the House who are not members of the subcommittee, Mr. Goodlatte and Mr. Nadler. I certainly want to ask unanimous consent that they be allowed to ask questions at the appropriate time after the appropriate subcommittee questions have been asked. But I would request if they have statements, that we have them submitted for the record at this time so we can proceed with our witnesses if we could.

    Yes, Mr. Scott.

    Representative SCOTT. In that light, I would ask unanimous consent that a statement from Ranking Member Conyers and Senator Leahy be introduced into the record.

    The CHAIRMAN. Without objection so ordered.

    [The information referred to follows:]

PREPARED STATEMENT OF HON. JOHN CONYERS, JR., A REPRESENTATIVE IN CONGRESS FROM THE STATE OF MICHIGAN

    I first want to welcome all of our distinguished guests today, including Deputy Attorney General Eric Holder, as well as other representatives from the Department of Justice, the FBI, and companies in the high-tech sector.

    As we all know, the Internet and technology companies have contributed to the great success of our economy over the past several years—and they will become an increasingly important part of our economy in the future. We cannot underestimate the importance of the Internet in creating a world market for American goods and services, including the technologies that power this marketplace.

    Despite the critical position that the Internet holds for our economy, we know that its security can be compromised. Starting on February 7, a series of Denial of Service attacks hit some of our most used web sites—such as Yahoo, eBay, CNN, Amazon, and E*Trade, to name a few. These attacks were coordinated attempts to shut down the sites, by overloading the networks with meaningless tidal waves of data. Fortunately, the denial of service attacks ended after several days, and although the economic impact was significant, it was not crippling.

    We should view these attacks as a wake up call, and use this opportunity to improve the security of our Internet infrastructure and software. Already, a hacker has invaded the website RealNames and accessed customers' personal records—including their credit card numbers. And another hacker entered the CDUniverse site and attempted to extort $100,000 from the company in exchange for refraining from posting the customers' credit card numbers on the Net. CDUniverse refused to pay, and the hacker made good on his promise. If we permit this type of information hijacking to go unchecked, it will drive people away from e-commerce.

    We must be equally—if not more—concerned about our government computer systems, which are prone to attack, as well. The Pentagon alone estimates that its computer networks are hacked about 2,509,000 times a year. At least 500 of these are serious attempts to break into classified systems. In 1998, three teenage hackers broke into heavily protected Air Force and Navy computers, leaving ''trapdoors'' that allowed them to return undetected. And a 1996 presidential commission concluded that our computer-controlled infrastructure—including power grids, airports, rail systems, hospitals, and even the space program—are all vulnerable.

    We must acknowledge that the same interconnections that make the Internet so robust also make it vulnerable to attack. The same openness and ease with which people can share information also makes it easier to invade people's privacy.

    While the market may provide the technological fixes to prevent hacker attacks from happening in the future, we in the government sector must do what we can to encourage the development of security-enhancing technologies.

    We must also ensure that our law enforcement agencies are properly equipped to investigate and prosecute crimes as they migrate onto the Web. The FBI is currently attempting to track down the perpetrators of the denial of service attacks—but it is a difficult and painstaking process. The investigators must comb through reams of computer logs and electronic messages to try to pick up clues to the hacker's identity. And law enforcement's work is made more challenging because it is difficult for them to recruit and retain technology experts. We need to give law enforcement the tools it needs to do its job in the 21st Century.

    I look forward to the testimony today and to learning how Congress can help empower the Department of Justice, the FBI, and the private sector to combat cybercrimes. At the same time, we need to strike the correct balance to protect individuals' civil liberties and privacy on the Web.


PREPARED STATEMENT OF HON. PATRICK J. LEAHY, A U.S. SENATOR FROM THE STATE OF VERMONT

    As we head into the twenty-first century, computer-related crime is one of the greatest challenges facing law enforcement. Many of our critical infrastructures and our government depend upon the reliability and security of complex computer systems. We need to make sure that these essential systems are protected from all forms of attack.

    Whether we work in the private sector or in government, we negotiate daily through a variety of security checkpoints designed to protect ourselves from being victimized by crime or targeted by terrorists. For instance, Congressional buildings like this one use cement pillars placed at entrances, photo identification cards, metal detectors, x-ray scanners and security guards to protect the physical space. These security steps and others have become ubiquitous in the private sector as well.

    Yet all these physical barriers can be circumvented using the wires that run into every building to support the computers and computer networks that are the mainstay of how we communicate and do business. This plain fact was amply demonstrated by the recent hacker attacks on E-Trade, ZDNet, Datek, Yahoo, eBay, Amazon.com and other Internet sites. These attacks raise serious questions about Internet security—questions that we need to answer to ensure the long-term stability of electronic commerce. More importantly, a well-focused and more malign cyber-attack on computer networks that support telecommunications, transportation, water supply, banking, electrical power and other critical infrastructure systems could wreak havoc on our national economy or even jeopardize our national defense. We have learned that even law enforcement is not immune. Just this past weekend we learned of a denial of service attack successfully perpetrated against a FBI web site, shutting down that site for several hours.

    The cybercrime problem is growing. The reports of the CERT Coordination Center (formerly called the ''Computer Emergency Response Team''), which was established in 1988 to help the Internet community detect and resolve computer security incidents, provide chilling statistics on the vulnerabilities of the Internet and the scope of the problem. Over the last decade, the number of reported computer security incidents grew from 6 in 1988 to more than 8,000 in 1999. But that alone does not reveal the scope of the problem. According to CERT's most recent annual report, more than four million computer hosts were affected by computer security incidents in 1999 alone by damaging computer viruses, with names like ''Melissa,'' ''Chernobyl,'' ''ExploreZip,'' and by other ways that remote intruders have found to exploit system vulnerabilities. Even before the recent headline-grabbing ''denial-of-service'' attacks, CERT documented that such incidents ''grew at a rate around 50% per year'' which was ''greater than the rate of growth of Internet hosts.''

    CERT has tracked recent trends in severe hacking incidents on the Internet and made the following observations. First, hacking techniques are getting more sophisticated. That means law enforcement is going to have to get smarter too, and we need to give them the resources to do this. Second, hackers have ''become increasingly difficult to locate and identify.'' These criminals are operating in many different locations and are using techniques that allow them to operate in ''nearly total obscurity.''

    Cybercrime is not a new problem. We have been aware of the vulnerabilities to terrorist attacks of our computer networks for more than a decade. It became clear to me, when I chaired a series of hearings in 1988 and 1981 by the Subcommittee on Technology and the Law in the Senate Judiciary Committee on the subject of high-tech terrorism and the threat of computer viruses, that merely ''hardening'' our physical space from potential attack would only prompt committed criminals and terrorists to switch tactics and use new technologies to reach vulnerable softer targets, such as our computer systems and other critical infrastructures. The government has a responsibility to work with those in the private sector to assess those vulnerabilities and defend them. That means making sure our law enforcement agencies have the tools they need, but also that the government does not stand in the way of smart technical solutions to defend our computer systems.

    The private sector must assume primary responsibility for protecting its computer systems. Targeting cybercrime with up-to-date criminal laws and tougher law enforcement is only part of the solution. While criminal penalties may deter some computer criminals, these laws usually come into play too late, after the crime has been committed and the injury inflicted. We should keep in mind the adage that the best defense is a good offense. Americans and American firms must be encouraged to take preventive measures to protect their computer information and systems. Just recently, internet providers and companies such as Yahoo! and Amazon.com Inc., and computer hardware companies such as Cisco Systems Inc., proved successful at stemming attacks within hours thereby limiting losses.

    Encryption helps prevent cybercrime. That is why, for years, I have advocated and sponsored legislation to encourage the widespread use of strong encryption. Encryption is an important tool in our arsenal to protect the security of our computer information and networks. The Administration made enormous progress earlier this year when it issued new regulations relaxing export controls on strong encryption. Of course, encryption technology cannot be the sole source of protection for our critical computer networks and computer-based infrastructure, but we need to make sure the government is encouraging—and not restraining—the use of strong encryption and other technical solutions to protecting our computer systems.

    Prior legislative efforts were designed to deter cybercrime. Congress has responded again and again to help our law enforcement agencies keep up with the challenges of new crimes being executed over computer networks. In 1984, we passed the Computer Fraud and Abuse Act, and its amendments, to criminalize conduct when carried out by means of unauthorized access to a computer. In 1986, we passed the Electronic Communications Privacy Act (ECPA), which I was proud to sponsor, to criminalize tampering with electronic mail systems and remote data processing systems and to protect the privacy of computer users. In the 104th Congress, Senators Kyl, Grassley and I worked together to enact the National Information Infrastructure Protection Act to increase protection under federal criminal law for both government and private computers, and to address an emerging problem of computer-age blackmail in which a criminal threatens to harm or shut down a computer system unless their extortion demands are met.

    In this Congress, I have introduced a bill with Senator DeWine, the Computer Crime Enforcement Act, S. 1314, to set up a $25 million grant program within the U.S. Department of Justice for states to tap for improved education, training, enforcement and prosecution of computer crimes. All 50 states have now enacted tough computer crime control laws. These state laws establish a firm groundwork for electronic commerce and Internet security. Unfortunately, too many state and local law enforcement agencies are struggling to afford the high cost of training and equipment necessary for effective enforcement of their state computer crime statutes. Our legislation, the Computer Crime Enforcement Act, would help state and local law enforcement join the fight to combat the worsening threats we face from computer crime.

    Our computer crime laws must be kept up-to-date as an important backstop and deterrent. I believe that our current computer crime laws can be enhanced and that the time to act is now. We should pass legislation designed to improve our law enforcement efforts while at the same time protecting the privacy rights of American citizens. Such legislation should make it more efficient for law enforcement to use tools that are already available—such as pen registers and trap and trace devices—to track down computer criminals expeditiously. It should ensure that law enforcement can investigate and prosecute hacker attacks even when perpetrators use foreign-based computers to facilitate their crimes. It should implement criminal forfeiture provisions to ensure that cybercriminals are forced to relinquish the tools of their trade upon conviction. It should also close a current loophole in our wiretap laws that prevents a law enforcement officer from monitoring an innocent-host computer with the consent of the computer's owner and without a wiretap order to track down the source of denial-of-service attacks. Finally, such legislation should assist state and local police departments in their parallel efforts to combat cybercrime, in recognition of the fact that this fight is not just at the federal level.

    I have been crafting legislation to accomplish all of these goals and look forward to discussing these proposals with law enforcement and industry leaders.

    Legislation must be balanced to protect our privacy and other constitutional rights. I am a strong proponent of the Internet and a defender of our constitutional rights to speak freely and to keep private our confidential affairs from either private sector snoops or unreasonable government searches. These principles can be respected at the same time we hold accountable those malicious mischief makers and digital graffiti sprayers, who use computers to damage or destroy the property of others. I have seen Congress react reflexively in the past to address concerns over anti-social behavior on the Internet with legislative proposals that would do more harm than good. A good example of this is the Communications Decency Act, which the Supreme Court declared unconstitutional. We must make sure that our legislative efforts are precisely targeted on stopping destructive acts and that we avoid scattershot proposals that would threaten, rather than foster, electronic commerce and sacrifice, rather than promote, our constitutional rights.

    Technology has ushered in a new age filled with unlimited potential for commerce and communications. But the Internet age has also ushered in new challenges for federal, state and local law enforcement officials. Congress and the Administration need to work together to meet these new challenges while preserving the benefits of our new era.

    I thank Senators Thurmond and Schumer and Representatives McCollum and Scott for their leadership in holding this important hearing.

    The CHAIRMAN. At this time I would like to take the privilege of introducing our first panel. And then after we finish with this panel, I am going to have the questions led off by Senator Thurmond, who will then get to introduce the next panel. We will share this gavel today. But our first panel today I welcome, as our lead witness, Eric Holder, who is the Deputy Attorney General of the United States. Mr. Holder began his career in the Justice Department in the public integrity section in 1976. In 1988, he was nominated by the President to become an associate judge of the Superior Court of the District of Columbia where he served for 5 years.

    In 1993, President Clinton named Mr. Holder as United States attorney for the District of Columbia, the largest U.S. attorney's office in the Nation. In 1997, President Clinton nominated him to become Deputy Attorney General, and he was confirmed to that position by unanimous vote in the Senate. He received his undergraduate degree from Columbia College and his law degree from the Columbia School of Law.

    Mr. Holder is accompanied today by Martha Stansell-Gamm, Section Chief of the computer crime and intellectual property section of the Department of Justice. She is the most experienced Federal prosecutor of computer hacker cases. She joined the Justice Department in 1991 after serving 11 years as a judge advocate in the United States Air Force. Having been a judge advocate in the Navy, I respect that a great deal, Ms. Stansell-Gamm. She received her undergraduate degree from DePauw University, her law degree from Georgetown University, and a master's of law from Harvard.

    The second witness on this panel is Michael Vatis, the Director of the National Infrastructure Protection Center of the FBI. The center is charged with leading the Federal efforts to detect, prevent, investigate and respond to cyber attacks on the Nation's critical infrastructures. Mr. Vatis joined the FBI in 1998. From 1994 to 1998, he served as the Associate Deputy Attorney General in the Department of Justice and Deputy Director of the Executive Office for National Security. In that capacity, he advised the Attorney General and Deputy Attorney General on intelligence, counter-terrorism and other national security issues. From 1993 to 1994, Mr. Vatis served in the Department of Defense as special counsel in the Office of the General Counsel. He received his undergraduate degree from Princeton University and his law degree from Harvard.

    We thank you all for being here today and Mr. Holder, you are recognized. You have been extremely patient with us today. Your entire statement will be submitted for the record without objection. And I hear none. You may proceed as you see fit.

STATEMENT OF ERIC HOLDER, DEPUTY ATTORNEY GENERAL, DEPARTMENT OF JUSTICE, WASHINGTON, DC

    Mr. HOLDER. Thank you very much, Mr. Chairman. I thank Senator Thurmond and the other members of the subcommittees. I want to thank you for this opportunity to testify about cyber crime and related issues, including the recent Internet denial of service incidents. I am joined, as you indicated, by two of my esteemed colleagues, and just as I go through my remarks, let me just say that Marty Stansell-Gamm is the head of what we call CCIPS. Mike Vatis is the head of what we call NIPC. So if you hear me use those terms, I am referring to their organizations.

    Both subcommittees have been very helpful in providing the department with the resources and tools we need to keep pace with the everchanging challenge of cyber crime. We look forward to continuing our cooperation with Congress to ensure that law enforcement, in cooperation with the private sector, can play an appropriate and critical role in protecting the public against cybercrime. I would be happy to address your questions on the recent attacks to the extent that I can, without compromising our ongoing investigation.

    At this point I would simply say that we are taking the attacks very seriously, and that we will do everything in our power to identify those responsible, and to bring them to justice. We are making progress. In addition to the malicious disruption of legitimate service, so-called denial of service attacks involve the unlawful intrusion into an unknown number of computers. Thus, the number of victims in these types of cases can be substantial, and the collective loss and cost to respond to these attacks can run into the tens of millions of dollars or more.

    Computer crime investigators and a number of FBI field offices and investigators from other agencies are investigating these attacks. The agents are also working closely with our network of specially trained computer crime prosecutors who are available 24 hours a day, 7 days a week, to provide legal advice and obtain whatever court orders are necessary.

    We are also obtaining information from victim companies and security experts who, like many in the Internet community, condemn these recent attacks. While the Internet is providing wonderful benefits that are transforming our society in countless beneficial ways, from providing new high wage jobs to our economy, to improving health care, and in countless other ways, these wonderful technologies also provide new opportunities for criminals. Online crime is rapidly increasing. We are seeing more pure computer crimes, that is, crimes where the computer is used as a weapon to attack other computers, as we saw in the distributed denial of service attacks that I just spoke about, and in the spread of malicious code, like viruses. Our vulnerability to this type of crime is astonishingly high.

    It was only this past December that the creator of the Melissa virus admitted that he caused over $80 million in damage. These crimes not only affect our financial well-being and our privacy, they also threaten our Nation's critical infrastructure.

    For a real world terrorist to blow up a dam, he would need tons of explosives, a delivery system and a surreptitious means of evading armed security guards. For the cyber terrorist, however, the same devastating result could be achieved by hacking into the control networks and commanding the computer to open the floodgates.

    We are also seeing a migration of traditional crimes, including child pornography, fraud, gambling and extortion from the physical to the online world. When these crimes are carried out online, perpetrators often find that they can reach more victims quickly and quite easily, turning what were once local scams into crimes that cross interstate and international borders.

    Now while the Internet has tremendous benefits to our society, including greater freedom through expression and economic growth, we must also recognize that investigators and prosecutors at all levels, international, Federal, State and local, are encountering unique challenges. These challenges include technical challenges that hinder law enforcement's ability to find and to prosecute criminals operating on line; legal challenges resulting from laws and legal tools needed to investigate cyber crime lagging behind technological, structural and social changes; and resource challenges to ensure that we have adequate investigative and prosecutorial needs at all levels of government.

    And we recognize that government will not be able to solve all of these problems. In fact, we believe that the private sector should take the lead in protecting private computer networks through more vigilant security efforts, information sharing, and where appropriate, cooperation with government agencies. The private sector can and should take the lead on improving security practices and the development of a more secure Internet infrastructure.

    Despite the technical, legal and resource challenges that we do face, the department has made strides in our fight against cyber crime. We have and will continue to develop extensive investigatory and prosecutorial programs to counter cyber crime. We have established the FBI's National Infrastructure Protection Center, NIPC, and specialized squads located in 16 field offices.

    On the prosecution side, we have trained attorneys, both in headquarters and in the field who are experts in the legal, technological and practical challenges involved in investigating and prosecuting cyber crime. As a result of these programs, the number of cases and prosecutions by the department is growing at a tremendous rate. For example, in 1998 U.S. attorneys offices filed 85 computer crime cases against 116 defendants. This represents a 29 percent increase in the number of cases filed and a 51 percent increase in the number of defendants compared to the previous year. During that same period of time, a total of 62 cases against 72 defendants were terminated with 78 percent of those defendants being convicted.

    On behalf of the department, I want to thank Congress for all the support it has given to us in our efforts to combat cyber crime. Advancements in technology indicate that our efforts are really only just beginning. We look forward to working with Congress and the private sector to ensure that we have a robust and effective long term plan for combating cyber crime, protecting our Nation's infrastructure and ensuring that the Internet reaches its full potential for expanding communications, facilitating commerce and bringing countless other benefits to our society.

    Thank you, Mr. Chairman.

    The CHAIRMAN. Thank you very much Mr. Holder.

    [The prepared statement of Mr. Holder follows:]

PREPARED STATEMENT OF ERIC HOLDER, DEPUTY ATTORNEY GENERAL, DEPARTMENT OF JUSTICE, WASHINGTON, DC

    Mr. Chairmen and other Members of the Subcommittees, I want to thank you for this opportunity to testify on the recent Internet ''denial of service'' attacks and the federal response to these incidents, with a particular focus on the challenges facing the Department of Justice in its fight against cybercrime. Both Subcommittees have been very helpful in providing the Department with the resources and tools we need to keep pace with the ever-changing demands of law enforcement and public safety, particularly the new challenge of cybercrime. At a time where new technologies abound and our society becomes increasingly reliant on computer networks and thus vulnerable to cybercrime, we look forward to working again with you to ensure that law enforcement, in cooperation with the private sector, can play an appropriate and critical role in protecting the well-being of Americans.

COMMENTS ON THE RECENT ATTACKS

    I would be happy to address your questions on the recent attacks, to the extent I can do so without compromising our investigation. At this point, I would simply say that we are taking the attacks very seriously and that we will do everything in our power to identify those responsible and bring them to justice. In addition to the malicious disruption of legitimate commerce, so-called ''denial of service'' attacks involve the unlawful intrusion into an unknown number of computers, which are in turn used to launch attacks on the eventual target computer, in this case the computers of Yahoo, eBay, and others. Thus, the number of victims in these types of cases can be substantial, and the collective loss and cost to respond to these attacks can run into the tens of millions of dollars—or more.

OVERVIEW OF INVESTIGATIVE EFFORTS AND COORDINATION

    Computer crime investigators in a number of FBI field offices and investigators from other agencies are investigating these attacks. They are coordinating information with the National Infrastructure Protection Center (NIPC) of the FBI. The agents are also working closely with our network of specially trained computer crime prosecutors who are available 24 hours a day/7 days a week to provide legal advice and obtain whatever court orders are necessary. Attorneys from the Criminal Division's Computer Crime and Intellectual Property Section (CCIPS) are coordinating with the Assistant United States Attorneys in the field. We are also obtaining information from victim companies and security experts, who, like many in the Internet community, condemn these recent attacks. We are also working closely with our counterparts in other nations. I am proud of the efforts being made in this case, including the assistance we are receiving from a number of federal agencies.

THE EMERGENCE OF CYBERCRIME

    It is worth remembering that just ten years ago, the Internet was largely unknown and unavailable to the average person. There was no e-commerce, no e-Bay, no amazon-dot-com, very little dot-anything. At that time, the Internet was a collection of military, academic, and research networks serving a small community of trusted users. Many of us were just learning about pagers and cell phones, VCRs, and videocams. That world is history. The far-reaching, ever-expanding, and ever more rapid advances in computer and software technology over the last ten years have combined with the explosive growth of the Internet to change the world forever. For the most part, the Internet and other technologies are providing wonderful benefits to our society—from providing new, high-wage jobs to our economy, to expanding educational opportunities, to improving health care, and in countless other ways.

    Unfortunately, these wonderful technologies also provide new opportunities for criminals. Online crime is rapidly increasing. We are seeing more ''pure'' computer crimes, that is, crimes where the computer is used as a weapon to attack other computers, as we saw in the distributed denial of service attacks I just spoke about, and in the spread of malicious code, like viruses. Our vulnerability to this type of crime is astonishingly high—it was only this past December that a defendant admitted, when he pled guilty in federal and state court to creating and releasing the Melissa virus, that he caused over 80 million dollars in damage. These crimes also include computer intrusions designed to obtain information of the most sensitive sort—such as credit cards, companies' trade secrets, or individuals' private information.

    These crimes not only affect our financial well-being and our privacy; they also threaten our nation's critical infrastructure. Our banking system, the stock market, the electricity and water supply, telecommunications networks, and critical government services, such as emergency and national defense services, all rely on computer networks. For a real-world terrorist to blow up a dam, he would need tons of explosives, a delivery system, and a surreptitious means of evading armed security guards. For a cyberterrorist, the same devastating result could be achieved by hacking into the control network and commanding the computer to open the floodgates.

    We are also seeing a migration of ''traditional'' crimes—including threats, child pornography, fraud, gambling, and extortion—from the physical to the online world. When these crimes are carried out online, perpetrators often find that they can reach more victims quickly and quite easily, turning what were once ''local'' scams into crimes that cross interstate and international borders. Computers and computer networks provide a cheap and powerful means of communications, and criminals take advantage of this just like everyone else. In addition, sophisticated criminals can readily use the easy anonymity that the Internet provides to hide their crimes.

CHALLENGES OF CYBERCRIME

    The Internet and computers have brought tremendous benefits to our society, including greater freedom of expression and economic growth. But we must also recognize that as a result of our society's increasing reliance on technology, investigators and prosecutors at all levels—international, federal, state, and local—are encountering unique challenges. These challenges generally can be divided into three categories:

1) Technical challenges that hinder law enforcement's ability to find and prosecute criminals operating online;

2) Legal challenges resulting from laws and legal tools needed to investigate cybercrime lagging behind technological, structural, and social changes; and

3) Resource challenges to ensure we have satisfied critical, investigative and prosecutorial needs at all levels of government.

    Before I discuss each of these challenges, let me say that we recognize that we in government will not be able to solve all of these problems. In fact, we believe the private sector should take the lead in protecting private computer networks, through more vigilant security efforts, information sharing, and, where appropriate, cooperation with government agencies. The private sector has the resources, the technical ability, and the trained personnel to ensure that, as technology continues to develop and change rapidly, the Internet is a safer place for all of us. Thus, the private sector can and should take the lead on improving security practices and the development of a more secure Internet infrastructure.

    Our society will also need the assistance of the everyday user in making sure that safeguards are taken and practices are followed. The best infrastructure and most secure means of electronic commerce will be ineffective if the users of the technology, that is, all of us, don't follow the basic ''rules of the road.''

    However, even assuming that users and companies do everything they can to provide a safe, secure, and vibrant Internet, there will be instances where the practices and safeguards fail. Criminals rob banks even though banks use numerous security measures. In such cases, law enforcement must be prepared and equipped to investigate and prosecute cybercriminals in order to stop their criminal activity, to punish them, and to deter others who might follow the same path. This is the reason that it is so important that we work together to address the challenges I am about to discuss.

Technical Challenges

    When a hacker disrupts air traffic control at a local airport, when a child pornographer sends computer files, when a cyberstalker sends a threatening e-mail to a public school or a local church, or when credit card numbers are stolen from a company engaged in e-commerce, investigators must locate the source of the communication. Everything on the Internet is communications, from an e-mail to an electronic heist. Finding an electronic criminal means that law enforcement must determine who is responsible for sending an electronic threat or initiating an electronic robbery. To accomplish this, law enforcement must in nearly every case trace the ''electronic trail'' leading from the victim back to the perpetrator.

    Tracking a criminal online is not necessarily an impossible task, as demonstrated last year when federal and state law enforcement agencies were able to track down the creator of the Melissa virus and the individual who created a false Bloomberg News Service website in order to drive up the stock price of PairGain, a telecommunications company in California. In both cases, technology enabled us to find the individuals who were engaging in criminal activity.

    Unfortunately, despite our successes in the Melissa and PairGain cases, we still face significant challenges as online criminals become more sophisticated, often wearing the equivalent of Internet electronic gloves to hide their fingerprints and their identity.

    It doesn't take a master hacker to disappear on a network. Ironically, while the public is justifiably worried about protecting the legitimate electronic privacy of individuals who use networks, a criminal using tools and other information easily available over the Internet can operate in almost perfect anonymity. By weaving his or her communications through a series of anonymous remailers; by creating a few forged e-mail headers with powerful, point-and-click tools readily downloadable from many hacker web sites; or by using a ''free-trial'' account or two, a hacker, online pornographer, or web-based fraud artist can often effectively hide the trail of his or her communications.

    As we consider the challenge created by anonymity, we must also recognize that there are legitimate reasons to allow anonymity in communications networks. A whistleblower, a resistance fighter in Kosovo, a battered woman's support group—all of these individuals may understandably wish to use the Internet and other new technologies to communicate with others without revealing their identities.

    In addition to problems related to the anonymous nature of the Internet, we are being challenged to investigate and prosecute criminals in an international arena. The Internet is a global medium that does not recognize physical and jurisdictional boundaries. A criminal no longer needs to be at the actual scene of the crime to prey on his or her victims. As a result, a computer server running a web page designed to defraud U.S. senior citizens might be located in Europe or Asia. A child pornographer may distribute photographs or videos via e-mail, sending the e-mails through the communications networks of several countries before they reach their intended recipients. With more than 190 Internet-connected countries in the world, the coordination challenges facing law enforcement are tremendous. And any delay in an investigation is critical, as a criminal's trail might, in certain circumstances, end as soon as he or she disconnects from the Internet.

    Likewise, evidence of a crime can be stored at a remote location, either for the purpose of concealing the crime from law enforcement and others, or simply because of the design of the network. In certain circumstances, the fact that the evidence is stored and held by a third party, such as an internet service provider, might be helpful to law enforcement agencies who might be able to use lawful process to get that information. However, storing information remotely can also create a challenge to law enforcement, which cannot ignore the real-world limits of local, state, and national sovereignty and jurisdiction. Obtaining information from foreign countries, especially on an expedited basis, can be a daunting task, especially when a country may be in a different time zone, use a different language, have different legal rules, and may not have trained experts available. Consequently, even as the Internet and other new technologies have given us new abilities to find criminals remotely, our abilities can be hindered if we cannot obtain the necessary legal cooperation from our counterparts in other countries.

    The vast majority of Internet companies are good corporate citizens and are interested in the safety of our citizens. In fact, several companies have been engaged in discussions with law enforcement regarding our concerns. Despite these efforts, we have learned that we cannot take for granted the nature of any Internet service provider's services, its record-keeping practices, and its ability or willingness to cooperate with us. We have encountered a handful of companies involved in criminal activity. In addition, even those companies that are not involved in criminal activities might not be able to assist us because of business reasons or privacy concerns that have resulted in them not keeping the records that will assist in the investigation of a particular crime.

    Moreover, users connect to the Internet from anywhere in the world over old-fashioned telephone lines, wireless phones, cable modems, and satellite systems. Each of these telecommunications systems has its own protocols for addressing and routing traffic, which means that tracking all the way back to the criminal at his or her computer will require agents to be fluent in each technical language. Gathering this evidence from so many kinds of providers is a very different proposition from the days when we simply obtained an order for a telephone company to trace a threatening call.

Legal Challenges

    Deterring and punishing computer criminals requires a legal structure that will support detection and successful prosecution of offenders. Yet the laws defining computer offenses, and the legal tools needed to investigate criminals using the Internet, can lag behind technological and social changes, creating legal challenges to law enforcement agencies.

    Some of the legal challenges we encounter can easily be corrected through legislative action. For example, the Computer Fraud and Abuse Act, 18 U.S.C. §1030, arguably does not reach a computer hacker who causes a large amount of damage to a network of computers if no individual computer sustains over $5,000 worth of damage. The Department of Justice has encountered several instances in which intruders have gained unauthorized access to protected computers (whether publicly or privately owned) used in the provision of ''critical infrastructure'' systems and services—such as those that hospitals use to store sensitive information and to treat patients, and those that the military uses to defend the nation—but where proof of damage in excess of $5,000 has not been readily available.

    The laws under which we are able to identify the origin and destination of telephone calls and computer messages also need to be reviewed. For example, under current law we may have to obtain court orders in multiple jurisdictions to trace a single communication. Obtaining court orders in multiple jurisdictions does not advance any reasonable privacy safeguard, yet it can be a substantial impediment to a fast-paced investigation. As the Attorney General testified recently, it might be extremely helpful, for instance, to provide nationwide effect for trap and trace orders.

    Another concern focuses on the problem of online threats and serious harassment—that is, cyberstalking. Current federal law does not address those situations where a cyberstalker uses unwitting third parties to bombard a victim with messages, transmits personal data about a person—such as the route by which the victim's children walk to school—in order to place such person or his family in fear of injury, or sends an e-mail or other communications under someone else's name with the intent to abuse, harass, or threaten that person. We believe federal law may need to be amended to address this gap.

    These aren't hypothetical changes that we are proposing to address. Just ask the California woman who was awakened six times in the middle of the night to find men knocking on her door offering to rape her. She discovered that a man whom she had told she was not romantically interested in had posted personal advertisements on a variety of Internet services pretending to be her. Each posting, which contained her home address and telephone number, claimed that she fantasized about being raped. We need to ensure that laws against harassment clearly prohibit such horrific actions, particularly since access to the Internet means immediate access to a wide audience.

Resource Challenges

    In addition to technical and legal challenges, we face significant resource challenges. Simply stated, we need an adequate number of prosecutors and agents—at the federal, state and local level—trained with the necessary skills and properly equipped to effectively fight all types of cybercrime.

    While Congress has been very supportive of the Department's cybercrime efforts, we need additional resources to ensure we are adequately equipped to continue our battle against cybercriminals. The President has requested $37 million in new money in FY 2001 to expand our staffing, training and technological capabilities to continue the fight against computer crime. Together, these enhancements will increase the Department's 2001 funding base for computer crime to $138 million, 28 percent more than in 2000.

    Last, the Department of Justice would like to work with Congress to develop a comprehensive, five-year plan—with FY 2001 as our baseline—to prevent cybercrime and, when it does occur, to locate, identify, apprehend and bring to justice those responsible for these types of crimes. On February 16th, the Attorney General testified before Congress regarding a proposed 10-point plan to identify the key areas we need to develop for our cybercrime capability. The key points of this plan she touched upon include:

 Developing a round-the-clock network of federal, state and local law enforcement officials with expertise in, and responsibility for, investigating and prosecuting cybercrime.

 Developing and sharing expertise—personnel and equipment—among federal, state and local law enforcement agencies.

 Dramatically increasing our computer forensic capabilities, which are so essential in computer crime investigations—both hacking cases and cases where computers are used to facilitate other crimes, including drug trafficking, terrorism, and child pornography.

 Reviewing whether we have adequate legal tools to locate, identify, and prosecute cybercriminals. In particular, we may need new and more robust procedural tools to allow state authorities to more easily gather evidence located outside their jurisdictions. We also need to explore whether we have adequate tools at the federal level to effectively investigate cybercrime.

 Because of the borderless nature of the Internet, we need to develop effective partnerships with other nations to encourage them to enact laws that adequately address cybercrime and to provide assistance in cybercrime investigations. A balanced international strategy for combating cybercrime should be at the top of our national security agenda.

 We need to work in partnership with industry to address cybercrime and security. This should not be a top-down approach through excessive government regulation or mandates. Rather, we need a true partnership, where we can discuss challenges and develop effective solutions that do not pose a threat to individual privacy.

 And we need to teach our young people about the responsible use of the Internet. The Department of Justice and the Information Technology Association of America have already taken steps to do so through the development of the Cybercitizen Partnership, but more needs to be done.

EFFORTS AGAINST CYBERCRIME

    Despite the technical, legal, and resource challenges, the Department has made strides in our fight against cybercrime. We have and will continue to develop extensive investigatory and prosecutorial programs to counter cybercrime. Let me take a few moments to detail some of our efforts to date.

    On the investigatory side, we have the FBI's National Infrastructure Protection Center (NIPC) and specialized squads located in 16 field offices.

    On the prosecutorial side, we have trained attorneys, both in headquarters and in the field, who are experts in the legal, technological, and practical challenges involved in investigating and prosecuting cybercrime. The cornerstone of our prosecutor cybercrime program is the Computer Crime and Intellectual Property Section. CCIPS, which currently has 18 attorneys, was founded in 1991 as the Computer Crime Unit and was elevated to Section status in 1996. CCIPS works closely on computer crime cases with Assistant United States Attorneys known as ''Computer and Telecommunications Coordinators'' (CTCs) in U.S. Attorneys' Offices around the country. Each CTC is given special training and equipment, and serves as the district's expert in computer crime cases. As a result of these programs, the number of cases and prosecutions by the Department is growing at a tremendous rate. For example, in 1998, U.S. Attorneys' Offices filed 85 computer crime cases against 116 defendants. This represents a 29% increase in the number of cases filed and a 51% increase in the number of defendants, compared to the previous year. During that same period of time, a total of 62 cases against 72 defendants were terminated, with 78% of those defendants being convicted.

    At the same time, our prosecutors are working with numerous other federal, state, and local investigators and prosecutors, providing assistance in any case involving computers and other high technology, such as computer searches and seizure. In sum, the Department and, in particular, its investigators and prosecutors take seriously our responsibility to protect the nation's computers and the Internet from computer crime.

    In addition to the Department's efforts, other agencies including the Customs Service, the Secret Service, the Securities and Exchange Commission, and the U.S. Postal Service's Inspectors General, have played a role in the investigation and prosecution of computer crimes.

CONCLUSION

    On behalf of the Department of Justice, I want to thank Congress for all the support it has given to our efforts to combat cybercrimes. Advancements in technology indicate that our efforts are only just beginning. We look forward to working with Congress and the private sector to ensure that we have a robust and effective long-term plan for combating cybercrime, protecting our nation's infrastructure, and ensuring that the Internet reaches its full potential for expanding communications, facilitating commerce, and bringing countless other benefits to our society.

    The CHAIRMAN. Mr. Vatis.

STATEMENT OF MICHAEL VATIS, DIRECTOR, NATIONAL INFRASTRUCTURE PROTECTION CENTER, FEDERAL BUREAU OF INVESTIGATION, WASHINGTON, DC

    Mr. VATIS. Thank you, Chairman McCollum. Thank you, Mr. Chairman Thurmond and members of the subcommittees. I would like to thank you all for inviting me here today to discuss the growing problem of cyber crime. The recent denial of service attacks have thrust the security of our information infrastructure into the spotlight. But they are really only one example of the growing and very large problem of criminal activity in cyber space.

    The information technology revolution has permeated virtually every facet of our lives, and we see its effects all around us in the way we communicate, do business and in the way government agencies operate. Unfortunately, that same revolution has affected the nature of criminal activity as well. Criminals are increasingly seeing the utility of cyber tools to facilitate traditional crimes such as Internet fraud, extortion and dissemination of child pornography. But they are also inventing new forms of crime which make computers and the information stored on them the targets of criminal activity.

    Thus we are seeing criminals go into computers to steal credit cards or money, to abscond with proprietary high tech information, and to shut down e-commerce sites. And this is not just a criminal problem, it is also a national security problem. This is because our Nation's critical infrastructures, and by that I mean those services that are vital to our economy and to our national security such as electrical power, telecommunications, transportation, and government operations, are now all depending on computer technology for their very operations, and that dependence makes them vulnerable to an attack, which if successful could deny service on a very broad scale.

    The same basic types of cyber attacks that therefore have become attractive to criminals are also attractive to foreign intelligence services who seek new ways to obtain sensitive government or proprietary information, and also to terrorists and hostile foreign nations who are bent on attacking U.S. interests. The difficulty of dealing with this challenge stems from the nature of the cyber environment itself. That environment is borderless, it affords easy anonymity to bad actors and methods of concealment, and it provides new tools that allow for remote access to targeted computers.

    A criminal sitting on the other side of the planet is now capable of stealthily infiltrating a computer network in this country to steal information, to steal money, to shut down e-commerce sites, and to steal government information. Therefore to deal with this problem, law enforcement must retool its work force, its equipment and its own information infrastructure. It must also forge new partnerships with private industry, with other government agencies, with State and local law enforcement, and with our international counterparts. We at the NIPC have been doing this for the last 2 years, but we must continue to build on our progress to ensure that we can continue to perform our responsibilities to protect public safety and the national security.

    Let me just give a little background about the NIPC, since I think in the parlance of the industry, it could probably have done a better job of branding ourselves. We were created in 1998 as the focal point for the government's efforts to both warn of and respond to cyber attacks, particularly those directed at the Nation's critical infrastructures. We are an interagency center that brings together representatives from many different Federal agencies, State and local law enforcement, and the private sector as well. And this interagency public/private composition is based on the recognition that dealing with the cyber threat is not just a problem for the FBI, it is not just a problem for law enforcement, and indeed it is not just a government problem, it is a problem that spreads across all of those entities and includes the private sector perhaps most importantly.

    The FBI has also created a cyber crime investigative program in all field offices of the FBI across the country. This program consists of specially trained special agents in each field office who are responsible for investigating computer intrusions, viruses, and denial of service attacks, and for conducting the critical liaison activities with private industry and academia. They are also in the process of developing task forces with State and local law enforcement so that we can leverage the limited resources that we have in this area.

    My written statement goes through some examples of the very broad spectrum of cyber threats that we face. And I will just mention three here today from last year that I think exemplify that broad range. One, as Mr. Holder talked about, was the Melissa virus, which resulted in only the second Federal prosecution of a virus propagator that I am aware of in history. And David Smith, who pled guilty to both Federal and State charges, admitted to causing $80 million of damage and to having affected over a million computers.

    So the extent of harm that can be caused by viruses or intrusions is extremely significant, based on that example alone.

    Another example was the phone masters case worked by the Dallas division of the FBI, which involved an international group of hackers who were able to penetrate the computer systems of MCI, Sprint, AT&T, and even the National Crime Information Center. They downloaded thousands of calling card numbers which they sold through various middlemen, and ultimately ended up in the hands of organized crime groups in Italy. Again, many thousands of dollars at stake in that case.

    And in another case from last year, we observed a series of intrusions into numerous Defense Department computers that resulted in the taking of large amounts of unclassified but still sensitive information, including Defense technical research information. Those intrusions appear to have originated in Russia, raising obvious concerns about the impact on our national security.

    Let me talk briefly about the recent denial of service attacks and give you an overview of our efforts to date on that case. Unfortunately, I can't go into great detail since the matter is still pending, but if you like, I can give you some detail about what we have done to date, and the nature of those attacks to provide some illustration of the problem.

    Last fall we began receiving reports about a new set of what are called exploits, or attack tools, that are collectively known as distributed denial of service tools. Some of the variants of these tools are known as Trin00, Tribal Flood Network, TFN2K and Stacheldraht, which is German for barbed wire. Essentially, what these tools do is allow a hacker to gain unauthorized access to a computer system and place software code on that system that renders that system into what is known as a master or a handler system. The hackers then intrude into other computers and place malicious code in them which makes them into agents or slaves of the master also known as zombies or demons. Each master that has been taken over by the hacker can then control multiple numbers of agents. And in both sets of circumstances, the owners of those infiltrated computers are normally unwitting to the fact that dangerous tools have been placed on their networks.

    At some point the hackers then activate the master computers remotely and use them to send information to the agents, thereby activating the agents. The agents then generate numerous requests to connect with the ultimate target of the distributed denial of service attack, usually using a fictitious or spoofed Internet protocol address. The agents act in unison to direct a large volume of connection requests to the ultimate target. And due to the volume of those requests, the target computer becomes overwhelmed in its efforts to acknowledge and complete a connection with the agents. And therefore, service to legitimate customers is denied. And hence, the term ''denial of service.''

    In November and December, after we received several reports that universities and other entities had been infiltrated with agents on their networks, we worked closely with the computer emergency response team at Carnegie-Mellon University, with other academic institutions and with private companies to assess the scope of this problem. The number of agents that had been detected clearly could have been only a small subset of the total number of agents that were out there. We were also somewhat concerned that malicious actors could choose to launch an attack around New Year's Eve in order to cause mayhem or chaos around the millennium rollover.

    We therefore decided in December to issue a number of alerts, both to government agencies and to the public at large so that people could take steps to try to find and remove agents that might have been placed on their systems. Moreover, in late December of last year, we determined that a detection tool that we had developed for investigative purposes might also be useful to network operators and allow them to detect the presence of denial of service agents on their systems. We therefore took the somewhat unusual step of posting that tool on our Website, making it available to the public and also publicly announcing the availability of that tool.

    Since that time public and private entities have downloaded this tool tens of thousands of times and have responded by reporting many installations of the malicious software on their systems, thereby preventing those systems from being used in an attack and leading to the opening of many criminal investigations.

    Unfortunately the warnings and the availability of detection tools did not completely eliminate the threat. And so as is now common knowledge around the world, on February 7th, we began receiving reports that Yahoo had, in fact, experienced a denial of service attack. In a display of close cooperation between private companies and the FBI, several other companies began reporting similar attacks including CNN, eBay, Amazon.com, Buy.com on the day that it was having its initial public offering, and also ZDNet. These companies have cooperated fully with us by providing critical log information and other leads that we have used in our investigations. And most recently, in what appears to have been a similar sort of denial of service, the IBM server that hosts the FBI's own Website was knocked off line for several hours on February 18th.

    The challenges in this sort of case are substantial. In many cases, the attackers use spoofed IP addresses, meaning that the address that appeared on the target's log was not the true address of the system that sent the messages. In addition, many victims do not keep complete network logs. And the resources required in this sort of investigation are also substantial. Companies have been victimized or used as hop sites in numerous places across the country, and indeed around the world, meaning that we have to deploy special agents Nationwide to work leads.

    We currently have seven FBI field offices with cases opened, and all of the remaining 49 FBI field offices are supporting by following up on leads. They are literally following up hundreds of leads. The NIPC is coordinating this Nationwide investigative effort and performing technical analysis of logs from victim sites and Internet service providers. And because parts of the evidentiary trail have led overseas, we are working through our legal attaches in many U.S. embassies abroad to work with foreign law enforcement counterparts to gather evidence in other countries.

    Despite all these challenges I remain optimistic that, through the hard work of our agents, our computer scientists and our analysts, and as a result of the excellent cooperation we have gotten from the private sector, we will, in the end, prove to be successful in this investigation.

    These types of investigations require teamwork. No one can do it alone. Certainly not us in the FBI, and nobody in the private sector. There has to be teamwork among government agencies, there has to be teamwork between government and private sector entities, and there must be good teamwork between Federal and State and local law enforcement agencies.

    We have made a lot of progress in the last 2 years in establishing that sort of teamwork on all of those fronts. And I think the cooperation that we have received from private companies in these recent attacks is ample proof of that sort of teamwork. To encourage further cooperation, we have engaged in a concerted outreach to private industry. And one initiative in particular bears mentioning here, that is something called ''InfraGard.'' This is a program we have developed in concert with private companies to encourage information sharing between the private sector and the government about incidents and threats that they are experiencing, and also so we can share information back with those companies about threats that we become aware of through sources of information that are uniquely available to the government such as intelligence, sources about foreign threats, or law enforcement information about domestically-based threats.

    Now, the key to developing a successful relationship with the private sector in our view is number one, that we have to prove that we are capable of investigating these sorts of high tech crimes. I think that we are doing that. The second is that we have to prove that we are both able and willing to provide information back to the private sector that we are not just willing to take information but also give good useful threat information back. And our warnings and programs like InfraGard are meant to establish that sort of two-way street for information sharing. And third, we have to make it clear that our role, though very important, is a limited one. We try to prevent the attacks by issuing threat warnings based on concrete information that we receive, and we try to resolve incidents by investigating them if they occur in an effort to find the perpetrator. But we do not try to tell companies what to do to secure their systems. We do not tell them what firewalls or detection systems to install. That is a job that must be left to the private sector. And with those who say that the private sector has to be the first line of defense, and that law enforcement should not be in a position of telling the private sector how to secure its systems, I say I agree 100 percent.

    But I think everybody here would agree that if a crime does occur, Americans rightfully would expect that their law enforcement agencies would have the resources and the capabilities to investigate a crime that occurs online and ideally to deter crimes by warning of imminent threats when we have relevant information.

    As we continue to try to meet this problem, the things that we must focus on are ensuring that we have the requisite resources in place both personnel and equipment, and that we continue to train our agents so that they are in a position to respond to information technology crimes.

    Just to give you one example of the sorts of challenges that we face on the technical side, the amount of data that we must examine with human resources, not through technical tools, but with humans looking at technical information is often overwhelming. One current case that we are working that involves an espionage matter requires the analysis by some of our computer scientists of 17 1/2 terabytes of data. To put this in perspective, the entire collection of the Library of Congress, if digitized, would comprise only 10 terabytes, and we are talking about 17 1/2 terabytes for one investigation.

    The investigation of the Yahoo denial of service attack alone involved approximately 630 gigabytes of data, which is equivalent to enough printed pages to fill 630 pickups with paper. So obviously, we need to make sure that we have the technical equipment in place to conduct the sort of analysis that is necessary in these cases.

    And finally, let me just stress here today how careful we are to protecting privacy rights as we conduct these investigations. All of our investigative activities must comport with restrictions and procedures set forth in the Constitution, and particularly the fourth amendment, and Federal statutes such as Title III and the Electronic Communications Privacy Act, as well as attorney general guidelines that govern how we conduct criminal investigations. All of these rules are directed at protecting privacy and respect for privacy is a solemn obligation that all of our investigators take very seriously.

    Thank you again for giving me this opportunity to discuss this problem with you today. I look forward to working with these committees in the future.
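The mechanism Mr. Vatis describes in his oral statement (agents sending a flood of connection requests to one target, often from spoofed source addresses, so that the target exhausts itself trying to complete handshakes) can be recognised at the target, and the agent role can be detected at the network that unknowingly hosts it. The following is an added example written for this page; it is not code from the hearing record, the FBI, or the NIPC, and the log format, the field names and every address in it are constructed for illustration.

```python
"""Defender-side detection of the distributed denial-of-service pattern
described in the testimony: many agents sending connection requests (TCP
SYNs) to one target, typically from spoofed source addresses, so that the
target is overwhelmed trying to acknowledge and complete connections.

Added example, not code from the hearing record, the FBI or the NIPC. The
log format is constructed: one line per observed TCP segment in the form
"timestamp src_ip dst_ip dst_port flags", where flags contains S for SYN
and/or A for ACK.
"""
from collections import Counter, defaultdict
import ipaddress


def build_sample_log():
    """Constructed sample: four legitimate clients that complete the
    handshake, then a one-second burst of 300 SYN-only segments from 300
    distinct sources that never follow up with an ACK."""
    lines = []
    for host in range(5, 9):
        lines.append(f"1 10.1.1.{host} 192.0.2.10 80 S")
        lines.append(f"1 10.1.1.{host} 192.0.2.10 80 A")
    for i in range(300):
        # constructed flood sources spread over two documentation blocks
        block = "198.51.100.0" if i < 250 else "203.0.113.0"
        src = ipaddress.IPv4Address(block) + (i % 250)
        lines.append(f"2 {src} 192.0.2.10 80 S")
    return lines


def parse_line(line):
    """Split one constructed log line into its fields."""
    ts, src, dst, port, flags = line.split()
    return {"ts": int(ts), "src": src, "dst": dst, "port": int(port),
            "syn": "S" in flags, "ack": "A" in flags}


def detect_syn_flood(lines, window_seconds=1, min_syns=100, max_completion=0.5):
    """Group segments by (destination, port, time window). For each group
    count SYN-only segments, distinct SYN sources, and the fraction of those
    sources that later completed the handshake with an ACK. Many SYNs from
    many sources with a low completion ratio is the agent-flood signature
    described in the testimony. Returns a list of alert dictionaries."""
    syn_count = Counter()
    syn_sources = defaultdict(set)
    ack_sources = defaultdict(set)
    for rec in map(parse_line, lines):
        key = (rec["dst"], rec["port"], rec["ts"] // window_seconds)
        if rec["syn"] and not rec["ack"]:
            syn_count[key] += 1
            syn_sources[key].add(rec["src"])
        elif rec["ack"]:
            ack_sources[key].add(rec["src"])
    alerts = []
    for key in sorted(syn_count):
        sources = syn_sources[key]
        completed = len(sources & ack_sources[key]) / len(sources)
        if syn_count[key] >= min_syns and completed <= max_completion:
            dst, port, bucket = key
            alerts.append({"dst": dst, "port": port,
                           "window_start": bucket * window_seconds,
                           "syns": syn_count[key],
                           "distinct_sources": len(sources),
                           "handshake_completion": completed})
    return alerts


def find_spoofed_egress(lines, local_prefix):
    """The other side of the problem: a site whose hosts have been turned
    into agents will emit segments whose source address is not its own.
    Return the outbound lines whose source lies outside local_prefix; a
    border egress filter should drop exactly these."""
    net = ipaddress.ip_network(local_prefix)
    return [line for line in lines
            if ipaddress.ip_address(parse_line(line)["src"]) not in net]


# Constructed outbound sample from a campus network 10.1.1.0/24: two normal
# segments and two with forged sources that should never leave the network.
EGRESS_SAMPLE = [
    "5 10.1.1.20 192.0.2.10 80 S",
    "5 10.1.1.21 192.0.2.10 443 S",
    "5 203.0.113.77 192.0.2.10 80 S",
    "5 198.51.100.9 192.0.2.10 80 S",
]

if __name__ == "__main__":
    for alert in detect_syn_flood(build_sample_log()):
        print("possible SYN flood:", alert)
    for line in find_spoofed_egress(EGRESS_SAMPLE, "10.1.1.0/24"):
        print("spoofed source leaving network:", line)
```

The thresholds are assumptions and would be tuned per site; the point of the completion ratio is that a legitimate traffic surge still completes handshakes, whereas an agent flood with forged sources cannot, because the SYN-ACK goes to an address that never asked for it. The egress check is what keeps a site from being one of the unwitting agent hosts the testimony describes, independently of whether it ever detects the implanted tool.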

    [The prepared statement of Mr. Vatis follows:]

PREPARED STATEMENT OF MICHAEL VATIS, DIRECTOR, NATIONAL INFRASTRUCTURE PROTECTION CENTER, FEDERAL BUREAU OF INVESTIGATION, WASHINGTON, DC

    Good afternoon, Chairman Thurmond, Chairman McCollum, and members of the subcommittees. I am pleased to be testifying today before this special joint hearing. Addressing the problem of cyber crime requires dynamic new working relationships in both the government and private sector. This joint meeting symbolizes in part those new relationships. Our ability in law enforcement to deal with this crime problem will also require the support of Congress, and I want to express my appreciation for your subcommittees' longstanding support for the work of the FBI, and for your acknowledgment of the importance of the issue of cyber crime. The recent denial-of-service attacks against Yahoo!, Amazon.com, E-bay, CNN, Buy.com, and other e-commerce web sites have thrust the security of our information infrastructure into the spotlight. I look forward to discussing the steps we have taken to tackle this issue to date, and the measures that are necessary to ensure that we retain the ability to deal with this problem in the future.

    The changes wrought by the Internet to our society—including business, education, government, and personal communication—are evident all around us, and still very much in flux. The cyber revolution has permeated virtually every facet of our lives. Unfortunately, that revolution has entered the criminal arena as well. For just as millions of people around the globe have incorporated the Internet and advanced information technology into their daily endeavors, so have criminals, terrorists, and adversarial foreign nations. Whether we like it or not, cyber crime presents the most fundamental challenge for law enforcement in the 21st Century. By its very nature, the cyber environment is borderless, affords easy anonymity and methods of concealment to bad actors, and provides new tools to engage in criminal activity. A criminal sitting on the other side of the planet is now capable of stealthily infiltrating a computer network in this country to steal money, abscond with proprietary information, or shut down e-commerce sites. To deal with this problem, law enforcement must retool its work force, its equipment, and its own information infrastructure. It must also forge new partnerships with private industry, other agencies, and our international counterparts. We have been doing all of these things for the last two years. But we must continue to build upon our progress to ensure that we can perform our responsibilities to protect public safety and national security in the Information Age. These are some of the issues I would like to focus on today.

THE NIPC

    Let me begin with some background about the National Infrastructure Protection Center, or ''NIPC.'' The NIPC is an interagency Center located at the FBI. Created in 1998, the NIPC serves as the focal point for the government's efforts to warn of and respond to cyber attacks, particularly those that are directed at our nation's ''critical infrastructures.'' These infrastructures include telecommunications and information, energy, banking and finance, transportation, government operations, and emergency services. In Presidential Decision Directive (PDD) 63, the President directed that the NIPC serve as a ''national critical infrastructure threat assessment, warning, vulnerability, and law enforcement investigation and response entity.'' The PDD further states that the mission of the NIPC ''will include providing timely warnings of intentional threats, comprehensive analyses and law enforcement investigation and response.''

    To accomplish its goals, the NIPC is organized into three sections:

    The Computer Investigations and Operations Section (CIOS) is the operational response arm of the Center. It supports and, where necessary, coordinates computer investigations conducted by FBI field offices throughout the country, provides expert technical assistance to network investigations, and provides a cyber emergency response capability to coordinate the response to a national-level cyber incident.

    The Analysis and Warning Section (AWS) serves as the ''indications and warning'' arm of the NIPC. It provides tactical analytical support during a cyber incident, and also develops strategic analyses of threats for dissemination to both government and private sector entities so that they can take appropriate steps to protect themselves. Through its 24/7 watch and warning operation, it maintains a real-time situational awareness by reviewing numerous governmental and ''open'' sources of information and by maintaining communications with partner entities in the government and private sector. Through its efforts, the AWS strives to acquire indications of a possible attack, assess the information, and issue appropriate warnings to government and private sector partners as quickly as possible.

    The Training, Outreach and Strategy Section (TOSS) coordinates the vital training of cyber investigators in the FBI field offices, other federal agencies, and state and local law enforcement. It also coordinates outreach to private industry and government agencies to build the partnerships that are key to both our investigative and our warning missions. In addition, this section manages our efforts to catalogue information about individual ''key assets'' across the country which, if successfully attacked, could have significant repercussions on our economy or national security. Finally, the TOSS handles the development of strategy and policy in conjunction with other agencies and the Congress.

    Beyond the NIPC at FBI Headquarters, we have also created a cyber crime investigative program in all FBI Field Offices called the National Infrastructure Protection and Computer Intrusion (NIPCI) Program. This program, managed by the NIPC, consists of special agents in each FBI Field Office who are responsible for investigating computer intrusions, viruses, or denial of service attacks, for implementing our key asset initiative, and for conducting critical liaison activities with private industry. They are also developing cyber crime task forces in partnership with state and local law enforcement entities within their jurisdiction to leverage the limited resources in this area.

THE BROAD SPECTRUM OF CYBER THREATS

    Over the past several years we have seen a range of computer crimes ranging from defacement of websites by juveniles to sophisticated intrusions that we suspect may be sponsored by foreign powers, and everything in between. Some of these are obviously more significant than others. The theft of national security information from a government agency or the interruption of electrical power to a major metropolitan area would have greater consequences for national security, public safety, and the economy than the defacement of a web-site. But even the less serious categories have real consequences and, ultimately, can undermine confidence in e-commerce and violate privacy or property rights. A website hack that shuts down an e-commerce site can have disastrous consequences for a business. An intrusion that results in the theft of credit card numbers from an online vendor can result in significant financial loss and, more broadly, reduce consumers' willingness to engage in e-commerce. Because of these implications, it is critical that we have in place the programs and resources to investigate and, ultimately, to deter these sorts of crimes.

    The following are some of the categories of cyber threats that we confront today.

    Insiders. The disgruntled insider (a current or former employee of a company) is a principal source of computer crimes for many companies. Insiders' knowledge of the target companies' network often allows them to gain unrestricted access to cause damage to the system or to steal proprietary data. The 1999 Computer Security Institute/FBI report notes that 55% of respondents reported malicious activity by insiders.

    One example of an insider was George Parente. In 1997, Parente was arrested for causing five network servers at the publishing company Forbes, Inc., to crash. Parente was a former Forbes computer technician who had been terminated from temporary employment. In what appears to have been a vengeful act against the company and his supervisors, Parente dialed into the Forbes computer system from his residence and gained access through a co-worker's log-in and password. Once online, he caused five of the eight Forbes computer network servers to crash, and erased all of the server volume on each of the affected servers. No data could be restored. Parente's sabotage resulted in a two day shut down in Forbes' New York operations with losses exceeding $100,000. Parente pleaded guilty to one count of violating the Computer Fraud and Abuse Act, Title 18 U.S.C. 1030.

    Hackers. Hackers (or ''crackers'') are also a common threat. They sometimes crack into networks simply for the thrill of the challenge or for bragging rights in the hacker community. Recently, however, we have seen more cases of hacking for illicit financial gain or other malicious purposes. While remote cracking once required a fair amount of skill or computer knowledge, hackers can now download attack scripts and protocols from the World Wide Web and launch them against victim sites. Thus while attack tools have become more sophisticated, they have also become easier to use. The distributed denial-of-service (DDOS) attacks earlier this month are only the most recent illustration of the economic disruption that can be caused by tools now readily available on the Internet.

    We have also seen a rise recently in politically motivated attacks on web pages or e-mail servers, which some have dubbed ''hacktivism.'' In these incidents, groups and individuals overload e-mail servers or deface web sites to send a political message. While these attacks generally have not altered operating systems or networks, they have disrupted services, caused monetary loss, and denied the public access to websites containing valuable information, thereby infringing on others' rights to disseminate and receive information. Examples of ''hacktivism'' include a case in 1996, in which an unknown subject gained unauthorized access to the computer system hosting the Department of Justice Internet web site. The intruders deleted over 200 directories and their contents on the computer system and installed their own pages. The installed pages were critical of the Communications Decency Act (CDA) and included pictures of Adolf Hitler, swastikas, pictures of sexual bondage scenes, a speech falsely attributed to President Clinton, and fabricated CDA text.

    Virus Writers. Virus writers are posing an increasingly serious threat to networks and systems worldwide. Last year saw the proliferation of several destructive computer viruses or ''worms,'' including the Melissa Macro Virus, the Explore.Zip worm, and the CIH (Chernobyl) Virus. The NIPC frequently sends out warnings or advisories regarding particularly dangerous viruses, which can allow potential victims to take protective steps and minimize the destructive consequences of a virus.

    The Melissa Macro Virus was a good example of our two-fold response—encompassing both warning and investigation—to a virus spreading in the networks. The NIPC sent out warnings as soon as it had solid information on the virus and its effects; these warnings helped alert the public and reduce the potential destructive impact of the virus. On the investigative side, the NIPC acted as a central point of contact for the field offices who worked leads on the case. A tip received by the New Jersey State Police from America Online, and their follow-up investigation with the FBI's Newark Division, led to the April 1, 1999 arrest of David L. Smith. Mr. Smith pleaded guilty to one count of violating 18 U.S.C. §1030 in Federal Court, and to four state felony counts. As part of his guilty plea, Smith stipulated to affecting one million computer systems and causing $80 million in damage. Smith is awaiting sentencing.

    Criminal Groups. We are also seeing the increased use of cyber intrusions by criminal groups who attack systems for purposes of monetary gain. In September, 1999, two members of a group dubbed the ''Phonemasters'' were sentenced after their conviction for theft and possession of unauthorized access devices (18 U.S.C. §1029) and unauthorized access to a federal interest computer (18 U.S.C. §1030). The ''Phonemasters'' were an international group of criminals who penetrated the computer systems of MCI, Sprint, AT&T, Equifax, and even the National Crime Information Center. Under judicially approved electronic surveillance orders, the FBI's Dallas Division made use of new data intercept technology to monitor the calling activity and modem pulses of one of the suspects, Calvin Cantrell. Mr. Cantrell downloaded thousands of Sprint calling card numbers, which he sold to a Canadian individual, who passed them on to someone in Ohio. These numbers made their way to an individual in Switzerland and eventually ended up in the hands of organized crime groups in Italy. Cantrell was sentenced to two years as a result of his guilty plea, while one of his associates, Cory Lindsay, was sentenced to 41 months.

    The Phonemasters' methods included ''dumpster diving'' to gather old phone books and technical manuals for systems. They used this information to trick employees into giving up their logon and password information. The group then used this information to break into victim systems. It is important to remember that often ''cyber crimes'' are facilitated by old fashioned guile, such as calling employees and tricking them into giving up passwords. Good cyber security practices must therefore address personnel security and ''social engineering'' in addition to instituting electronic security measures.

    Another example of cyber intrusions used to implement a criminal conspiracy involved Vladimir L. Levin and numerous accomplices who illegally transferred more than $10 million in funds from three Citibank corporate customers to bank accounts in California, Finland, Germany, the Netherlands, Switzerland, and Israel between June and October 1994. Levin, a Russian computer expert, gained access over 40 times to Citibank's cash management system using a personal computer and stolen passwords and identification numbers. Russian telephone company employees working with Citibank were able to trace the source of the transfers to Levin's employer in St. Petersburg, Russia. Levin was arrested in March 1995 in London and subsequently extradited to the U.S. On February 24, 1998, he was sentenced to three years in prison and ordered to pay Citibank $240,000 in restitution. Four of Levin's accomplices pleaded guilty and one was arrested but could not be extradited. Citibank was able to recover all but $400,000 of the $10 million in illegally transferred funds.

    Unfortunately, cyberspace provides new tools not only for criminals, but for national security threats as well. These include terrorists, foreign intelligence agencies, and foreign militaries.

    Terrorists. Terrorist groups are increasingly using new information technology and the Internet to formulate plans, raise funds, spread propaganda, and to communicate securely. In his statement on the worldwide threat in 2000, Director of Central Intelligence George Tenet testified that terrorist groups, ''including Hezbollah, HAMAS, the Abu Nidal organization, and Bin Laden's al-Qa'ida organization are using computerized files, e-mail, and encryption to support their operations.'' In one example, convicted terrorist Ramzi Yousef, the mastermind of the World Trade Center bombing, stored detailed plans to destroy United States airliners on encrypted files on his laptop computer. While we have not yet seen these groups employ cyber tools as a weapon to use against critical infrastructures, their reliance on information technology and acquisition of computer expertise are clear warning signs. Moreover, we have seen other terrorist groups, such as the Internet Black Tigers (who are reportedly affiliated with the Tamil Tigers), engage in attacks on foreign government web-sites and e-mail servers. ''Cyber terrorism''—by which I mean the use of cyber tools to shut down critical national infrastructures (such as energy, transportation, or government operations) for the purpose of coercing or intimidating a government or civilian population—is thus a very real, though still largely potential, threat.

    Foreign intelligence services. Not surprisingly, foreign intelligence services have adapted to using cyber tools as part of their espionage tradecraft. Even as far back as 1986, before the worldwide surge in Internet use, the KGB employed West German hackers to access Department of Defense systems in the well-known ''Cuckoo's Egg'' case. While I cannot go into specifics about more recent developments in an open hearing, it should not surprise anyone to hear that foreign intelligence services increasingly view computer intrusions as a useful tool for acquiring sensitive U.S. government and private sector information.

    Information Warfare. The prospect of ''information warfare'' by foreign militaries against our critical infrastructures is perhaps the greatest potential cyber threat to our national security. We know that several foreign nations are developing information warfare doctrine, programs, and capabilities for use against the United States or other nations. Knowing that they cannot match our military might with conventional or ''kinetic'' weapons, nations see cyber attacks on our critical infrastructures or military operations as a way to hit what they perceive as America's Achilles heel—our growing dependence on information technology in government and commercial operations.

DISTRIBUTED DENIAL OF SERVICE ATTACKS

    The recent distributed denial of service (DDOS) attacks have garnered a tremendous amount of interest in the public and in the Congress. Because we are actively investigating these attacks, I cannot provide a detailed briefing on the status of our efforts. However, I can provide an overview of our activities to deal with the DDOS threat beginning last year and of our investigative efforts over the last three weeks.

    In the fall of last year, the NIPC began receiving reports about a new set of ''exploits'' or attack tools collectively called distributed denial of service (or DDOS) tools. DDOS variants include tools known as ''Trin00,'' ''Tribal Flood Net'' (TFN), ''TFN2K,'' and ''Stacheldraht'' (German for ''barbed wire''). These tools essentially work as follows: hackers gain unauthorized access to a computer system(s) and place software code on it that renders that system a ''master'' (or a ''handler''). The hackers also intrude into other networks and place malicious code which makes those systems into agents (also known as ''zombies'' or ''daemons'' or ''slaves''). Each Master is capable of controlling multiple agents. In both cases, the network owners normally are not aware that dangerous tools have been placed and reside on their systems, thus becoming third-party victims to the intended crime.

    The ''Masters'' are activated either remotely or by internal programming (such as a command to begin an attack at a prescribed time) and are used to send information to the agents, activating their DDOS ability. The agents then generate numerous requests to connect with the attack's ultimate target(s), typically using a fictitious or ''spoofed'' IP (Internet Protocol) address, thus providing a falsified identity as to the source of the request. The agents act in unison to generate a high volume of traffic from several sources. This type of attack is referred to as a SYN flood, as the SYN is the initial effort by the sending computer to make a connection with the destination computer. Due to the volume of SYN requests the destination computer becomes overwhelmed in its efforts to acknowledge and complete a transaction with the sending computers, degrading or denying its ability to complete service with legitimate customers—hence the term ''Denial of Service''. These attacks are especially damaging when they are coordinated from multiple sites—hence the term Distributed Denial of Service.

    An analogy would be if someone launched an automated program to have hundreds of phone calls placed to the Capitol switchboard at the same time. All of the good efforts of the staff would be overcome. Many callers would receive busy signals due to the high volume of telephone traffic.

    In November and December, the NIPC received reports that universities and others were detecting the presence of hundreds of agents on their networks. The number of agents detected clearly could have been only a small subset of the total number of agents actually deployed. In addition, we were concerned that some malicious actors might choose to launch a DDOS attack around New Year's Eve in order to cause disruption and gain notoriety due to the great deal of attention that was being paid to the Y2K rollover. Accordingly, we decided to issue a series of alerts in December to government agencies, industry, and the public about the DDOS threat.

    Moreover, in late December, we determined that a detection tool that we had developed for investigative purposes might also be used by network operators to detect the presence of DDOS agents or masters on their operating systems, and thus would enable them to remove an agent or master and prevent the network from being unwittingly utilized in a DDOS attack. Moreover, at that time there was, to our knowledge, no similar detection tool available commercially. We therefore decided to take the unusual step of releasing the tool to other agencies and to the public in an effort to reduce the level of the threat. We made the first variant of our software available on the NIPC website on December 30, 1999. To maximize the public awareness of this tool, we announced its availability in an FBI press release that same date. Since the first posting of the tool, we have posted three updated versions that have perfected the software and made it applicable to different operating systems.

    The public has downloaded these tools tens of thousands of times from the web site, and has responded by reporting many installations of the DDOS software, thereby preventing their networks from being used in attacks and leading to the opening of criminal investigations both before and after the widely publicized attacks of the last few weeks. Our work with private companies has been so well received that the trade group SANS awarded their yearly Security Technology Leadership Award to members of the NIPC's Special Technologies Applications Unit.

    Recently, we received reports that a new variation of DDOS tools was being found on Windows operating systems. One victim entity provided us with the object code to the tool found on its network. On February 18 we made the binaries available to anti-virus companies (through an industry association) and the Computer Emergency Response Team (CERT) at Carnegie Mellon University for analysis and so that commercial vendors could create or adjust their products to detect the new DDOS variant. Given the attention that DDOS tools have received in recent weeks, there are now numerous detection and security products to address this threat, so we determined that we could be most helpful by giving them the necessary code rather than deploying a detection tool ourselves.

    Unfortunately, the warnings that we and others in the security community had issued about DDOS tools last year, while alerting many potential victims and reducing the threat, did not eliminate the threat. Quite frequently, even when a threat is known and patches or detection tools are available, network operators either remain unaware of the problem or fail to take necessary protective steps. In addition, in the cyber equivalent of an arms race, exploits evolve as hackers design variations to evade or overcome detection software and filters. Even security-conscious companies that put in place all available security measures therefore are not invulnerable. And, particularly with DDOS tools, one organization might be the victim of a successful attack despite its best efforts, because another organization failed to take steps to keep itself from being made the unwitting participant in an attack.

    On February 7, 2000, the NIPC received reports that Yahoo had experienced a denial of service attack. In a display of the close cooperative relationship that we have developed with the private sector, in the days that followed, several other companies (including Cable News Network, eBay, Amazon.com, Buy.com, and ZDNET), also reported denial of service outages to the NIPC or FBI field offices. These companies cooperated with us by providing critical logs and other information. Still, the challenges to apprehending the suspects are substantial. In many cases, the attackers used ''spoofed'' IP addresses, meaning that the address that appeared on the target's log was not the true address of the system that sent the messages. In addition, many victims do not keep complete network logs.

    The resources required in an investigation of this type are substantial. Companies have been victimized or used as ''hop sites'' in numerous places across the country, meaning that we must deploy special agents nationwide to work leads. We currently have seven FBI field offices with cases opened and all the remaining offices are supporting the offices that have opened cases. Agents from these offices are following up literally hundreds of leads. The NIPC is coordinating the nationwide investigative effort, performing technical analysis of logs from victim sites and Internet Service Providers (ISPs), and providing all-source analytical assistance to field offices. Moreover, parts of the evidentiary trail have led overseas, requiring us to work with our foreign counterparts in several countries through our Legal Attaches (Legats) in U.S. embassies.

    While the crime may be high tech, investigating it involves a substantial amount of traditional investigative work as well as highly technical work. Interviews of network operators and confidential sources can provide very useful information, which leads to still more interviews and leads to follow-up. And victim sites and ISPs provide an enormous amount of log information that needs to be processed and analyzed by human analysts.

    Despite these challenges, I am optimistic that the hard work of our agents, analysts, and computer scientists; the excellent cooperation and collaboration we have with private industry and universities; and the teamwork we are engaged in with foreign partners will in the end prove successful.

INTERAGENCY COOPERATION

    The broad spectrum of cyber threats described earlier, ranging from hacking to foreign espionage and information warfare, requires not just new technologies and skills on the part of investigators, but new organizational constructs as well. In most cyber attacks, the identity, location, and objective of the perpetrator are not immediately apparent. Nor is the scope of his attack—i.e., whether an intrusion is isolated or part of a broader pattern affecting numerous targets. This means it is often impossible to determine at the outset if an intrusion is an act of cyber vandalism, organized crime, domestic or foreign terrorism, economic or traditional espionage, or some form of strategic military attack. The only way to determine the source, nature, and scope of the incident is to gather information from the victim sites and intermediate sites such as ISPs and telecommunications carriers. Under our constitutional system, such information typically can be gathered only pursuant to criminal investigative authorities. This is why the NIPC is part of the FBI, allowing us to utilize the FBI's legal authorities to gather and retain information and to act on it, consistent with constitutional and statutory requirements.

    But the dimension and varied nature of the threats also means that this is an issue that concerns not just the FBI and law enforcement agencies, but also the Department of Defense, the Intelligence Community, and civilian agencies with infrastructure-focused responsibility such as the Departments of Energy and Transportation. It also is a matter that greatly affects state and local law enforcement. This is why the NIPC is an interagency center, with representatives detailed to the FBI from numerous federal agencies and representation from state and local law enforcement as well. These representatives operate under the direction and authority of the FBI, but bring with them expertise and skills from their respective home agencies that enable better coordination and cooperation among all relevant agencies, consistent with applicable laws.

    We have had many instances in the last two years where this interagency cooperation has proven critical. As mentioned earlier, the case of the Melissa virus was successfully resolved with the first successful federal prosecution of a virus propagator in over a decade because of close teamwork between the NIPCI squad in the FBI's Newark Division and other field offices, the New Jersey State Police, and the NIPC.

    The ''Solar Sunrise'' case is another example of close teamwork with other agencies. In 1998, computer intrusions into U.S. military computer systems occurred during the Iraq weapons inspection crisis. Hackers exploited known vulnerabilities in Sun Solaris operating systems. Some of the intrusions appeared to be coming from the Middle East. The timing, nature, and apparent source of some of the attacks raised concerns in the Pentagon that this could be a concerted effort by Iraq to interfere with U.S. troop deployments. NIPC coordinated a multiagency investigation which included the FBI, the Air Force Office of Special Investigations, the National Aeronautics and Space Administration, the Department of Justice, the Defense Information Systems Agency, the National Security Agency, and the Central Intelligence Agency. Within several days, the investigation determined that the intrusions were not the work of Iraq, but of several teenagers in the U.S. and Israel. Two juveniles in California pleaded guilty to the intrusions, and several Israelis still await trial. The leader of the Israeli group, Ehud Tenenbaum, has been indicted and is currently scheduled for trial in Israel in April.

    More recently, we observed a series of intrusions into numerous Department of Defense and other federal government computer networks and private sector entities. Investigation last year determined that the intrusions appear to have originated in Russia. The intruder successfully accessed U.S. Government networks and took large amounts of unclassified but sensitive information, including defense technical research information. The NIPC coordinated a multiagency investigation, working closely with FBI field offices, the Department of Defense, and the Intelligence Community. While I cannot go into more detail about this case here, it demonstrates the very real threat we face in the cyber realm, and the need for good teamwork and coordination among government agencies responsible for responding to the threat.

PRIVATE SECTOR COOPERATION

    Most importantly, however, our success in battling cyber crime depends on close cooperation with private industry. This is the case for several reasons. First, most of the victims of cyber crimes are private companies. Therefore, successful investigation and prosecution of cyber crimes depends on private victims reporting incidents to law enforcement and cooperating with the investigators. Contrary to press statements by companies offering security services that private companies won't share information with law enforcement, private companies have reported incidents and threats to the NIPC or FBI field offices. The number of victims who have voluntarily reported DDOS attacks to us over the last few weeks is ample proof of this. While there are undoubtedly companies that would prefer not to report a crime because of fear of public embarrassment over a security lapse, the situation has improved markedly. Companies increasingly realize that deterrence of crime depends on effective law enforcement, and that the long-term interests of industry depend on establishing a good working relationship with government to prevent and investigate crime.

    Testimony two weeks ago before the Senate Appropriations Subcommittee for Commerce, State, and Justice by Robert Chesnut, Associate General Counsel for eBay, illustrates this point:

Prior to last week's attacks, eBay had established a close working relationship with the computer crimes squad within the Northern California office of the Federal Bureau of Investigation (''FBI''). eBay has long recognized that the best way to combat cyber crime, whether it's fraud or hacking, is by working cooperatively with law enforcement. Therefore, last year we established procedures for notifying the FBI in the event of such an attack on our web site. As a result of this preparation, we were able to contact the FBI computer intrusion squad during the attack and provide them with information that we expect will assist in their investigation. In the aftermath of the attack, eBay has also been able to provide the FBI with additional leads that have come to our attention.

    Second, the network administrator at a victim company or ISP is critical to the success of an investigation. Only that administrator knows the unique configuration of her system, and she typically must work with an investigator to find critical transactional data that will yield evidence of a criminal's activity.

    Third, the private sector has the technical expertise that is often critical to resolving an investigation. It would be impossible for us to retain experts in every possible operating system or network configuration, so private sector assistance is critical. In addition, many investigations require the development of unique technical tools to deal with novel problems. Private sector assistance has been critical there as well.

    To encourage private sector cooperation, we have engaged in a concerted outreach effort to private industry, providing threat briefings, issuing analyses and threat warnings, and speaking at industry conferences. In another example of cooperation, the Attorney General and the Information Technology Association of America announced a set of initiatives last year as part of a ''Cybercitizens Partnership'' between the government and the information technology (IT) industry. One initiative involves providing IT industry representatives to serve in the NIPC to enhance our technical expertise and our understanding of the information and communications infrastructure.

    We have several other initiatives devoted to private sector outreach that bear mentioning here. The first is called ''InfraGard.'' This is an initiative that we have developed in concert with private companies and academia to encourage information-sharing about cyber intrusions, exploited vulnerabilities, and physical infrastructure threats. A vital component of InfraGard is the ability of industry to provide information on intrusions to the local FBI field office using secure e-mail communications in both a ''sanitized'' and detailed format. The local FBI field offices can, if appropriate, use the detailed version to initiate an investigation; while NIPC Headquarters can analyze that information in conjunction with other information we obtain to determine if the intrusion is part of a broader attack on numerous sites. The NIPC can simultaneously use the sanitized version to inform other members of the intrusion without compromising the confidentiality of the reporting company. The key to this system is that whether, and what, to report is entirely up to the reporting company. A secure website also contains a variety of analytic and warning products that we make available to the InfraGard community. The success of InfraGard is premised on the notion that sharing is a two-way street: the NIPC will provide threat information that companies can use to protect their systems, while companies will provide incident information that can be used to initiate an investigation and to warn other companies.

    Our Key Asset Initiative (KAI) is focused more specifically on the owners and operators of critical components of each of the infrastructure sectors. It facilitates response to threats and incidents by building liaison and communication links with the owners and operators of individual companies and enabling contingency planning. The KAI began in the 1980s and focused on physical vulnerabilities to terrorism. Under the NIPC, the KAI has been reinvigorated and expanded to focus on cyber vulnerabilities as well. The KAI currently involves determining which assets are key within the jurisdiction of each FBI Field Office and obtaining 24-hour points of contact at each asset in cases of emergency. Eventually, if future resources permit, the initiative will include the development of contingency plans to respond to attacks on each asset, exercises to test response plans, and modeling to determine the effects of an attack on particular assets. FBI field offices are responsible for developing a list of the assets within their respective jurisdictions, while the NIPC maintains the national database. The KAI is being developed in coordination with DOD and other agencies. Currently the database has about 2400 entries. This represents 2400 contacts with key private sector nodes made by the NIPC and FBI field offices.

    A third initiative is a pilot program we have begun with the North American Electrical Reliability Council (NERC). Under the pilot program, electric utility companies and other power entities transmit cyber incident reports in near real time to the NIPC. These reports are analyzed and assessed to determine whether an NIPC warning, alert, or advisory is warranted. Electric power participants in the pilot program have stated that the information and analysis provided by the NIPC back to the power companies fully justify their participation in the program. It is our expectation that the Electrical Power Indications and Warning System will provide a full-fledged model for the other critical infrastructures.

    Much has been said over the last few years about the importance of information sharing. Since our founding, the NIPC has been actively engaged in building concrete mechanisms and initiatives to make this sharing a reality, and we have built up a track record of actually sharing useful information. These efforts belie the notions that private industry won't share with law enforcement in this area, or that the government won't provide meaningful threat data to industry. As companies continue to gain experience in dealing with the NIPC and FBI field offices, as we continue to provide them with important and useful threat information, and as companies recognize that cyber crime requires a joint effort by industry and government together, we will continue to make real progress in this area.

KEEPING LAW ENFORCEMENT ON THE CUTTING EDGE OF CYBER CRIME

    As Internet use continues to soar, cyber crime is also increasing exponentially. Our case load reflects this growth. In FY 1998, we opened 547 computer intrusion cases; in FY 1999, that number jumped to 1154. Similarly, the number of pending cases increased from 206 at the end of FY 1997, to 601 at the end of FY 1998, to 834 at the end of FY 99, and to over 900 currently. These statistics include only computer intrusion cases, and do not account for computer facilitated crimes such as Internet fraud, child pornography, or e-mail extortion efforts. In these cases, the NIPC and NIPCI squads often provide technical assistance to traditional investigative programs responsible for these categories of crime.

    We can clearly expect these upward trends to continue. To meet this challenge, we must ensure that we have adequate resources, including both personnel and equipment, both at the NIPC and in FBI field offices. We currently have 193 agents nationwide dedicated to investigating computer intrusion and virus cases. In order to maximize investigative resources the FBI has taken the approach of creating regional squads in 16 field offices that have sufficient size to work complex intrusion cases and to assist those field offices without a NIPCI squad. In those field offices without squads, the FBI is building a baseline capability by having one or two agents to work NIPC matters, i.e. computer intrusions (criminal and national security), viruses, InfraGard, state and local liaison, etc.

    At the NIPC, we currently have 101 personnel on board, including 82 FBI employees and 19 detailees from other government agencies. This cadre of investigators, computer scientists, and analysts perform the numerous and complex tasks outlined above, and provide critical coordination and support to field office investigations. As the crime problem grows, we need to make sure that we keep pace by bringing on board additional personnel, including from other agencies and the private sector.

    In addition to putting in place the requisite number of agents, analysts, and computer scientists in the NIPC and in FBI field offices, we must fill those positions by recruiting and retaining personnel who have the appropriate technical, analytical, and investigative skills. This includes personnel who can read and analyze complex log files, perform all-source analysis to look for correlations between events or attack signatures and glean indications of a threat, develop technical tools to address the constantly changing technological environment, and conduct complex network investigations.

    Training and continuing education are also critical, and we have made this a top priority at the NIPC. In FY 1999, we trained 383 FBI and other-government-agency students in NIPC sponsored training classes on network investigations and infrastructure protection. The emphasis for 2000 is on continuing to train federal personnel while expanding training opportunities for state and local law enforcement personnel. During FY 2000, we plan to train approximately 740 personnel from the FBI, other federal agencies, and state and local law enforcement.

    Developing and deploying the best equipment in support of the mission is also very important. Not only do investigators and analysts need the best equipment to conduct investigations in the rapidly evolving cyber system but the NIPC must be on the cutting edge of cyber research and development. Conducting a network intrusion or denial-of-service investigation often requires analysis of voluminous amounts of data. For example, one network intrusion case involving an espionage matter currently being investigated has required the analysis of 17.5 Terabytes of data. To place this into perspective, the entire collection of the Library of Congress, if digitized, would comprise only 10 Terabytes. The Yahoo DDOS attack involved approximately 630 Gigabytes of data, which is equivalent to enough printed pages to fill 630 pickup trucks with paper. Technical analysis requires high capacity equipment to store, process, analyze, and display data. Again, as the crime problem grows, we must ensure that our technical capacity keeps pace.

    Finally, we must look at whether changes to the legal procedures governing investigation and prosecution of cyber crimes are warranted. The problem of Internet crime has grown at such a rapid pace that the laws have not kept up with the technology. The FBI is working with the Department of Justice to propose a legislative package for your review to help keep our laws in step with these advances.

    One example of some of the problems law enforcement is facing is the jurisdictional limitation of pen registers and trap-and-trace orders issued by federal district courts. These orders allow only the capturing of tracing information, not the content of communications. Currently, in order to track back a hacking episode in which a single communication is purposely routed through a number of Internet Service Providers that are located in different states, we generally have to get multiple court orders. This is because, under current law, a federal court can order communications carriers only within its district to provide tracing information to law enforcement. As a result of the fact that investigators typically have to apply for numerous court orders to trace a single communication, there is a needless waste of time and resources, and a number of important investigations are either hampered or derailed entirely in those instances where law enforcement gets to a communications carrier after that carrier has already discarded the necessary information.

    Other laws may be in need of revision because they are decades old and did not anticipate current technology. Many laws were not drafted in a technology-neutral way, and do not make much sense in today's world where telephone carriers, Internet service providers, and cable operators are all providing ways to communicate both electronically and by voice over the Internet. We are reviewing the pen register and trap-and-trace statutes, the Computer Fraud and Abuse Act, and the Cable Communications Policy Act, to ensure that the laws make sense in the current environment.

    There are also issues that we must readdress with respect to the need, under current law, to demonstrate at least $5,000 in damage for certain hacking crimes enumerated under 18 U.S.C. 1030(a)(5). In some of the cases we investigate, proof of damage in excess of $5,000 on a particular system is difficult to show, although the crime of breaking into numerous systems and obtaining root access, with the ability to destroy the confidentiality or accuracy of information, remains very real and extremely serious.

    Finally, we should consider whether current sentencing provisions for computer crimes provide an adequate deterrence. Given the degree of harm that can be caused by a virus, intrusion, or a denial of service—in terms of monetary loss to business and consumers, infringement of privacy, or threats to public safety when critical infrastructures are affected—it would be appropriate to consider whether penalties established years ago remain adequate.

THE ROLE OF LAW ENFORCEMENT

    Finally, I would like to conclude by emphasizing two key points. The first is that our role in combating cyber crime is essentially two-fold: (1) preventing cyber attacks before they occur or limiting their scope by disseminating warnings and advisories about threats so that potential victims can protect themselves; and (2) responding to attacks that do occur by investigating and identifying the perpetrator. This is very much an operational role. Our role is not to determine what security measures private industry should take, or to ensure that companies or individuals take them. It is the responsibility of industry to ensure that appropriate security tools are made available and are implemented. We certainly can assist industry by alerting them to the actual threats that they need to be concerned about, and by providing information about the exploits that we are seeing criminals use. But network administrators, whether in the private sector or in government, are the first line of defense.

    Second, in gathering information as part of our warning and response missions, we rigorously adhere to constitutional and statutory requirements. Our conduct is strictly limited by the Fourth Amendment, statutes such as Title III and ECPA, and the Attorney General Guidelines. These rules are founded first and foremost on the protection of privacy inherent in our constitutional system. Respect for privacy is thus a fundamental guidepost in all of our activities.

CONCLUSION

    I want to thank the subcommittees again for giving me the opportunity to testify here today. The cyber crime problem is real, and growing. The NIPC is moving aggressively to meet this challenge by training FBI agents and investigators from other agencies on how to investigate computer intrusion cases, equipping them with the latest technology and technical assistance, developing our analytic capabilities and warning mechanisms to head off or mitigate attacks, and closely cooperating with the private sector. We have already had significant successes in the fight. I look forward to working with Congress to ensure that we continue to be able to meet the threat as it evolves and grows. Thank you.

    The CHAIRMAN. Thank you, Mr. Vatis.

    I gather, Ms. Stansell-Gamm, you do not have a separate statement?

    Ms. STANSELL-GAMM. I do not.

    The CHAIRMAN. In accordance with the procedure we have agreed with the Senate, Senator Thurmond gets to ask the first round of questions. And we are going to have the Senate take the lead on this. So Senator Thurmond, you are recognized.

    Senator THURMOND. Thank you very much, Mr. Chairman. Mr. Vatis, the perpetrators of the denial of service attacks against Amazon and others a few weeks ago have not been caught despite an intensive Federal effort. Can you give us some information about the status of your investigation?

    Mr. VATIS. Mr. Chairman, we continue to make good progress. We are working aggressively across FBI field offices around the country and also working in conjunction with our foreign counterparts and with our specially trained prosecutors.

    Senator THURMOND. You think you are making headway?

    Mr. VATIS. I think we are.

    Senator THURMOND. Thank you. Mr. Holder, can you make any additional comments about the investigation and whether the department intends to prosecute those responsible to the full extent of the law?

    Mr. HOLDER. We certainly will use all the resources that we have available to us, and once caught, we will, as I indicated a couple weeks ago, we will prosecute these people to the fullest extent that we can.

    Senator THURMOND. Mr. Holder, many have said that the recent denial of service attacks against Amazon and other sites probably were not a very complex method of hacking, and possibly could have been done by teenagers. Currently it is very difficult for Federal authorities to prosecute juveniles. Do we need to consider making it easier for Federal prosecution of juveniles who commit serious computer intrusion attacks?

    Mr. HOLDER. I think that is certainly something we ought to look at. I think we need to try to hold responsible individuals who perpetrate these attacks. We have to think about the unfortunate fact that a certain number of these crimes are committed by juveniles. To the extent we find that to be a problem, we would like to work with the committees, the subcommittees, to develop legislation that might deal with that problem.

    Senator THURMOND. Mr. Holder, hacking investigations often cross international boundaries, but malicious hacking is not even illegal in many countries. How does this impede law enforcement, and what is the United States doing to encourage other countries to view malicious hacking as a crime?

    Mr. HOLDER. Well, I certainly think that what we need to do is establish relationships across international boundaries to ensure we get requested information from other countries. These attacks can be launched from overseas, and to be truly effective in combating them, we need to have these kinds of partnerships. We need to work with other nations. There are about 190 countries around the world who are connected to the Internet at this point. We need to work with all of these countries to come up with ways in which we can be more effective in fighting this problem.

    Senator THURMOND. Mr. Holder, as you know, to violate the Computer Fraud and Abuse Act, perpetrators must cause over $5,000 in damage to an individual computer. Has this standard for damages and the definition of damages caused problems in prosecutions?

    Mr. HOLDER. Yes, I think there is a potential problem there. We think we need to look at that and ask whether or not that threshold requirement is an appropriate one. I think we want to have an ability to aggregate the amounts that are at issue in these kinds of instances so we can meet that barrier, and perhaps come up with a way in which we deal with crime where the aggregate is less than $5,000, perhaps, as misdemeanors as opposed to felonies. But that is a problem that I think we need to deal with.

    Senator THURMOND. Mr. Vatis, has the number of FBI investigations into denial of service attacks increased considerably since the attacks on Amazon and others, and do you think that the most recent cases are mostly the work of copycats?

    Mr. VATIS. Mr. Chairman, I think it is too early to tell whether they are the result of copycats or the same group of people who are behind the initial wave of attacks. But we are looking at possible linkages between all the investigations and trying to determine who is behind all of them.

    Senator THURMOND. Mr. Vatis, the administration's budget requests $37 million in additional funding to fight cyber crime. How much of this would be directed to the FBI and what are the Bureau's current resource needs regarding cyber crime?

    Mr. VATIS. Part of the $37 million that the Attorney General has talked about in the President's Fiscal Year 2001 budget submission would go to the FBI to develop computer analysis and response teams, which are responsible for forensic examination of computers that are seized from subjects. And that comes to about $11.4 million. There is not money in that bill for our investigative teams, though, who are on the front end of an investigation who are responsible for finding those computers that then require forensic examination.

    Senator THURMOND. Thank you, Congressman McCollum.

    The CHAIRMAN. Thank you very much, Senator Thurmond. Now I am going to recognize myself for 5 minutes then Senator Schumer and Mr. Scott. I think that is kind of the order in which this has been ascertained to be.

    Mr. Vatis, in terms of what you have been able to discover so far, the leading suspects in the current denial of service matter, have you been able to ascertain what motive any of them have?

    Mr. VATIS. I think it is too early to tell what the motives might have been.

    The CHAIRMAN. Have you been able to rule out any State acts of other governments?

    Mr. VATIS. We have not been able to rule out anything yet. But I think this—these series of attacks don't have some of the critical indicators of a State action, and it would be hard to determine what a State actor might be motivated by to engage in this sort of activity.

    The CHAIRMAN. That's why I asked. I didn't see it but I wanted to know if you saw it. Because I think that is relevant, although I don't want to get into your investigation itself.

    Mr. Holder, under the current statute that I understand would be most likely utilized in any prosecutions of what have been described by Mr. Vatis as the type of attack that occurred, it appears it would be section 1030 of title 18, and the subsection of the paragraph that reads that the person who committed these crimes would have to knowingly cause the transmission of a program, information, code, or command, and as a result of such conduct, intentionally cause damage without authorization to a protected computer. And the term ''damage'' is defined to mean any impairment to the integrity or availability of data, a program, a system or information that causes the damages in the dollar amounts that Senator Thurmond mentioned.

    I am concerned not about the dollar amounts, I am concerned about whether the type of crime we are talking about here, if indeed it is a crime under the current law, would meet the test of any impairment to the integrity or availability of a data program system, et cetera. Have you and your attorneys examined this? Do you believe that the current statute would be sufficient to meet the thresholds to prosecute the type of crime that you see in this case or are you concerned that this isn't clear enough?

    Mr. HOLDER. Without referring to the specific matters that we have under investigation, I do think that that section would be adequate to deal with those types of crimes we are looking at. Perhaps I can let Ms. Stansell-Gamm, who is obviously more experienced with these matters, and this is her area of expertise, talk about any concerns she might have with regard to that section and the ways in which you have indicated.

    The CHAIRMAN. Please, Ms. Stansell-Gamm.

    Ms. STANSELL-GAMM. Again, without regard to the specifics of the particular case, we have used this provision in many different kinds of prosecutions, and it has been interpreted broadly enough, we feel, to cover basically the kinds of activities we are seeing now. But if you have some particular ideas for ways in which the statute should be shored up, we would, of course, be eager for your observations.

    The CHAIRMAN. Well, certainly the committee is going to look at that. That is what we want to be sure of, that prosecutions can go on in the meantime. But we wouldn't want to leave any ambiguities here, which is why I ask the question. And in the next few weeks, we will make some suggestions, perhaps you will too, given the number of cases that the FBI opened in 1999 more than doubled to 1,154. Mr. Holder, or maybe Ms. Stansell-Gamm, has the number of prosecutions similarly kept pace?

    Ms. STANSELL-GAMM. There is a bit of an apples-and-oranges quality to the figures. One of the reasons is because the prosecution figures you see result from prosecutions under the statute of conviction that we have been talking about, 18 U.S.C. §1030, the computer crimes statute. But that is not the only one we use for prosecuting computer crimes. We also frequently use the wiretap statute, because hackers engage in illegal wiretaps. We use the wire fraud statute. We use 18 U.S.C. §1029, the illegal access device statute. But of course, those aren't exclusively for that use. So I think we can say the figures have gone up, but whether it is in exact proportion to the increase in investigations I can't be certain.

    The CHAIRMAN. Do you think that your workload is too great? You need more prosecutors?

    Ms. STANSELL-GAMM. Without doubt, yes.

    The CHAIRMAN. That will be a significant cost item I assume you are going to be coming and asking us for.

    Mr. HOLDER. In fact, Mr. Chairman, we have asked for an additional $850,000 for additional prosecutors for the Department's Computer Crime Section.

    The CHAIRMAN. That is going to be enough in light of what we are seeing here, or you think you have to come back to ask for more?

    Mr. HOLDER. I think it is entirely possible we might have to come back and ask for more. The Attorney General has talked about developing a cyber crime 5-year plan. I think that the numbers that we are talking about now would certainly see us through the next 12-month period, but I think over a 5-year period, in looking at the outyears, I think we would probably be coming back for additional funds.

    The CHAIRMAN. Before my time expires, you stated, Mr. Holder, that there are other Federal agencies that provided assistance in connection with the recent attacks besides the FBI. Can you tell us who they were and what type of role they played?

    Mr. HOLDER. Mr. Vatis can do that better.

    Mr. VATIS. In this case, it is primarily FBI field officers working in conjunction with U.S. attorneys offices and foreign counterparts. This is one of those increasingly rare cases where we have not had the occasion to work with many other Federal agencies. But there have been some. We are not aware of Federal agency victims other than the IBM server that I said hosts our own site.

    The CHAIRMAN. That is fine. It does strike me as unusual because everybody is always working with everybody else. But you have got the ball. That is good. We identified a single responsible party, and that is important in this actually. Thank you very much.

    Senator Schumer, you are recognized for 5 minutes.

    Senator SCHUMER. Thank you, Mr. Chairman, and most of the questions I was going to ask have been asked already. Two have not. The recent denial of service attacks involve the use, of course, of dozens of, or possibly hundreds, we don't know yet, zombie computers, from which the attacks on specific sites were launched. And these computers undoubtedly are located all over the country, maybe even outside the country.

    With that in mind, would you agree that having Nationwide trap and trace authority would facilitate investigations of denial of service attacks?

    Ms. STANSELL-GAMM. It would make a tremendous difference in the conduct of this case and many other hacking cases. It is one of our procedural instruments of choice.

    Senator SCHUMER. Is it probably the most important thing we do to help you on the procedural side?

    Ms. STANSELL-GAMM. It is certainly one of the most critical.

    Senator SCHUMER. The second question I had, I know Senator Thurmond asked a little bit about international problems, because obviously these computers can be anywhere. The question I guess I would ask is how cooperative are our fellow governments being? Our brother and sister governments being?

    Mr. HOLDER. Well, I will let Marty get into some more detail, but that level of cooperation varies. We have very good relationships with some countries, certainly we have done a lot with the G–8. And we have not been as successful with others, but maybe Marty wants to talk about that a little bit.

    Ms. STANSELL-GAMM. We are getting there. We are slowly making progress. One of the things our section does and has done since 1992 is work with European colleagues in trying to standardize substantive computer crime laws so that we can assist each other. But above and beyond that, once we have the legal ability to help each other, it requires a great deal of work to put a network in place that is going to respond as quickly as we need to respond in these cases.

    So I think with our G–8 partners, we are beginning to see some very rapid coordination that is a direct response of our having created a 24/7 network for computer crime investigations.

    Senator SCHUMER. Are any countries, particularly any of our allies, being particularly uncooperative?

    Mr. VATIS. In this investigation, we are having very good cooperation. If I could add one other point, one of Director Freeh's big priorities during his whole tenure has been bolstering the FBI legal attache program and putting legates in embassies around the world. And this sort of case exemplifies why they are so critical to effectuating the sort of coordination that we need with foreign law enforcement counterparts.

    Senator SCHUMER. And my final question, we talked a little bit about the need for resources, I believe either Senator Thurmond or Congressman McCollum asked about that. Other than resources, are there other legislative incentives that we in Congress could provide that would trigger a sort of trickle down of the need, the technical expertise to State and local prosecutors who needed help as well?

    Mr. HOLDER. The request that we have made for the next fiscal year we asked for about $15 million in assistance to State and local law enforcement, that is about 40 percent of the requests that we have made, 40 percent of the additional $37 million that we have requested to provide cyber crime training to locals to expand their computer forensic capabilities. It seems to us that in order to be totally effective in this, we have to have not only an increased ability on the part of Federal Government, but our State and local counterparts as well.

    Senator SCHUMER. Thank you, Mr. Chairman.

    The CHAIRMAN. Thank you, Mr. Schumer.

    Mr. Scott, you are recognized.

    Representative SCOTT. Thank you, Mr. Chairman. I think one of the themes of some of the questions relates to the fact that most crimes we deal with have a specific location, so that you know whose jurisdiction it is in. With cyber space, you don't know the jurisdictional lines. With the Federal trace, if a Federal officer asked for a trace and went and got a national trace, that would be one thing. Can you say a word about a State official having the ability to place traces in States for which they have possibly no connection at all?

    Ms. STANSELL-GAMM. Well, actually the Attorney General has recognized this issue and she gave a speech not long ago to the National Association of Attorneys General, in which she encouraged them to look at these kinds of cases, and at some of the procedural limitations that would be imposed, and to consider whether the States ought to engage in an interstate compact. So she is encouraging the States to look at this based on their own authority.

    Representative SCOTT. A Virginia judge could issue—how would an interstate—a Virginia judge issues an order that the trace can be placed in a Michigan computer connection?

    Ms. STANSELL-GAMM. Here's the problem: In the old days, there was one phone company, and when we got a trap and trace order, we were asking the phone company to give us the originating phone number that was used all the way throughout the system to ring the bell at the end of the line. That is no longer true anymore. That is, if we want to trace a communication, what we find is that one communication is being carried by several different Internet service providers, by a telephone company or two, local or long distance, by a cell company or two, and soon enough, by a satellite company or two. And what we find is that we give the trap and trace order to the originating phone company, and they say to us the telephone call is coming in to us from MCI, or it is coming in from another provider. I am sorry, that is all the information we have. And our order addressed to that original carrier is of no effect on the next carrier in the chain.

    Representative SCOTT. You expect a State official who issues the order to at least have some connection with the——

    Ms. STANSELL-GAMM. Yes. There would have to be a jurisdictional connection with the case.

    Representative SCOTT. Based on the interstate nature of this thing, would you expect the FBI to be involved in most of these investigations and not State officials?

    Mr. VATIS. I think we need a real partnership, and that is one of the reasons we are trying to work with State and locals, because there is so often an interstate nexus. But given the explosive growth of crime in this area, it is clear that State and local law enforcement is going to have to start bearing a very big portion of the load, simply because there are far more State and local law enforcement officers than there are FBI agents.

    Representative SCOTT. You mentioned the Melissa virus. You didn't mention what the penalty was imposed.

    Mr. VATIS. He is still awaiting sentencing.

    Representative SCOTT. For these kinds of cases, what charges are now possible? You mentioned wiretap violations. In terms of additional penalties, it seems to me that some of the things you have mentioned in the aggregate ought to be sufficient deterrent. Can you talk about what the present law provides in terms of penalties?

    Ms. STANSELL-GAMM. The present law provides for all of the felony offenses under the computer crimes statute for 5-year maximums. And those, of course, would be geared to the sentencing guidelines.

    Representative SCOTT. Five-year maximums, regardless of the amount of damage done?

    Ms. STANSELL-GAMM. That is correct.

    Representative SCOTT. Are there provisions——

    Ms. STANSELL-GAMM. Mr. Holder reminds me, repeat offenders, recidivists get double.

    Representative SCOTT. Are there penalties for just hacking and peeking without causing any damage?

    Ms. STANSELL-GAMM. There is a misdemeanor offense for accessing government computer systems, but that, of course, is a 1-year penalty or less. And there are also misdemeanor offenses for hacking certain kinds of systems and acquiring information. That is 1030 [(a)(2)].

    Representative SCOTT. Back to the trace, just very briefly, what standard do you need to get a trace as opposed to a kind of listen-in wiretap?

    Ms. STANSELL-GAMM. Those two procedural tools are really at opposite ends of the spectrum of our arsenal of procedural weapons. A trap and trace, keep in mind, does not give us any kind of content. It gives us basically phone bill information, so the originating phone number, the originating IP address. The standard there is relevance to a criminal investigation. Then there are other——

    Representative SCOTT. Who establishes whether it is relevant or not?

    Ms. STANSELL-GAMM. Who establishes whether it is relevant or not? The order must be signed by a judge, by a magistrate.

    Representative SCOTT. If the police officer represents that it is relevant, what discretion does the judge have?

    Ms. STANSELL-GAMM. The statute says that the orders must be issued if the predicate has been met.

    Representative SCOTT. So if a police officer represents that it is relevant, that is it.

    Mr. HOLDER. No, a judge has to be satisfied, in signing the order, that the law has been complied with, that the statutory mandates have been met. So the judge acts as a neutral person in that regard. It is not simply enough that an officer could walk up and present anything to a judge and get something signed.

    Representative SCOTT. Has a judge ever turned down such a request?

    Mr. HOLDER. The standard is a fairly low one, given the fact that we are not talking about the acquisition of content, we are not listening into conversations as if you are doing a wiretap.

    Representative SCOTT. But to get to the content, would you need a probable cause standard?

    Ms. STANSELL-GAMM. To get to the content, if you were intercepting it in real-time, you would have to meet the title III standard, which is not only probable cause, but necessity and minimization. So it is the opposite end of the procedural spectrum in order to listen to the content or acquire the content in real-time, that is, a wiretap standard which requires not only probable cause, but the other elements as well.

    Representative SCOTT. Thank you, Mr. Chairman.

    The CHAIRMAN. Thank you, Mr. Scott.

    Mr. Barr you are recognized.

    Representative BARR. Thank you, Mr. Chairman. As I think our colleague, Mr. Hutchinson, said in his opening remarks, this really is a fascinating area of inquiry. I think we could all agree that, particularly in potential crimes of this sort, the best course of the agency is to try and prevent the crimes from occurring in the first place, or if they have begun to prevent them from succeeding. And it seems to me that what we are talking about, distributed denial of service attacks, or DDOS, it really requires very sophisticated, yet already available software that can develop for a particular company, for example, or provider, instantaneous profiling of information that is coming in to determine if this is really a hacking process that is beginning here and be able to stop it.

    Can we agree that the nature of this really requires that, and the magnitude of trying to respond to this, I think, really requires—I think, Mr. Vatis, as you said, that the primary responsibility is going to have to be with companies themselves, and to a very large extent, with State and local governments, since although the most recent examples early this month, hopefully, are somewhat of an aberration, the vast majority of problems in this area of cyber vandalism, or whatever we want to call it, are much more localized.

    Mr. VATIS. Yes. I absolutely agree that prevention is, by and large, the responsibility of the private sector. We can assist in prevention by disseminating information about concrete threats that we are aware of, so that companies know with great particularity what sorts of things they need to be alert to and protect themselves against. But the actual act of prevention and securing the items must be the responsibility of the network administrator.

    Representative BARR. Is it really do you think that we need, and I know there are some questions about what is damage within the terms of the statute and access and so forth, does this really appear to be an area where we need new statutory authority, expand the statutory authority, or simply, you know, a better response and better development by private industry, and the ability to respond to these sorts of attacks by State and local government, given that the primary responsibility of the government, the Federal Government, that is, is already very well defined, and has been well-defined protection of our, that is, the Federal Government's, computer systems.

    Ms. STANSELL-GAMM. Well, we do think that the computer crime statute does bear reexamination in light of all of these events, and we would be happy to work with you on that. But in addition to working with our State and local counterparts, we also feel that the procedural rules through which we gather evidence need to be reexamined as well.

    Representative BARR. I know that the FBI has requested already and I think in the President's budget, some 25- or 26 million additional dollars. What is it that this would be used for? Why could not at least an initial response to this be incorporated into the very substantial increases that have already occurred over the last few years with the FBI's budget? Why is it necessary to have $26 million more requested?

    Mr. HOLDER. Well, I mean, we have tried to, in formulating our resource requests, identify the problems that we have faced in the past and try to kind of extrapolate the kinds of problems that we anticipate we will face in the future. One of the problems we have is to try to identify additional resources. We have tried to be comprehensive in looking at the problem and try to, in formulating the Department of Justice budget, say that we need more prosecutors, we need more analysts, we need a greater research capability.

    And it was taking those things into account that we formulated the numbers that we have submitted to Congress. We have asked for a 28 percent increase over our fiscal year 2000 appropriation with regard to cyber crime. And I think, as I said before, that the Attorney General's notion that we come up with a more comprehensive 5-year plan, using next year as the baseline, is probably the best way to go, so that we can really try to comprehensively, holistically look at the problem and come up with an idea of what we need over the long term.

    Representative BARR. Does it make sense to not make that available to us here in the Congress before the request for additional monies and positions comes forward?

    Mr. HOLDER. I think we certainly want to work with you to talk about the kinds of problems that we will face, share with you information that we have acquired, listen to the concerns that you have, because there are concerns that you all have to obviously weigh. The competing interest that you have to weigh in, trying to decide how the budget pie ultimately is cut up. So I think a great deal of interaction before these proposals are submitted is appropriate.

    Representative BARR. Aren't you, to some extent, already putting the cart before the horse asking for additional money for additional positions without giving us that 5-year plan, and given the fact that this is a relatively new area, the parameters of which we—none of us really understand as we sit here, would it not make sense to give us that 5-year plan that looks down the road, taking into account local and State resources, industry resources, companies such as Internet Security Systems, which is doing tremendous work here, first to be able to get that comprehensive look first, and really understand better the Federal role before asking for fairly significant sums of money? Can't we get that 5-year plan now rather than after the request for funding?

    Mr. HOLDER. Well, the request that we have made so far is based on—it is for 1 year, it is for fiscal year 2000, that is based on the experiences that we have had. The 5-year plan that I am talking about is something that we would be submitting for beginning in the next fiscal year. I do think that yeah, we need to sit down and work with people in the House, people in the Senate, to come up with, to try to develop this plan in a way that there are no surprises in it for you, and that we glean from you and from your staffs the concerns, interests that you have, as well, and take from all available sources, people in industry, our State and local counterparts as well, in trying to determine what this 5-year plan ought to look like.

    Representative BARR. Thank you. I think it makes sense to get that to us sooner rather than later.

    The CHAIRMAN. Thank you, Mr. Barr.

    Ms. Jackson Lee, you are recognized for 5 minutes.

    Representative JACKSON LEE. Thank you, Mr. Chairman. Let me pursue the line of thought that I had early on in my remarks. First of all, with respect to the budget, the 28 percent is part of that holistic approach of also including dollars for understanding the problem more? I mean, I wouldn't want to suggest that you don't understand it all, but I think as I opened my remarks, we all are coming to this newly, is part of those dollars to increase the knowledge, and the knowledge, first of all, the knowledge base and then the training base?

    Mr. HOLDER. Absolutely right. If you look at the amount of money that we want to give to our State and local counterparts, 8.75 million is to provide cyber crime training to State and local investigators and prosecutors, and that training mostly means educating people, acquiring knowledge about that and then trying to tell people, train people as to how that knowledge can be used.

    Representative JACKSON LEE. Though I don't want to give any new ideas to those who may be listening, we don't know the potential of this problem. Frankly I have got friends in the room who are dealing with credit unions, there are other individuals here who utilize the Internet, the computer, this whole technological information tool, and you don't yet really have your hands around how massive a potential problem we might have. Am I—do you or do you not? I don't want to put words in your mouth.

    Mr. HOLDER. I would not want to alarm people, but I will certainly defer to my colleagues here, but I don't want to alarm people, but this is a problem that is ever changing and has been rapidly expanding. So I cannot safely say that we have our hands around the problem at this point. I mean, if we did, we would not be asking for additional resources. We would not be trying to come up with new and better ways to deal with this problem. But I would not want to be alarmist either. Michael or Marty.

    Representative JACKSON LEE. Mr. Vatis, if you answer, I would like you to comment on the training level of those on your team or the needs of more training for those in the FBI.

    Mr. VATIS. Absolutely. I think you raise an excellent point about the breadth of the vulnerabilities that exist as we continue to do more and more business online and we rely on computers in every facet of our lives. We are more and more vulnerable to those who could do us harm, whether they are criminals or terrorists or foreign nations. And I think we have a sense of the theoretical scope of the problem, but it still seems that it takes events for people to really realize that these are not just theoretical problems, they are real ones. So I think as awareness builds, we will see security correspondingly increase and that will be a good thing. And that is the silver lining to these problems.

    I think your point about training is also absolutely critical. We have tried, since our founding 2 years ago, to bring up the level of expertise, not just within the FBI, but with our Federal investigative counterparts, and also State and local law enforcement by giving them training on how to do network investigations. Last year we trained between 200 and 400 FBI personnel on network investigations and infrastructure protection, and we are continuing that sort of training this year. And really focusing on getting that training out to our State and local counterparts as well and bringing them in both to Quantico for training and also delivering regional training out there.

    Representative JACKSON LEE. Because the time goes and I have a series of questions, let me just, if I could, get back from you in writing the portion that really focuses on both training and understanding the problem. I too don't want to bring a sense of immediate crisis to the table, but I do want us to focus on understanding it. And I think that is key. I do want to move toward the profiles of those that you have been able to find that are engaged in this hackering. I guess I have coined a new phrase, I am not sure. But in any event, with my particular interests in children, I am particularly concerned, and I use the term ''toy'' and I saw some lifted eyes, but it is new, it is fascinating, it is different, and I was in one of my schools and talked to a 10-year-old and said how long have you been on the computer? Since age 5. We are not talking to novices, if you will.

    And so by age 15, they are senior citizens on the Internet, if they were born within the last, obviously in the last 15 years. My question is, what is the profile and how are you dealing with that youthful offender?

    Mr. HOLDER. Well Marty, maybe I will let you answer that one.

    Ms. STANSELL-GAMM. All right. There is not extensive research on this question. But the research that I am aware of tells us that a lot of these juvenile offenders tend to be male, they are teenagers. A lot of them are socially inept. They don't——

    Representative JACKSON LEE. Are they criminally minded? Would you——

    Ms. STANSELL-GAMM. They may.

    Representative JACKSON LEE. Incarcerated for 25 years?

    Ms. STANSELL-GAMM. They may or may not be. It may be just a period of deep social maladjustment through which they are passing. And you are absolutely right, I don't think that the importance of teaching limits and ethics on the Internet can be overstated. I have, upon occasion, gone to classrooms of young children, fourth graders, for example; if you ask a classroom of fourth graders, ''How would you feel if you wrote an e-mail to a friend and somebody hacked your Internet service provider and read your e-mail?'' first of all, they all understand the question, and second of all, they are outraged. Their teacher, however, may ask you later, ''Can people do that?''

    The CHAIRMAN. Thank you, Mrs. Jackson Lee.

    Representative JACKSON LEE. If I could ask them for something in writing, Mr. Chairman, if I can pursue that line of thought with you on the profile and the potential penalties that may be appropriate along with my comment about parental liability, I would appreciate it. If we could get that in writing I may have some other questions as well. Thank you.

    The CHAIRMAN. Thank you, Ms. Jackson Lee.

    Mr. Goodlatte, you are recognized for 5 minutes.

    Representative GOODLATTE. Thank you, Mr. Chairman, and I want to thank you for holding this hearing and allowing me, a member of the full committee but not the subcommittee, to participate. It is an area I have interest in because a number of years ago, I introduced legislation to impose criminal sanctions on those who hack into computers, both governmental and privately owned computers. And I am curious in knowing from the panel if they feel that currently existing laws covered by 18 USC 1030 are adequate, and do they cover this particular type of denial of service attack, since it is not really hacking into the computer of the victim, but sending millions or billions of messages from unwitting third-party participants' computers. Is that covered by the law?

    Mr. HOLDER. It is my position, and again, I will defer to my colleagues. I think that 1030 does cover these kinds of attacks. I think there is a real question that we need to ask ourselves, if you have the kinds of attacks that we have seen in the recent past that resulted in probably tens of millions of dollars of damages to the companies, whether the level of penalties now contained in the statute, 5 years, is an appropriate sentence. I think we would be more than glad to work with both of the subcommittees to examine that question to determine whether or not some modifications need to be made in the statute. But Marty——

    Representative GOODLATTE. Has the government experienced similar denial of service attacks on government computers?

    Mr. VATIS. Yes. We have seen many instances over the years of government Websites in particular, experiencing denial of service attacks.

    Representative GOODLATTE. Not too long ago, the administration announced a national plan to address Internet security, and that included a program called Fidnet. And I am wondering if you could tell me whether it is your intent that Fidnet be involved in addressing this problem.

    Mr. VATIS. I think the descriptions of Fidnet that we have seen would be helpful in detecting illegal intrusions into government agency systems. And might give a system administrator of a Federal agency advance warning of an intrusion, and perhaps of a denial of service attack as well, depending on how the system is ultimately designed. And then the system administrator would notify law enforcement if he or she saw an indication of a crime being committed.

    Representative GOODLATTE. Are you suggesting that Fidnet would protect against a denial of service attack?

    Mr. VATIS. It would allow for perhaps early detection. But it depends ultimately on how such a system is designed and what it is constructed to do. Right now it is still very much in the process of being designed, as I understand it.

    Representative GOODLATTE. Fidnet has come under some scrutiny over privacy concerns affecting the monitoring of private sector networks. In a letter to Majority Leader Dick Armey the acting Assistant General John Jennings stated that Fidnet is being designed to monitor Federal executive branch computer networks, not private networks or the Internet in general. Does the national plan, in any way, envision any monitoring of private networks for the purposes of cyber security?

    Mr. HOLDER. No, that is not the plan. I really want to stress that. We are sensitive to the privacy concerns that people have, individuals as well as people in industry. We are sensitive to those concerns. We think that we need to work with industry. We think in some we need to look at some of the statutes that are the tools that we use. But we want to come up with a balanced approach that will allow us to become more effective, while at the same time promoting and enhancing privacy for people who use the Internet.

    Representative GOODLATTE. When Fidnet was criticized over privacy concerns, the administration took great pains to say that the participation of private sector monitors was voluntary. Yet the national plan is being sold as a way to prevent attacks on critical infrastructures, including private networks like banking and telecommunications. If the national plan remains voluntary for the private sector, how can the administration claim that it will protect private networks?

    Mr. HOLDER. One of the things that we have to do is try to convince people in the private sector that there are things that they can do and things that they should do to protect their networks. As we have all indicated, we think it is—the lead role in that effort should be by those in private industry. I think Marty uses the analogy, I think it is a good one: if you have a lock on your front door, the government doesn't tell you what kind of lock to put on your front door, we leave that to the individual homeowner. Yet if somebody breaks into your house, then it is appropriate for government to become involved. I think in that regard, we want to encourage people in industry to become involved in this effort and to try to come up with ways in which people in industry working with one another, working with us, can come up with a comprehensive plan.

    Representative GOODLATTE. Good. It is my hope that you will continue to allow the industry to take the lead in solving these problems, because I think that is exactly where it must lie in terms of the resources. You need to prosecute the actual violators. I am fully supportive of the role of the government in monitoring the system I have some concerns about. Thank you, Mr. Chairman.

    The CHAIRMAN. Thank you, Mr. Goodlatte.

    Mr. Nadler, you are recognized for 5 minutes.

    Representative NADLER. Thank you, Mr. Chairman. Let me begin by expressing my thanks to you for calling this hearing and for extending me the courtesy as a member of the committee, but not the subcommittee, of sitting in on the hearing. I have two questions both to Deputy Attorney General Holder. First, we are talking about expanding the definition of certain crimes and expanding the authority of government to deal with those crimes. And some people are concerned that there are certain weaknesses in the current law about giving government access to information, for example, many of the protections of the wiretap law including the statutory rule against use of illegally-obtained evidence, and the remedies for privacy violation do not apply to e-mail and other Internet communications.

    Another example: data stored on networks is not afforded standard full privacy protection. And the third is that ISP customers are not entitled to notice when personal information is subpoenaed in civil lawsuits. And notice of government requests can be delayed until it is too late to object.

    Do you believe that or would you support the proposition that as we deal with legislation expanding crimes or expanding authority to deal with crimes in the Internet, we should also deal in the same legislation with some of these problems to balance it?

    Mr. HOLDER. I think that is actually an excellent point. We need to protect privacy and not lose sight of the fact that one of the reasons that people use the Internet is they use the Internet with an expectation of privacy, and to the extent that we can harmonize our existing law so that electronic communications enjoy the same privacy safeguards as oral and wire communications under present law, that is something that the administration would support.

    Representative NADLER. So you support balancing it with some of these protections—expanding protections to crimes on the Internet that we have in other areas as part of expanding it?

    Ms. STANSELL-GAMM. Yes, we would.

    Representative NADLER. Thank you. My second question is the following: We were talking about the crimes of the DDOS crimes, the distributed denial of service hacking attacks on various commercial Internet sites that we just experienced, but—I shouldn't say ''but,'' in these attacks, the criminals exploited well-known system vulnerabilities. As with most malicious code there were diagnostic tools that would have allowed system administrators to determine if their computers had been hijacked for these purposes. The Internet Emergency Task Force had recommended, for example, a simple and effective method to prohibit such attacks using forged IP addresses in January 1998 and Carnegie Mellon had issued an incident note last year, specifically describing the kind of tools used in last week's attacks in advance, and yet apparently some people were caught napping and hadn't put these protections on their own systems.

    Now, at the White House conference the other day, the Cyber Security Summit, some people argued that the government ought to move away from a police department model to a fire department model, emphasizing prevention and public education. And some people suggested a public health model stressing the need for computer hygiene to extrapolate malicious code and install and regularly upgrade security measures. That government ought to, rather than trying to police the Internet for security purposes, ought to be functioning as a fire department or public health department, and suggesting, or perhaps even requiring, private operators to protect their own computers with certain kinds of protections and educating people about this and emphasizing prevention. Do you agree or disagree with that?

    Mr. HOLDER. I don't think it would be appropriate for government to require certain things of private industry. I think to the extent we can, as the FBI did prior to the attacks in February, share information that we have about specific threats, and whatever information we have that would allow people in private industry to come up with the ways in which they want to protect their networks, but really leave to private industry the actual way in which they do it. Getting back to the analogy of the lock on the door, to leave to them what kind of lock they want to put on their door. But again to work with private industry to the extent that that is appropriate to share information, so that the decisions that they make are wise ones.

    Representative NADLER. So you are saying the fire department model but not the public health model?

    Mr. HOLDER. I am not sure it is the fire department, public health or police department. I may get a little carried away with my analogies there. I am not sure which one I would say it is, other than to say that private industry ought to take the lead working with us in a mutual sharing of information so that the decisions, those that are made by those in private industry, are the best ones that they can make, the most informed decisions they can make.

    Representative NADLER. I have one more short question. Can you tell us more about the challenge of recruiting and retaining well-trained staff at the department to help combat this type of crime? I am specifically thinking of what kind of problems are posed by the fact that people who are knowledgeable about the underlying technology can get jobs for $90,000 plus stock options? How do you compete with that and what do you recommend that we ought to do to help you compete with that? We obviously can't give stock options in the Federal Government. How do we deal with that?

    Mr. HOLDER. That is a major problem. If you look at the United States attorney's office in San Francisco, in Silicon Valley in California, their San Jose office, they have had a very difficult time retaining people who, over time, increase their knowledge and expertise, who get snatched up by private industry. We have to come up with ways in which we can make more attractive the retention of people. I mean Marty, you know, bless her heart, could walk out of the door tomorrow and probably triple or quadruple her salary and get stock options; we have a dedicated corps of people in the Federal Government who like the work that they do. But I think we have to think of ways in which we can enhance the experience for them so that we can retain them and also perhaps come up with ways in which we attract people who are recent graduates from college, perhaps come up with some kind of program where, in exchange for their staying with us for a prescribed number of years, the government does something about the loans that they might have incurred in their education. And think about that as a way in which we might hold onto people 4, 5 and 6 years, or extended periods of time.

    Representative NADLER. Thank you very much.

    The CHAIRMAN. Thank you, Mr. Nadler. Thank you, Mr. Holder, Mr. Vatis, Ms. Stansell-Gamm. We appreciate you appearing today, and I am sure we will hear more from you about our possible improvements in the codes.

    We are now ready for our next panel of witnesses. There is a vote going on in the Senate, so the two Senators have abandoned us for the moment.

    I would like to call the next panel, and as I do and the seats are reconfigured, if you could have your seats, we would appreciate it. The first witness on the second panel is Paul Misener, vice president for global public policy at Amazon.com, where he is responsible for formulating and representing the company's public policy positions worldwide. Mr. Misener was formerly a partner and chairman of the E-commerce and Internet practice at the firm of Wiley, Rein & Fielding. He has also served as senior legal adviser and chief of staff to an FCC commissioner. Prior to entering public service, Mr. Misener was manager of telecommunications and computer technology policy at Intel Corporation. He received his bachelor's degree in electrical engineering and computer science from Princeton University and his law degree from George Mason University.

    Next is Dan Rosensweig, president and CEO of ZDNet, the leading Website for information about buying, using, and learning about technology. It is ranked among the top 15 Websites in the world according to Media Metrix Magazine, and has more than 1 million visitors each day. Mr. Rosensweig has worked in the Ziff-Davis family of companies, of which ZDNet is a part, for 17 years and developed his expertise in Web business as vice president of the Ziff-Davis Internet Publishing Group. Prior to serving in that position, he was vice president and publisher of PC Magazine, one of the world's leading computer and business magazines. He received his undergraduate degree from Hobart College.

    Our next witness is Charles Giancarlo, senior vice president of Cisco Systems, who manages its small and medium line of business. From 1997 to 1999 he was senior vice president of Global Alliances. Mr. Giancarlo joined Cisco through Cisco's acquisition of Kalpana Incorporated, the company that pioneered Ethernet switching, where he was vice president of marketing. In 1999, Mr. Giancarlo was voted one of the 25 most powerful people in the networking business by Network World Magazine. He received his bachelor's degree from Brown University, his master's degree in electrical engineering from the University of California at Berkeley, and also holds an MBA from Harvard University.

    Howard Schmidt is the director of information security for Microsoft Corporation. As the corporation's chief security officer, he is responsible for protecting the integrity of Microsoft's worldwide computer network, a favorite target of hackers. Before joining Microsoft 2 years ago, Mr. Schmidt worked as deputy chief for computer crime and information warfare in the Office of Special Investigations of the United States Air Force. Prior to that, he held a position as the head of the computer exploitation team at the National Drug Intelligence Center. Among his many professional associations, he is a board member of the Information Systems Security Association.

    Our next witness is Katherine Fithen, a manager of the CERT coordination center, part of the Software Engineering Institute, a federally funded research and development center located at Carnegie-Mellon University. CERT was established in 1988 after the first major cyber attack stopped more than 10 percent of the computers connected to the Internet. Its charter is to work with the Internet community to respond to computer security events, raise awareness of computer security issues, and prevent security breaches. Since 1988, CERT has responded to 24,000 computer security incidents and analyzed 1,500 vulnerabilities. Ms. Fithen has been with CERT since 1992 and has been its manager since 1998.

    Our next witness, who goes by the name of Mudge, is one of the Nation's leading gray-hat hackers and vice president of research and development with the computer security firm, @Stake, located in Cambridge, Massachusetts. He is an expert on electronic threats to national security and has provided technical assistance to NASA, the U.S. Air Force and other governmental agencies. He has written over a dozen computer threat advisories and developed computer software programs to respond to those threats. Two weeks ago, Mudge participated in President Clinton's high tech summit at the White House. We welcome you.

    Next is James Dempsey, who is the senior staff counsel for The Center for Democracy and Technology. He joined CDT in 1997 and works on fourth amendment and electronic surveillance issues. Prior to joining CDT, Mr. Dempsey was deputy director of the Center of National Security Studies, and before that, he served as special counsel to the National Security Archive, a non-governmental organization that uses the Freedom of Information Act to gain the declassification of documents on U.S. foreign policy. From 1985 to 1994, Mr. Dempsey served as assistant counsel to the House Judiciary Committee's Subcommittee on Civil and Constitutional Rights. He is a graduate of Harvard Law School.

    And last but not least is Sam Guiberson, a criminal defense lawyer and consulting attorney who specializes in cases involving the use of technology in complex litigation as well as the prosecution and defense of criminal cases. He is a frequent author and lecturer on criminal defense topics, law enforcement technology, and the use of technology in the practice of law. He is the Chair of the Technology and Law Enforcement Committee of the National Association of Criminal Defense Lawyers and appears on their behalf today. He also serves as co-chair of the ABA Criminal Justice Section on Science and Technology, and for the past 2 years, has served on the ABA's Criminal Justice Task Force on Technology and Law Enforcement.

    And we have a very distinguished panel. We also have a very big panel. I would like to make the request that each of you, if you could limit your actual oral testimony to 5 minutes. I know that is a tough thing to do, but if you can, we will be able to proceed through this in an orderly fashion. Your entire testimony without objection will be submitted to the record as it is. I hear no objection and each of the witnesses' testimony is now admitted into the record.

    With that in mind, Mr. Misener, we will go with you first. You are recognized for 5 minutes.

STATEMENT OF PAUL MISENER, VICE PRESIDENT, GLOBAL PUBLIC POLICY, AMAZON.COM, SEATTLE, WA

    Mr. MISENER. Thank you very much, Mr. Chairman. I do appreciate very much you inviting me to testify. My name is Paul Misener, and I am Amazon.com's vice president for global public policy. Amazon.com opened its virtual doors in July 1995 with a mission to use the Internet to transform book buying into the fastest, easiest, and most enjoyable shopping experience possible. Today Amazon.com also offers consumer electronics, toys, CDs, videos, DVDs, home improvement tools, and much more. Seventeen million people in more than 160 countries have made us the leading on-line shopping site.

    Amazon.com greatly appreciates the opportunity to testify before these two subcommittees today on the recent distributed denial-of-service attacks. We look forward to working with Congress and to address these incidents and other important Internet policy issues.

    We particularly support the Federal Government's involvement in fighting criminal behavior on the Internet, and are actively cooperating with law enforcement agencies in their investigations. Because electronic commerce is the driving factor in the current booming economy, our Nation's economic well-being depends in part on stopping criminal activity that impedes e-commerce.

    Although the distributed denial-of-service incidents that occurred 3 weeks ago have been described many times, a short description of what specifically happened to Amazon.com bears repeating. In essence, for about an hour on February 8, 2000, a large amount of so-called junk traffic was directed to our site. This junk traffic degraded the technical quality of service at the site.

    To be clear, this was not a break in our on-line premises, but rather a deliberate and illegitimate crowding of the virtual driveways and sidewalks around our on-line store. This crowding somewhat hindered our customers' ability to visit and shop. At all times during this crowding, however, our customers' information was safe and secure, and many customers were able to enter and shop at our store. Nonetheless for about an hour, our customers experienced congestion-related delays when visiting the site.

    For Amazon.com customers who have come to expect the world's best on-line shopping experience, even such a relatively minor inconvenience is frustrating. This is a key point. Consumers are the ones inconvenienced by distributed denial-of-service attacks. Indeed, millions of consumers have come to rely on the Internet to communicate, shop, invest, obtain news and learn on-line. The denial-of-service attacks earlier this month interrupted these important consumer activities and thus it is on behalf of consumers that we all must work to prevent these attacks in the future.

    So what can the Federal Government do about distributed denial-of-service attacks? Obviously a key role of government is to prosecute perpetrators of these criminal actions. Current laws, notably the Federal Computer Fraud and Abuse Act, appear to provide some prosecutorial authority and have been used successfully in several recent hacking cases. In addition to current law, Attorney General Reno and FBI Director Freeh have suggested extending existing law or enacting new laws to combat distributed denial-of-service attacks and other criminal behavior on the Internet.

    Mr. Holder has suggested establishing stiffer penalties under existing statutes. On behalf of our current and future customers, Amazon.com would be happy to work with you and your committees on any new legislation to address Internet crime issues. Successful prosecutions, of course, also rely on adequate resources with which to conduct the investigations. Amazon.com believes that additional resources should be applied in at least 4 areas.

    First, continuous training in the latest digital forensic techniques, as well as the newest technologies, should be at the top of any list for additional funding. In particular, additional training in electronic evidence handling is necessary.

    Second, given the strong demand for information technology experts, both within and outside of government, law enforcement agencies need additional resources to retain senior IT professionals and attract new ones.

    Third, Federal law enforcement agencies should have sufficient resources to help educate private industry and consumers on preventing Internet-related crime.

    Finally, funding for better coordination among agencies is needed. The recent incidents were not geographically localized, and there is no reason to expect that future Internet crime will be. In all of these areas, government interaction with private industry would be helpful.

    Amazon.com already is engaged in such a partnership. In addition to assisting the ongoing investigations, our technologists are helping to train various law enforcement personnel on the latest developments in Internet technology.

    Thank you very much for the opportunity to testify before your committees. I would be pleased to answer your questions, and I look forward to working with you in the future.

    The CHAIRMAN. Thank you very much, Mr. Misener. And you kept within the 5 minutes, and we appreciate that, too.

    [The prepared statement of Mr. Misener follows:]

PREPARED STATEMENT OF PAUL MISENER, VICE PRESIDENT, GLOBAL PUBLIC POLICY, AMAZON.COM, SEATTLE, WA

    My name is Paul Misener, and I am Amazon.com's Vice President for Global Public Policy. Amazon.com opened its virtual doors in July 1995 with a mission to use the Internet to transform book buying into the fastest, easiest, and most enjoyable shopping experience possible. Today, Amazon.com also offers consumer electronics, toys, CDs, videos, DVDs, home improvement tools, and much more. Seventeen million people in more than 160 countries have made us the leading online shopping site.

    Amazon.com greatly appreciates the opportunity to testify before these two subcommittees on the recent distributed denial of service attacks. We look forward to working with Congress to address these incidents and other important Internet policy issues.

    We particularly support the federal government's involvement in fighting criminal behavior on the Internet, and are actively cooperating with law enforcement agencies in their investigations. Because electronic commerce is the driving factor in the current booming economy, our nation's economic well-being depends in part on stopping criminal activity that impedes e-commerce.

    Although the distributed denial of service incidents that occurred three weeks ago have been described many times, a short description of what specifically happened to Amazon.com bears repeating.

    In essence, for about an hour on February 8, 2000, a large amount of so-called ''junk traffic'' was directed to our site. This junk traffic degraded the technical quality of service at the site.

    To be clear: this was not a break-in at our online premises but, rather, a deliberate and illegitimate crowding of the virtual ''driveways and sidewalks'' around our online store. This crowding somewhat hindered our customers' ability to visit and shop.

    At all times during this crowding, however, our customers' information was safe and secure, and many customers were able to enter and shop at our store. Nonetheless, for about an hour, our customers experienced congestion-related delays when visiting the site. For Amazon.com's customers, who have come to expect the world's best online shopping experience, even such a relatively minor inconvenience is frustrating.

    This is a key point: consumers are the ones inconvenienced by distributed denial of service attacks. Indeed, millions of consumers have come to rely on the Internet to communicate, shop, invest, obtain news, and learn online. The denial of service attacks earlier this month interrupted these important consumer activities and, thus, it is on behalf of consumers that all of us must work to prevent these attacks in the future.

    So what can the federal government do about distributed denial of service attacks? Obviously, a key role of government is to prosecute the perpetrators of these criminal actions. Current laws, notably the federal Computer Fraud and Abuse Act, appear to provide some prosecutorial authority, and have been used successfully in several recent hacking cases.

    In addition to current law, Attorney General Reno and FBI Director Freeh have suggested extending existing law or enacting new laws to combat distributed denial of service attacks and other criminal behavior on the Internet. And Mr. Holder has suggested establishing stiffer penalties under existing statutes.

    On behalf of our current and future customers, Amazon.com would be happy to work with your subcommittees on any new legislation to address Internet crime issues.

    Successful prosecutions, of course, also rely on adequate resources with which to conduct investigations. Amazon.com believes that additional resources should be applied in at least four areas:

1. First, continuous training in the latest digital forensic techniques, as well as the newest technologies, should be at the top of any list for additional funding. In particular, additional training in electronic evidence handling is necessary.

2. Second, given the strong demand for information technology experts, both within and outside of government, law enforcement agencies need additional resources to retain senior IT professionals and attract new ones.

3. Third, federal law enforcement agencies should have sufficient resources to help educate private industry and consumers on preventing Internet-related crime.

4. Finally, funding for better coordination among the agencies is needed. The recent incidents were not geographically localized, and there is no reason to expect that future Internet crime will be.

    In all of these areas, government interaction with private industry would be helpful. Amazon.com already is engaged in such a partnership: in addition to assisting the ongoing investigations, our technologists are helping to train various law enforcement personnel on the latest developments in Internet technology.

    Thank you very much for the opportunity to testify before your subcommittees. I would be pleased to answer your questions and I look forward to working with you in the future.

    The CHAIRMAN. Mr. Rosensweig, you are recognized.

STATEMENT OF DAN ROSENSWEIG, PRESIDENT AND CEO, ZDNET.COM, NEW YORK, NY

    Mr. ROSENSWEIG. Thank you. ZDNet also appreciates the opportunity to participate in——

    The CHAIRMAN. You have to turn the mike toward you.

    Mr. ROSENSWEIG. I'm used to doing it by e-mail.

    Again, thank you very much for the opportunity to present testimony before these committees today. Clearly this is an enormous issue and one that garnered a great deal of press and one that has sparked a tremendous debate that is worth having; and it is fascinating to have the opportunity to not only participate but to actually listen and learn how the Government is going to address these issues.

    ZDNet is the world's largest Website. We are already today in 29 different languages in 20 different countries, and so this is clearly a big issue for us. We are regularly in the top 20 of all Websites, and we have over a million visitors a day and all of them are interested in technology. So this is an issue not only for the companies that are building but for the users of our site who are interested in how government is going to participate in this issue.

    I also would like to take a minute just to describe what happened to us so you understand how complicated this issue is, even though it can be done by just about anybody. Essentially what happened on ZDNet on two occasions now, February 8 being one of them and February 20 being a second, was our users in essence were flooded out for the opportunity to come to the site. We had experienced something that represented about a hundred times our normal traffic being sent to the site within 5 seconds; and it looked as if it was coming from hundreds of thousands of global IP addresses, so it was something clearly we were not prepared for, and I don't think anybody was prepared for at the time.

    This is something that masks itself in a way that you actually have no idea where to go or what to do to stop it, so this is not something that can easily be avoided or easily have been prepared for, even though the Government had notified people that something like this could happen. So I just want to be very clear on that. Fortunately for us, the impact on our business on these particular attacks was minimal in that the site was able to return to normal operation in about 2 1/2 hours, and we were able to fulfill all of our commitments to our advertisers.

    What did come from this, though, was something that I think was really interesting and unique to the Internet industry, which is tremendous cooperation amongst companies, even competitive companies. A grassroots coalition was formed actually on that day for the sites and the infrastructure companies and the service providers that are all involved in this for companies that were affected and companies that might be affected to communicate throughout the day over what the issues were, share information, share data and do that with the Government.

    And we think that was a very interesting and positive step forward and really one that represents how the private sector feels that it is our responsibility to address these issues. The importance of the Internet to the economy is something that cannot be denied, and the fact that we are discussing this here in the United States is important; but it also is something that we need to understand is a global issue.

    As we mentioned, we are already in 20 countries today. All of the sites that were attacked were in multiple countries, and these attackers may have come from anywhere in the world, not just in the U.S.; and so anything that we do here needs to recognize that this is something that we are going to need to cooperate with around the world from private sector companies and governments. We do feel that the private sector is best equipped to handle the situation, and we are like any other company and any other citizen concerned about the use of the government and the impact on issues like privacy or regulation.

    We do, however, believe the government has a hugely important role and that role is law enforcement; that role is in data collection, and data sharing, coordination, education and training. The fact is we were pleasantly surprised at the FBI speed with which they dealt with this issue. They actually contacted us and coordinated a number of companies to get together, sent a field representative to our office within just a few hours; and it was a very positive experience for us and one that makes us even more willing to cooperate with the Government on issues like this.

    We really do want to protect against over-regulation or privacy issues that might impact the consumers' confidence to actually use the Internet. We are all worried about their confidence to use the Internet if sites are attacked. We are equally worried that their willingness to use the Internet will be diminished by the Government's over-interference into issues like this. So again we very much appreciate the opportunity to discuss this issue with you today, and we look forward to continuing our conversation and our cooperation.

    The CHAIRMAN. Thank you very much.

    [The prepared statement of Mr. Rosensweig follows:]

PREPARED STATEMENT OF DAN ROSENSWEIG, PRESIDENT AND CEO, ZDNET.COM, NEW YORK, NY

    ZDNet is the leading Web destination for people who want to buy, use and learn about technology. In January, it ranked 15th among all Web properties, with 10.7 million unique monthly visitors.

    In February 2000, ZDNet experienced two Denial of Service (DoS) attacks, both lasting between two and three hours. The first one occurred on February 9, from 7:11 a.m. to 9:43 a.m. EST. The second one occurred on February 20, from 7:05 a.m. to 9:12 a.m. EST. Both the symptoms of the two attacks, and the measures taken by ZDNet and GTEI/BBN, the hosting company that manages its systems and connectivity, were identical. Following is an overview of the first attack:

7:11 a.m.

    ZDNet's Web servers became inaccessible, affecting approximately 75 percent of its Web sites.

7:20 a.m.

    ZDNet's engineering team assembled and DoS was established as the most likely cause.

7:40 a.m.

    GTEI/BBN's engineering team began working in concert with ZDNet to find a solution, and the FBI was contacted.

8:00 a.m.

    SYN FLOOD, a type of DoS attack characterized by an overwhelming flood of Web traffic coming from nonexistent computers, was identified as the DoS method.

8:30 a.m.

    Some of the spoofed computer traffic was identified and blocked from accessing the site, slightly diminishing the load on ZDNet's servers, but not effectively squelching the attack.

8:00–9:43 a.m.

    Until the DoS situation subsided, apparently on its own, the teams worked to identify the location of traffic, while altering parameters that manage the illegal traffic.

    Denial of Service attacks are designed to deny the use of a particular Web service to a group of users, in ZDNet's case its more than 1 million daily visitors. DoS attacks do not fit the traditional definition of a ''hacker'' attack, in that computers and servers are not broken into, data assets are not corrupted, and privacy is not compromised.

    ZDNet was affected by the most common kind of DoS attack, the SYN FLOOD. During a SYN FLOOD attack, people attempting to visit Web sites are unable to retrieve pages, as the Web provider's servers are overwhelmed with an enormous influx of page requests from bogus sources, which cannot be processed. During the two attacks on ZDNet, affected sites received 50 to 100 times the amount of Web traffic that its servers could sustain under peak load. The servers ran out of resources and were incapable of responding to normal requests.

    Because advertising is ZDNet's primary revenue stream, it does not expect these attacks to have a financial impact, unlike some of the other affected sites, which derive a significant portion of their revenues from online transactions. ZDNet's advertising clients have been supportive. In addition, the two attacks have not had significant impact on ZDNet's daily traffic, perhaps because of the national DoS news coverage during the first attack, for which ZDNet's audience typically turns to its sites for information, and because the second attack occurred during a holiday weekend.

    ZDNet regrets the loss of service to its visitor base, and joins other Web businesses in its concern for the protection of the Internet's integrity. After its first attack, ZDNet joined a grassroots coalition including other top Web sites affected, for the purpose of sharing information with hosting companies like GTEI/BBN, and the FBI.

    The success of the Internet is critical to the nation's economy. Internet businesses recognize the importance of working together to nurture the Web's development, and to build infrastructure security solutions that will protect against infractions like DoS attacks. The Internet is a unique industry, in that competing Web businesses are cooperating to raise the bar for the Web's performance, development, security and protection.

    The private sector has the expertise to help address computer crime and thus should be primarily responsible for Internet protection at this early stage of the industry's development.

    While the government should not be responsible for protecting the Internet's infrastructure, it should continue to play a role in prosecuting the parties responsible for Internet-related crimes like DoS attacks.

    The CHAIRMAN. Mr. Giancarlo, you are recognized.

STATEMENT OF CHARLES GIANCARLO, SENIOR VICE PRESIDENT, CISCO SYSTEMS INCORPORATED, SAN JOSE, CA

    Mr. GIANCARLO. Thank you, sir. Chairman McCollum, distinguished members of the House and Senate, I appreciate the opportunity to speak with you today about security on the Internet. My name is Charles Giancarlo. I am senior vice president of small and medium business for Cisco Systems. As you may know, Cisco is the world's largest manufacturer of equipment that connects people and businesses to the Internet. Cisco employs 26,000 people. It is headquartered in San Jose, California, and has significant operations in Massachusetts, North Carolina, Texas, and at various locations around the world.

    I am pleased to tell you that while no communications network is invulnerable or immune to interruptions, the Internet remains strong and will continue to prosper. With the attacks that began on February 7, hackers briefly disrupted access to some of the Internet's most popular destinations. But the technology community showed that it can respond swiftly and effectively, taking steps to quickly beat back the attacks and to make it harder for similar assaults to succeed in the future. Within hours of the first attacks, the technology community had identified the basic methods that hackers were using to target specific Websites and had begun to deploy effective defenses.

    It's important to note that technology capable of defeating these attacks not only exists, it can be employed quickly and relatively cheaply. We at Cisco are aware of very recent instances in which these defenses have worked just as they are supposed to. It is also important to note that while these attacks blocked access to some targeted computer systems, they do not appear to have penetrated the outer defenses of these systems. We know of no case in these instances in which hackers obtained access to confidential customer information, such as credit card numbers, or did lasting damage to any of the targeted sites.

    And it is important to note that the technology community has already joined with the Federal Government to respond more effectively should these attacks be repeated in the future. The community and the Government are forming an organization that will disseminate critical information quickly and widely if the Internet is threatened. With speed that is characteristic of the Internet, our industry has learned from this episode and is taking concrete steps to implement what we have learned.

    One of our divisions, Cisco Secure Consulting Services, recently did a 6-month survey of 33 business Internet sites and found that about a third of their Internet-connected services were vulnerable to attack. The good news is that the survey also found that most of the problems could be solved with technology that is readily available.

    We at Cisco also understand how important it is that the public and you as their representatives understand exactly what has happened and what did not happen as a result of these attacks. To avoid getting lost in techno jargon, it is useful to recall one of the phrases most often used to describe the Internet as the information super highway.

    At the risk of using analogy in this august audience, the attacks that began on February 7 were a series of maliciously planned traffic jams at important on and off ramps to that highway. The hackers hijacked third-party computers and included them in their hostile networks without the knowledge of the computers' owners. As law enforcement has found, this technique makes it harder to trace the attacks' real perpetrators.

    But the hackers' basic technology was neither new nor especially advanced. Other less visible Websites have been similarly targeted on numerous occasions. In fact, the basic denial-of-service attack was first created over 3 years ago. Indeed, the goal of these denial-of-service attacks, creating a roadblock that excludes people from specific sites, is less technologically ambitious than other types of attacks that penetrate a targeted site's security perimeter.

    In these cases, hackers attempt to exploit trusted relationships between computers, steal or alter data or cause malicious damage.

    Some of the recent attacks bombarded targeted sites with false computer addresses and created a huge backup when the targets tried to respond to this deluge. Cisco equipment can be and often is configured to sniff out these phony addresses and break off contact before a traffic jam results. We at Cisco know that in the wake of these recent attacks, equipment configuration changes were effective in spotting and defeating subsequent hacking attempts.

    So you might ask, if these defenses work so well and are readily available, why doesn't everybody have them? The answer is not everybody knows about them or understands how to use them. In such a vital area such as security, one thing we can do better is share information about up-to-the-minute developments and create incentives to employ this technology. The technology community has joined with the Federal Government to do this.

    The Internet is and should always remain an open medium. No one can insulate the Internet and everyone connected to it from threats or guarantee that no attack on any particular Internet site will succeed. Even our oldest, most established public infrastructures pause on occasion. Power and water lines come down, water mains break, highways become clogged; and like them, the Internet will occasionally have localized difficulties. These are but potholes on the information superhighway, which we will fill in as fast as they appear, learning how to prevent similar potholes in the future. Thank you. I look forward to your questions.

    The CHAIRMAN. Thank you.

    [The prepared statement of Mr. Giancarlo follows:]

PREPARED STATEMENT OF CHARLES GIANCARLO, SENIOR VICE PRESIDENT, CISCO SYSTEMS INCORPORATED, SAN JOSE, CA

    Chairman Thurmond, Chairman McCollum, distinguished members of the House and Senate, I appreciate the opportunity to speak with you today about security on the Internet. My name is Charlie Giancarlo and I am Senior Vice President of Small and Medium Business for Cisco Systems Inc. As you may know, Cisco is the world's largest manufacturer of equipment that connects people and businesses to the Internet. Cisco employs 26,000 people, is headquartered in San Jose, California, and also has significant operations in Massachusetts, North Carolina and Texas.

    Few events in the short history of the Internet have captured more attention than the recent hacker attacks on several of the web's best-known business sites. These assaults prompted a great deal of breathless speculation about whether the public can depend on the Internet as a reliable means of doing business and sharing information.

    I am pleased to tell you that, while no communications network is invulnerable or immune to interruptions, the Internet remains strong and will continue to prosper. With the attacks that began Feb. 7, hackers briefly disrupted access to some of the Internet's most popular destinations. But the technology community showed that it can respond swiftly and effectively, taking steps to quickly beat back the attacks and to make it harder for similar assaults to succeed in the future.

    Within hours of the first attacks, the technology community had identified the basic methods that hackers were using to target specific web sites and had begun to deploy effective defenses. It's important to note that technology capable of defeating these attacks not only exists, it can be employed quickly and relatively cheaply. We at Cisco are aware of very recent instances in which these defenses have worked just as they are supposed to.

    It's also important to note that while these attacks blocked access to some targeted computer systems, they do not appear to have penetrated the outer defenses of these systems. We know of no case in which hackers obtained access to confidential customer information, such as credit card numbers, or did lasting damage to any of the targeted sites.

    And it's important to note that the technology community has already joined with the federal government to respond more effectively should attacks like these be repeated in the future. The community and the government are forming an organization that will disseminate critical information quickly and widely if the Internet is threatened. With speed that is characteristic of the Internet, our industry has learned from this episode and is taking concrete steps to implement what we have learned.

    We at Cisco Systems keenly understand the importance of this task. We will conduct $12 billion worth of business over our own web site this year, and our employees are able to do about 95 percent of their work on the site. Our site is our employees' primary link to each other and our customers, and we know that defending it against threats is quite demanding.

    One of our divisions, Cisco Secure Consulting Services, recently did a six-month survey of 33 business Internet sites and found that a third of their Internet-connected services were vulnerable to attack. The good news is that the survey also found that most of the problems could be solved with technology that is readily available.

    That fact might sound jarring at first, but there is a simple and straightforward explanation: The Internet is evolving so rapidly that it's hard for all of us to keep up. Potential threats to the Internet constantly change, as do the proper responses. That's why we in the technology community are working to quickly share up-to-date information. To borrow a phrase, eternal vigilance is the price of Internet security.

    We at Cisco also understand how important it is that the public, and you their representatives, understand exactly what happened—and what did not happen—as a result of these attacks. For many people, the Internet remains new and somewhat forbidding territory. The inner workings of this remarkable medium, and the subculture of hackers who delight in probing for its vulnerabilities, can blur into a jumble of acronyms and code names that would fit in well at the Pentagon.

    To avoid getting lost in techno-speak, it's useful to recall one of the phrases most often used to describe the Internet, ''the information superhighway.'' At the risk of using an analogy in this august audience, the attacks that began on Feb. 7 were a series of maliciously planned traffic jams at important on- and off-ramps to that highway.

    The computers and equipment that make up the Internet are designed to convey massive amounts of data just as our interstate highways move unprecedented numbers of vehicles. In these attacks, hackers flooded these targeted Internet sites with enormous amounts of information and brought these off-ramps to a standstill. These so-called ''denial of service'' attacks created information gridlock at the targeted sites, denying legitimate customers access to the services that these sites provide.

    These attacks garnered enormous attention primarily because the targeted sites are highly utilized and because the attacks occurred in quick succession. And they were different than previous assaults in one respect: They were launched from many different computers at once. The hackers hijacked third-party computers and included them in their hostile networks without the knowledge of the computers' owners. As law enforcement has found, this technique makes it harder to trace the attacks' real perpetrators.

    But the hackers' basic technology was neither new nor especially advanced. Other, less-visible web sites have been similarly targeted on numerous occasions. Indeed, the goal of these denial-of-service attacks—creating a roadblock that excludes people from specific sites—is less technologically ambitious than other types of attacks that penetrate a targeted site's security perimeter. In these cases, hackers attempt to exploit trusted relationships between computers, steal or alter data, or cause malicious damage.

    Cisco is the world's largest producer of routers and switches, the equipment that directs traffic on the information superhighway. These products can be equipped with a variety of filters and security devices that detect suspicious patterns in the information traffic at a site. Our equipment can be configured to limit or entirely block out data that appears suspicious.

    For instance, some of the recent attacks bombarded targeted computers with phony computer addresses and created a huge backup when the targets tried to respond to this deluge. Cisco equipment can be configured to sniff out these phony addresses and break off contact before a traffic jam results. Cisco is also one of a number of companies that offers consulting services that pinpoint vulnerabilities in computer systems and eliminate them before they can be exploited by hackers.

    We at Cisco know that in the wake of these recent attacks, equipment configuration changes were effective in spotting and defeating subsequent hacking attempts. So you might ask, if these defenses work so well and are so readily available, why doesn't everybody have them?

    The answer is, not everybody knows about them or understands how to use them. In a vital area such as security, one thing we can do better is share information about up-to-the-minute developments. And the technology community has joined with the federal government to do this.

    Even before this month's attacks, industry leaders had joined to form the Partnership for Critical Infrastructure Security. The PCIS is a voluntary organization that is working to share information about threats to the Internet and other crucial networks, and determine how best to respond to those threats. About 120 companies are cooperating in this effort. We are happy that Ken Watson, a Cisco Systems security expert, is playing a leading role in PCIS.

    And two weeks ago at the White House information technology summit, Cisco was one of about 40 Internet companies that agreed to develop a more robust and structured mechanism that would speed reaction to events like the recent hacker attacks. As with the PCIS, the federal government would play a coordinating role in this organization.

    We believe that this public-private partnership is the most effective response to these recent attacks. In the private sector, incentives must be put into place to encourage all web sites to deploy security technologies to protect themselves and their customers from hacker attacks. In the ''bricks and mortar'' world, retail businesses take advantage of lower insurance rates if their stores are adequately protected with locks and alarm systems.

    In the public sector, we are grateful that the Federal Bureau of Investigation has devoted significant resources to investigating these attacks and we hope the perpetrators will be prosecuted to the fullest extent of the law. We also encourage the federal government to serve as a model for private industry by equipping its own computer systems with the best security measures possible.

    At this time, however, we do not ask Congress for new laws in the area of Internet security. Cooperation, not regulation or legislation, will insure that the Internet remains secure and at the same time open to the broadest possible public access.

    The Internet is, and should always remain, an open medium. No one can insulate the Internet and everything connected to it from all threats or guarantee that no attack on any particular Internet site will succeed. Even our oldest, most established public infrastructures pause on occasion—power and water lines come down, water mains break, highways become clogged—and, like them, the Internet will occasionally have localized difficulties. These are but potholes on the information superhighway, which we will fill in as fast as they appear—learning how to prevent similar potholes in the future.

    These recent attacks actually demonstrated that the technology community can quickly identify threats to the Internet, quickly act to eliminate them and quickly take measures that will reduce the impact of similar threats in the future. This spirit of innovation and rapid development propels the Internet's exponential growth and ensures that the Internet will remain secure as it continues to grow.

    Thank you. I look forward to your questions.
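The defense Mr. Giancarlo describes, dropping packets that carry phony source addresses before they reach the target, as an added illustration in Python of source-address validation at a network edge. This is not part of the testimony and not Cisco's code; the interface prefix table, the bogon list and the sample packets are constructed for the example.

```python
# Added example, not part of the hearing testimony or any Cisco product:
# a minimal ingress anti-spoofing filter of the kind a router applies at a
# network edge. A packet is dropped when its source address could not
# legitimately arrive on the interface that received it (the "phony
# addresses" described in the testimony). The prefix table and sample
# packets below are constructed for illustration.
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed table: source prefixes legitimately reachable via each
# customer-facing interface. An interface absent from the table (an
# upstream link) is not subject to the strict check in this example.
INTERFACE_PREFIXES = {
    "customer1": [ip_network("203.0.113.0/24")],
    "customer2": [ip_network("198.51.100.0/25"), ip_network("198.51.100.128/26")],
}

# Private and special-use ranges that should never be a source address
# arriving from outside the network, whatever the interface.
BOGON_PREFIXES = [
    ip_network("0.0.0.0/8"),
    ip_network("10.0.0.0/8"),
    ip_network("127.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]


def classify_packet(ingress_if, src):
    """Return 'accept', 'bogon' or 'spoofed' for a packet whose source is
    `src` and which arrived on interface `ingress_if`."""
    addr = ip_address(src)
    if any(addr in prefix for prefix in BOGON_PREFIXES):
        return "bogon"
    allowed = INTERFACE_PREFIXES.get(ingress_if)
    if allowed is None:
        return "accept"  # upstream link: no per-interface prefix list here
    if any(addr in prefix for prefix in allowed):
        return "accept"
    return "spoofed"


def filter_packets(packets):
    """Apply classify_packet to (interface, source) pairs.

    Returns the accepted packets and a Counter of drop reasons, so an
    operator can see how much forged traffic each edge link is emitting."""
    accepted, drops = [], Counter()
    for ingress_if, src in packets:
        verdict = classify_packet(ingress_if, src)
        if verdict == "accept":
            accepted.append((ingress_if, src))
        else:
            drops[verdict] += 1
    return accepted, drops


# Constructed sample traffic: a customer host sending normally, the same
# link emitting packets with forged sources, and one upstream packet.
SAMPLE_PACKETS = [
    ("customer1", "203.0.113.7"),     # legitimate source on its own link
    ("customer1", "198.51.100.9"),    # forged: belongs to customer2's range
    ("customer1", "192.0.2.44"),      # forged: not assigned to this link at all
    ("customer1", "10.1.2.3"),        # forged: private address, never valid here
    ("customer2", "198.51.100.130"),  # legitimate, second prefix of customer2
    ("upstream", "192.0.2.1"),        # upstream traffic, not checked here
]

if __name__ == "__main__":
    accepted, drops = filter_packets(SAMPLE_PACKETS)
    print(f"accepted {len(accepted)} packets, dropped {dict(drops)}")
```

Run stand-alone it reports 3 accepted packets and 3 drops (two spoofed, one bogon); the forged sources never leave the edge link, so the target described in the testimony never has to respond to them.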

    Mr. MCCOLLUM. Mr. Schmidt, you are recognized for 5 minutes.

STATEMENT OF HOWARD SCHMIDT, DIRECTOR INFORMATION SECURITY, MICROSOFT CORPORATION, REDMOND, WA

    Mr. SCHMIDT. Chairman McCollum and the distinguished committee members, I would like to thank you for the opportunity to appear here today for this joint hearing on critical infrastructure protection. My name is Howard Schmidt, and I am the chief information security officer at Microsoft Corporation. Microsoft recognizes the need for increased cyber-security throughout those sectors of our economy (utilities, banking, communications, transportation, health care, and of course electronic commerce) that today are so reliant on information systems. We strongly subscribe to the proposition that these essential services are critical to the productivity and efficient interoperability of the Nation's economy.

    The viability of that economy and its unparalleled growth, driven in part by information technology, is our greatest national asset. Our armed services also rely heavily on these private sector services. For both reasons we agree that the protection of America's critical infrastructure is a critical national security responsibility. National security is traditionally viewed as a government responsibility. Infrastructure security, however, does not lend itself to government management.

    In the United States most of the services involved are owned by the private sector. The private sector has the knowledge and expertise to help fight against computer crimes on the infrastructures in which we operate. Therefore, successful management of these problems requires a strong partnership between government and private sector. Microsoft is an enthusiastic backer of this voluntary and cooperative approach.

    We believe that it is a framework that makes the most of private sector strengths, industry's intimate knowledge of systems that are created and that we operate. At the same time, a voluntary partnership avoids unnecessary outside regulation or interference with the dynamic of productive businesses. Within the information technology sector, Microsoft has helped lead the way in the information sharing on cyberattacks, vulnerabilities, countermeasures, and best information security practices.

    At the recent White House security summit on cybersecurity, I repeated Microsoft's support for the President's national information assurance plan. I noted particularly our strong support for its research and development priorities and for its cybersecurity training scholarships. Microsoft is also an active participant in the Partnership for Critical Infrastructure Security, or the PCIS, a cross-sector, cross-industry effort supported by Dick Clarke of the National Security Council, Commerce Secretary Daley and John Tritak of the Critical Infrastructure Assurance Office.

    As the committees know well, the White House meeting followed hard on the heels of significant denial-of-service attacks by still-unknown attackers on high profile Internet Web and e-commerce sites. Secretary Daley called these attacks a wake-up call on cyberthreats to the economy, and we agree he was correct. Microsoft also agrees that the computer attacks earlier this month deserve serious attention. We trust that the appropriate law enforcement agencies will identify and prosecute those responsible to the fullest extent of the law, but we have also reached several conclusions from those attacks that lead us to caution against swift action, legislative or otherwise, on this front.

    First, the type of attack that we saw in this case was not unknown nor is it new. Microsoft and other information technology companies deal daily with a host of hacker assaults. We regularly defeat a vast majority of these efforts, and we constantly upgrade our products and support services to provide protection against similar attacks. Our security operations are effective and are themselves well insulated from outside penetration.

    Second, security measures to defeat denial-of-service attacks exist today and existed at the time of the attacks. The Computer Emergency Response Team, the SANS organization, which is the systems administration network security group, and the National Information Protection Center, represented earlier by Mike Vatis, put out alerts warning of these denial-of-service attacks late last year.

    All the necessary security improvements subsequently made at the sites under attack were accomplished within hours, based on this information. This is not to downplay the seriousness of those attacks, only to point out that security measures and warnings about denial-of-service attacks did exist.

    Third, the Federal Government deserves credit for identifying critical infrastructure protection as a national priority and has come forward with a structure and plans for how to achieve better computer security. I would also like to thank Speaker Hastert for assembling a cybersecurity team chaired by Representative J.C. Watts, with whom I will be meeting shortly to deal with some of these issues. The government should also continue to take steps to employ good security, including standard security tools, installing patches and updates, and otherwise setting a good example for the private sector.

    Lastly, we believe that our industry should be allowed to pursue and to perfect those initiatives already under way to improve security awareness and cooperation. Microsoft fully supports the funding of additional government personnel as well as the appropriate training to ensure that the government has sufficient resources to fight effectively against computer crimes. We are serious about our commitment to implementing the voluntary partnership between government and industry that the President has proposed.

    In summary, Mr. Chairman, the Nation should use the computer security wakeup call to do what we are already in the process of doing, working at a voluntary, cooperative and productive partnership between the private sector and government. These partnerships are well grounded in reality. The security solutions to our vulnerabilities are going to come from the private sector. Microsoft has contributed and will continue to contribute to the creation of these solutions. Our belief is that the industry and government have already arrived at the right mix of duties and responsibilities. Now it is up to both of us to do what we do best. Thank you.

    [The prepared statement of Mr. Schmidt follows:]

PREPARED STATEMENT OF HOWARD SCHMIDT, DIRECTOR INFORMATION SECURITY, MICROSOFT CORPORATION, REDMOND, WA

    Mr. Chairman and Committee Members, thank you for the opportunity to appear today at this joint hearing on critical infrastructure protection. My name is Howard Schmidt and I am the Chief Information Security Officer at Microsoft Corporation. Microsoft recognizes the need for increased cyber security throughout those sectors of our economy—utilities, banking, communications, transportation, health care and, of course, electronic commerce—that today are so reliant on information systems. We strongly subscribe to the proposition that these essential services are critical to the productivity and efficient interoperability of the nation's economy. The viability of that economy and its unparalleled growth, driven in large part by information technology, is our greatest national asset. Our armed forces also rely heavily on these largely private sector services. For both reasons, we agree that the protection of America's ''critical infrastructures'' is a critical, national security responsibility.

    National security is traditionally viewed as a government responsibility. Infrastructure security, however, does not lend itself to government management. In the United States, most of the services involved are owned by the private sector. The private sector has the knowledge and expertise to help fight against computer crimes on the infrastructures on which they operate. Therefore, successful management of these problems requires a strong partnership between government and the private sector.

    Indeed, President Clinton, in Presidential Decision Directive 63, has proposed a voluntary public-private partnership which will have as its primary goal the protection of our critical infrastructures through the sharing of information about computer vulnerabilities, attacks and countermeasures within and across service sectors, and between private industry and government. The partnership is intended to encourage the creation of and sharing of best practices. For its part, the government proposes to sponsor increased research and development and to support the training of a new generation of cyber security experts. The private sector is encouraged to organize along sector lines to share information and experience in defeating computer attacks.

    Microsoft is an enthusiastic backer of this voluntary and cooperative approach. We believe it is a framework that makes the most of private sector strengths—industry's intimate knowledge of the systems it has created and which it operates. At the same time, a voluntary partnership avoids unnecessary outside regulation or interference in the operation of dynamic, very productive businesses.

    Within the information technology sector, Microsoft has helped lead the way in sharing information on cyber attacks, vulnerabilities, countermeasures and best information security practices. At the recent White House summit on cyber security, I repeated Microsoft's support for the President's National Infrastructure Assurance Plan. I noted particularly our strong support for its research and development priorities and for its cyber security training scholarships. Microsoft is also an active participant in the Partnership for Critical Infrastructure Security (PCIS), a cross sector, cross industry effort supported by Richard Clarke of the National Security Council, Commerce Secretary Daley and John Tritak from the Critical Infrastructure Assurance Office (CIAO). Collectively they have been instrumental in building trust with the private sector and working closely with the PCIS to facilitate discussion amongst ourselves and with government the ways in which we should communicate, share information, educate the public and remediate cyber security issues.

    As the committees know well, the White House meeting followed hard on the heels of significant denial of service attacks by still unknown attackers on high-profile Internet web and E-Commerce sites. Secretary Daley called these attacks a ''wake up call'' on cyber threats to the economy. He was right. Many web users and e-commerce customers could not use these sites for hours. Their frustration at the effectiveness of the attacks has finally brought to the attention of the general public the potential vulnerabilities of our highly interdependent information economy.

    Microsoft agrees that the computer attacks earlier this month deserve serious attention. We trust that the appropriate law enforcement agencies will identify and prosecute those responsible to the fullest extent of the law. But we have also reached several conclusions from those attacks that lead us to caution against swift action, legislative or otherwise, on this front.

    First, the type of attack we saw in this case was not unknown nor is it new. Microsoft and other information technology companies deal daily with a host of hacker assaults. We regularly defeat the vast majority of those efforts and we constantly upgrade our products and support services to provide protection against similar attacks. Our security operations are effective and are themselves well insulated from outside penetration. Microsoft regularly participates in a range of information security problem solving groups, many of them informal. In sum, we have a great deal of sophistication and experience in dealing with cyber attacks. Other IT companies engage in similar efforts to protect their product lines and infrastructures, and to share information.

    Second, security measures to defeat denial of service attacks exist today and existed at the time of the attacks. CERT, SANS and the NIPC all put out alerts warning of denial of service attacks late last year. And the necessary security improvements subsequently made at the sites under attack were accomplished within hours. This is not to downplay the seriousness of those attacks, only to point out that security measures and warnings about denial of service attacks did exist at the time. Security protection against a range of threats always involves choices. What is the best protection that will also permit the most efficient business operation? Every company doing business on the Internet faces such choices. In making the necessary trade-offs, however, we believe that Internet businesses can and will assign higher priority to implementing existing security measures.

    Third, the federal government deserves credit for identifying critical infrastructure protection as a national priority and has come forward with a structure and plans for how to achieve better computer security. The National Plan for Information Systems Protection devotes most of its attention to improving the security of government computer networks. The government should continue to take steps to employ good security, including standard security tools, installing patches and updates, and otherwise setting a good example for the private sector.

    Fourth, the corollary to this is that the real expertise on privately developed and operated networks resides in the private sector. As Vinton Cerf of MCI WorldCom pointed out to the Joint Economic Committee recently, these private sector companies also have the most to gain from improving Internet security. His advice was ''to let the private sector take the lead.'' Microsoft agrees and believes that industry should take the lead. We believe that information and communications sector companies accept that improved network security is an imperative and are willing to do their part. We also believe that our industry can get it right, just as so many individual IT companies get it right every day in the face of cyber security threats.

    Lastly, we believe that our industry should be allowed to pursue and to perfect those initiatives already underway to improve security awareness and cooperation. These include the continued development of an industry structure to share information among companies and with government. They include protocols for protecting proprietary information and the privacy of web users. They include examining best practices and making them better. And they involve monitoring and making use of government-funded R & D and of new cyber security scholarship graduates.

    Microsoft fully supports the funding of additional government computer security personnel, as well as appropriate training, to ensure that the government has sufficient resources to fight effectively against computer crimes. We are serious about our commitment to implementing the voluntary partnership between government and industry as the President has proposed. For example, we will continue to work with organizations such as the National White Collar Crime Center to support their efforts to train law enforcement officers, including those at the state and local levels. Our goal is to improve computer security and make the Internet a safe and reliable environment for business and personal use, while preserving the dynamic growth and rapid pace of innovation that have made the Internet such an amazing phenomenon.

    Boiling it down, the message I wish to leave with these committees is that there have always been Internet security threats. These will certainly continue. Therefore, we must constantly strive to improve computer security. A framework for achieving that goal has been identified and both the private sector and the government are committed to its realization. The work of implementing that private-public partnership—education, information sharing, best practices—should be accelerated.

    In summary, Mr. Chairman, the nation should use the computer security wake up call to do what we are already in the process of doing—working at voluntary, cooperative and productive partnerships between the private sector and government. These partnerships are well grounded in the reality that security solutions to our vulnerabilities are going to come from the private sector. Microsoft has contributed, and will continue to contribute to the creation of these solutions. Our belief is that our industry and government have already arrived at the right mix of duties and responsibilities. Now it's up to both of us to do what we do best.

    The CHAIRMAN. Thank you very much, Mr. Schmidt.

    Ms. Fithen.

STATEMENT OF KATHERINE T. FITHEN, MANAGER, CERT COORDINATION CENTER, SOFTWARE ENGINEERING INSTITUTE, PITTSBURGH, PA

    Ms. FITHEN. Thank you. Mr. Chairman and members of the House and Senate subcommittees, my name is Katherine Fithen, and I am the manager of the CERT Coordination Center. Thank you for the opportunity to speak to you today on the distributed denial-of-service attacks. Today, I will describe those attacks and the role of the CERT Coordination Center. As mentioned in the introduction, the CERT Coordination Center was formed in 1988, and its charter is to work with the Internet community to respond to computer and network security events, raise awareness of computer and network security issues, and help prevent security attacks and intrusions. We do this by working directly with system and network administrators and with computer and network technology vendors. We also work with individual organizations to help them create their own CERT capability.

    CERT is internationally recognized as a trusted, neutral, authoritative source of computer and network security information and expertise. Since 1988, we have responded to more than 24,000 incidents and have analyzed more than 1,500 Internet technology product vulnerability reports. The DDoS attacks pose a difficult security problem. For years we and others have discussed the interconnectedness and interdependency of systems, that is, that the security of my system relies on the security of other systems on the Internet. The DDoS attacks clearly demonstrate this interdependency.

    There is little a system administrator can do to prevent becoming a victim. The victim must depend on other sites to protect their own sites from being used as launch sites for these attacks. The CERT Coordination Center constantly monitors security and vulnerability trends and watches for new techniques and tools. As early as 1998 we began to see very crude DDoS attack tools. By the fall of 1999, more sophisticated tools were becoming available, and it was clear that action was needed before these tools were used in widespread attacks.

    As outlined in a chronology of CERT involvement with DDoS, which is included in the attachment package, the CERT Coordination Center issued several special communications to technology experts to elicit their knowledge of these denial-of-service attack tools. On November 4, we held a workshop of 30 technology experts from around the world to try to address the DDoS problem. A paper with the results from that workshop is available on the CERT Website and is included in your attachments package. This paper provides steps a victim site can take to prepare to respond to a DDoS attack to minimize the impact to the victim site. But again, the victim site is dependent on the security of other systems to protect its site.

    Near-term action recommendations are outlined in pages five through eight of the written testimony. They describe steps system administrators, Internet service providers and technology vendors can take to mitigate the risk of a DDoS attack. The CERT Coordination Center followed up the workshop with several more documents. These documents provide the Internet community with updated information on the evolution of the attack technology, and all those documents are also included in the attachments package. We also participated in a jointly written document ''Consensus for Defeating DDoS Attacks,'' which is included in the attachment package.

    To address the DDoS attacks and other security problems on the Internet, we, the Internet community, must work together. We must pool our expertise. We must take steps to protect ourselves. We must help others take steps to protect themselves. The CERT Coordination Center will continue in our role as a trusted, neutral, authoritative source of computer and network security information and expertise and to work with the Internet community to publish information as needed. Thank you very much.

    The CHAIRMAN. Thank you, Ms. Fithen.

    [The prepared statement of Ms. Fithen follows:]

PREPARED STATEMENT OF KATHERINE T. FITHEN, MANAGER, CERT COORDINATION CENTER, SOFTWARE ENGINEERING INSTITUTE, PITTSBURGH, PA

INTRODUCTION

    Mr. Chairman and Members of the House and Senate Subcommittees:

    My name is Katherine Fithen. I am the manager of the CERT Coordination Center (CERT/CC), which is part of the Software Engineering Institute (SEI) at Carnegie Mellon University. Thank you for the opportunity to testify on the issue of Internet denial-of-service attacks. Today I will describe distributed denial-of-service attacks (DDoS), the role that the CERT/CC played, and what the future holds.

    The CERT Coordination Center (CERT/CC) is part of the Survivable Systems Initiative of the Software Engineering Institute, a federally funded research and development center operated by Carnegie Mellon University. The CERT/CC was established in 1988, after an Internet ''worm'' stopped 10% of the computers connected to the Internet. This program—the first Internet security incident to make headline news—was the wake-up call for network security. In response, the CERT/CC was established at the SEI. The center was up and running in just two weeks, and we have worked hard to maintain our ability to act quickly.

    The CERT/CC charter is to work with the Internet community to respond to computer security events, raise awareness of computer security issues, and prevent security breaches. While continuing to respond to incidents, the CERT/CC provides training, investigates tools and techniques that enable typical users and administrators to effectively protect systems from damage caused by intruders, conducts research leading to increased security of the Internet, and serves as a model to others establishing incident response teams. The CERT/CC is now recognized by both government and industry as a neutral, authoritative source of information assurance data and expertise. More details about our work are attached to the end of this testimony (see Meet the CERT Coordination Center).

    In the first full year of operation, 1989, the CERT/CC responded to 132 computer security incidents. In 1999, the staff responded to more than 8,000 incidents. In total, the CERT/CC staff has handled well over 24,000 incidents and analyzed more than 1,500 computer vulnerabilities. This testimony is based on that first-hand experience.

DISTRIBUTED DENIAL-OF-SERVICE TOOLS

    Distributed systems based on the client/server model have become increasingly common. In recent months, there has been an increase in the development and use of distributed network sniffers, scanners, and denial-of-service tools. Attacks using these tools can involve a large number of sites simultaneously and be focused to attack one or more victim hosts or networks.

    Damaged systems include those used in the attack as well as the targeted victim. For the victim, the impact can be extensive. For example, in a denial-of-service attack using distributed technology, the attacked system observes simultaneous attacks from all the nodes at once—flooding the network normally used to communicate and trace the attacks and preventing any legitimate traffic from traversing the network.

    There are indications that the processes for discovering vulnerable sites, compromising them, installing daemons (programs used in the attack), and concealing the intrusion are largely automated, with each step being performed in ''batch'' mode against many machines in one ''session.'' Attack daemons have been discovered on a variety of operating systems with varying levels of security and system management.

    It is critical to plan and coordinate before an attack to ensure an adequate response when an attack actually happens. Since the attack methodology is complex and there is no single-point solution or ''silver bullet,'' resolution and restoration of systems may be time-consuming. The bottom line is that an organization's systems may be subject at any time to distributed attacks that are extremely difficult to trace or defend against. Only partial solutions are available.

    Although an organization may be able to ''harden'' its own systems to help prevent having its systems used as part of a distributed attack, there is essentially nothing a site can do with currently available technology to prevent becoming a victim of, for example, a coordinated network flood. The impact upon the site and its operations is dictated by the (in)security of other sites and the ability of a remote attacker to implant the tools and, subsequently, to control and direct multiple systems worldwide to launch an attack. The result may be reduced or unavailable network connectivity for extended periods of time, possibly days or even weeks depending upon the number of sites attacking and the number of possible attack networks that could be activated in parallel or sequentially.

    Coordinated attacks across national boundaries have occurred. The tools and attacks demonstrate that a network that optimizes its technology for speed and reliability at the expense of security may experience neither speed nor reliability, as intruders abuse the network or deny its services. The intruder technology is evolving, and future tools may be more difficult to defeat.

    Here are key points to note about distributed-system denial-of-service (DDoS) tools:

 Intruders compromise systems through other means and install DDoS tools.

 The DDoS tools often are equipped with a variety of different attack types.

 Computers that are compromised with DDoS tools are aggregated into networks.

 These networks act in unison to attack a single victim. Any computer on the Internet can be a victim.

 The networks can be activated remotely at a later date by a ''master'' computer.

 Communication between the master computer and the networks can be encrypted and obfuscated to make it very difficult to locate the master.

 Once activated, the tools typically proceed on their own. No further communication is necessary on the part of the intruder—it is not possible to discover the master by tracing an ongoing attack. However, there may be evidence on one or more of the machines in the DDoS network regarding the true location of the master.

 Attacks from the network to the victim typically employ techniques designed to obfuscate the true location of the machines in the DDoS network. This makes it difficult to recognize the traffic (and thus block it), to trace the traffic back from the victim to the nodes in the network, and to analyze an attack while it is in progress.

 There are no proactive technical steps an organization can take to prevent becoming a victim. Everyone's security is intertwined. However, by preparing a response in advance, sites can significantly diminish the impact. For information on preparing to respond to these attacks, see the report on the results of a workshop that the CERT Coordination Center organized in November 1999 to address the imminent threat posed by the tools: http://www.cert.org/reports/dsit_workshop.pdf

 The tools are rapidly evolving but have not reached their full potential by any means.

 The magnitude of the attacks can overwhelm even the largest networks.

 Intruders are building networks of machines used in these attacks ranging in size from tens to hundreds of machines. It is likely that some networks are much larger.

 The individual nodes in the network can be automatically updated by the master machines, enabling rapid evolution of tools on an existing base of compromised machines.

 A variety of tools are available to detect DDoS tools. Each of these tools has weaknesses, and none is a general-purpose solution. Some of these tools can be found at http://www.fbi.gov/nipc/trinoo.htm; http://staff.washington.edu/dittrich/misc/stacheldraht.analysis; http://www.iss.net/cgi-bin/dbt-display.exe/db_data/press_rel/release/122899199.plt; http://www.sans.org/y2k/stacheldraht.htm

 Currently, there is a nearly inexhaustible supply of computers with well-known vulnerabilities that intruders can compromise and install DDoS tools on. Additionally, many networks are configured in a way that facilitates the obfuscation techniques used by intruders to conceal their identity. Information about how to configure networks properly is available at http://info.internet.isi.edu:80/in-notes/rfc/files/rfc2267.txt

 An archive of DDoS tools can be found at http://packetstorm.securify.com/distributed/

 The CERT/CC published advisories and other documents about this topic: http://www.cert.org/advisories/CA–2000–01.html; http://www.cert.org/advisories/CA–99–17–denial-of-service-tools.html; http://www.cert.org/tech_tips/denial_of_service.html

ROLE OF THE CERT/CC IN DISTRIBUTED DENIAL-OF-SERVICE ATTACKS

    The CERT Coordination Center constantly monitors trends and watches for new attack techniques and tools. As the attached timeline shows, we began seeing distributed denial-of-service tools in early 1998. Denial-of-service attacks are not new. (See, for example, the attached CERT advisories CA–96.21 on TCP ''syn'' flooding and CA–98.01 on ''smurf'' attacks, as well as a ''tech tip'' on denial-of-service attacks, which the CERT/CC wrote for system administrators in 1997.)

    By fall 1999, it was evident that steps needed to be taken to deal with increasingly sophisticated intruder tools before they—and attacks using them—became widespread. On November 2–4, 1999, the CERT/CC invited 30 experts from around the world to address the problem of network attack tools that use distributed systems in increasingly sophisticated ways. During the Distributed-Systems Intruder Tools (DSIT) Workshop, participants discussed a large number of approaches to preventing, detecting, and responding to distributed attacks. The CERT/CC invited personnel who could contribute technically to the solutions regardless of their position in their home organization or their ''political'' stature in the community. Thus, the workshop effectively provided a venue for experts around the world to share experiences, gain a common understanding, and creatively brainstorm possible responses and solutions to this category of attack before the dissemination of the attack tools—and the attacks themselves—became widespread. A paper, Results of the Distributed-Systems Intruder Tools Workshop (attached), is available on the CERT web site (www.cert.org). This paper explains the threat posed by these intruder tools and provides suggestions for safeguarding systems from this type of malicious activity.

    The CERT/CC continues to collaborate with the participants who attended the workshop and with an additional group of security experts to address the ongoing problem.

    Earlier this month, Rich Pethia of the CERT/CC, Alan Paller of the SANS Institute, and Gene Spafford of Purdue University, prepared a Consensus Roadmap for Defeating Distributed Denial of Service Attacks (attached) for the Partnership for Critical Infrastructure Security. The most current version can be found on the SANS Institute Web site (www.sans.org).

INTERNET TRENDS AND FACTORS AFFECTING SECURITY

    The recent attacks against e-commerce sites demonstrate the opportunities that attackers now have because of several Internet trends and related factors:

 The Internet is becoming increasingly complex and dynamic, but among those connected to the Internet there is a lack of adequate knowledge about the network and about security. The rush to the Internet, coupled with a lack of understanding, is leading to the exposure of sensitive data and risk to safety-critical systems. Misconfigured or outdated operating systems, mail programs, and Web sites result in vulnerabilities that intruders can exploit. Just one naive user with an easy-to-guess password increases an organization's risk.

 When vendors release patches or upgrades to solve security problems, organizations' systems often are not upgraded. The job may be too time-consuming, too complex, or just at too low a priority for the system administration staff to handle. With increased complexity comes the introduction of more vulnerabilities, so solutions do not solve problems for the long term; system maintenance is never-ending. Because managers do not fully understand the risks, they neither give security a high enough priority nor assign adequate resources.

 Attack technology is developing in an open-source environment and is evolving rapidly. Technology producers, system administrators, and users are improving their ability to react to emerging problems, but they are behind and significant damage to systems and infrastructure can occur before effective defenses can be implemented. As long as defensive strategies are reactionary, this situation will worsen.

 Currently, there are tens of thousands—perhaps even millions—of systems with weak security connected to the Internet. Attackers are compromising these machines and building attack networks (and will continue to do so). Attack technology takes advantage of the power of the Internet to exploit its own weaknesses and overcome defenses.

 Increasingly complex software is being written by programmers who have no training in writing secure code and are working in organizations that sacrifice the safety of their clients for speed to market. This complex software is then being deployed in security-critical environments and applications, to the detriment of all users.

 User demand for new software features instead of safety, coupled with industry response to that demand, has resulted in software that is increasingly supportive of subversion, computer viruses, data theft, and other malicious acts.

 Because of the scope and variety of the Internet, changing any particular piece of technology usually cannot eliminate newly emerging problems; broad community action is required. While point solutions can help dampen the effects of attacks, robust solutions will come only with concentrated effort over several years.

 The explosion in use of the Internet is straining our scarce technical talent. The average level of system administrator technical competence has decreased dramatically in the last 5 years as non-technical people are pressed into service as system administrators. Additionally, there has been little organized support of higher education programs that can train and produce new scientists and educators with meaningful experience and expertise in this emerging discipline.

 The evolution of attack technology and the deployment of attack tools transcend geography and national boundaries. Solutions must be international in scope.

 The difficulty of criminal investigation of cybercrime coupled with the complexity of international law means that successful apprehension and prosecution of computer criminals is unlikely, and thus little deterrent value is realized.

 The number of directly connected homes, schools, libraries and other venues without trained system administration and security staff is rapidly increasing. These ''always-on, rarely-protected'' systems allow attackers to continue to add new systems to their arsenal of captured weapons.

NEAR-TERM ACTIONS TO REDUCE RISK AND DAMPEN THE EFFECTS OF ATTACKS

    The problem of distributed denial-of-service attacks is complex, and there are no easy answers. The Results of the Distributed-System Intruder Tools Workshop contains specific steps that can be taken by managers, system administrators, Internet service providers, and computer security incident response teams. The Consensus Roadmap for Defeating Distributed Denial of Service Attacks contains additional recommendations. The recommendations below, divided into four key problem areas, can be found in the Consensus Roadmap.

Solutions to mitigate ''spoofing''

    Attackers often hide the identity of machines used to carry out an attack by falsifying the source address of the network communication. This makes it more difficult to identify the sources of attack traffic and sometimes shifts attention onto innocent third parties. Limiting the ability of an attacker to spoof IP source addresses will not stop attacks, but will dramatically shorten the time needed to trace an attack back to its origins.

 User organizations and Internet service providers can

— ensure that traffic exiting an organization's site, or entering an ISP's network from a site, carries a source address consistent with the set of addresses for that site, and

— ensure that no traffic from ''unroutable addresses'' listed in RFC 1918 is sent from their sites. This activity is often called egress filtering.

 ISPs can provide backup to pick up spoofed traffic that is not caught by user filters. ISPs may also be able to stop spoofing by accepting traffic (and passing it along) only if it comes from authorized sources. This activity is often called ingress filtering.

 Dial-up users are the source of some attacks. Putting an end to spoofing by these users is also an important step.

 ISPs, universities, libraries and others that serve dial-up users should ensure that proper filters are in place to prevent dial-up connections from using spoofed addresses.

 Network equipment vendors should ensure that no-IP-spoofing is a user setting, and the default setting, on their dial-up equipment.

Solutions to help stop broadcast amplification

    In a common attack, the malicious user generates packets with a source address of the site he wishes to attack (site A) (using spoofing) and then sends a series of network packets to an organization with lots of computers (site B), using an address that broadcasts the packets to every machine at site B. Unless precautions have been taken, every machine at Site B will respond to the packets and send data to the organization (site A) that was the target of the attack. The target will be flooded and people at site A may blame the people at site B. Attacks of this type often are referred to as Smurf attacks. In addition, the echo and chargen services can be used to create oscillation attacks similar in effect to Smurf. Solutions include the following:

 Unless an organization is aware of a legitimate need to support broadcast or multicast traffic within its environment, the forwarding of directed broadcasts should be turned off. Even when broadcast applications are legitimate, an organization should block certain types of traffic sent to ''broadcast'' addresses (e.g., ICMP Echo Reply messages) so that its systems cannot be used to effect these Smurf attacks.

 Network hardware vendors should ensure that routers can turn off the forwarding of IP directed broadcast packets as described in RFC 2644 and that this is the default configuration of every router.

 Users should turn off echo and chargen services unless they have a specific need for those services. (This is good advice, in general, for all network services—they should be disabled unless known to be needed.)

Solutions that encourage appropriate response to attacks

    Many organizations do not respond to complaints of attacks originating from their sites or to attacks against their sites, or respond in a haphazard manner. This makes containment and eradication of attacks difficult. Further, many organizations fail to share information about attacks, giving the attacker community the advantage of better intelligence sharing.

 User organizations should establish incident response policies and teams with clearly defined responsibilities and procedures.

 ISPs should establish methods of responding quickly if they discover that their systems were used for attacks on other organizations. They must also have enough staffing to support these efforts.

 User organizations should encourage system administrators to participate in industry-wide early warning systems, where their corporate identities can be protected (if necessary), to counter rapid dissemination of information among the attack community.

 Attacks and system flaws should be reported to appropriate authorities (e.g., vendors, response teams) so that the information can be applied to defenses for other users.

Solutions to protect unprotected computers

    Many computers are vulnerable to take-over for distributed denial-of-service attacks because of inadequate implementation of well-known ''best practices.'' When those computers are used in attacks, the result can be major costs, headaches, and embarrassment for the owners of computers being attacked. Furthermore, once a computer has been compromised, the data may be copied, altered or destroyed, programs changed, and the system disabled. Solutions include the following:

 User organizations should check their systems periodically to determine whether they have had malicious software installed, including DDoS Trojan horse programs. If such software is found, the system should be restored to a known good state.

 User organizations should reduce the vulnerability of their systems by installing firewalls with rule sets that tightly limit transmission across the site's periphery (e.g. deny traffic, both incoming and outgoing, unless given specific instructions to allow it).

 All machines, routers, and other Internet-accessible equipment should be periodically checked to verify that all recommended security patches have been installed.

 The security community should maintain and publicize a current ''Top-20 Exploited Vulnerabilities'' and the ''Top 20 Attacks'' list of currently most-often-exploited vulnerabilities to help system administrators set priorities.

 Users should turn off services that are not required and limit access to vulnerable management services (e.g., RPC-based services).

 Users and vendors should cooperate to create ''system-hardening'' scripts that can be used by less sophisticated users to close known holes and tighten settings to make their systems more secure. Users should employ these tools when they are available.

 System software vendors should ship systems where security defaults are set to the highest level of security rather than the lowest level of security. These ''secure out-of-the-box'' configurations will greatly aid novice users and system administrators. They will furthermore save critically scarce time for even the most experienced security professionals.

 System administrators should deploy ''best practice'' tools including firewalls (as described above), intrusion detection systems, virus detection software, and software to detect unauthorized changes to files. Use of software to detect unauthorized changes may also be helpful in restoring compromised systems to normal function.

 System and network administrators should be given time and support for training and enhancement of their skills. System administrators and auditors should be periodically certified to verify that their security knowledge and skills are current.

PROGNOSIS FOR THE FUTURE

    In spite of preparation and protective measures that can be taken now, the problem of conquering DDoS attacks requires a long-term effort to define and implement effective solutions. The Consensus Roadmap for Defeating Distributed Denial of Service Attacks identifies these actions that should be considered:

 Establish load and traffic volume monitoring at ISPs to provide early warning of attacks.

 Accelerate the adoption of the IPsec components of Internet Protocol Version 6 and Secure Domain Name System.

 Increase the emphasis on security in the research and development of Internet II.

 Support the development of tools that automatically generate router access control lists for firewall and router policy.

 Encourage the development of software and hardware that is engineered for safety with possibly vulnerable settings and services turned off, and encourage vendors to automate security updating for their clients.

 Sponsor research in network protocols and infrastructure to implement real-time flow analysis and flow control.

 Encourage wider adoption of routers and switches that can perform sophisticated filtering with minimal performance degradation.

 Sponsor continuing topological studies of the Internet to understand the nature of ''choke points.''

 Test deployment and continue research in anomaly-based, and other forms of, intrusion detection.

 Support community-wide consensus of uniform security policies to protect systems and to outline security responsibilities of network operators, Internet service providers, and Internet users.

 Encourage development and deployment of a secure communications infrastructure that can be used by network operators and Internet service providers to enable real-time collaboration when dealing with attacks.

 Sponsor research and development leading to safer operating systems that are also easier to maintain and manage.

 Sponsor research into survivable systems that are better able to resist, recognize, and recover from attacks while still providing critical functionality.

 Sponsor research into better forensic tools and methods to trace and apprehend malicious users without forcing the adoption of privacy-invading monitoring.

 Provide meaningful infrastructure support for centers of excellence in information security education and research to produce a new generation of leaders in the field.

 Consider changes in government procurement policy to emphasize security and safety rather than simply cost when acquiring information systems, and to hold managers accountable for poor security.

CONCLUSION

    We have discussed for many years the tremendous interconnectedness and interdependency among computer systems on the Internet. As a result, the security of each system on the Internet depends on the security of all other systems on the network. The distributed denial-of-service attacks clearly demonstrate this interdependency. Any computer system can be a victim of a DDoS attack, and there is little system owners can do beyond depending upon others to protect their systems from being used as a launch site in a DDoS attack. To address the distributed denial-of-service attacks and other security problems on the Internet, we must continue to work together. We must pool our expertise, take steps to protect ourselves, and help others protect themselves.

Attachments to the Testimony:

Meet the CERT Coordination Center

A Chronology of CERT Coordination Center Involvement with Distributed Denial of Service

CERT Advisory CA–2000–01: Denial-of-Service Developments

CERT Advisory CA–99–17: Denial-of-Service Tools

CERT Incident Note IN–99–07: Distributed Denial of Service Tools

CERT Incident Note IN–99–06: Distributed Network Sniffer

CERT Advisory CA–98.01: ''smurf'' IP Denial-of-Service Attacks

CERT Advisory CA–96.21: TCP SYN Flooding and IP Spoofing Attacks

CERT Tech Tip: Denial of Service

Results of the Distributed-Systems Intruder Tools Workshop

Consensus Roadmap for Defeating Distributed Denial of Service Attacks

MEET THE CERT COORDINATION CENTER

OVERVIEW

    The CERT Coordination Center (CERT/CC) is located at the Software Engineering Institute (SEI), a federally funded research and development center at Carnegie Mellon University in Pittsburgh, Pennsylvania. Following the Internet Worm incident, which brought 10 percent of Internet systems to a halt in November 1988, the Defense Advanced Research Projects Agency (DARPA) charged the SEI with setting up a center to coordinate communication among experts during security emergencies and to help prevent future incidents. Since then, the CERT/CC has helped to establish other response teams and our incident handling practices have been adopted by more than 80 response teams around the world.

    While we continue to respond to security incidents and analyze product vulnerabilities, our role has expanded over the years. Each year, commerce, government, and individuals grow increasingly dependent on networked systems. Along with the rapid increase in the size of the Internet and its use for critical functions, there have been progressive changes in intruder techniques, increased amounts of damage, increased difficulty of detecting an attack, and increased difficulty of catching the attackers. To better manage these changes, the CERT/CC is now part of the larger SEI Networked Systems Survivability Program, whose primary goals are to ensure that appropriate technology and systems management practices are used to resist attacks on networked systems and to limit damage and ensure continuity of critical services in spite of successful attacks (''survivability'').

    To accomplish our goals, we focus our efforts on the following areas of work: survivable network management, survivable network technology, incident response, incident and vulnerability analysis, knowledgebase development, and courses and seminars.

    We are also committed to increasing awareness of security issues and helping organizations improve the security of their systems. Therefore, we disseminate information through several channels.

AREAS OF WORK

Survivable Network Management

    Our survivable network management effort focuses on publishing security improvement practices, developing a self-directed method for organizations to improve the security of their network computing systems, and defining an adaptive security improvement process.

    Security improvement practices provide concrete, practical guidance that will help organizations improve the security of their networked computer systems. These practices are published as security improvement modules and focus on best practices that address important problems in network security. We have published seven modules, incorporating more than 80 recommended practices and technology-specific implementations. A complete list of the modules, practices, and implementations can be found on the CERT/CC Web site at http://www.cert.org/security-improvement/

    Our self-directed security evaluation method will give organizations a comprehensive, repeatable technique that can be used to identify risk in their networked systems and keep up with changes over time. The method takes into consideration assets, threats, and vulnerabilities (both organizationally and technologically) so that the organization gains a comprehensive view of the state of its systems' security.

    Additionally, the adaptive security management process, which we have under development, builds on and incorporates our work on security practices and self-directed security evaluations. The adaptive process presents a structure that an organization can use to develop and execute a plan for continuously improving the security of its networked systems.

Survivable Network Technology

    In the area of survivable network technology, we are concentrating on the technical basis for identifying and preventing security flaws and for preserving essential services if a system is penetrated and compromised. Approaches that are effective at securing bounded systems (systems that are controlled by one administrative structure) are not effective at securing unbounded systems such as the Internet. Therefore, new approaches to system security must be developed. They include design and implementation strategies, recovery tactics, strategies to resist attacks, survivability trade-off analysis, and the development of security architectures. This work draws on the vast collection of incident data collected by the CERT/CC. For introductory information, technical reports, and more, see http://www.cert.org/research

Incident Response

    We provide assistance to computer system administrators in the Internet community who report security problems. When a security breach occurs, we help the administrators of the affected sites to identify and correct the vulnerabilities that allowed the incident to occur. We will also coordinate the response with other sites affected by the same incident. When a site specifically requests, we will facilitate communication with law enforcement agencies.

    Since our inception in 1988, we have received more than 260,000 email messages and 17,600 hotline calls reporting computer security incidents or requesting information. We have handled more than 24,300 computer security incidents and received more than 1,500 vulnerability reports.

    The scale of emerging networks and the diversity of user communities make it impractical for a single organization to provide universal support for addressing computer security issues. Therefore, the CERT/CC staff regularly works with sites to help them form incident response teams and provides guidance to newly formed teams.

    FedCIRC—We are responsible for the day-to-day operations of FedCIRC, the Federal Computer Incident Response Capability, an organization that provides incident response and other security-related services to Federal civilian agencies. FedCIRC is managed by the General Services Administration (GSA).

    More information about FedCIRC is available from http://www.fedcirc.gov/. Federal agencies can contact FedCIRC by sending email to fedcirc-info@fedcirc.gov or by calling the FedCIRC Management Center at (202) 708–5060. To report an incident, affected sites should send email to fedcirc@fedcirc.gov or phone the FedCIRC hotline at (888) 282–0870.

Incident and Vulnerability Analysis

    Our ongoing computer security incident response activities help the Internet community to deal with its immediate problems while allowing us to understand the scope and nature of the problems and of the community's needs. Our understanding of current security problems and potential solutions comes from first-hand experience with compromised sites on the Internet and subsequent analysis of security incidents, intrusion techniques, configuration problems, and software vulnerabilities.

    The CERT/CC has become a major reporting center for incidents and vulnerabilities because we have an established reputation for discretion and objectivity. Organizations trust us with sensitive information about security compromises and network vulnerabilities because we have proven our ability to keep their identities and other sensitive information confidential. Our connection with the Software Engineering Institute and Carnegie Mellon University contributes to our ability to be neutral, enabling us to work with commercial competitors and government agencies without bias. As a result of the community's trust, we are able to obtain a broad view of incident and vulnerability trends and characteristics.

    When we receive a vulnerability report, our vulnerability experts analyze the potential vulnerability and work with technology producers to inform them of security deficiencies in their products and to facilitate and track their response to these problems. Another source of vulnerability information comes from incident analysis. Repeated incidents of the same type often point to the existence of a vulnerability and, often, the existence of public information or automated tools for exploiting the vulnerability.

    To achieve long-term benefit from vulnerability analysis, we have begun to identify the underlying software engineering and system administration practices that lead to vulnerabilities and, conversely, practices that prevent vulnerabilities. We will broadly disseminate this information to practitioners and consumers and influence educators to include it in courses for future software engineers and system administrators. Only when software is developed and installed using defensive practices will there be a decrease in the expensive, and often haphazard, reactive use of patches and workarounds.

Knowledgebase Development

    We are developing a knowledgebase that will help to capture and effectively use information related to network survivability and security. The work includes developing processes and tools to support the increasing complexity of handling incidents, analyzing vulnerabilities, and managing the volume of information that is essential to the CERT/CC mission. We are forming collaborative relationships with other organizations to support this work.

Education and Training

    We offer public training courses for technical staff and managers of computer security incident response teams (CSIRTs) as well as for system administrators and other technical personnel interested in learning more about network security. In addition, several CERT/CC staff members teach courses in the Information Security Management specialization of the Master of Information Systems Management program in the H. J. Heinz III School of Public Policy and Management at Carnegie Mellon University. For more information, see http://www.cert.org/training/index.html

INFORMATION DISSEMINATION

    To increase awareness of security issues and help organizations improve the security of their systems, we collect and disseminate information through multiple channels:

 telephone and email—hotline: (412) 268–7090; email: cert@cert.org; mailing list: cert-advisory-request@cert.org

 USENET newsgroup: comp.security.announce

 World Wide Web: http://www.cert.org

 anonymous FTP: ftp://ftp.cert.org/pub/

    Since beginning operation in 1988, we have handled more than 17,600 hotline calls and 260,600 mail messages. We have published 290 security alerts (advisories, vendor-initiated bulletins,(see footnote 1) incident notes, vulnerability notes, and CERT summaries).

Publications

    Advisories—CERT/CC advisories address Internet security problems. They offer an explanation of the problem, information that helps you determine if your site has the problem, fixes or workarounds, and vendor information. Among the criteria for developing an advisory are the urgency of the problem, potential impact of intruder exploitation, and the existence of a software patch or workaround. On the day of release, we send advisories to a mailing list, post them to the USENET newsgroup comp.security.announce and make them available on the CERT Web site at http://www.cert.org/advisories/.

    CERT Summaries—We publish the CERT Summary as part of our ongoing efforts to disseminate timely information about Internet security issues. The summary is typically published four to six times a year. The primary purpose of the summary is to call attention to the types of attacks currently being reported to the CERT/CC. Each summary includes pointers to advisories or other publications that explain how to deal with the attacks. Summaries are distributed in the same way as advisories.

    Incident Notes and Vulnerability Notes—We publish two web documents, Incident Notes and Vulnerability Notes, as an informal means for giving the Internet community timely information relating to the security of its sites. Incident Notes describe current intruder activities that have been reported to the CERT/CC incident response team. Vulnerability Notes describe weaknesses in Internet-related systems that could be exploited but that do not meet the criteria for advisories.

    Security Improvement Modules—Security Improvement Modules address an important but narrowly defined problem in network security. They provide concrete, practical guidance that will help organizations improve the security of their network computer systems. The modules are available on the CERT Web site at http://www.cert.org/security-improvement/. We have published, in Web form only, technology-specific implementation details for the modules.

    Other security information—We capture lessons learned from incident handling and vulnerability analysis and make them available to users of the Internet through a web site archive of security information and products. These include answers to frequently asked questions, a security checklist, ''tech tips'' for system administrators, research and technical reports, and a handbook for new computer security incident response teams (CSIRTs).

ADVOCACY AND OTHER INTERACTIONS WITH THE COMMUNITY

    The CERT/CC has the opportunity to advocate high-level changes that improve Internet security and network survivability. Additionally, CERT/CC staff members are invited to give presentations at conferences, workshops, and meetings. These activities enhance the understanding of Internet security and related issues.

    Forum of Incident Response and Security Teams (FIRST)—FIRST is a coalition of individual response teams around the world. Each response team builds trust within its constituent community by establishing contacts and working relationships with members of that community. These relationships enable response teams to be sensitive to the distinct needs, technologies, and policies of their constituents. FIRST members collaborate on incidents that cross boundaries, and they cross-post alerts and advisories on problems relevant to their constituents.

    The CERT/CC was a founding member of FIRST, and staff members continue to be active participants in FIRST. A current list of FIRST members is available from www.first.org/team-info/. More than 80 teams belong to FIRST, and membership applications for additional teams are pending.

Internet Engineering Task Force

    Members of our staff influence the definition of Internet protocols through participation in the Internet Engineering Task Force (IETF); a member of our staff sits on the Security Area Advisory Group to ensure that the CERT/CC perspective is brought to bear on all new standards activities.

Vendor Relations

    We work closely with technology producers to inform them of security deficiencies in their products and to facilitate and track their response to these problems. Staff members have worked to influence the vendors to improve the basic, as shipped, security within their products and to include security topics in their standard customer training courses. We interact with more than 100 vendors, as well as developers of freely available software such as sendmail and BIND.

    Vendors often provide information to the CERT/CC for inclusion in advisories.

External Events

    CERT/CC staff members are regularly invited to give presentations at conferences, workshops, and meetings. We have found this to be an excellent tool to educate attendees in the area of network information system security and incident response.

Media Relations

    Internet security issues increasingly draw the attention of the media. The headlines, occasionally sensational, report only a small fraction of the events that are reported to the CERT/CC. Even so, accurate reporting on security issues can raise the awareness of a broad population to the risks they face on the Internet and steps they can take to protect themselves. Ultimately, the increased visibility of security issues may lead consumers to demand increased security in the computer systems and network services they buy.

    In the course of a year, the CERT/CC is referred to in major U.S. newspapers and in a variety of other publications, from the Chronicle of Higher Education to IEEE Computer. Our staff gives interviews to a selected number of reporters, under the guidance of the SEI public affairs manager.

    In 1999, the CERT/CC has been covered in radio, television, print, and online media around the world, including US News and World Report, USA Today, the San Jose Mercury News, The New York Times, The Wall Street Journal, The Washington Post, the Chicago Sun-Times, The Toronto Star, the Ottawa Citizen, Agence France Presse, Deutsche Presse-Agentur, the Xinhua News Agency, MSNBC, Ziff-Davis ZDNET, BBC London, National Public Radio, ABC, CNN, NBC, and more.

APPENDIX A: THE CERT/CC CHARTER

    The CERT/CC is chartered to work with the Internet community in detecting and resolving computer security incidents, as well as taking steps to prevent future incidents. In particular, our mission is to

 Provide a reliable, trusted, 24-hour, single point of contact for emergencies.

 Facilitate communication among experts working to solve security problems.

 Serve as a central point for identifying and correcting vulnerabilities in computer systems.

 Maintain close ties with research activities and conduct research to improve the security of existing systems.

 Initiate proactive measures to increase awareness and understanding of information security and computer security issues throughout the community of network users and service providers.

APPENDIX B: THE CERT/CC AND THE INTERNET COMMUNITY

    The CERT/CC operates in an environment in which intruders form a well-connected community and use network services to quickly distribute information on how to maliciously exploit vulnerabilities in systems. Intruders dedicate time to developing programs that exploit vulnerabilities and to sharing information. They have their own publications, and they regularly hold conferences that deal specifically with tools and techniques for defeating security measures in networked computer systems.

    In contrast, the legitimate, often overworked, system administrators on the network often find it difficult to take the time and energy from their normal activities to stay current with security and vulnerability information, much less design patches, workarounds (mitigation techniques), tools, policies, and procedures to protect the computer systems they administer.

    In helping the legitimate Internet community work together, we face policy and management issues that are perhaps even more difficult than the technical issues. For example, one challenge we routinely face concerns the dissemination of information about security vulnerabilities. Our experience suggests that the best way to help members of the network community to improve the security of their systems is to work with a group of technology producers and vendors to develop workarounds and repairs for security vulnerabilities disclosed to the CERT/CC. To this end, in the absence of a major threat, we do not publicly disclose vulnerabilities until a repair or workaround has been developed.

    Copyright 2000 Carnegie Mellon University. Conditions for use, disclaimers, and sponsorship information can be found in http://www.cert.org/legal_stuff/legal_stuff.html.

    * CERT is registered in the U.S. Patent and Trademark Office

    Last updated February 16, 2000

A CHRONOLOGY OF CERT Coordination Center Involvement with Distributed Denial-of-Service Tools

    The CERT Coordination Center (CERT/CC) has handled ongoing reports of intruders installing distributed denial-of-service (DDoS) intruder tools. The tools that we have encountered use distributed technology to create large networks of hosts capable of launching large coordinated packet flooding denial-of-service attacks. We have seen distributed tools installed on hosts that have been compromised through the exploitation of known vulnerabilities. In particular, various RPC services have been exploited.

    Since the use of DDoS tools was first detected, we have been engaged in collaboration with technical experts from around the world to develop mitigation strategies. A brief chronology of CERT/CC activity follows.

 Early 1998: The CERT/CC begins to see signs of the use of distributed systems in tools such as ''Fapi.'' Reports of its use ''in the wild'' first begin to surface.

 Late July 1999: The CERT/CC begins receiving reports of sites finding Trinoo ''daemons'' (and has continued to receive reports as of the date of this chronology).

 09 September 1999: A discussion of DDoS appears in an issue of the ''hacker'' magazine Phrack (Vol 9, Issue 55, File 09 and Vol 9, Issue 55, File 16).

  Please see http://www.phrack.com/search.phtml?issueno=55&r=0

 October 1999: The CERT/CC begins receiving reports of sites finding Tribal Flood Net (TFN) ''daemons'' (and has continued to receive reports).

 01 October 1999: The CERT/CC issues a special communication(see footnote 2) (SC–99.41) describing Trinoo activity.

 08 October 1999: The CERT/CC issues another special communication (SC–99.42) describing Trinoo activity in further detail as well as distributed sniffer activity.

 25 October 1999: The CERT/CC publishes an incident note (IN–99–06: Distributed Network Sniffer) on reports of distributed tools being used to exploit systems.

  Please see attached or http://www.cert.org/incident_notes/IN-99-06.html

 02–04 November 1999: The CERT/CC hosts the Distributed-Systems Intruder Tools (DSIT) Workshop in Pittsburgh.

  Please see attached or http://www.cert.org/reports/dsit_workshop.pdf

 18 November 1999: The CERT/CC publishes an incident note (IN–99–07: Distributed Denial of Service Tools) on reports of DSIT being used to exploit systems.

  Please see attached or http://www.cert.org/incident_notes/IN-99-07.html

 08 December 1999: The CERT/CC publishes a report (Results of the Distributed Systems Intruder Tools Workshop) produced by participants in the DSIT Workshop.

  Please see attached or http://www.cert.org/reports/dsit_workshop.pdf

 20 December 1999: The CERT/CC issues a special communication (SC–99.54) describing Tribal Flood Net 2000 (TFN2K).

 22 December 1999: The CERT/CC issues another special communication (SC–99.55) further describing TFN2K activity.

 23 December 1999: The CERT/CC issues a special communication (SC–99.56) with updated information on TFN2K activity and one on another denial-of-service attack method (SC–99.57).

 27 December 1999: The CERT/CC issues a special communication (SC–99.58) providing information regarding TFN2K and Mac Attack.

 28 December 1999: The CERT/CC issues advisory CA–99–17 discussing denial-of-service tools.

  Please see attached or http://www.cert.org/advisories/CA-99-17.html

 31 December 1999: The CERT/CC issues two special communications (SC–99.59 and SC–99.59a) on Stacheldraht and one (SC–99.60) update on denial-of-service activities.

 3 January 2000: The CERT/CC publishes advisory CA–2000–01 describing recent developments in denial-of-service attacks, sending a preliminary version early in the day in a Special Communication to sponsors (SC–2000.01).

  Please see attached or http://www.cert.org/advisories/CA-2000-01.html

 7 January 2000: The CERT/CC issues a Special Communication (SC–2000.01) providing an update on denial-of-service attacks.

 9 January 2000: Another update on denial-of-service attacks is issued in special communication SC–2000.08.

 10 January 2000: The CERT/CC issues a special communication to sponsors (SC–2000.09) discussing packet processing performance issues.

 18 January 2000: The CERT/CC issues a special communication (SC–2000.11) on another possible distributed denial-of-service tool.

CERT Advisory CA–2000–01 Denial-of-Service Developments

    This advisory is being published jointly by the CERT Coordination Center and the Federal Computer Incident Response Capability (FedCIRC).

Original release date: January 3, 2000
Source: CERT/CC and FedCIRC

Systems Affected

 All systems connected to the Internet can be affected by denial-of-service attacks.

I. DESCRIPTION

Continued Reports of Denial-of-Service Problems

    We continue to receive reports of new developments in denial-of-service tools. This advisory provides pointers to documents discussing some of the more recent attacks and methods to detect some of the tools currently in use. Many of the denial-of-service tools currently in use depend on the ability of an intruder to compromise systems first. That is, intruders exploit known vulnerabilities to gain access to systems, which they then use to launch further attacks. For information on how to protect your systems, see the solution section below.

    Security is a community effort that requires diligence and cooperation from all sites on the Internet.

Recent Denial-of-Service Tools and Developments

    One recent report can be found in CERT Advisory CA–99–17.

    A distributed denial-of-service tool called ''Stacheldraht'' has been discovered on multiple compromised hosts at several organizations. In addition, one organization reported what appears to be more than 100 different connections to various Stacheldraht agents. At the present time, we have not been able to confirm that these are connections to Stacheldraht agents, though they are consistent with an analysis provided by Dave Dittrich of the University of Washington, available at http://staff.washington.edu/dittrich/misc/stacheldraht.analysis

    Also, Randy Marchany of Virginia Tech released an analysis of a TFN-like toolkit, available at http://www.sans.org/y2k/TFN_toolkit.htm

    The ISS X-Force Security Research Team published information about trin00 and TFN in their December 7 Advisory, available at http://xforce.iss.net/alerts/advise40.php3

    A general discussion of denial-of-service attacks can be found in a CERT/CC Tech Tip available at http://www.cert.org/tech_tips/denial_of_service.html

II. IMPACT

    Denial-of-service attacks can severely limit the ability of an organization to conduct normal business on the Internet.

III. SOLUTION

    Solutions to this problem fall into a variety of categories.

Awareness

    We urge all sites on the Internet to be aware of the problems presented by denial-of-service attacks. In particular, keep the following points in mind:

 Security on the Internet is a community effort. Your security depends on the overall security of the Internet in general. Likewise, your security (or lack thereof) can cause serious harm to others, even if intruders do no direct harm to your organization. Similarly, machines that are not part of centralized computing facilities, that may be managed by novice or part-time system administrators, or that may be unmanaged can be used by intruders to inflict harm on others, even if those systems have no strategic value to your organization.

 Systems used by intruders to execute denial-of-service attacks are often compromised via well-known vulnerabilities. Keep up-to-date with patches and workarounds on all systems.

 Intruders often use source-address spoofing to conceal their location when executing denial-of-service attacks. We urge all sites to implement ingress filtering to reduce source address spoofing on as many routers as possible. For more information, see RFC2267.

 Because your security is dependent on the overall security of the Internet, we urge you to consider the effects of an extended network or system outage and make appropriate contingency plans where possible.

 Responding to a denial-of-service attack may require the cooperation of multiple parties. We urge all sites to develop the relationships and capabilities described in the results of our recent workshop before you are a victim of a distributed denial-of-service attack. This document is available at http://www.cert.org/reports/dsit_workshop.pdf

Detection

    A variety of tools are available to detect, eliminate, and analyze distributed denial-of-service tools that may be installed on your network.

    The National Infrastructure Protection Center has recently announced a tool to detect trin00 and TFN on some systems. For more information, see http://www.fbi.gov/nipc/trinoo.htm

    Part of the analysis done by Dave Dittrich includes a Perl script named gag which can be used to detect stacheldraht agents running on your local network. See Appendix A of that analysis for more information.

    Internet Security Systems released updates to some of their tools to aid sites in detecting trin00 and TFN. For more information, see http://www.iss.net/cgi-bin/dbt-display.exe/db_data/press_rel/release/122899199.plt

Prevention

    We urge all sites to follow sound security practices on all Internet-connected systems. For helpful information, please see

http://www.cert.org/security-improvement

http://www.sans.org

Response

    For information on responding to intrusions when they do occur, please see

http://www.cert.org/nav/recovering.html

http://www.sans.org/newlook/publications/incident_handling.htm

    The United States Federal Bureau of Investigation is conducting criminal investigations involving TFN where systems appear to have been compromised. U.S. recipients are encouraged to contact their local FBI Office.

    We thank Dave Dittrich of the University of Washington, Randy Marchany of Virginia Tech, Internet Security Systems, UUNet, the http://www.y2k.gov/Y2K–ICC, the National Infrastructure Protection Center, Alan Paller and Steve Northcutt of The SANS Institute, The MITRE Corporation, Jeff Schiller of The Massachusetts Institute of Technology, Jim Ellis of Sun Microsystems, Vern Paxson of Lawrence Berkeley National Lab, and Richard Forno of Network Solutions.

    This document is available from: http://www.cert.org/advisories/CA-2000-01.html

CERT/CC CONTACT INFORMATION

Email: cert@cert.org
Phone: +1 412–268–7090 (24-hour hotline)
Fax: +1 412–268–6989
Postal address:

CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213–3890
U.S.A.

    CERT personnel answer the hotline 08:00–20:00 EST(GMT–5) / EDT(GMT–4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.

Using encryption

    We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from http://www.cert.org/CERT_PGP.key

    If you prefer to use DES, please call the CERT hotline for more information.

Getting security information

    CERT publications and other security information are available from our web site http://www.cert.org/

    To be added to our mailing list for advisories and bulletins, send email to cert-advisory-request@cert.org and include SUBSCRIBE your-email-address in the subject of your message.

    Copyright 2000 Carnegie Mellon University.

    Conditions for use, disclaimers, and sponsorship information can be found in http://www.cert.org/legal_stuff.html

    * ''CERT'' and ''CERT Coordination Center'' are registered in the U.S. Patent and Trademark Office.

    NO WARRANTY
    Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an ''as is'' basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.

CERT Advisory CA–99–17 Denial-of-Service Tools

Original release date: December 28, 1999, 15:00 EST (GMT –0500)
Last Updated: December 28, 1999, 20:00 EST (GMT –0500)
Source: CERT/CC

    A complete revision history is at the end of this file.

Systems Affected

 All systems connected to the Internet can be affected by denial-of-service attacks. Tools that run on a variety of UNIX and UNIX-like systems and Windows NT systems have recently been released to facilitate denial-of-service attacks. Additionally, some MacOS systems can be used as traffic amplifiers to conduct a denial-of-service attack.

I. DESCRIPTION

New Distributed Denial-of-Service Tools

    Recently, new techniques for executing denial-of-service attacks have been made public. A tool similar to Tribe FloodNet (TFN), called Tribe FloodNet 2K (TFN2K) was released. Tribe FloodNet is described in http://www.cert.org/incident_notes/IN-99-07.html#tfn.

    Like TFN, TFN2K is designed to launch coordinated denial-of-service attacks from many sources against one or more targets simultaneously. It includes features designed specifically to make TFN2K traffic difficult to recognize and filter, to remotely execute commands, to obfuscate the true source of the traffic, to transport TFN2K traffic over multiple transport protocols including UDP, TCP, and ICMP, and features to confuse attempts to locate other nodes in a TFN2K network by sending ''decoy'' packets.

    TFN2K is designed to work on various UNIX and UNIX-like systems and Windows NT.

    TFN2K obfuscates the true source of attacks by spoofing IP addresses. In networks that employ ingress filtering as described in [1], TFN2K can forge packets that appear to come from neighboring machines.

    Like TFN, TFN2K can flood networks by sending large amounts of data to the victim machine. Unlike TFN, TFN2K includes attacks designed to crash or introduce instabilities in systems by sending malformed or invalid packets. Some attacks like this are described in

http://www.cert.org/advisories/CA-98-13-tcp-denial-of-service.html

http://www.cert.org/advisories/CA-97.28.Teardrop_Land.html

    Also like TFN, TFN2K uses a client-server architecture in which a single client, under the control of an attacker, issues commands simultaneously to a set of TFN2K servers. The servers then conduct the denial-of-service attacks against the victim(s). Installing the server requires that an intruder first compromise a machine by different means.

Asymmetric traffic from MacOS 9

    MacOS 9 can be abused by an intruder to generate a large volume of traffic directed at a victim in response to a small amount of traffic produced by an intruder. This allows an intruder to use MacOS 9 as a ''traffic amplifier,'' and flood victims with traffic. According to [3], an intruder can use this asymmetry to ''amplify'' traffic by a factor of approximately 37.5, thus enabling an intruder with limited bandwidth to flood a much larger connection. This is similar in effect and structure to a ''smurf'' attack, described in http://www.cert.org/advisories/CA-98.01.smurf.html

    Unlike a smurf attack, however, it is not necessary to use a directed broadcast to achieve traffic amplification.

II. IMPACT

    Intruders can flood networks with overwhelming amounts of traffic or cause machines to crash or otherwise become unstable.

III. SOLUTION

    The problem of distributed denial-of-service attacks is discussed at length in [2], available at http://www.cert.org/reports/dsit_workshop.pdf

    Managers, system administrators, Internet Service Providers (ISPs) and Computer Security Incident Response Teams (CSIRTs) are encouraged to read this document to gain a broader understanding of the problem.

For the ultimate victim of distributed denial-of-service attacks

    Preparation is crucial. The victim of a distributed denial-of-service attack has little recourse using currently available technology to respond to an attack in progress. According to [2]:

The impact upon your site and operations is dictated by the (in)security of other sites and the ability of a remote attacker to implant the tools and subsequently to control and direct multiple systems worldwide to launch an attack.

    Sites are strongly encouraged to develop the relationships and capabilities described in [2] before you are a victim of a distributed denial-of-service attack.

For all Internet Sites

    System and network administrators are strongly encouraged to follow the guidelines listed in [2]. In addition, sites are encouraged to implement ingress filtering as described in [1]. CERT/CC recommends implementing such filtering on as many routers as practical. This method is not foolproof, as mentioned in [1]:

While the filtering method discussed in this document does absolutely nothing to protect against flooding attacks which originate from valid prefixes (IP addresses), it will prohibit an attacker within the originating network from launching an attack of this nature using forged source addresses that do not conform to ingress filtering rules.

    Because TFN2K implements features designed specifically to take advantage of the granularity of ingress filtering rules, the method described in [1] means that sites may only be able to determine the network or subnet from which an attack originated.

    Sites using manageable hubs or switches that can track which IP addresses have been seen at a particular port or which can restrict which MAC addresses can be used on a particular port may be able to further identify which machine(s) is responsible for TFN2K traffic. For further information, consult the documentation for your particular hub or switch.

    The widespread use of this type of filtering can significantly reduce the ability of intruders to use spoofed packets to compromise or disrupt systems.
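The caveat above (ingress filtering stops forged sources from outside the originating prefix, but not a source forged to look like a neighbour inside it, which is exactly what the TFN2K feature described earlier exploits) can be seen in a small model of the RFC 2267 check. This is an added example, not code from the advisory or from any router vendor; the interface name `eth1`, the customer prefix and the packets are constructed using RFC 5737 documentation addresses.

```python
"""Ingress filter check in the spirit of RFC 2267 (reference [1] above).
Added example, not code from the advisory; the interface name, prefixes and
packets below are constructed (RFC 5737 documentation addresses)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str         # source address as written in the IP header
    dst: str
    ingress_if: str  # router interface the packet arrived on


class IngressFilter:
    """Each customer-facing interface maps to the prefixes legitimately
    sourced behind it; anything else arriving there is forged or misrouted."""

    def __init__(self, allowed_by_interface):
        self.allowed = {
            ifname: [ipaddress.ip_network(p) for p in prefixes]
            for ifname, prefixes in allowed_by_interface.items()
        }

    def permits(self, pkt):
        prefixes = self.allowed.get(pkt.ingress_if)
        if prefixes is None:
            return False  # unknown interface: fail closed
        src = ipaddress.ip_address(pkt.src)
        return any(src in prefix for prefix in prefixes)

    def classify(self, packets):
        return [(p, "forward" if self.permits(p) else "drop") for p in packets]


# Constructed topology: one customer behind eth1 owning 192.0.2.0/24.
ROUTER = IngressFilter({"eth1": ["192.0.2.0/24"]})

SAMPLE = [
    Packet("192.0.2.10", "198.51.100.5", "eth1"),   # genuine customer host
    Packet("203.0.113.7", "198.51.100.5", "eth1"),  # source forged from outside the prefix
    Packet("192.0.2.77", "198.51.100.5", "eth1"),   # source forged to look like a neighbour inside the prefix
    Packet("192.0.2.10", "198.51.100.5", "eth9"),   # interface with no filter entry
]


def run_demo():
    """Verdict per (source, interface); the in-prefix forgery is the one the
    advisory says ingress filtering cannot catch."""
    return {(p.src, p.ingress_if): v for p, v in ROUTER.classify(SAMPLE)}


if __name__ == "__main__":
    for (src, ifname), verdict in run_demo().items():
        print(f"{src:>12} via {ifname}: {verdict}")
```

The third packet is forwarded: the filter only narrows the search to the customer's prefix, which is why the advisory points to per-port address tracking on hubs and switches as the next step for pinning down the actual machine.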

Preventing your site from being used by intruders

    TFN2K and similar tools rely on the ability of intruders to install the client. Preventing your system from being used to install the client will help prevent intruders from using your systems to launch denial-of-service attacks (in addition to whatever damage they may cause to your systems).

    Popular recent attacks can be found at http://www.cert.org/current/current_activity.html

    Sites are encouraged to regularly visit this page and address any issues found there.

For the ''Mac Attack''

    Apple has developed a patch, as described in Appendix A. Please see the information there.

    Appendix A contains information provided by vendors for this advisory. We will update the appendix as we receive or develop more information. If you do not see your vendor's name in Appendix A, the CERT/CC did not hear from that vendor. Please contact your vendor directly.

APPENDIX A. VENDOR INFORMATION

Apple Computer

    OT Tuner 1.0 switches off an option in Open Transport that would cause a Macintosh to respond to certain small network packets with a large Internet Control Message Protocol (ICMP) packet. This update prevents Macintosh computers from being the cause of certain types of Denial of Service (DOS) issues.

    The update is available from our software update server at http://asu.info.apple.com/swupdates.nsf/artnum/n11559

    In addition, it will soon be available via the automatic update feature that is part of Mac OS 9.

References

    [1] RFC2267, Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing, P. Ferguson, D. Senie, The Internet Society, January, 1998, available at http://info.internet.isi.edu:80/in-notes/rfc/files/rfc2267.txt

    [2] Results of the Distributed-Systems Intruder Tools Workshop, The CERT Coordination Center, December, 1999, available at http://www.cert.org/reports/dsit_workshop.pdf

    [3] The ''Mac Attack,'' a Scheme for Blocking Internet Connections, John A. Copeland, December, 1999, available at http://www.csc.gatech.edu/copeland. Temporary alternate URL: http://people.atl.mediaone.net/jacopeland

    The CERT Coordination Center thanks Jeff Schiller of the Massachusetts Institute of Technology, Professor John Copeland and Jim Hendricks of the Georgia Institute of Technology, Jim Ellis of Sun Microsystems, Wietse Venema of IBM, Rick Forno of Network Solutions, Inc., Dave Dittrich of the University of Washington, Steve Bellovin of AT&T, Jim Duncan and John Bashinski of Cisco Systems, and MacInTouch for input and technical assistance used in the construction of this advisory.

    This document is available from: http://www.cert.org/advisories/CA-99-17-denial-of-service-tools.html

CERT/CC CONTACT INFORMATION

Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:

CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.

    CERT personnel answer the hotline 08:00-20:00 EST (GMT-5) / EDT (GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.

Using encryption

    We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from http://www.cert.org/CERT_PGP.key

    If you prefer to use DES, please call the CERT hotline for more information.

Getting security information

    CERT publications and other security information are available from our web site http://www.cert.org/

    To be added to our mailing list for advisories and bulletins, send email to cert-advisory-request@cert.org and include SUBSCRIBE your-email-address in the subject of your message.

    Copyright 1999 Carnegie Mellon University.
    Conditions for use, disclaimers, and sponsorship information can be found in http://www.cert.org/legal_stuff.html

    * ''CERT'' and ''CERT Coordination Center'' are registered in the U.S. Patent and Trademark Office.

    NO WARRANTY
    Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an ''as is'' basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.

Revision History

    December 28, 1999: Initial release

    December 28, 1999: Added information regarding a patch from Apple

CERT Incident Note IN-99-07

    The CERT Coordination Center publishes incident notes to provide information about incidents to the Internet community.

DISTRIBUTED DENIAL OF SERVICE TOOLS

    Thursday, November 18, 1999
    Updated: December 8, 1999 (added DSIT Workshop paper and IN-99-05)

Overview

    We have received reports of intruders installing distributed denial of service tools. Tools we have encountered utilize distributed technology to create large networks of hosts capable of launching large coordinated packet flooding denial of service attacks.

    We have seen distributed tools installed on hosts that have been compromised due to exploitation of known vulnerabilities. In particular, we have seen vulnerabilities in various RPC services exploited. For more information see the following CERT Incident Notes:

IN-99-04, Similar Attacks Using Various RPC Services

IN-99-05, Systems Compromised Through a Vulnerability in am-utils

    Two of the tools we have seen are known as trinoo (or trin00) and tribe flood network (or TFN). These tools appear to be undergoing active development, testing, and deployment on the Internet.

Descriptions

 Trinoo

 Tribe Flood Network

Trinoo

    Trinoo is a distributed tool used to launch coordinated UDP flood denial of service attacks from many sources. For more information about various UDP flood attacks, please see CERT Advisory CA-96.01. A trinoo network consists of a small number of servers, or masters, and a large number of clients, or daemons.

    A denial of service attack utilizing a trinoo network is carried out by an intruder connecting to a trinoo master and instructing that master to launch a denial of service attack against one or more IP addresses. The trinoo master then communicates with the daemons giving instructions to attack one or more IP addresses for a specified period of time.

1. intruder ------ master; destination port 27665/tcp

2. master ------ daemons; destination port 27444/udp

3. daemons ------ UDP flood to target with randomized destination ports

    The binary for the trinoo daemon contains IP addresses for one or more trinoo masters. When the trinoo daemon is executed, the daemon announces its availability by sending a UDP packet containing the string ''*HELLO*'' to its programmed trinoo master IP addresses.

daemon ------ masters; destination port 31335/udp

    The trinoo master stores a list of known daemons in an encrypted file named ''. . .'' in the same directory as the master binary. The trinoo master can be instructed to send a broadcast request to all known daemons to confirm availability. Daemons receiving the broadcast respond to the master with a UDP packet containing the string ''PONG''.

    1. intruder ------ master; destination port 27665/tcp

    2. master ------ daemons; destination port 27444/udp

    3. daemons ------ master; destination port 31335/udp

    All communications to the master on port 27665/tcp require a password, which is stored in the daemon binary in encrypted form. All communications with the daemon on port 27444/udp require the UDP packet to contain the string ''l44'' (that's a lowercase L, not a one).

    The source IP addresses of the packets in a trinoo-generated UDP flood attack are not spoofed in versions of the tool we have seen. Future versions of the tool could implement IP source address spoofing. Regardless, a trinoo-generated denial of service attack will most likely appear to come from a large number of different source addresses.

    We have seen trinoo daemons installed under a variety of different names, but most commonly as

 ns

 http

 rpc.trinoo

 rpc.listen

 trinix

 rpc.irix

 irix

    Running strings against the daemon and master binaries produces output similar to this (we have replaced master IP address references in the daemon binary with X.X.X.X)

Table 1

Tribe Flood Network

    TFN, much like Trinoo, is a distributed tool used to launch coordinated denial of service attacks from many sources against one or more targets. In addition to being able to generate UDP flood attacks, a TFN network can also generate TCP SYN flood, ICMP echo request flood, and ICMP directed broadcast (e.g., smurf) denial of service attacks. TFN has the capability to generate packets with spoofed source IP addresses. Please see the following CERT Advisories for more information about these types of denial of service attacks.

CA-96.01, TCP SYN Flooding and IP Spoofing Attacks

CA-98.01, ''smurf'' IP Denial of Service Attacks

    A denial of service attack utilizing a TFN network is carried out by an intruder instructing a client, or master, program to send attack instructions to a list of TFN servers, or daemons. The daemons then generate the specified type of denial of service attack against one or more target IP addresses. Source IP addresses and source ports can be randomized, and packet sizes can be altered.

    A TFN master is executed from the command line to send commands to TFN daemons. The master communicates with the daemons using ICMP echo reply packets with 16 bit binary values embedded in the ID field, and any arguments embedded in the data portion of the packet. The binary values, which are definable at compile time, represent the various instructions sent between TFN masters and daemons.

    Use of the TFN master requires an intruder-supplied list of IP addresses for the daemons. Some reports indicate recent versions of TFN master may use blowfish encryption to conceal the list of daemon IP addresses. Reports also indicate that TFN may have remote file copy (e.g., rcp) functionality, perhaps for use for automated deployment of new TFN daemons and/or software version updating in existing TFN networks.

    We have seen TFN daemons installed on systems using the filename td. Running strings on the TFN daemon binary produces output similar to this.

%d.%d.%d.%d

ICMP

Error sending syn packet.

tc: unknown host

3.3.3.3

mservers

randomsucks

skillz

rm -rf %s

ttymon

rcp %s@%s:sol.bin %s

nohup ./%s

X.X.X.X

X.X.X.X

lpsched

sicken

in.telne

Solutions

    Distributed attack tools leverage bandwidth from multiple systems on diverse networks to produce very potent denial of service attacks. To a victim, an attack may appear to come from many different source addresses, whether or not IP source address spoofing is employed by the attacker. Responding to a distributed attack requires a high degree of communication between Internet sites. Prevention is not straightforward because of the interdependency of site security on the Internet; the tools are typically installed on compromised systems that are outside of the administrative control of eventual denial of service attack targets.

    There are some basic suggestions we can make regarding distributed denial of service attacks:

 Prevent installation of distributed attack tools on your systems
  Remain current with security-related patches to operating systems and application software. Follow security best practices when administering networks and systems.

 Prevent origination of IP packets with spoofed source addresses
  For a discussion of network ingress filtering, refer to
    RFC 2267, Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing

 Monitor your network for signatures of distributed attack tools
  Sites using intrusion detection systems (IDS) may wish to establish patterns to look for that might indicate trinoo or TFN activity, based on the communications between the master and daemon portions of the tools. Sites that use proactive network scanning may wish to include tests for installed daemons and/or masters when scanning systems on their network.

 If you find a distributed attack tool on your systems
  It is important to determine the role of the tools installed on your system. The piece you find may provide information that is useful in locating and disabling other parts of distributed attack networks. We encourage you to identify and contact other sites involved.

 If you are involved in a denial of service attack
  Due to the potential magnitude of denial of service attacks generated by distributed networks of tools, the target of an attack may be unable to rely on Internet connectivity for communications during an attack. Be sure your security policy includes emergency out-of-band communications procedures with upstream network operators or emergency response teams in the event of a debilitating attack.
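The ''monitor your network for signatures'' suggestion can be turned into concrete matching logic using only the indicators this incident note gives: trinoo's 27665/tcp, 27444/udp and 31335/udp ports with the ''l44'', ''*HELLO*'' and ''PONG'' strings, and TFN's use of ICMP echo replies as a command channel (the ID values vary per build, so the observable is an echo reply that no request solicited). The following is an added example, not code from CERT/CC or from any IDS product; the record format, the `Rec` field names and the sample records are constructed rather than taken from a real capture.

```python
"""Matching trinoo and TFN control traffic against the indicators given in
this incident note. Added example; the record format and the sample records
are constructed, not a real capture."""
from dataclasses import dataclass


@dataclass
class Rec:
    proto: str           # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    payload: bytes = b""
    icmp_type: int = -1  # 8 = echo request, 0 = echo reply
    icmp_id: int = 0


class DDoSToolDetector:
    def __init__(self):
        # (requester, responder, id) of echo requests seen, so replies can be matched
        self.echo_requests = set()

    def inspect(self, r):
        """Alert strings for one record; empty list when nothing matched."""
        alerts = []
        if r.proto == "tcp" and r.dport == 27665:
            alerts.append(f"trinoo control: {r.src} -> master {r.dst} (27665/tcp)")
        elif r.proto == "udp" and r.dport == 27444 and b"l44" in r.payload:
            alerts.append(f"trinoo command: master {r.src} -> daemon {r.dst} (27444/udp)")
        elif r.proto == "udp" and r.dport == 31335 and r.payload in (b"*HELLO*", b"PONG"):
            alerts.append(f"trinoo daemon {r.src} -> master {r.dst}: {r.payload.decode()}")
        elif r.proto == "icmp":
            if r.icmp_type == 8:
                self.echo_requests.add((r.src, r.dst, r.icmp_id))
            elif r.icmp_type == 0 and (r.dst, r.src, r.icmp_id) not in self.echo_requests:
                # TFN masters drive daemons with echo replies; a reply nobody asked
                # for is the observable, since the ID values differ per build.
                alerts.append(f"unsolicited ICMP echo reply {r.src} -> {r.dst} id={r.icmp_id}")
        return alerts

    def scan(self, records):
        found = []
        for r in records:
            found.extend(self.inspect(r))
        return found


# Constructed records (RFC 5737 addresses): three trinoo exchanges, one normal
# ping request/reply pair, one unsolicited echo reply and one ordinary DNS query.
SAMPLE = [
    Rec("tcp", "203.0.113.9", "198.51.100.20", 40000, 27665),
    Rec("udp", "198.51.100.20", "198.51.100.30", 1025, 27444, b"l44 example-command"),
    Rec("udp", "198.51.100.30", "198.51.100.20", 1026, 31335, b"*HELLO*"),
    Rec("icmp", "198.51.100.40", "198.51.100.50", icmp_type=8, icmp_id=777),
    Rec("icmp", "198.51.100.50", "198.51.100.40", icmp_type=0, icmp_id=777),
    Rec("icmp", "203.0.113.9", "198.51.100.30", icmp_type=0, icmp_id=456),
    Rec("udp", "198.51.100.40", "198.51.100.53", 33000, 53, b"\x12\x34\x01\x00"),
]


def run_demo():
    return DDoSToolDetector().scan(SAMPLE)


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

Stateful matching matters for the ICMP rule: the solicited reply in the sample is silent because its request was seen first, while the reply with no matching request is reported. In practice the request table needs ageing, and the port-based rules will miss rebuilt tools that change their ports, which is why the note pairs signature monitoring with host scanning for installed daemons.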

    In November 1999, experts addressed issues surrounding distributed-systems intruder tools. The DSIT Workshop produced a paper where workshop participants examine the use of distributed-system intruder tools and provide information about protecting systems from attack by the tools, detecting the use of the tools, and responding to attacks.

    Results of the Distributed-Systems Intruder Tools Workshop

Acknowledgments

    The CERT/CC would like to acknowledge and thank our constituency and our peers for important contributions to the information used in this Incident Note.

CERT Coordination Center

DENIAL OF SERVICE

1. Description

    This document provides a general overview of attacks in which the primary goal of the attack is to deny the victim(s) access to a particular resource. Included is information that may help you respond to such an attack.

    A ''denial-of-service'' attack is characterized by an explicit attempt by attackers to prevent legitimate users of a service from using that service. Examples include

 attempts to ''flood'' a network, thereby preventing legitimate network traffic

 attempts to disrupt connections between two machines, thereby preventing access to a service

 attempts to prevent a particular individual from accessing a service

 attempts to disrupt service to a specific system or person

    Not all service outages, even those that result from malicious activity, are necessarily denial-of-service attacks. Other types of attack may include a denial of service as a component, but the denial of service may be part of a larger attack.

    Illegitimate use of resources may also result in denial of service. For example, an intruder may use your anonymous ftp area as a place to store illegal copies of commercial software, consuming disk space and generating network traffic.

2. Impact

    Denial-of-service attacks can essentially disable your computer or your network. Depending on the nature of your enterprise, this can effectively disable your organization.

    Some denial-of-service attacks can be executed with limited resources against a large, sophisticated site. This type of attack is sometimes called an ''asymmetric attack.'' For example, an attacker with an old PC and a slow modem may be able to disable much faster and more sophisticated machines or networks.

3. Modes of Attack

    Denial-of-service attacks come in a variety of forms and aim at a variety of services. There are three basic types of attack:

 consumption of scarce, limited, or non-renewable resources

 destruction or alteration of configuration information

 physical destruction or alteration of network components

A. Consumption of Scarce Resources

    Computers and networks need certain things to operate: network bandwidth, memory and disk space, CPU time, data structures, access to other computers and networks, and certain environmental resources such as power, cool air, or even water.

1. Network Connectivity

  Denial-of-service attacks are most frequently executed against network connectivity. The goal is to prevent hosts or networks from communicating on the network. An example of this type of attack is the ''SYN flood'' attack described in

ftp://info.cert.org/pub/cert_advisories/CA-96.21.tcp_syn_flooding

  In this type of attack, the attacker begins the process of establishing a connection to the victim machine, but does it in such a way as to prevent the ultimate completion of the connection. In the meantime, the victim machine has reserved one of a limited number of data structures required to complete the impending connection. The result is that legitimate connections are denied while the victim machine is waiting to complete bogus ''half-open'' connections.

  You should note that this type of attack does not depend on the attacker being able to consume your network bandwidth. In this case, the intruder is consuming kernel data structures involved in establishing a network connection. The implication is that an intruder can execute this attack from a dial-up connection against a machine on a very fast network. (This is a good example of an asymmetric attack.)
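The asymmetry described in the two paragraphs above comes from the arithmetic of the half-open table: once the table is full, an attacker only needs to send one new SYN per slot per timeout period to keep it full. The following model, an added example with constructed parameters (a 128-entry table, a 75-second timeout, a 2 SYN/s attacker) rather than figures from the advisory, shows a legitimate client being refused once the table fills and shows that an attacker below the sustaining rate never gets there.

```python
"""Model of the half-open connection table a SYN flood exhausts. Added
example with constructed parameters (backlog size, timeout, rates), not
figures from the advisory; it shows why a slow link suffices."""
import heapq


class Listener:
    """A listening socket with a bounded table of half-open connections."""

    def __init__(self, backlog, timeout):
        self.backlog = backlog      # max half-open entries
        self.timeout = timeout      # seconds before an unfinished entry is discarded
        self.half_open = []         # heap of (expiry_time, conn_id)
        self.refused = 0

    def _expire(self, now):
        while self.half_open and self.half_open[0][0] <= now:
            heapq.heappop(self.half_open)

    def syn(self, now, conn_id):
        """First handshake packet: reserve a slot, or refuse if the table is full."""
        self._expire(now)
        if len(self.half_open) >= self.backlog:
            self.refused += 1
            return False
        heapq.heappush(self.half_open, (now + self.timeout, conn_id))
        return True

    def ack(self, now, conn_id):
        """Third handshake packet: completing the connection frees its slot."""
        self._expire(now)
        for i, (_, cid) in enumerate(self.half_open):
            if cid == conn_id:
                self.half_open.pop(i)
                heapq.heapify(self.half_open)
                return True
        return False  # no half-open entry: the SYN was refused or timed out


def sustain_rate(backlog, timeout):
    """SYNs per second that keep the table full once it has filled: backlog / timeout."""
    return backlog / timeout


def simulate(backlog=128, timeout=75.0, attack_rate=2.0, duration=300.0, client_every=10.0):
    """Forged-source SYNs arrive at attack_rate per second and never complete;
    one legitimate client sends a SYN every client_every seconds and finishes
    its handshake 0.1 s later. Returns (client_attempts, client_accepted)."""
    listener = Listener(backlog, timeout)
    events = [(k / attack_rate, 0, "atk_syn", k) for k in range(int(duration * attack_rate))]
    t, m = 0.0, 0
    while t < duration:
        events.append((t, 1, "cli_syn", m))
        events.append((t + 0.1, 1, "cli_ack", m))
        t += client_every
        m += 1
    events.sort()
    attempts = accepted = 0
    for now, _, kind, ident in events:
        if kind == "atk_syn":
            listener.syn(now, ("atk", ident))      # forged source: never completes
        elif kind == "cli_syn":
            attempts += 1
            listener.syn(now, ("cli", ident))
        elif kind == "cli_ack" and listener.ack(now, ("cli", ident)):
            accepted += 1
    return attempts, accepted


if __name__ == "__main__":
    print("sustaining rate:", sustain_rate(128, 75.0), "SYN/s")
    print("2 SYN/s attacker:", simulate())
    print("1 SYN/s attacker:", simulate(attack_rate=1.0))
```

With these parameters the table is full after 64 seconds and the client is refused from then on, while an attacker sending one SYN per second (below 128/75 per second) never fills it. Two 40-byte SYNs per second is well within a dial-up link, which is the sense in which the attack is asymmetric; a larger table or a shorter timeout raises the sustaining rate but does not remove the bound.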

    2. Using Your Own Resources Against You

  An intruder can also use your own resources against you in unexpected ways. One example is described in

ftp://info.cert.org/pub/cert_advisories/CA-96.01.UDP_service_denial

  In this attack, the intruder uses forged UDP packets to connect the echo service on one machine to the chargen service on another machine. The result is that the two services consume all available network bandwidth between them. Thus, the network connectivity for all machines on the same networks as either of the targeted machines may be affected.

3. Bandwidth Consumption

  An intruder may also be able to consume all the available bandwidth on your network by generating a large number of packets directed to your network. Typically, these packets are ICMP ECHO packets, but in principle they may be anything. Further, the intruder need not be operating from a single machine; he may be able to coordinate or co-opt several machines on different networks to achieve the same effect.

4. Consumption of Other Resources

  In addition to network bandwidth, intruders may be able to consume other resources that your systems need in order to operate. For example, in many systems, a limited number of data structures are available to hold process information (process identifiers, process table entries, process slots, etc.). An intruder may be able to consume these data structures by writing a simple program or script that does nothing but repeatedly create copies of itself. Many modern operating systems have quota facilities to protect against this problem, but not all do. Further, even if the process table is not filled, the CPU may be consumed by a large number of processes and the associated time spent switching between processes. Consult your operating system vendor or operating system manuals for details on available quota facilities for your system.

  An intruder may also attempt to consume disk space in other ways, including

 generating excessive numbers of mail messages. For more information, please see

    ftp://info.cert.org/pub/tech_tips/email_bombing_spamming

 intentionally generating errors that must be logged

 placing files in anonymous ftp areas or network shares. For information on proper configuration for anonymous ftp, please see

    ftp://info.cert.org/pub/tech_tips/anonymous_ftp_config

  In general, anything that allows data to be written to disk can be used to execute a denial-of-service attack if there are no bounds on the amount of data that can be written.

  Also, many sites have schemes in place to ''lock out'' an account after a certain number of failed login attempts. A typical setup locks out an account after 3 or 5 failed login attempts. An intruder may be able to use this scheme to prevent legitimate users from logging in. In some cases, even privileged accounts, such as root or administrator, may be subject to this type of attack. Be sure you have a method to gain access to the systems under emergency circumstances. Consult your operating system vendor or your operating system's manual for details on lockout facilities and emergency entry procedures.

  An intruder may be able to cause your systems to crash or become unstable by sending unexpected data over the network. An example of such an attack is described in

ftp://info.cert.org/pub/cert_advisories/CA-96.26.ping

  If your systems are experiencing frequent crashes with no apparent cause, it could be the result of this type of attack.

  There are other things that may be vulnerable to denial of service that you may wish to monitor. These include

 printers

 tape devices

 network connections

 other limited resources important to the operation of your organization

B. Destruction or Alteration of Configuration Information

    An improperly configured computer may not perform well or may not operate at all. An intruder may be able to alter or destroy configuration information that prevents you from using your computer or network.

    For example, if an intruder can change the routing information in your routers, your network may be disabled. If an intruder is able to modify the registry on a Windows NT machine, certain functions may be unavailable.

    For information on configuring UNIX machines, see

ftp://info.cert.org/pub/tech_tips/UNIX_configuration_guidelines

    For information on configuring Microsoft Windows NT machines, please see

http://www.microsoft.com/security/

C. Physical Destruction or Alteration of Network Components

    The primary concern with this type of attack is physical security. You should guard against unauthorized access to computers, routers, network wiring closets, network backbone segments, power and cooling stations, and any other critical components of your network.

    Physical security is a prime component in guarding against many types of attacks in addition to denial of service. For information on securing the physical components of your network, we encourage you to consult local or national law enforcement agencies or private security companies.

4. Prevention and Response

    Denial-of-service attacks can result in significant loss of time and money for many organizations. We strongly encourage sites to consider the extent to which their organization could afford a significant service outage and to take steps commensurate with the risk.

    We encourage you to consider the following options with respect to your needs:

 Implement router filters as described in Appendix A of CA-96.21.tcp_syn_flooding, referenced above. This will lessen your exposure to certain denial-of-service attacks. Additionally, it will aid in preventing users on your network from effectively launching certain denial-of-service attacks.

 If they are available for your system, install patches to guard against TCP SYN flooding as described in CA-96.21.tcp_syn_flooding, referenced above. This will substantially reduce your exposure to these attacks but may not eliminate the risk entirely.

 Disable any unused or unneeded network services. This can limit the ability of an intruder to take advantage of those services to execute a denial-of-service attack.

 Enable quota systems on your operating system if they are available. For example, if your operating system supports disk quotas, enable them for all accounts, especially accounts that operate network services. In addition, if your operating system supports partitions or volumes (i.e., separately mounted file systems with independent attributes) consider partitioning your file system so as to separate critical functions from other activity.

 Observe your system performance and establish baselines for ordinary activity. Use the baseline to gauge unusual levels of disk activity, CPU usage, or network traffic.

 Routinely examine your physical security with respect to your current needs. Consider servers, routers, unattended terminals, network access points, wiring closets, environmental systems such as air and power, and other components of your system.

 Use Tripwire or a similar tool to detect changes in configuration information or other files. For more information, see

ftp://info.cert.org/pub/tech_tips/security_tools

 Invest in and maintain ''hot spares'': machines that can be placed into service quickly in the event that a similar machine is disabled.

 Invest in redundant and fault-tolerant network configurations.

 Establish and maintain regular backup schedules and policies, particularly for important configuration information.

 Establish and maintain appropriate password policies, especially access to highly privileged accounts such as UNIX root or Microsoft Windows NT Administrator.
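The ''establish baselines for ordinary activity'' item above is the one most often left as advice without a method. As an added example (not code from CERT/CC, with per-minute packet counts that are constructed rather than measured), the block below builds a baseline from a quiet window and reports minutes that deviate from it in either direction, since a saturated link or a crashed daemon shows up as silence rather than as a burst.

```python
"""Baseline-and-deviation check for the recommendation to observe system
performance and establish baselines. Added example; the per-minute packet
counts are constructed, not measured from any site."""
import statistics


def build_baseline(samples):
    """Mean and population standard deviation of a window of normal activity."""
    mean = statistics.mean(samples)
    stdev = statistics.pstdev(samples) or 1.0  # a perfectly flat baseline must not divide by zero
    return mean, stdev


def flag_anomalies(baseline, observed, k=4.0):
    """(index, value, z) for observations at least k standard deviations from
    the mean. Drops are reported as well as spikes."""
    mean, stdev = baseline
    hits = []
    for i, value in enumerate(observed):
        z = (value - mean) / stdev
        if abs(z) >= k:
            hits.append((i, value, round(z, 1)))
    return hits


# Constructed: ten quiet minutes for training, then a window with a flood
# in minutes 3-4 and a dead link in minute 6.
TRAINING = [980, 1010, 1005, 995, 1020, 990, 1000, 1015, 985, 1000]
OBSERVED = [1003, 998, 1012, 19500, 22100, 1001, 0, 1007]


def run_demo():
    return flag_anomalies(build_baseline(TRAINING), OBSERVED)


if __name__ == "__main__":
    mean, stdev = build_baseline(TRAINING)
    print(f"baseline: mean={mean} stdev={stdev:.1f}")
    for minute, value, z in run_demo():
        print(f"minute {minute}: {value} packets (z={z})")
```

The threshold `k` and the training window are the tuning knobs: a baseline taken during a busy period will hide a moderate flood, and one taken overnight will page on the morning's normal load, so baselines need to be kept per time of day and refreshed as the site changes.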

    Many organizations can suffer financial loss as a result of a denial-of-service attack and may wish to pursue criminal or civil charges against the intruder. For legal advice, we recommend that you consult with your legal counsel and law enforcement.

    U.S. sites interested in an investigation of a denial-of-service attack can contact their local FBI field office for guidance and information. For contact information for your local FBI field office, please consult your local telephone directory or see the FBI's field offices web page:

http://www.fbi.gov/fo/fo.htm

    For more information, please see the web page of the FBI National Computer Crime Squad (NCCS):

http://www.fbi.gov/programs/nccs/compcrim.htm

    Non-U.S. sites may want to discuss the activity with their local law enforcement agency to determine the appropriate steps that should be taken with regard to pursuing an investigation.

    If you are interested in determining the source of certain types of denial-of-service attack, it may require the cooperation of your network service provider and the administration of the networks involved. Tracking an intruder this way may not always be possible. If you are interested in trying to do so, contact your service provider directly. The CERT(*) Coordination Center is not able to provide this type of assistance. We do encourage you to report your experiences, however. This helps us understand the nature and scope of security incidents on the Internet, and we may be able to relate your report to other activity that has been reported to us.

    This document is available from: http://www.cert.org/tech_tips/denial_of_service.html

CERT/CC CONTACT INFORMATION

Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.

    CERT personnel answer the hotline 08:00-20:00 EST (GMT-5) / EDT (GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.

Using encryption

    We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from http://www.cert.org/CERT_PGP.key

    If you prefer to use DES, please call the CERT hotline for more information.

Getting security information

    CERT publications and other security information are available from our web site http://www.cert.org/

    To be added to our mailing list for advisories and bulletins, send email to cert-advisory-request@cert.org and include SUBSCRIBE your-email-address in the subject of your message.

    Copyright 1999 Carnegie Mellon University. Conditions for use, disclaimers, and sponsorship information can be found in http://www.cert.org/legal_stuff.html

    * ''CERT'' and ''CERT Coordination Center'' are registered in the U.S. Patent and Trademark Office.

    NO WARRANTY
    Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an ''as is'' basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.

Revision History

    Oct 02, 1997 Initial Release

    Feb 12, 1999 Converted to new web format

CERT Incident Note IN–99–06

    The CERT Coordination Center publishes incident notes to provide information about incidents to the Internet community.

DISTRIBUTED NETWORK SNIFFER

    Monday, October 25, 1999

Overview

    We have received reports of intruders using distributed network sniffers to capture usernames and passwords. The distributed sniffer consists of a client and a server portion. The sniffer clients have been found exclusively on compromised Linux hosts.

Description

    The following characteristics may be present on compromised hosts running the sniffer client:

 The sniffer clients have been found exclusively on compromised Linux hosts. Some reports indicate a vulnerability in the cron daemon may be used to leverage privileged access. We suspect user accounts with compromised passwords may be used to gain initial access.

 The executing sniffer binary may appear in the process list using a deceptive name, such as in.telnetd. Here is an example of the client as found in a process list of a compromised host:

    in.telnetd ARGS=/sbin/init 59300 NO_MOD_PARMS=install
    ARGS=/USR/SBIN/CRON EMB= ARG=/tmp/passwd LOGHOST=xxx.xxx.xxx.xxx

    The value of LOGHOST appears to be one or more IP addresses for remote sniffer servers.

 The binary /sbin/init may be replaced with an intruder-supplied binary, with the original moved to /dev/init. The malicious /sbin/init binary makes use of kernel modules to conceal system changes. An existing /dev/init copy may be visible to stat() if its full path is given (e.g., ''ls -l /dev/init'').

 UDP packets containing username and password information may be sent to one or more remote sniffer servers using source port 21845/udp.

    The characteristics of the sniffer server include these:

 Appears to listen for incoming UDP packets from sniffer clients on port 21845/udp.

 May run as an ordinary user without privileges.
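The indicators listed above (the deceptive in.telnetd process carrying a LOGHOST= argument, UDP traffic with source port 21845, and a regular file left at /dev/init) can be checked mechanically. The following is an added example, not code from the incident note: it runs over constructed process-list and flow records (the IP addresses, PIDs and byte counts are made up) and cross-references the LOGHOST values against the destinations of 21845/udp flows.

```python
import os
import re
import stat

# Constructed sample of process-list output in the shape the incident note shows:
# a process calling itself in.telnetd but carrying LOGHOST= in its arguments.
SAMPLE_PS = """\
  PID TTY      STAT   TIME COMMAND
    1 ?        S      0:04 init [3]
  412 ?        S      0:00 /usr/sbin/sshd
  983 ?        S      0:12 in.telnetd ARGS=/sbin/init 59300 NO_MOD_PARMS=install ARGS=/USR/SBIN/CRON EMB= ARG=/tmp/passwd LOGHOST=192.0.2.10,198.51.100.4
 1020 ?        S      0:00 in.telnetd
"""

# Constructed UDP flow records as (src_ip, src_port, dst_ip, dst_port, bytes).
SAMPLE_FLOWS = [
    ("10.1.1.5", 21845, "192.0.2.10", 21845, 4800),
    ("10.1.1.5", 41002, "10.1.1.1", 53, 80),
    ("10.1.1.7", 21845, "198.51.100.4", 21845, 120),
    ("10.1.1.9", 21845, "10.1.1.1", 53, 64),  # same source port but a DNS query: reported, analyst decides
]

SNIFFER_PORT = 21845  # source port the note attributes to the sniffer client

# A genuine in.telnetd carries no LOGHOST= argument; the pattern keys on that.
PROC_RE = re.compile(r"\bin\.telnetd\b.*\bLOGHOST=(?P<hosts>[0-9.,]+)")


def find_sniffer_processes(ps_output):
    """Return [(pid, [loghost, ...])] for process-list lines matching the note's indicator."""
    hits = []
    for line in ps_output.splitlines():
        m = PROC_RE.search(line)
        if m:
            pid = int(line.split()[0])
            hits.append((pid, m.group("hosts").split(",")))
    return hits


def find_sniffer_flows(flows, client_port=SNIFFER_PORT):
    """Group flows whose UDP source port is the sniffer client's port by destination
    host, i.e. by the candidate remote sniffer server."""
    servers = {}
    for src, sport, dst, dport, nbytes in flows:
        if sport == client_port:
            servers.setdefault(dst, []).append((src, dport, nbytes))
    return servers


def check_dev_init(path="/dev/init"):
    """True if a regular file exists at the given path. The note says the original
    /sbin/init is moved to /dev/init and stays visible to stat() by full path;
    a regular file under /dev is itself anomalous."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return False
    return stat.S_ISREG(st.st_mode)


def correlate(ps_output, flows):
    """Cross-check LOGHOST values from the process list against destinations of
    21845/udp flows. A host in both is a strong indicator; either alone is a lead."""
    loghosts = {h for _, hosts in find_sniffer_processes(ps_output) for h in hosts}
    flow_dsts = set(find_sniffer_flows(flows))
    return {
        "confirmed_servers": sorted(loghosts & flow_dsts),
        "loghost_only": sorted(loghosts - flow_dsts),
        "flow_only": sorted(flow_dsts - loghosts),
    }


if __name__ == "__main__":
    print(find_sniffer_processes(SAMPLE_PS))
    print(correlate(SAMPLE_PS, SAMPLE_FLOWS))
    print("/dev/init present as a regular file:", check_dev_init())
```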

Solutions

    If you believe a host has been compromised, we encourage you to disconnect the host from the network and review our steps for recovering from a root compromise:

http://www.cert.org/tech_tips/root_compromise.html

    We encourage you to ensure that your hosts are current with security patches or work-arounds for well-known vulnerabilities.

CERT* ADVISORY CA–98.01

Original issue date: Jan. 05, 1998
Last revised: August 24, 1998 Updated vendor information for Data General Corporation.

A complete revision history is at the end of this file.

''SMURF'' IP DENIAL-OF-SERVICE ATTACKS

    This advisory is intended primarily for network administrators responsible for router configuration and maintenance.

    The attack described in this advisory is different from the denial-of-service attacks described in CERT advisory CA–97.28.

    The CERT Coordination Center has received reports from network service providers (NSPs), Internet service providers (ISPs), and other sites of continuing denial-of-service attacks involving forged ICMP echo request packets (commonly known as ''ping'' packets) sent to IP broadcast addresses. These attacks can result in large amounts of ICMP echo reply packets being sent from an intermediary site to a victim, which can cause network congestion or outages. These attacks have been referred to as ''smurf'' attacks because one of the exploit programs attackers use to execute this attack is called ''smurf.''

    The CERT/CC urges you to take the steps described in Section III to reduce the potential that your site can be used as the origination site (Sec. III.C) or an intermediary (Sec. III.A.) in this attack. Although there is no easy solution for victim sites, we provide some recommendations in Sec. III.B.

    We will update this advisory as we receive additional information. Please check our advisory files regularly for updates that relate to your site.

I. DESCRIPTION

    The two main components to the smurf denial-of-service attack are the use of forged ICMP echo request packets and the direction of packets to IP broadcast addresses.

    The Internet Control Message Protocol (ICMP) is used to handle errors and exchange control messages. ICMP can be used to determine if a machine on the Internet is responding. To do this, an ICMP echo request packet is sent to a machine. If a machine receives that packet, that machine will return an ICMP echo reply packet. A common implementation of this process is the ''ping'' command, which is included with many operating systems and network software packages. ICMP is used to convey status and error information including notification of network congestion and of other network transport problems. ICMP can also be a valuable tool in diagnosing host or network problems.

    On IP networks, a packet can be directed to an individual machine or broadcast to an entire network. When a packet is sent to an IP broadcast address from a machine on the local network, that packet is delivered to all machines on that network. When a packet is sent to that IP broadcast address from a machine outside of the local network, it is broadcast to all machines on the target network (as long as routers are configured to pass along that traffic).

    IP broadcast addresses are usually network addresses with the host portion of the address having all one bits. For example, the IP broadcast address for the network 10.0.0.0 is 10.255.255.255. If you have subnetted your class A network into 256 subnets, the IP broadcast address for the 10.50 subnet would be 10.50.255.255. Network addresses with all zeros in the host portion, such as 10.50.0.0, can also produce a broadcast response.

    In the ''smurf'' attack, attackers are using ICMP echo request packets directed to IP broadcast addresses from remote locations to generate denial-of-service attacks. There are three parties in these attacks: the attacker, the intermediary, and the victim (note that the intermediary can also be a victim).

    The intermediary receives an ICMP echo request packet directed to the IP broadcast address of their network. If the intermediary does not filter ICMP traffic directed to IP broadcast addresses, many of the machines on the network will receive this ICMP echo request packet and send an ICMP echo reply packet back. When (potentially) all the machines on a network respond to this ICMP echo request, the result can be severe network congestion or outages.

    When the attackers create these packets, they do not use the IP address of their own machine as the source address. Instead, they create forged packets that contain the spoofed source address of the attacker's intended victim. The result is that when all the machines at the intermediary's site respond to the ICMP echo requests, they send replies to the victim's machine. The victim is subjected to network congestion that could potentially make the network unusable. Even though we have not labeled the intermediary as a ''victim,'' the intermediary can be victimized by suffering the same types of problem that the ''victim'' does in these attacks.

    Attackers have developed automated tools that enable them to send these attacks to multiple intermediaries at the same time, causing all of the intermediaries to direct their responses to the same victim. Attackers have also developed tools to look for network routers that do not filter broadcast traffic and networks where multiple hosts respond. These networks can then be used as intermediaries in attacks.

    For a more detailed description of the ''smurf'' attack, please consult this document:

''The Latest in Denial of Service Attacks: 'Smurfing': Description and Information to Minimize Effects''
Author: Craig Huegen <chuegen@quadrunner.com>
URL: http://www.quadrunner.com/chuegen/smurf.txt

II. IMPACT

    Both the intermediary and the victim of this attack may suffer degraded network performance, both on their internal networks and on their connection to the Internet. Performance may be degraded to the point that the network cannot be used.

    A significant enough stream of traffic can cause serious performance degradation for small and mid-level ISPs that supply service to the intermediaries or victims. Larger ISPs may see backbone degradation and peering saturation.

III. SOLUTION

A. Solutions for the Intermediary

1. Disable IP-directed broadcasts at your router.

    One solution to prevent your site from being used as an intermediary in this attack is to disable IP-directed broadcasts at your router. By disabling these broadcasts, you configure your router to deny IP broadcast traffic onto your network from other networks. In almost all cases, IP-directed broadcast functionality is not needed.

    Appendix A contains details on how to disable IP-directed broadcasts for some router vendors. If your vendor is not listed, contact that vendor for instructions.

    You should disable IP-directed broadcasts on all of your routers. It is not sufficient to disable IP-directed broadcasts only on the router(s) used for your external network connectivity. For example, if you have five routers connecting ten LANs at your site, you should turn off IP-directed broadcasts on all five routers.

2. Configure your operating system to prevent the machine from responding to ICMP packets sent to IP broadcast addresses.

    If an intruder compromises a machine on your network, the intruder may try to launch a smurf attack from your network using you as an intermediary. In this case, the intruder would use the compromised machine to send the ICMP echo request packet to the IP broadcast address of the local network. Since this traffic does not travel through a router to reach the machines on the local network, disabling IP-directed broadcasts on your routers is not sufficient to prevent this attack.

    Some operating systems can be configured to prevent the machine from responding to ICMP packets sent to IP broadcast addresses. Configuring machines so that they do not respond to these packets can prevent your machines from being used as intermediaries in this type of attack.

    Appendix A also contains details on how to disable responding to ICMP packets sent to IP broadcast addresses on some operating systems. If your operating system is not listed, contact your vendor for instructions.

B. Solutions for the Victim

    Unfortunately, there is no easy solution for victims receiving the potentially large number of ICMP echo reply packets. ICMP echo reply traffic (the traffic from the intermediary) could be blocked at the victim's router; however, that will not necessarily prevent congestion that occurs between the victim's router and the victim's Internet service provider. Victims receiving this traffic may need to consult with their Internet service provider to temporarily block this type of traffic in the ISP's network.

    Additionally, victims in this position should contact the intermediaries and inform them of the attack and of the steps described in the previous section. (Please refer them to http://www.cert.org/nav/alerts.html or ftp://ftp.cert.org/pub/cert_advisories/ for the most recent version of this advisory.)

    Victims can use the ''whois'' command to obtain contact information for the sites. More information on using whois is available in ftp://ftp.cert.org/pub/whois_how_to

C. Solution for the Site Where Attacks Originate

    We recommend filtering outgoing packets that contain a source address from a different network.

    Attacks like the smurf attack rely on the use of forged packets, that is, packets for which the attacker deliberately falsifies the origin address. With the current IP protocol technology, it is impossible to eliminate IP-spoofed packets. However, you can use filtering to reduce the likelihood of your site's networks being used to initiate forged packets.

    As we mentioned in CERT advisory CA–97.28 on Teardrop and Land denial-of-service attacks, the best current method to reduce the number of IP-spoofed packets exiting your network is to install filtering on your routers that requires packets leaving your network to have a source address from your internal network. This type of filter prevents a source IP-spoofing attack from your site by filtering all outgoing packets that contain a source address from a different network.

    A detailed description of this type of filtering is available in RFC 2267, ''Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing'' by Paul Ferguson of Cisco Systems, Inc. and Daniel Senie of Blazenet, Inc. We recommend it to both Internet Service Providers and sites that manage their own routers. The document is currently available at ftp://ftp.isi.edu/in-notes/rfc2267.txt

APPENDIX A—VENDOR INFORMATION

    Below is a list of the vendors who have provided information for this advisory. We will update this appendix as we receive additional information. If you do not see your vendor's name, the CERT/CC did not hear from that vendor. Please contact the vendor directly.

Cray Research—A Silicon Graphics Company

    Current versions of Unicos and Unicos/mk do not have the ability to reject ICMP requests sent to broadcast addresses. We are tracking this problem through SPR 709733.

Cisco Systems

    Cisco recommends the following configuration settings as protection against being used as an intermediary in smurf attacks:

1. Disabling IP directed broadcast for all interfaces on which it is not needed. This must be done on all routers in the network, not just on the border routers. The command ''no ip directed-broadcast'' should be applied to each interface on which directed broadcasts are to be disabled.

     Very few IP applications actually need to use directed broadcasts, and it's extremely rare for such an application to be in use in a network without the knowledge of the network administrator. Nonetheless, as when any functionality is disabled, you should be alert for possible problems.

     This is the preferred solution for most networks.

2. If your network configuration is simple enough for you to create and maintain a list of all the directed broadcast addresses in your network, and if you have a well-defined perimeter separating your own network from potentially hostile networks, consider using a filter at the perimeter to prevent directed broadcasts from entering the network. For example, if your network number is 172.16.0.0, and you uniformly use a subnet mask of 255.255.255.0, then you might use Cisco access list entries like

     access-list 101 deny ip 0.0.0.0 255.255.255.255 172.16.0.255 0.0.255.0

     access-list 101 deny ip 0.0.0.0 255.255.255.255 172.16.0.0 0.0.255.0

     Note that this is not a complete access list; it's simply two entries. See the Cisco documentation for more information on configuring access lists. The best place to apply such a filter is usually on the incoming side of each router interface that connects to the potentially hostile network.

     This solution may be administratively infeasible for networks using variable-length subnet masks, or which have complex external connectivity. There is also some possibility that legitimate directed broadcasts may be being sent into your network from the outside, especially if you're working in a research environment.

    In addition to these protections against being used as an intermediary in a smurf attack, Cisco recommends that you take steps to prevent users within your own network from launching such attacks. For ''stub'' networks which do not provide transit connectivity (most corporate and institutional networks, many smaller ISPs), this is usually best done by installing filters at the network perimeter to prevent any packets from leaving your network unless their IP source addresses actually lie within your network's address space. For the example network above, you might place the following entry in the incoming access lists on the interface(s) facing your internal network:

access-list 101 permit ip 172.16.0.0 0.0.255.255 0.0.0.0 255.255.255.255

access-list 101 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
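The two filters the advisory describes, the perimeter filter against directed broadcasts (Section III.A, Cisco entry 2) and the egress filter that only lets packets with an internal source leave (Section III.C, RFC 2267, Cisco's permit/deny pair), together with the broadcast-address rule from Section I, can be modelled as a small policy. The following is an added example, not the advisory's or Cisco's code; it assumes the same site as the Cisco example, 172.16.0.0/16 subnetted uniformly into /24s, and the packets it classifies are constructed.

```python
import ipaddress
from enum import Enum


class Verdict(Enum):
    PERMIT = "permit"
    DENY = "deny"


def broadcast_addresses(network):
    """Both addresses Section I says can elicit a broadcast response: the all-ones
    host address and the all-zeros (network) address of the subnet."""
    net = ipaddress.ip_network(network, strict=False)
    return {str(net.broadcast_address), str(net.network_address)}


def is_directed_broadcast(dst, subnets):
    """True if dst is a broadcast address of any of the given subnets."""
    return any(dst in broadcast_addresses(s) for s in subnets)


# Assumed site layout, matching the Cisco example in Appendix A: 172.16.0.0/16
# split uniformly into /24 subnets. Both values are constructed for this example.
INTERNAL = ipaddress.ip_network("172.16.0.0/16")
SUBNETS = [f"172.16.{i}.0/24" for i in range(256)]


def filter_from_outside(src, dst):
    """Inbound on the interface facing the potentially hostile network.
    Two rules: the anti-spoofing input filter (an outside packet must not claim an
    inside source) and the perimeter directed-broadcast filter from Cisco's
    entry 2 (the two access-list 101 deny lines)."""
    if ipaddress.ip_address(src) in INTERNAL:
        return Verdict.DENY
    if is_directed_broadcast(dst, SUBNETS):
        return Verdict.DENY
    return Verdict.PERMIT


def filter_from_inside(src, dst):
    """Inbound on the interface(s) facing the internal network, i.e. the egress
    filter of Section III.C / RFC 2267 and Cisco's permit/deny pair: only packets
    whose source lies in the site's own address space may leave."""
    if ipaddress.ip_address(src) in INTERNAL:
        return Verdict.PERMIT  # access-list 101 permit ip 172.16.0.0 0.0.255.255 any
    return Verdict.DENY  # access-list 101 deny ip any any


def apply_policy(packets):
    """Run (interface, src, dst) triples through the filter for that interface."""
    rules = {"outside": filter_from_outside, "inside": filter_from_inside}
    return [(src, dst, rules[iface](src, dst).value) for iface, src, dst in packets]


# Constructed traffic: an echo request aimed at a subnet broadcast, an inbound
# packet with a forged inside source, ordinary traffic both ways, and a forged
# packet trying to leave the site.
SAMPLE_PACKETS = [
    ("outside", "203.0.113.9", "172.16.5.255"),  # directed broadcast: deny
    ("outside", "172.16.5.20", "172.16.5.21"),   # outside packet, inside source: deny
    ("outside", "203.0.113.9", "172.16.5.20"),   # legitimate inbound: permit
    ("inside", "172.16.5.20", "203.0.113.9"),    # legitimate outbound: permit
    ("inside", "198.51.100.1", "192.0.2.1"),     # forged source leaving: deny
]

if __name__ == "__main__":
    for row in apply_policy(SAMPLE_PACKETS):
        print(*row)
```

The perimeter directed-broadcast filter is only as complete as the subnet list; the advisory's primary recommendation, disabling directed broadcasts on every router interface, does not depend on such a list.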

Data General Corporation

    DG/UX has an option to enable/disable the forwarding of IP broadcast packets. It is disabled by default. This means that if DG/UX is used along the path, it will not forward the attack packets.

    DG/UX B2 with Security Option has a 'netctrl' facility which enables the administrator to disable the response to a broadcast ICMP ping message.

DIGITAL EQUIPMENT CORPORATION

    Currently DIGITAL products do not deny individual ICMP service to a host. Outside the intranet, firewalls should protect from this kind of spoof/attack.

    If the problem has to be dealt with inside the firewall and the intranet, then policy should address ''malicious acts'' and the individuals responsible.

FreeBSD, Inc.

    In FreeBSD 2.2.5 and up, the tcp/ip stack does not respond to icmp echo requests destined to broadcast and multicast addresses by default. This behaviour can be changed with the sysctl command using the MIB variable net.inet.icmp.bmcastecho.

IBM Corporation

AIX 4

    There is a network attribute called ''bcastping'' that controls whether or not responses to ICMP echo packets to the broadcast address are allowed. A value of zero turns off responses and a value of one turns them on. The default is zero (i.e., by default AIX version 4 is not vulnerable to the described denial-of-service attack).

    Use the following command to check the value of the bcastping attribute:

$ no -o bcastping

    Use the following command to turn off responses to ICMP broadcast packets (as root):

# no -o bcastping=0

AIX 3

    The ''bcastping'' attribute does not exist in version 3.

    IBM and AIX are registered trademarks of International Business Machines Corporation.

Livingston Enterprises, Inc.

    Livingston Enterprises products don't respond to ICMP packets not sent to their own address, but do forward them. They're currently examining the problem to see what kind of solution they can provide.

The NetBSD Project

    Under NetBSD you can disable forwarding of directed broadcast packets with this command, as root:

# sysctl -w net.inet.ip.directed-broadcast=0

    NetBSD will always respond to broadcast ICMP packets. In the future, NetBSD may allow this to be disabled.

Sun Microsystems

    To prevent incoming broadcast packets from entering your network (III. A. 1. in this advisory):

    Solaris 2.6, 2.5.1, 2.5, 2.4, and 2.3:

Use the command: ndd -set /dev/ip ip_forward_directed_broadcasts 0

    SunOS 4.1.3_U1 and 4.1.4:

Do the following:

Add ''options DIRECTED_BROADCAST=0'' to the system configuration file and rebuild the kernel

    To prevent systems from responding to broadcast ICMP packets (III. A. 2. in this advisory):

    Solaris 2.6, 2.5.1, 2.5, 2.4, and 2.3:

Use the command: ndd -set /dev/ip ip_respond_to_echo_broadcast 0

    A corresponding variable for ip_respond_to_echo_broadcast does not exist in SunOS 4.1.x.

    The CERT Coordination Center thanks Craig A. Huegen. Much of the content in this advisory has been derived from his document on ''smurf'' attacks. The CERT Coordination Center also thanks Paul Ferguson and Daniel Senie for providing information on network ingress filtering, and John Bashinski of Cisco for his contributions.

    If you believe that your system has been compromised, contact the CERT Coordination Center or your representative in the Forum of Incident Response and Security Teams (see http://www.first.org/team-info/)

CERT/CC Contact Information

Email: cert@cert.org
Phone: +1 412–268–7090 (24-hour hotline)
CERT personnel answer 8:30 a.m.–5:00 p.m. EST(GMT–5) / EDT(GMT–4) and are on call for emergencies during other hours.
Fax: +1 412–268–6989
Postal address:

    CERT Coordination Center
    Software Engineering Institute
    Carnegie Mellon University
    Pittsburgh PA 15213–3890
    USA

Using encryption

    We strongly urge you to encrypt sensitive information sent by email. We can support a shared DES key or PGP. Contact the CERT/CC for more information.

    Location of CERT PGP key

ftp://ftp.cert.org/pub/CERT_PGP.key

Getting security information

    CERT publications and other security information are available from

http://www.cert.org/
ftp://ftp.cert.org/pub/

    CERT advisories and bulletins are also posted on the USENET newsgroup comp.security.announce. To be added to our mailing list for advisories and bulletins, send email to

cert-advisory-request@cert.org

    In the subject line, type SUBSCRIBE your-email-address

    Copyright 1998 Carnegie Mellon University. Conditions for use, disclaimers, and sponsorship information can be found in http://www.cert.org/legal_stuff/legal_stuff.html and ftp://ftp.cert.org/pub/legal_stuff. If you do not have FTP or web access, send mail to cert@cert.org with ''copyright'' in the subject line.

    CERT is registered in the U.S. Patent and Trademark Office.

Revision history

    Aug. 24, 1998 Updated vendor information for Data General Corporation.

    Aug. 14, 1998 Updated vendor information for Sun Microsystems.

    Apr. 28, 1998 Updated vendor information for Cisco Systems and Sun Microsystems. Corrected URL for obtaining RFCs

    Apr. 10, 1998 Updated vendor information for Cisco Systems

    Feb. 10, 1998 Updates to Appendix A—Vendor Information

    Jan. 29, 1998 Updated reference to the filtering document (now an RFC) in Section III–C.

    Jan. 13, 1998 Updated vendor information for NetBSD.

    Jan. 7, 1998 Updated or added vendor information for Digital Equipment Corporation and Livingston Enterprises, Inc.

CERT Advisory CA–96.21

Original issue date: September 19, 1996
Last Revised: August 24, 1998 Updated vendor information for Silicon Graphics, Inc.

A complete revision history is at the end of this file.

TOPIC: TCP SYN FLOODING AND IP SPOOFING ATTACKS

This advisory supersedes the IP spoofing portion of CA–95.01.

    Two ''underground magazines'' have recently published code to conduct denial-of-service attacks by creating TCP ''half-open'' connections. This code is actively being used to attack sites connected to the Internet. There is, as yet, no complete solution for this problem, but there are steps that can be taken to lessen its impact. Although discovering the origin of the attack is difficult, it is possible to do; we have received reports of attack origins being identified.

    Any system connected to the Internet and providing TCP-based network services (such as a Web server, FTP server, or mail server) is potentially subject to this attack. Note that in addition to attacks launched at specific hosts, these attacks could also be launched against your routers or other network server systems if these hosts enable (or turn on) other TCP services (e.g., echo). The consequences of the attack may vary depending on the system; however, the attack itself is fundamental to the TCP protocol used by all systems.

    If you are an Internet service provider, please pay particular attention to Section III and Appendix A, which describe steps we urge you to take to lessen the effects of these attacks. If you are the customer of an Internet service provider, please encourage your provider to take these steps.

    This advisory provides a brief outline of the problem and a partial solution. We will update this advisory as we receive new information. If the change in information warrants, we may post an updated advisory on comp.security.announce and redistribute an update to our cert-advisory mailing list. As always, the latest information is available at the URLs listed at the end of this advisory.

I. DESCRIPTION

    When a system (called the client) attempts to establish a TCP connection to a system providing a service (the server), the client and server exchange a set sequence of messages. This connection technique applies to all TCP connections—telnet, Web, email, etc.

    The client system begins by sending a SYN message to the server. The server then acknowledges the SYN message by sending SYN–ACK message to the client. The client then finishes establishing the connection by responding with an ACK message. The connection between the client and the server is then open, and the service-specific data can be exchanged between the client and the server. Here is a view of this message flow:

Client        Server
------        ------
SYN-------------->
<--------------SYN-ACK
ACK-------------->

Client and server can now
send service-specific data

    The potential for abuse arises at the point where the server system has sent an acknowledgment (SYN–ACK) back to the client but has not yet received the ACK message. This is what we mean by a half-open connection. The server has built in its system memory a data structure describing all pending connections. This data structure is of finite size, and it can be made to overflow by intentionally creating too many partially-open connections.

    Creating half-open connections is easily accomplished with IP spoofing. The attacking system sends SYN messages to the victim server system; these appear to be legitimate but in fact reference a client system that is unable to respond to the SYN–ACK messages. This means that the final ACK message will never be sent to the victim server system.

    The half-open connections data structure on the victim server system will eventually fill; then the system will be unable to accept any new incoming connections until the table is emptied out. Normally there is a timeout associated with a pending connection, so the half-open connections will eventually expire and the victim server system will recover. However, the attacking system can simply continue sending IP-spoofed packets requesting new connections faster than the victim system can expire the pending connections.

    In most cases, the victim of such an attack will have difficulty in accepting any new incoming network connection. In these cases, the attack does not affect existing incoming connections nor the ability to originate outgoing network connections.

    However, in some cases, the system may exhaust memory, crash, or be rendered otherwise inoperative.

    The location of the attacking system is obscured because the source addresses in the SYN packets are often implausible. When the packet arrives at the victim server system, there is no way to determine its true source. Since the network forwards packets based on destination address, the only way to validate the source of a packet is to use input source filtering (see Appendix A).

II. IMPACT

    Systems providing TCP-based services to the Internet community may be unable to provide those services while under attack and for some time after the attack ceases. The service itself is not harmed by the attack; usually only the ability to provide the service is impaired. In some cases, the system may exhaust memory, crash, or be rendered otherwise inoperative.

III. SOLUTION

    There is, as yet, no generally accepted solution to this problem with the current IP protocol technology. However, proper router configuration can reduce the likelihood that your site will be the source of one of these attacks.

    Appendix A contains details about how to filter packets to reduce the number of IP-spoofed packets entering and exiting your network. It also contains a list of vendors that have reported support for this type of filtering.

    NOTE to Internet Service Providers:

    We STRONGLY urge you to install these filters in your routers to protect your customers against this type of an attack. Although these filters do not directly protect your customers from attack, the filters do prevent attacks from originating at the sites of any of your customers. We are aware of the ramifications of these filters on some current Mobile IP schemes and are seeking a position statement from the appropriate organizations.

    NOTE to customers of Internet service providers:

    We STRONGLY recommend that you contact your service provider to verify that the necessary filters are in place to protect your network.

    Many networking experts are working together to devise improvements to existing IP implementations to ''harden'' kernels to this type of attack. When these improvements become available, we suggest that you install them on all your systems as soon as possible. This advisory will be updated to reflect changes made by the vendors.

IV. DETECTING AN ATTACK

    Users of the attacked server system may notice nothing unusual since the IP-spoofed connection requests may not load the system noticeably. The system is still able to establish outgoing connections. The problem will most likely be noticed by client systems attempting to access one of the services on the victim system.

    To verify that this attack is occurring, check the state of the server system's network traffic. For example, on SunOS this may be done by the command:

netstat -a -f inet

    Note that the exact command depends on the operating system; for example, on a FreeBSD system use

netstat -s | grep "listenqueue overflows"

    Too many connections in the state ''SYN_RECEIVED'' could indicate that the system is being attacked.
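The check in Section IV, counting SYN_RECEIVED entries in the netstat output, is easy to automate per listening port. The following is an added example and not part of the advisory: it parses a constructed `netstat -a -f inet` listing in the SunOS column layout (addresses and counts are made up) and also tolerates the `host:port` form other systems print.

```python
from collections import defaultdict

# Constructed `netstat -a -f inet` output in the SunOS layout the advisory names;
# addresses are documentation ranges and the entries are made up for the example.
SAMPLE_NETSTAT = """\
TCP
   Local Address        Remote Address    Swind Send-Q Rwind Recv-Q  State
-------------------- -------------------- ----- ------ ----- ------ -------
      *.23                 *.*                0      0     0      0 LISTEN
      *.80                 *.*                0      0     0      0 LISTEN
192.0.2.5.80         198.51.100.20.33012  8760      0  8760      0 ESTABLISHED
192.0.2.5.80         10.0.0.1.1024           0      0     0      0 SYN_RECEIVED
192.0.2.5.80         10.0.0.2.1025           0      0     0      0 SYN_RECEIVED
192.0.2.5.80         10.0.0.3.1026           0      0     0      0 SYN_RECEIVED
192.0.2.5.80         172.19.4.4.1027         0      0     0      0 SYN_RECEIVED
192.0.2.5.80         192.0.2.250.1028        0      0     0      0 SYN_RECEIVED
192.0.2.5.80         203.0.113.9.1029        0      0     0      0 SYN_RECEIVED
192.0.2.5.23         198.51.100.7.2001       0      0     0      0 SYN_RECEIVED
"""


def split_endpoint(endpoint):
    """Split 'host.port' (BSD/SunOS style) or 'host:port' (Linux style) into (host, port)."""
    sep = ":" if ":" in endpoint else "."
    host, port = endpoint.rsplit(sep, 1)
    return host, port


def half_open_by_port(netstat_output):
    """Count SYN_RECEIVED entries per local port and collect the remote hosts that
    have not completed the handshake. Under a spoofed flood those hosts are
    typically numerous and unrelated, as Section I describes."""
    result = defaultdict(lambda: {"count": 0, "remote_hosts": set()})
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[-1] != "SYN_RECEIVED":
            continue  # header, separator, or a connection in another state
        _, local_port = split_endpoint(fields[0])
        remote_host, _ = split_endpoint(fields[1])
        entry = result[int(local_port)]
        entry["count"] += 1
        entry["remote_hosts"].add(remote_host)
    return dict(result)


def suspect_ports(netstat_output, threshold):
    """Ports whose half-open count reaches the threshold. The meaningful threshold
    is the listen backlog of the service, the structure the advisory says is made
    to overflow; it is passed in rather than guessed."""
    counts = half_open_by_port(netstat_output)
    return sorted(port for port, e in counts.items() if e["count"] >= threshold)


if __name__ == "__main__":
    for port, e in sorted(half_open_by_port(SAMPLE_NETSTAT).items()):
        print(f"port {port}: {e['count']} half-open from {len(e['remote_hosts'])} hosts")
    print("suspect:", suspect_ports(SAMPLE_NETSTAT, threshold=5))
```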

APPENDIX A—REDUCING IP SPOOFED PACKETS

1. Filtering Information

    With the current IP protocol technology, it is impossible to eliminate IP-spoofed packets. However, you can take steps to reduce the number of IP-spoofed packets entering and exiting your network.

    Currently, the best method is to install a filtering router that restricts the input to your external interface (known as an input filter) by not allowing a packet through if it has a source address from your internal network. In addition, you should filter outgoing packets that have a source address different from your internal network to prevent a source IP spoofing attack from originating from your site.

    The combination of these two filters would prevent outside attackers from sending you packets pretending to be from your internal network. It would also prevent packets originating within your network from pretending to be from outside your network. These filters will *not* stop all TCP SYN attacks, since outside attackers can spoof packets from *any* outside network, and internal attackers can still send attacks spoofing internal addresses.

    We STRONGLY urge Internet service providers to install these filters in your routers.

    In addition, we STRONGLY recommend customers of Internet service providers to contact your service provider to verify that the necessary filters are in place to protect your network.

2. Vendor Information

    The following vendor(s) have reported support for the type of filtering we recommend and provided pointers to additional information that describes how to configure your router. If we hear from other vendors, we will add their information to the ''Updates'' section at the end of this advisory.

    If you need more information about your router or about firewalls, please contact your vendor directly.

Cisco

    Refer to the section entitled ''ISP Security Advisory'' on http://www.cisco.com for an up-to-date explanation of how to address TCP SYN flooding on a Cisco router.

    NOTE to vendors:

    If you are a router vendor who has information on router capabilities and configuration examples and you are not represented in this list, please contact the CERT Coordination Center at the addresses given in the Contact Information section below. We will update the advisory after we hear from you.

3. Alternative for routers that do not support filtering on the inbound side

    If your vendor's router does not support filtering on the inbound side of the interface or if there will be a delay in incorporating the feature into your system, you may filter the spoofed IP packets by using a second router between your external interface and your outside connection. Configure this router to block, on the outgoing interface connected to your original router, all packets that have a source address in your internal network. For this purpose, you can use a filtering router or a UNIX system with two interfaces that supports packet filtering.

    Note: Disabling source routing at the router does not protect you from this attack, but it is still good security practice to follow.

    On the input to your external interface, that is coming from the Internet to your network, you should block packets with the following addresses:

 Broadcast Networks: The addresses to block here are network 0 (the all zeros broadcast address) and network 255.255.255.255 (the all ones broadcast network).

 Your local network(s): These are your network addresses

 Reserved private network numbers: The following networks are defined as reserved private networks, and no traffic should ever be received from or transmitted to these networks through a router:

    10.0.0.0    - 10.255.255.255   10/8          (reserved)
    127.0.0.0   - 127.255.255.255  127/8         (loopback)
    172.16.0.0  - 172.31.255.255   172.16/12     (reserved)
    192.168.0.0 - 192.168.255.255  192.168/16    (reserved)
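To make the two filters of Appendix A (the input filter of item 1 and the blocked address list of item 3, plus the output filter) concrete, here is an added Python model of the decision a filtering router makes per packet; it is not from the advisory or any router vendor. The internal network blocks and the sample packets are constructed values.

```python
import ipaddress

# Assumption: this site's own address blocks (constructed values, not from the advisory).
INTERNAL_NETS = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/25"),
]

# Source addresses that should never arrive from the Internet (Appendix A, item 3).
NEVER_FROM_OUTSIDE = [
    ipaddress.ip_network("0.0.0.0/8"),           # network 0, the all-zeros broadcast
    ipaddress.ip_network("255.255.255.255/32"),  # the all-ones broadcast
    ipaddress.ip_network("10.0.0.0/8"),          # reserved private
    ipaddress.ip_network("127.0.0.0/8"),         # loopback
    ipaddress.ip_network("172.16.0.0/12"),       # reserved private
    ipaddress.ip_network("192.168.0.0/16"),      # reserved private
]


def _match(addr, nets):
    """Return the first network containing addr, or None."""
    return next((n for n in nets if addr in n), None)


def check_packet(direction, src):
    """Decide one packet by its source address.

    direction is 'in'  (arriving on the external interface from the Internet) or
                 'out' (leaving our network toward the Internet).
    Returns ('drop', reason) or ('permit', None).
    """
    addr = ipaddress.ip_address(src)
    if direction == "in":
        hit = _match(addr, INTERNAL_NETS)
        if hit:                      # input filter: outsiders may not claim our addresses
            return "drop", f"source {src} claims to be inside our {hit}"
        hit = _match(addr, NEVER_FROM_OUTSIDE)
        if hit:
            return "drop", f"source {src} is in reserved/broadcast range {hit}"
        # Caveat from the advisory: a packet spoofing some *other* outside network
        # is indistinguishable here and is permitted.
        return "permit", None
    if direction == "out":
        if _match(addr, INTERNAL_NETS) is None:  # output filter: only our own sources leave
            return "drop", f"source {src} is not one of our networks"
        return "permit", None
    raise ValueError(f"unknown direction {direction!r}")


def apply_filters(packets):
    """Run the filters over (direction, src) tuples; return (direction, src, verdict, reason)."""
    return [(d, s, *check_packet(d, s)) for d, s in packets]


# Constructed sample traffic, not a capture.
SAMPLE_PACKETS = [
    ("in", "203.0.113.5"),       # ordinary outside source: permitted
    ("in", "192.0.2.7"),         # outsider pretending to be us: dropped
    ("in", "10.1.2.3"),          # reserved private: dropped
    ("in", "255.255.255.255"),   # all-ones broadcast: dropped
    ("out", "192.0.2.7"),        # our own host: permitted
    ("out", "203.0.113.5"),      # spoofed outside source leaving our site: dropped
]

if __name__ == "__main__":
    for direction, src, verdict, reason in apply_filters(SAMPLE_PACKETS):
        print(f"{direction:>3} {src:<16} {verdict:<6} {reason or ''}")
```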

    The CERT Coordination Center staff thanks the team members of NASIRC for contributing much of the text for this advisory and thanks the many experts who are devoting time to addressing the problem and who provided input to this advisory.

UPDATES

3COM

    Please refer to the ''Network Security Advisory'' for a thorough discussion of how to address TCP SYN flooding attacks on a 3Com router:

http://www.3com.com/

Berkeley Software Design, Inc.

    BSDI has patches available.

PATCH

    K210-021 (ftp://ftp.bsdi.com/bsdi/patches/patches-2.1/K210-021)

    md5 checksum: c386e72f41d0e409d91b493631e364dd K210-021

    This patch adds two networking features that can help defeat and detect some types of denial of service attacks.

    This patch requires U210-025, which provides new copies of sysctl(8) and netstat(1) for configuration and monitoring of these new features.

PATCH

    K210-022 (ftp://ftp.bsdi.com/bsdi/patches/patches-2.1/K210-22)

    md5 checksum: 9ec62b5e9cc424b9b42089504256d926 K210-022

    This patch adds a TCP SYN cache which reduces and/or eliminates the effects of SYN-type denial of service attacks such as those discussed in CERT advisory CA 96.21.

PATCH

    U210-025 (ftp://ftp.bsdi.com/bsdi/patches/patches-2.1/U210-025)

    md5 checksum: d2ee01238ab6040e9b7a1bd2c3bf1016 U210-025

    This patch should be installed in conjunction with the IP source address check and IP fragmentation queue limit patch (K210-021) and the SYN flooding patch (K210-022).

    Additional details about these patches are available from

http://www.bsdi.com
ftp://ftp.bsdi.com

Hewlett-Packard Company

    HPSBUX9704-060

    Description: SYN Flooding Security Vulnerability in HP-UX

    HEWLETT-PACKARD SECURITY BULLETIN: #00060

    Security Bulletins are available from the HP Electronic Support Center via electronic mail.

    Use your browser to get to the HP Electronic Support Center page at:

http://us-support.external.hp.com
(for US, Canada, Asia-Pacific, & Latin-America)

http://europe-support.external.hp.com
(for Europe)

IBM Corporation

    Any system that is connected to a TCP/IP-based network (Internet or intranet) and offers TCP-based services is vulnerable to the SYN flood attack. The attack does not distinguish between operating systems, software version levels, or hardware platforms; all systems are vulnerable. IBM has released AIX operating system fixes for the SYN flood vulnerability.

    NOTE: If you are using the IBM Internet Connection Secured Network Gateway (SNG) firewall software, you must also apply the fixes listed in the next section.

    The following Automated Program Analysis Reports (APARs) for IBM AIX are now available to address the SYN flood attack:

AIX 3.2.5

    No APAR available; upgrade to AIX 4.x recommended

AIX 4.1.x

    APAR IX62476

AIX 4.2.x

    APAR IX62428

Fixes for IBM SNG Firewall

    The following Automated Program Analysis Reports (APARs) for the IBM Internet Connection Secured Network Gateway firewall product are now available to address the SYN flood and ''Ping o' Death'' attacks:

    NOTE: The fixes in this section should ONLY be applied to systems running the IBM Internet Connection Secured Network Gateway (SNG) firewall software. They should be applied IN ADDITION TO the IBM AIX fixes listed in the previous section.

IBM SNG V2.1

    APAR IR33376 PTF UR46673

IBM SNG V2.2

    APAR IR33484 PTF UR46641

Obtaining Fixes

    IBM AIX APARs may be ordered using Electronic Fix Distribution (via the FixDist program), or from the IBM Support Center. For more information on FixDist, and to obtain fixes via the Internet, please reference http://service.software.ibm.com/aixsupport/ or send electronic mail to ''aixserv@austin.ibm.com'' with the word ''FixDist'' in the ''Subject:'' line.

Linux

    A patch for the linux kernel source is available from:

http://www.dna.lth.se/~erics/software/tcp-syncookies-patch-1.gz

    The patch allows tcp/ip processing to continue as normal, until the queue gets close to full. Then, instead of just sending the synack back, it sends a syn cookie back, and waits for a response to IT before sending the synack. When it sends the cookie, it clears the syn from the queue, so while under attack, the queue will never fill up. Cookies expire shortly after they are sent. Basically this prevents people from filling up the queue completely. No one flooding from a spoof will be able to reply to the cookie, so nothing can be overloaded. And if they aren't flooding from a spoof, they would be getting a cookie they would have to respond to, and would have a hard time responding to all the cookies and continuing the flood.
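The cookie mechanism described above, as an added Python simulation that is not the Linux patch itself and is not from the advisory: the listener keeps an ordinary half-open queue until it is full, then answers further SYNs with a stateless cookie (a keyed hash of the connection 4-tuple and a time slot, carried in the SYN-ACK's sequence number) and only creates state when a client echoes the cookie back. The secret, slot length, backlog size, and all addresses are constructed assumptions.

```python
import hashlib
import hmac
import random

# Constructed assumptions for this example, not values from the advisory or any kernel.
SECRET = b"constructed-demo-secret"   # a real implementation picks this randomly at boot
SLOT_SECONDS = 64                     # cookies from more than one slot back are expired
BACKLOG = 8                           # capacity of the ordinary SYN_RECEIVED queue


def _slot(now):
    return int(now // SLOT_SECONDS)


def _mac24(src_ip, src_port, dst_ip, dst_port, slot):
    """Keyed hash of the connection 4-tuple and time slot, truncated to 24 bits."""
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}@{slot}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(src_ip, src_port, dst_ip, dst_port, now):
    """Sequence number for the SYN-ACK: top byte = slot, low 24 bits = MAC. No state kept."""
    slot = _slot(now)
    return ((slot & 0xFF) << 24) | _mac24(src_ip, src_port, dst_ip, dst_port, slot)


def check_cookie(ack, src_ip, src_port, dst_ip, dst_port, now):
    """Validate the final ACK of a cookie handshake; a genuine client sends ack == cookie + 1."""
    cookie = (ack - 1) & 0xFFFFFFFF
    tag = (cookie & 0xFFFFFF).to_bytes(3, "big")
    cur = _slot(now)
    for cand in (cur, cur - 1):              # accept the current slot or the one just before
        if (cand & 0xFF) != cookie >> 24:
            continue
        want = _mac24(src_ip, src_port, dst_ip, dst_port, cand).to_bytes(3, "big")
        if hmac.compare_digest(want, tag):
            return True
    return False


class Listener:
    """Listening socket model: normal backlog first, cookies once the queue is full."""

    def __init__(self, ip="192.0.2.10", port=80):
        self.ip, self.port = ip, port
        self.half_open = {}          # (src_ip, src_port) -> ISN: the SYN_RECEIVED queue
        self.established = set()
        self.cookies_sent = 0

    def on_syn(self, src_ip, src_port, now):
        """Return the ISN placed in the SYN-ACK."""
        key = (src_ip, src_port)
        if len(self.half_open) < BACKLOG:
            isn = random.getrandbits(32)
            self.half_open[key] = isn
            return isn
        self.cookies_sent += 1               # queue full: answer statelessly instead
        return make_cookie(src_ip, src_port, self.ip, self.port, now)

    def on_ack(self, src_ip, src_port, ack, now):
        key = (src_ip, src_port)
        if key in self.half_open:
            ok = ack == (self.half_open.pop(key) + 1) & 0xFFFFFFFF
        else:
            ok = check_cookie(ack, src_ip, src_port, self.ip, self.port, now)
        if ok:
            self.established.add(key)
        return ok


def simulate_flood(spoofed_syns=1000, now=1000.0):
    """Spoofed SYNs never ACK, so they hold no state beyond the backlog; a real client
    arriving afterwards still connects through a cookie, and a stale cookie is refused."""
    srv = Listener()
    for i in range(spoofed_syns):            # constructed spoofed sources that never reply
        srv.on_syn(f"203.0.113.{i % 250 + 1}", 40000 + i, now)
    isn = srv.on_syn("198.51.100.7", 51234, now)
    connected = srv.on_ack("198.51.100.7", 51234, (isn + 1) & 0xFFFFFFFF, now + 1)
    stale = srv.on_syn("198.51.100.8", 51235, now)
    expired = srv.on_ack("198.51.100.8", 51235, (stale + 1) & 0xFFFFFFFF,
                         now + 3 * SLOT_SECONDS)
    return {"queue_len": len(srv.half_open), "cookies_sent": srv.cookies_sent,
            "client_connected": connected, "expired_accepted": expired}


if __name__ == "__main__":
    print(simulate_flood())
```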

Livingston Enterprises, Inc.

    Refer to the following Applications Note for more information on configuring a Livingston IRX or PortMaster to help block outgoing SYN attacks from an ISP's users:

ftp://ftp.livingston.com/pub/le/doc/notes/filters.syn-attack

Silicon Graphics, Inc.

    Updated Silicon Graphics information concerning SYN attacks can be found in SGI Security Advisory, ''IRIX IP Spoofing/TCP Sequence Attack Update,'' 19961202-01-PX, issued on August 6, 1998.

    Patches are available via anonymous FTP and your service/support provider.

    The SGI anonymous FTP site is sgigate.sgi.com (204.94.209.1) or its mirror, ftp.sgi.com. Security information and patches can be found in the ftp/security and ftp/patches directories, respectively.

    For subscribing to the wiretap mailing list and other SGI security related information, please refer to the Silicon Graphics Security Headquarters website located at:

http://www.sgi.com/Support/security

Sun Microsystems, Inc.

    Sun published a bulletin on October 9, 1996—Sun security bulletin number 00136. Sun Security Bulletins are available via the security-alert@sun.com alias and on SunSolve.

    Note: Advisories from vendors listed in this section can also be found at ftp://ftp.cert.org/pub/vendors/

    If you believe that your system has been compromised, contact the CERT Coordination Center or your representative in the Forum of Incident Response and Security Teams (see http://www.first.org/team-info/)

CERT/CC Contact Information

Email cert@cert.org
Phone +1 412-268-7090 (24-hour hotline)
CERT personnel answer 8:30-5:00 p.m. EST (GMT-5) / EDT (GMT-4) and are on call for emergencies during other hours.
Fax +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
USA

Using encryption

    We strongly urge you to encrypt sensitive information sent by email. We can support a shared DES key or PGP. Contact the CERT/CC for more information.

    Location of CERT PGP key

ftp://ftp.cert.org/pub/CERT_PGP.key

Getting security information

    CERT publications and other security information are available from

http://www.cert.org/
ftp://ftp.cert.org/pub/

    CERT advisories and bulletins are also posted on the USENET newsgroup comp.security.announce. To be added to our mailing list for advisories and bulletins, send email to

cert-advisory-request@cert.org

    In the subject line, type

SUBSCRIBE your-email-address

    Copyright 1996, 1997 Carnegie Mellon University. Conditions for use, disclaimers, and sponsorship information can be found in http://www.cert.org/legal_stuff/legal_stuff.html and ftp://ftp.cert.org/pub/legal_stuff. If you do not have FTP or web access, send mail to cert@cert.org with ''copyright'' in the subject line.

    * CERT is registered in the U.S. Patent and Trademark Office

Revision history

    Aug. 24, 1998 Updated vendor information for Silicon Graphics, Inc.

    Sep. 24, 1997 Updated copyright statement

    July 18, 1997 Updates—added information

    May 08, 1997 Updates—updated vendor information for Hewlett-Packard.

    Jan. 02, 1997 Updates—added or modified vendor information for SGI, Livingston, HP, 3COM.

    Dec. 19, 1996 Updates—corrected Sun Microsystems security-alert email address.

    Dec. 10, 1996 Appendix A, #3—corrected next to last reserved private network number entry.

    Dec. 09, 1996 Updates—added IBM patch information.

    Nov. 12, 1996 Introduction, paragraph 2—added some clarification.

    Oct. 10, 1996 Updates—added a pointer to Sun Microsystems advisory; added a pointer to the CERT /pub/vendors directory.

    Oct. 08, 1996 Appendix A, #3—revised the last item, reserved private network numbers. Updates—added BSDI patch information.

    Oct. 07, 1996 Updates—added a pointer to Silicon Graphics advisory.

    Sep. 24, 1996 Modified the supersession statement.

RESULTS OF THE DISTRIBUTED-SYSTEMS INTRUDER TOOLS WORKSHOP

PITTSBURGH, PENNSYLVANIA USA

NOVEMBER 2–4, 1999

    CERT and CERT Coordination Center are registered in the U.S. Patent & Trademark office by Carnegie Mellon University.

CONTRIBUTORS

    The ideas in this paper were jointly developed by participants in the Distributed-Systems Intruder Tools Workshop. Their intellectual contributions and their spirit of cooperation made the workshop a success. Among the many participants who contributed to this paper are the following:

Jon David
AT&T Information Security Center

Cory Cohen, Kathy Fithen,
Kevin Houle, Tom Longstaff,
John McHugh, Eric Mitchell,
Rich Pethia, Jed Pickel,
Tim Shimeall, Dara Sewell (resident affiliate)
CERT Coordination Center

Bradley Frank
Ken Rowe
Cisco Systems, Inc.

Brian Dunphy
Sean McAllister
DoD CERT

Sammy Migues
Infrastructure Defense

Pat Becker
Internet Security Systems, Inc.

Sven Dietrich
Aghadi Shraim
NASA Goddard Space Flight Center

John Green
NSWC (Naval Surface Warfare Center) SHADOW Team

Richard Forno
Network Solutions, Inc.

Kenneth R. van Wyk
Para-Protect, Inc.

Kathleen Kimball
George Weaver
Penn State University

Clarissa Cook
Robert Stone
UUNET

Richard A. Kemmerer
University of California, Santa Barbara

David Dittrich
University of Washington

N.L.

EXECUTIVE SUMMARY

    On November 2–4, 1999, the CERT Coordination Center invited 30 experts from around the world to address a category of network attack tools that use distributed systems. Several tools are in use now, and the technology is maturing. As a result, a single, simple command from an attacker could result in tens of thousands of concurrent attacks on one or a set of targets. The attacker can use unprotected Internet nodes around the world to coordinate the attacks. Each attacking node has limited information on who is initiating the attack and from where; and no node need have a list of all attacking systems. Damaged systems include those used in the attack as well as the targeted victim. For the victim, the impact can be extensive. For example, in a denial-of-service attack using distributed technology, the attacked system observes simultaneous attacks from all the nodes at once—flooding the network normally used to communicate and trace the attacks and preventing any legitimate traffic from traversing the network.

    Distributed intruder technology is not entirely new; however, it is maturing to the point that even unsophisticated intruders could do serious damage. The Distributed-Systems Intruder Tools (DSIT) Workshop provided a venue for experts around the world to share experiences, gain a common understanding, and creatively brainstorm possible responses and solutions before the dissemination of the maturing attack tools—and attacks themselves—become widespread.

    One consideration is the approach typically taken by the intruder community. There is (loosely) organized development in the intruder community, with only a few months elapsing between ''beta'' software and active use in attacks. Moreover, intruders take an open-source approach to development. One can draw parallels with open system development: there are many developers and a large, reusable code base. Intruder tools become increasingly sophisticated and also become increasingly user friendly and widely available. As a result, even unsophisticated intruders can use them.

    There has already been some public discussion in the intruder community about distributed attack tools while development continues. In their development, intruders are using currently available technology to develop new technology. For example, they are building on previous scanning technology and automated intrusion tools to create more powerful intrusion tools. One concern of workshop participants is that in a relatively short time, it may be possible for unsophisticated intruders to gain control of and use systems distributed across significant portions of the Internet for their attacks.

    This paper is one outcome of the DSIT Workshop. In it, workshop participants examine the use of distributed-system intruder tools and note that current experiences have highlighted the need for better forensic techniques and training, the importance of close cooperation, and a concern for the rapid evolution of intruder tools. They provide information about protecting systems from attack by the tools, detecting the use of the tools, and responding to attacks. The paper includes suggestions for specific groups in the Internet community:

 managers

 system administrators

 Internet service providers (ISPs)

 incident response teams (IRTs)

    The suggestions address actions each group should take immediately, along with actions for the short term and long term. They also remind readers that the security of any network on the Internet depends on the security of every other network. The widely varying implementation of security measures is what often makes a distributed attack successful.

    The workshop participants hope that the information offered here will help reduce the impact of distributed attack tools on the Internet as those tools mature.

1. INTRODUCTION

    On November 2–4, 1999, the CERT Coordination Center (CERT/CC) invited 30 experts from around the world to address a category of network attack tools that use distributed systems in increasingly sophisticated ways. Intruders are maturing an attack technology that goes beyond using individual systems as the starting point for an attack. Rather, they can potentially use tens of thousands of unprotected Internet nodes together in order to coordinate an attack against selected targets. Each attacking node has limited information on who is initiating the attack and from where; and no node need have a list of all attacking systems. For the victim, the impact can be extensive. For example, in a denial-of-service attack using distributed technology, the attacked system observes simultaneous attacks from all the nodes at once—flooding the network normally used to communicate and trace the attacks and preventing any legitimate traffic from traversing the network.

    Distributed intruder technology is not entirely new; however, it is maturing to the point that even unsophisticated intruders could do serious damage. In the past, intruders have used IRC robots to remotely control networks of compromised machines. In addition, fapi, a denial-of-service (DoS) tool that appeared early in 1998, works in a similar way to some of the tools we are now seeing, but it was not as sophisticated or as widely used.

    During the Distributed-Systems Intruder Tools (DSIT) Workshop, participants discussed a large number of approaches to preventing, detecting, and responding to distributed-systems attacks. The CERT/CC specifically invited technical personnel who could contribute technically to the solutions regardless of their position in their home organization or political stature in the community. Thus, the workshop effectively provided a venue for experts around the world to share experiences, gain a common understanding, and creatively brainstorm possible responses and solutions to this category of attack before the dissemination of the attack tools—and the attacks themselves—becomes widespread.

    One consideration is the approach typically taken by the intruder community. There is (loosely) organized development in the intruder community, with only a few months elapsing between ''beta'' software and active use in attacks. Intruders are actively developing distributed tools to use the many resources on the network; this has become easier because of the large number of machines ''available for public use''—that is, vulnerable to compromise and, thus, available for use by anyone who can exploit the vulnerabilities. Moreover, intruders typically take an open-source approach to development. One can draw parallels with open system development: there are many developers and a large, reusable code base. Intruder tools become increasingly sophisticated and also become increasingly user friendly and widely available. As a result, even unsophisticated intruders can use the available tools to identify and take advantage of a large number of vulnerable machines.

    There has already been some public discussion in the intruder community about the distributed attack tools while development continues. Intruders are using currently available technology to develop new technology. For example, they are building on previous scanning technology and automated intrusion tools to create more powerful intrusion tools. One concern of workshop participants is that in a relatively short time, it may be possible for unsophisticated intruders to gain control of and use systems distributed across significant portions of the Internet for their attacks.

    As noted in the letter of invitation to the participants,

  So far, we have seen only limited use of these new tools, but we believe it won't be long before the tools will move from the development by sophisticated intruders into wide use by the large population of less sophisticated intruders. When this happens, all of us will face new issues with impact on security, incident response, and future technology. . . .

  I believe that security experts need to act now, before the tools are in widespread use. During the workshop, we hope to analyze these new attack tools; explore their possible evolution and kinds of impact we might see from their use; and outline techniques that can be used to detect, respond to, and recover from attacks.

    One strong response to the workshop from the participants is that prior to the workshop, there was no way for the technical staff at important critical infrastructure sites to communicate the threat to management. The participants could understand the problem from an isolated perspective, but it was not until the workshop brought them together that the true nature of the threat was understood and could then be communicated to the management at their home organizations. In many cases, the resulting briefs given to the home organization (including government agencies, critical commercial providers, and university researchers) provided the first and best view of the nature of the changing threat in using networked systems. Finally, this paper, which summarizes output from the workshop, enables the Internet community to gain similar understanding and to take action.

    In the next section, workshop participants examine the use of distributed-system intruder tools. Later sections provide information for specific groups in the Internet community:

 managers

 system administrators

 Internet service providers (ISPs)

 incident response teams (IRTs)

    The workshop participants hope that the information offered here will help reduce the impact of the attack tools on the Internet as those tools mature.

2. RECENT ACTIVITY INVOLVING DISTRIBUTED ATTACK SYSTEMS

    Distributed systems based on the client/server model have become increasingly common. In recent months, we have seen an increase in the development and use of distributed sniffers, scanners, and denial-of-service tools. Attacks using these tools can involve a large number of sites simultaneously and be focused to attack one or more victim hosts or networks.

    During the second half of 1999, several sites reported denial-of-service attacks involving distributed intruder tools. While some of the details presented here are specific to the incidents that were observed, the overall distributed strategy can be applied to attacks other than denial of service. The description in this section concentrates on the distributed aspects of the incidents while omitting unnecessary details.

    As shown in the figure below, in a typical distributed attack system, the ''intruder'' controls a small number of ''masters,'' which in turn control a large number of ''daemons.'' These daemons can be used to launch packet flooding or other attacks against ''victims'' targeted by the intruder.

Figure 1—Distributed-Systems Attack

    In the incidents that have occurred so far, daemons were installed at several hundred sites, typically through the exploitation of well-known vulnerabilities that lead to root privileges on the compromised machines. Though some implementations of the daemon program do not require root privileges to launch attacks, in practice most of the daemons were concealed by the installation of ''root kits'' designed to hide evidence of the intrusion. Intruders have also sometimes used system facilities such as ''cron'' to ensure that a daemon would continue to run even if one instance of it were deleted or the system was rebooted.

    There are indications that the processes for discovering vulnerable sites, compromising them, installing daemons, and concealing the intrusion are largely automated, with each step being performed in ''batch'' mode against many machines in one ''session.'' Daemons have been discovered on a variety of operating systems with varying levels of security and system management.

    Once installed and operating, the daemon announces its presence to several (usually three or four) predefined masters and awaits further commands. The master program records that the daemon is ready to receive commands in an internal list, which can be retrieved by the intruder. Lists recovered from incidents have included hosts in several different nations. Masters can cause daemons in the list to launch attacks, shut down gracefully, or even announce themselves to a new master server. Intruders have used cryptographic techniques to conceal the information recorded by the master daemons.

    Upon command from an intruder, the master can issue attack requests to the daemons in its list. These requests contain information about the requested attack, such as the address of the victim, the duration, and other parameters. Upon receipt of the request, the daemon proceeds to attack the victim, usually by flooding the victim with packets. No further contact from the master is necessary.

    The master programs frequently operate as ordinary user programs on compromised hosts, where their activity can easily be hidden. Unlike the daemon programs, which are intended to be run on sites with a substantial network capacity, traffic to and from the master program is limited to control messages.

    In one incident reported to the CERT Coordination Center, a flooding attack was aimed at a major university. This attack involved several hundred daemons scattered over a wide variety of locations, and it generated enough traffic to disable the university's Internet connectivity for a period of several days.

    Several incidents have indicated that intruders are actively seeking systems with good network connectivity for compromise and installation of the daemon program. The indiscriminate installation of daemons on any system with a significant network capacity has included systems whose compromise could have life-threatening consequences.

    The experiences of those who reported early attacks highlight the need for better forensic techniques and training, the importance of close cooperation, and concern for the rapid evolution of intruder tools.

 Better forensic techniques and training—Detecting and eliminating master programs is a critical part of disabling a distributed intruder system, but unfortunately the masters often do not leave obvious signs of intrusion on the system where they are installed. In most cases, the master hosts were identified after forensic examination of daemons involved in a denial-of-service attack. This forensic analysis was expensive and limited to a few knowledgeable people with experience in the field, but ultimately most of what we know today about how the systems work is a result of this analysis. Forensic techniques and training must be available to a much larger audience to respond to these attacks in the future.

 Close cooperation and communication—Prior to the workshop, many participants had incomplete information regarding the tools and methods used by intruders in this kind of attack. By sharing their knowledge, they were able to establish a more complete understanding of distributed intruder tools.

 Rapid evolution of intruder tools—The intruder tools encountered in the incidents leading to the creation of this document changed substantially during the planning of the workshop and have continued to evolve since then. As intruders learn to use established technologies to their advantage, the incident response community needs to be better prepared to meet this challenge.

3. AUDIENCE-SPECIFIC INFORMATION

Managers

    For management, the issues related to the ongoing development of distributed attack tools, such as trinoo and tribe flood network (for details, see CERT/CC incident note IN-99-07: http://www.cert.org/incident_notes/IN-99-07.html), center largely around the need to understand fully the ramifications of the intruder tools and to perform impact and organizational risk assessments on a priority basis. The results of these assessments then need to be incorporated into plans such as those for operational guidance, equipment acquisition, service contracts, and equipment configuration.

    Planning and coordination before an attack are critical to ensuring adequate response when the attack is in progress. Since the attack methodology is complex and there is no single-point solution or ''silver bullet,'' resolution and restoration of your systems may be time-consuming. The bottom line for management is that your systems may be subject at any time to distributed attacks that are extremely difficult to trace or defend against.

    Although an organization may be able to harden its own systems to help prevent implantation of the daemon portion of a distributed attack tool, there is essentially nothing a site can do with currently available technology to prevent becoming a victim of, for example, a coordinated network flood. The impact upon your site and operations is dictated by the (in)security of other sites and the ability of a remote attacker to implant the tools and subsequently to control and direct multiple systems worldwide to launch an attack. The result may be reduced or absent network connectivity to your enterprise for extended periods of time, possibly days or even weeks depending upon the number of sites attacking and the number of possible attack networks that could be activated in parallel or sequentially. Therefore, to minimize the effect on business operations, it is important to know and document in advance the actions the enterprise will take and the primary contingency contacts who must be notified.

    Below are some recommended actions for coping with the potential for an attack using distributed-system intruder tools:

 Become fully informed with regard to the nature of the attacks and the potential ramifications. Senior management should receive direct briefings from security staff in an effort to facilitate full understanding.

 Be cognizant of your own site's security posture. If your site is capable of being easily compromised due to inattention to security issues and your systems are used as either master(s) or daemon(s) for such an attack, it is possible you may share liability for damage caused to victim sites. (Consult with your organization's legal advisors and inform them of the attacks.) The reputation of your enterprise may also be at risk from the adverse publicity that may result.

 Assess the services that are mission critical for your particular business. Determine the impact upon mission-critical services if Internet connectivity is unavailable for an extended period. Develop contingency plans for continuity of operations in the event of an extended Internet outage. Consider and plan to insure against possible revenue loss due either to lost opportunity (for example, the absence of connectivity to your site for staff members, external customers, and business partners) or to lost sales (for example, an electronic commerce site is flooded and orders cannot be received). Read insurance policies carefully, and seek legal opinion on coverage for distributed-systems attacks.

 Develop an augmentation strategy to provide staff and other resources in the event of an attack. Determine which staff may be needed and where they should report. Be sure there are phone or alternative communications since electronic communication may be difficult or impossible.

 Be sure your staff have the time and resources needed to perform traffic analysis, intrusion detection, coordination with upstream providers, and other activities described under ''System Administrators'' below.

 Ensure privacy issues associated with log retention and review have been addressed in policy and that adequate analytical information is readily available to critical staff in the event an attack occurs.

 Examine your current policy requirements. In particular, ensure responsibility is defined for 1) enforcing minimum security standards; 2) cutting off users (even executive-level users) whose accounts may have been compromised or are at risk; and 3) disconnecting uncontrolled Internet connections.

 Be sure that all levels of management understand and are held accountable for security planning and implementation. Be sure that an adequate and enforceable acceptable use policy exists enterprise-wide.

 Realize that the escalating Internet threat environment must be matched by corresponding investments in security. Define security resources in the budget.

 Examine your current network and security architecture. Many sites have optimized connectivity for speed of access, making decisions that complicate security measures. In the escalating threat environment, speed and reliability can be denied unless security is included in the architecture.

 Aggressively develop cooperative relationships to support security across organizations and policy to govern those relationships. To deal effectively with distributed agents, your organization may need to cooperatively support security at other Internet sites. Internet service providers and incident response organizations should be supported.

 Pressure vendors to provide more security in their default services and configurations. Simply correcting known vulnerabilities in new releases would reduce the population of candidate sites for intruders. Ask your vendors specifically if they support the capabilities listed in the ''Internet Service Providers'' section.

    Finally, managers need to consider these trends:

 The intruder community is actively developing distributed technology.

 There are multiple categories of existing distributed-systems tools, including distributed sniffers, denial of service, and information gathering.

 In a relatively short amount of time, unsophisticated intruders can acquire sophisticated tools, enabling them to control and use significant portions of the Internet for their attacks.

System Administrators

    With the increased sophistication of intruder tools comes the critical need for action. The following table lists actions identified at the Distributed-System Intruder Tools Workshop, along with a suggested time frame for dealing with attacks using distributed-system tools.

Table 2



    Additional comments for system administrators:

    When you set up intrusion detection software, ensure that it is both fault tolerant and capable of maintaining logs on a highly saturated network. The definition of a highly saturated network varies from organization to organization. A good metric is the amount of traffic seen divided by the maximum bandwidth available to the organization. Expect to see near 100% capacity during a distributed denial-of-service attack.

    In setting up logs, have the ability to parse log information at a high rate. Workshop participants recommend attention be paid to searching based on host name/IP number.

    Be able to search at least packet headers for attack signatures.
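An added example, not code from the workshop report: a small log processor that computes the saturation metric described above (bytes seen divided by link capacity, per second), searches by source IP number, and matches packet-header fields against a signature. The link capacity, the line format, the log lines and the signature are all constructed for the example.

```python
"""Added example, not the workshop report's own code: a log-processing
check for the saturation metric and the by-source search the report asks
administrators to support. Link capacity, log format and lines are constructed."""
import re
from collections import Counter

LINK_BPS = 10_000_000  # constructed: a 10 Mbit/s Internet link


def make_log():
    """Constructed packet-header log: one second of a UDP flood from 40
    sources, then one second of ordinary web traffic. Line format (also
    constructed): '<epoch> <proto> <src>:<sport> > <dst>:<dport> <bytes>'."""
    lines = [f"1000 udp 203.0.113.{i % 40 + 1}:1024 > 198.51.100.10:53 1500"
             for i in range(800)]
    lines += [f"1001 tcp 192.0.2.{i + 1}:4000 > 198.51.100.10:80 600"
              for i in range(5)]
    return "\n".join(lines)


LINE = re.compile(r"^(\d+) (\w+) ([\d.]+):(\d+) > ([\d.]+):(\d+) (\d+)$")


def parse(log):
    """Yield one dict per well-formed header line; malformed lines are
    skipped rather than aborting the run, since a sensor on a saturated
    network may record truncated entries."""
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        t, proto, src, sport, dst, dport, size = m.groups()
        yield {"t": int(t), "proto": proto, "src": src, "sport": int(sport),
               "dst": dst, "dport": int(dport), "size": int(size)}


def utilization(records, link_bps=LINK_BPS):
    """The report's metric per one-second bucket: bytes seen (as bits)
    divided by the maximum bandwidth available to the organization."""
    per_sec = Counter()
    for r in records:
        per_sec[r["t"]] += r["size"]
    return {t: (b * 8) / link_bps for t, b in sorted(per_sec.items())}


def saturated_seconds(util, threshold=0.9):
    """Seconds at or above the threshold; expect near 100% during a DDoS."""
    return [t for t, u in util.items() if u >= threshold]


def top_sources(records, n):
    """Search keyed on IP number: the heaviest senders in the log."""
    return Counter(r["src"] for r in records).most_common(n)


def match_signature(records, signature):
    """Count header records matching every field of a signature, e.g.
    {'proto': 'udp', 'dport': 53, 'size': 1500} (a constructed signature)."""
    return sum(1 for r in records
               if all(r.get(k) == v for k, v in signature.items()))


if __name__ == "__main__":
    recs = list(parse(make_log()))
    util = utilization(recs)
    print("utilization per second:", util)
    print("saturated seconds:", saturated_seconds(util))
    print("top sources:", top_sources(recs, 3))
    print("matching signature:",
          match_signature(recs, {"proto": "udp", "dport": 53, "size": 1500}))
```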

    Finally, look to an incident response team for techniques and information for dealing with distributed attacks and the evolving attack tools.

Internet Service Providers (Network Operators)

    For the purposes of this report, an Internet service provider (ISP) is considered to be an entity that operates an Internet backbone that is used to carry traffic between two or more other Internet-connected networks. The term ISP refers to commercial network operators, research and education networks, government-operated networks, etc.

    The transport and access portions of networks characterize the unique role of an ISP in the context of a distributed-system attack. Packets generated from multiple sources during a distributed denial-of-service attack, for example, are likely to be transported across one or more ISP network backbones en route to the victim site. The access portions of an ISP's network (physical connection points of downstream hosts and networks) may be either components of an attack or the end victim.

    Considering only the transport and access portions of ISP networks, a network operator's role in a distributed attack is essentially composed of two things:

1. Identifying and controlling traffic flows from the point the traffic enters the network (ingress) to the point the traffic leaves the network (egress).

2. Ingress filtering at the network edge and/or network borders to prevent origination of packets with spoofed source IP addresses.

    In addition to the unique characteristics of the ISP networks, the networked computer systems used by ISPs to deliver services such as DNS, email, and web hosting may be attractive locations for intruders to install distributed-system tools for several reasons:

Active traffic patterns may obscure the use of attack tools.

Close proximity to high-capacity network backbones enables attacks to have a high impact.

    ISP systems themselves may also be high-impact targets for distributed-system attacks. People and systems depending on an ISP's services tend to use shared resources at some level. A carefully targeted attack on one or more critical shared resources may affect a large number of Internet users.

    The issues facing an ISP with regard to its networked computer systems being used in an attack, or being the target of an attack, are otherwise not unique and can be considered to be on par with issues faced by system and network administrators at other Internet sites (see the section for system administrators).

    During an ongoing attack, an ISP may need to trace traffic flows from the point the traffic leaves the network (egress) to the point the traffic enters the network (ingress). This is especially true in cases where distributed attacks are launched using packets with spoofed source IP addresses.

    Distributed attacks are likely to involve many source addresses, possibly from many diverse physical network paths. Near the target, traffic flows are likely to appear to be from many different source addresses and relatively few physical network paths. Near a point of origin, traffic flows may appear to be from a small number of source addresses and relatively few physical network paths. When tracing from a victim back to multiple attack sources, the traffic flows will probably deaggregate into many separate source addresses and physical network paths. The proximity of an ISP to the victim and the origin of an attack will determine the scope of an attack's traffic flow that is visible to the ISP.

    Because distributed intruder systems may originate traffic from a number of different network backbones, it is likely that a global network operator will have a more complete view of the distributed nature of the attack. Smaller regional network operators are likely to see distributed attacks in aggregated form based on the number of upstream network connections.

    In a distributed bandwidth denial-of-service attack, the proximity of an ISP to the end victim may have an indirect impact on the ISP and other downstream sites sharing the ISP's network resources. It is possible for portions of an ISP backbone to be overwhelmed, causing degradation and/or denial of service for sites that are not directly targeted in an attack.

    Coordination among network operators and among sites involved in incidents is essential for diagnosis, tracing, and control of distributed attacks.

    The following table summarizes actions the ISP community can take to better deal with distributed attacks, some of them specific to distributed denial-of-service attacks. Further explanations follow the table.

Table 3



Protective Measures

Immediate Actions

 Establish crisis policies and procedures.

Communicate policies and procedures to your constituency and staff. Include procedures for handling reports of attacks from the constituency and from the Internet community. Include provisions for an out-of-band emergency reporting channel in case network communication is unavailable.

 Maintain and enforce an acceptable use policy.

Include provisions to allow the ISP to track and limit service to those machines and/or networks that participate in attacks resulting from distributed-systems tools.

Short-Term (6 months) Actions

 Do ingress filtering.

Use ingress filtering to limit origination of IP packets with spoofed source addresses. The goal is to increase the ability to identify components of distributed systems.

 Disable directed broadcasts.

Prevent the use of networks in packet amplification denial-of-service attacks such as ''smurf'' attacks.

Long-Term (12+ months) Actions

 Educate customers.

Educate customers about potential security threats and about security best practices.

 Implement automated anti-denial-of-service policy enforcement.

Work toward an infrastructure that is able to provide automatic enforcement of policies designed to prevent denial-of-service attacks.

Detecting Attacks

Immediate Actions

 Establish an incident response team.

Pre-allocate resources to respond to security incidents.

Short-Term (6 months) Action

 Review high-profile target systems.

Establish the practice of reviewing infrastructure systems that may be highly visible targets for hosting distributed systems.

Long-Term (12+ months) Actions

 Automate the review and patching of high-profile target systems.

This automation helps to reduce the risk of having critical systems compromised due to well-known vulnerabilities for which there are patches.

 Move the initial detection point closer to the source(s) of attack.

Rather than detecting attacks close to the victim, work toward an infrastructure that makes it possible to detect attacks closer to the attack source(s).

Reacting to Attacks

Immediate Actions

 Do case-by-case egress filtering.

Apply egress filtering to identifiable packet streams to stop attacks from leaving the network backbone and to limit the immediate effects of an attack on a victim site. ''Blackholing'' the victim host or network might be necessary if filtering is not possible. This should usually be done only if it does not do more harm than good. It will, of course, deny service to the null-routed host or network but will probably stop the attack closer to the source and possibly restore service to other hosts or network elements.

 Share information with others involved.

Working with other involved sites and sharing information is essential to disabling an entire distributed attack network.

Short-Term (6 months) Actions

 Establish a method for tracing back ongoing attacks to their source.

Enhance your ability to trace distributed attacks back to the source(s) or ingress point(s) using existing features and tools.

 Do case-by-case ingress filtering.

Once an attack has been traced back to a source or an ingress point, use ingress filtering to prevent the attack from entering the network backbone. Filters should be tailored to stop the particular attack rather than being general anti-spoofing filters.

Long-Term (12+ months) Actions

 Establish a method to trace back attacks in real-time.

Establish a method for real-time traceback of attack traffic flows from the victim or egress point to the source(s) or ingress point(s).

 Perform historical traffic flow analysis.

Establish a method for historical traffic flow analysis to gain global visibility for identifying distributed attack systems.
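An added example, not code from the workshop report, illustrating the traceback described in the ISP discussion above (flows deaggregating from the victim back toward ingress points) and the case-by-case ingress filtering in the table: flow records from one backbone router are grouped by ingress interface, the interfaces carrying most of the victim-bound traffic are picked out, and RFC 1918 sources are flagged as evidence of spoofing. Interface names, addresses and packet counts are constructed.

```python
"""Added example, not the workshop report's own code: tracing a flood from
the victim (egress) back toward the ingress points using flow records, then
choosing where a case-by-case ingress filter belongs. The router interfaces,
addresses and flow counts are constructed."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
           ip_network("192.168.0.0/16")]

# Constructed flow records exported by one backbone router:
# (ingress interface, source, destination, protocol, packets)
FLOWS = [
    ("ge-0/0/1", "203.0.113.7", "198.51.100.10", "udp", 40000),
    ("ge-0/0/1", "203.0.113.9", "198.51.100.10", "udp", 38000),
    ("ge-0/0/1", "10.4.4.4",    "198.51.100.10", "udp", 41000),  # RFC 1918 source
    ("ge-0/0/2", "192.0.2.50",  "198.51.100.10", "udp", 39000),
    ("ge-0/0/2", "192.0.2.51",  "198.51.100.10", "udp", 37000),
    ("ge-0/0/3", "192.0.2.200", "198.51.100.10", "tcp", 120),    # ordinary client
    ("ge-0/0/3", "192.0.2.201", "198.51.100.44", "tcp", 90),     # unrelated flow
]


def trace_back(flows, victim):
    """Group victim-bound flows by the interface they entered on. Near the
    victim the attack is many source addresses on few physical paths; the
    per-interface totals are what the operator can act on."""
    per_if = defaultdict(lambda: [0, set()])
    for ingress, src, dst, _proto, pkts in flows:
        if dst == victim:
            per_if[ingress][0] += pkts
            per_if[ingress][1].add(src)
    return {i: (pkts, len(srcs)) for i, (pkts, srcs) in per_if.items()}


def filter_candidates(summary, share=0.20):
    """Interfaces carrying at least `share` of the victim-bound packets:
    where a filter tailored to this attack (not a general anti-spoofing
    filter) should go, or where the upstream should be asked to trace."""
    total = sum(p for p, _ in summary.values()) or 1
    return sorted(i for i, (p, _) in summary.items() if p / total >= share)


def unroutable_sources(flows, victim):
    """Victim-bound flows whose source is RFC 1918 space cannot have come
    from a routable origin, so the source field is spoofed and useless for
    attribution; the ingress interface is the only reliable lead."""
    return sorted({src for _i, src, dst, _p, _n in flows
                   if dst == victim and any(ip_address(src) in n for n in RFC1918)})


if __name__ == "__main__":
    summary = trace_back(FLOWS, "198.51.100.10")
    for iface, (pkts, nsrc) in sorted(summary.items()):
        print(f"{iface}: {pkts} packets from {nsrc} sources")
    print("apply case-by-case ingress filter at:", filter_candidates(summary))
    print("spoofed (RFC 1918) sources:", unroutable_sources(FLOWS, "198.51.100.10"))
```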

Incident Response Teams (IRTs)

    This section highlights issues for incident response teams to consider for detecting, responding to, and protecting against distributed attacks. Because IRTs generally collect and process incident information from a large constituency consisting of one or more large distributed networks, they play a crucial role in the detection of and response to distributed attacks.

    Because of the variation among response teams, it is difficult to provide suggestions that apply to all. When developing this section, workshop participants considered incident response teams that have one or more of the following responsibilities:

1. Coordinating and distributing security information (CERT/CC)

2. Setting and implementing site security policy (serve as a corporate IRT)

3. Coordinating response to incidents (university response teams)

4. Maintaining data integrity (audit teams)

5. Protecting very large networks (large ISPs)

6. Identifying and tracking intruders (law enforcement)

    Regardless of a team's responsibilities, the best protection against attacks is to be prepared. General information about incident response teams, procedures, and policies can be found in the following sources:

    Handbook for Computer Security Incident Response Teams (CSIRTs), by Moira J. West-Brown, Don Stikvoort, and Klaus-Peter Kossakowski. http://www.sei.cmu.edu/publications/documents/98.reports/98hb001/98hb001abstract.html

    Forming an Incident Response Team, by Danny Smith. http://www.auscert.org.au/Information/Auscert_info/Papers/Forming_an_Incident_Response_Team.html

    In addition, general security advice can be found on the web sites of members of the Forum of Incident Response and Security Teams (FIRST). Links can be found on the FIRST web site: http://www.first.org/

    The suggestions below focus more specifically on attacks using distributed-systems intruder tools. The table provides highlights, and further details follow the table.

Table 4



Protecting Systems

    The best step a response team can take to prevent distributed-systems attacks is to raise awareness within your constituency. They need to be aware of the concept that the security of any network on the Internet depends on the security of all other networks. The widely varying implementation of security measures is what often makes a distributed attack successful.

    Some of the suggestions below are not unique to distributed attacks, but as intruder tools become more distributed these issues become more important. The appropriate time frame for action depends on the mission of the IRT, so the time frames below are suggestions.

Immediate Actions

 Determine chain of command both internally for your team and externally for providers of critical infrastructure within your constituency.

This is not specific to distributed attacks but is important to understand when handling a crisis. The information should be available ahead of time to avoid delays when the IRT is working under pressure.

 Be aware that your own infrastructure may experience consequences of distributed-systems attacks, such as denial-of-service attacks, if your network or one near your network is targeted.

Consider developing contingency plans, and establish immediate-, short-, and long-term goals to handle distributed attacks. Use the points in this section as guidelines or a starting point.

Short-Term Actions

 Open communication channels with your constituency.

1. Provide attack signatures—Providing signatures of known distributed attacks helps members of your constituency become sensors, contributing to your successful detection, scoping, and diagnosis of these attacks.

2. Encourage members of your constituency to report incidents—Receiving reports of attacks and anomalies is a fundamental and necessary piece of detecting distributed attacks.

3. Distribute information about ongoing attacks—Communication about ongoing attacks needs to flow in both directions. Informing members of your constituency about significant ongoing attacks raises awareness and provides incentive for continuing to report incident data.

 Encourage constituency to implement filters (both inbound and outbound) that can stop potential attacks.

At a minimum, encourage members of your constituency to block outbound spoofed traffic, inbound traffic associated with well-known vulnerabilities that are commonly used in tools for widespread compromise and allocation of resources, and ports that are used for communication and control in distributed intruder networks.

Detecting Attacks

Immediate Actions

 Develop criteria for detecting distributed-systems attacks.

Because response teams are often in the unique position of processing incident data from one or more very large networks, they are one of the few entities capable of detecting and understanding the scope of an attack distributed across multiple networks. Thus, we encourage response teams to carefully examine data, reports of incidents, and output from intrusion detection systems looking for signs of distributed attacks. Ultimately, response teams should strive to distinguish distributed attacks from other activity.

Relying on signatures for identifying specific distributed attacks is not enough since teams receive data about new and novel tools and attacks. It is important to consider how future attacks may be detected, considering that the intruder community is moving toward distributed models for many types of tools.

Short-Term Action

 Develop procedures/algorithms for dealing with large amounts of traffic, and share them with other teams.

A problem not unique to distributed attacks is finding mechanisms to efficiently process large amounts of data received from diverse sources without missing anything important. As intruder tools continue to develop toward distributed models, it becomes increasingly important to use mechanisms for automatic processing of incident data. IRTs can benefit from sharing tools and effective algorithms for detecting distributed attacks.

Long-Term Action

 Develop procedures/algorithms for handling automated incident reports.

In the long term, a community effort is needed to develop procedures and algorithms for handling automated incident reports. An important component of that is developing a common language for representing incidents. Several efforts are under way both in the IDS community and within the CERT/CC that will enable automated incident reporting in the near future.

Responding to Attacks

    Some of the distributed attacks that workshop participants have seen thus far have involved bandwidth consumption denial-of-service attacks. When responding to this specific type of distributed attack, keep in mind that resources that depend on available bandwidth (such as email) may not be reliable. In responding to attacks using distributed intruder tools, teams should take the following actions:

Immediate Actions

 Scope the extent of attack, both locally and with other response teams.

One of the most important components in determining appropriate response is finding the scope of an attack. Determining scope may require communication with multiple sites within your constituency and, often, with other response teams.

 Escalate the priority of identifying machines acting as masters.

Identifying masters is a key component of response to distributed attacks. Teams need to obtain contact information for those sites, and communicate with them to solve the problem. Depending on the situation, the optimal strategy may involve either immediately disabling masters or leaving them up to monitor and collect additional data.

 Block traffic from known masters when possible.

If it is possible, block traffic from machines known to be acting as masters. This option may be useful in situations where machines within your constituency are actively involved in an ongoing distributed attack.

 When appropriate, distribute information to appropriate response teams or law enforcement authorities.

Short-Term Actions

 Encourage members of your constituency to capture, log, and report suspicious traffic.

 Deploy temporary sensors such as network sniffers or intrusion detection systems as appropriate.

Long-Term Action

 Provide tools and methods for detecting installation of masters and daemons, if possible.

4. A FINAL WORD

    Participants in the Distributed-Systems Intruder Tools Workshop spent two-and-a-half intensive days on distributed tools and ways to address this evolving threat. This paper contains the outcome of that work. Though we have described aspects of a response for separate audiences, it is clear that coordinated action by management, system administrators, Internet service providers and network operators, and incident response teams is needed to deal effectively with the threat of these tools. To a greater extent than previously, there is a systemic cause and the need for a systemic solution as reflected in many of the recommendations in this report.

    Distributed-system intruder tools demonstrate that the security of any site on the Internet depends, in part, on the security of all other sites on the Internet. Coordinated attacks across national boundaries have been observed. The tools and attacks demonstrate that a network that optimizes its technology for speed and reliability at the expense of security may experience neither speed nor reliability, as intruders abuse the network or deny its services. The intruder technology is evolving, and future tools may be more difficult to defeat.

    Workshop participants encourage readers to distribute this paper widely, but also to be vigilant, keeping informed about further developments and checking web sites of organizations such as the CERT/CC, other members of the response community, and vendors.

    This paper was last updated on December 10, 1999

CONSENSUS ROADMAP FOR DEFEATING DISTRIBUTED DENIAL OF SERVICE ATTACKS

A PROJECT OF THE PARTNERSHIP FOR CRITICAL INFRASTRUCTURE SECURITY—VERSION 1.10—FEBRUARY 23, 2000(see footnote 3)

Prepared for the Partnership By:

CERT/CC at Carnegie Mellon University (Rich Pethia*),

The SANS Institute (Alan Paller(see footnote 4)), and

The Center for Education & Research in Information Assurance & Security (CERIAS) at Purdue University (Gene Spafford*)

Reflecting the active participation, shared experience and insights of:

Stephen Northcutt of the Global Incident Analysis Center
Bill Cheswick of Lucent Technologies
Steve Kent* of BBN Technologies
Kelly Cooper from GTE Internetworking
Randy Marchany, Phil Benchoff, Valdis Kletnieks and Ron Jarrell of Virginia Tech University CIRT
David Dittrich of the University of Washington
Mudge* of The L0pht and @Stake
Neal Ziring of the National Security Agency
Eric Cole of Vista IT
Gary Gagnon, Steven Christey, and David Mann of MITRE
Andre Frech of Internet Security Services
Kevin Ziese of Cisco
David LeBlanc of Microsoft
Craig Ozancin of Axent
Adam Shostack of BindView
Diego Zamboni, Tom Daniels and Pascal Meunier of Purdue University
Henry Kluepfel of SAIC

DEFEATING DISTRIBUTED DENIAL OF SERVICE ATTACKS

Version 1.10 February 23, 2000

Introduction

    The distributed denial of service attacks during the week of February 7 highlighted security weaknesses in hosts and software used in the Internet that put electronic commerce at risk. These attacks also illuminated several recent trends and served as a warning for the kinds of high-impact attacks that we may see in the near future. This document outlines key trends and other factors that have exacerbated these Internet security problems, summarizes near-term activities that can be taken to help reduce the threat, and suggests research and development directions that will be required to manage the emerging risks and keep them within more tolerable bounds. For the problems described, activities are listed for user organizations, Internet service providers, network manufacturers, and system software providers.

Key Trends and Factors

    The recent attacks against e-commerce sites demonstrate the opportunities that attackers now have because of several Internet trends and related factors:

 Attack technology is developing in an open-source environment and is evolving rapidly. Technology producers, system administrators, and users are improving their ability to react to emerging problems, but they are behind and significant damage to systems and infrastructure can occur before effective defenses can be implemented. As long as defensive strategies are reactionary, this situation will worsen.

 Currently, there are tens of thousands—perhaps even millions—of systems with weak security connected to the Internet. Attackers are compromising these machines (and will continue to do so) and building attack networks. Attack technology takes advantage of the power of the Internet to exploit its own weaknesses and overcome defenses.

 Increasingly complex software is being written by programmers who have no training in writing secure code and are working in organizations that sacrifice the safety of their clients for speed to market. This complex software is then being deployed in security-critical environments and applications, to the detriment of all users.

 User demand for new software features instead of safety, coupled with industry response to that demand, has resulted in software that is increasingly supportive of subversion, computer viruses, data theft, and other malicious acts.

 Because of the scope and variety of the Internet, changing any particular piece of technology usually cannot eliminate newly emerging problems; broad community action is required. While point solutions can help dampen the effects of attacks, robust solutions will come only with concentrated effort over several years.

 The explosion in use of the Internet is straining our scarce technical talent. The average level of system administrator technical competence has decreased dramatically in the last 5 years as non-technical people are pressed into service as system administrators. Additionally, there has been little organized support of higher education programs that can train and produce new scientists and educators with meaningful experience and expertise in this emerging discipline.

 The evolution of attack technology and the deployment of attack tools transcend geography and national boundaries. Solutions must be international in scope.

 The difficulty of criminal investigation of cybercrime coupled with the complexity of international law means that successful apprehension and prosecution of computer crime is unlikely, and thus little deterrent value is realized.

 The number of directly connected homes, schools, libraries and other venues without trained system administration and security staff is rapidly increasing. These ''always-on, rarely-protected'' systems allow attackers to continue to add new systems to their arsenal of captured weapons.

Immediate Steps to Reduce Risk And Dampen the Effects of Attacks

    There are several steps that can be taken immediately by user organizations, Internet service providers, network manufacturers, and system software providers to reduce risk and decrease the impact of attacks. We hope that major users, including the governments (around the world) will lead the user community by setting examples—taking the necessary steps to protect their computers. And we hope that industry and government will cooperate to educate the community of users—about threats and potential courses of action—through public information campaigns and technical education programs.

    In all of these recommendations, there may be instances where some steps are not feasible, but these will be rare and requests for waivers within organizations should be granted only on the basis of substantive proof validated by independent security experts.

Problem 1: Spoofing

    Attackers often hide the identity of machines used to carry out an attack by falsifying the source address of the network communication. This makes it more difficult to identify the sources of attack traffic and sometimes shifts attention onto innocent third parties. Limiting the ability of an attacker to spoof IP source addresses will not stop attacks, but will dramatically shorten the time needed to trace an attack back to its origins.

Solutions:

 User organizations and Internet service providers can ensure that traffic exiting an organization's site, or entering an ISP's network from a site, carries a source address consistent with the set of addresses for that site. Although this would still allow addresses to be spoofed within a site, it would allow tracing of attack traffic to the site from which it emanated, substantially assisting in the process of locating and isolating attack traffic sources. Specifically, user organizations should ensure that all packets leaving their sites carry source addresses within the address range of those sites. They should also ensure that no traffic from ''unroutable addresses'' listed in RFC 1918 is sent from their sites. This activity is often called egress filtering. User organizations should take the lead in stopping this traffic because they have the capacity on their routers to handle the load. ISPs can provide backup to pick up spoofed traffic that is not caught by user filters. ISPs may also be able to stop spoofing by accepting traffic (and passing it along) only if it comes from authorized sources. This activity is often called ingress filtering.

 Dial-up users are the source of some attacks. Stopping spoofing by these users is also an important step. ISPs, universities, libraries and others that serve dial-up users should ensure that proper filters are in place to prevent dial-up connections from using spoofed addresses. Network equipment vendors should ensure that no-IP-spoofing is a user setting, and the default setting, on their dial-up equipment.

Problem 2: Broadcast Amplification

    In a common attack, the malicious user generates packets with a source address of the site he wishes to attack (site A) (using spoofing as described in problem 1) and then sends a series of network packets to an organization with lots of computers (Site B), using an address that broadcasts the packets to every machine at site B. Unless precautions have been taken, every machine at Site B will respond to the packets and send data to the organization (Site A) that was the target of the attack. The target will be flooded and people at Site A may blame the people at Site B. Attacks of this type often are referred to as Smurf attacks. In addition, the echo and chargen services can be used to create oscillation attacks similar in effect to Smurf.

Solutions:

 Unless an organization is aware of a legitimate need to support broadcast or multicast traffic within its environment, the forwarding of directed broadcasts should be turned off. Even when broadcast applications are legitimate, an organization should block certain types of traffic sent to ''broadcast'' addresses (e.g., ICMP Echo Reply messages) so that its systems cannot be used to effect these Smurf attacks.

 Network hardware vendors should ensure that routers can turn off the forwarding of IP directed broadcast packets as described in RFC 2644 and that this is the default configuration of every router.

 Users should turn off echo and chargen services unless they have a specific need for those services. (This is good advice, in general, for all network services—they should be disabled unless known to be needed.)
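The amplification described under Problem 2 and the three countermeasures above (no forwarding of directed broadcasts, hosts not answering broadcast echo, echo/chargen turned off), worked through in Python as an added example that is not part of the SANS document or the hearing record. Site B's prefix, its 50 live hosts, the victim address and the packets are constructed sample values.

```python
"""Broadcast amplification (Problem 2) and the Roadmap's countermeasures.

Added example, not taken from the SANS document or the hearing record. It
models site B as a /24 whose hosts answer ICMP echo requests, shows how one
echo request with a spoofed source and a directed-broadcast destination
fans out into one reply per host aimed at the spoofed source (site A), and
then applies the fixes the text lists: the border router not forwarding
directed broadcasts (the RFC 2644 default) and hosts not answering echo
requests addressed to a broadcast address. It also flags UDP echo/chargen
port pairs that can make two hosts oscillate. All addresses, host counts
and packets are constructed sample values.
"""
import ipaddress
from dataclasses import dataclass

ECHO_PORT, CHARGEN_PORT = 7, 19
SITE_B = ipaddress.ip_network("203.0.113.0/24")             # constructed amplifier site
SITE_B_HOSTS = [str(h) for h in list(SITE_B.hosts())[:50]]  # 50 hosts that are up
VICTIM = "198.51.100.10"                                     # site A, the spoofed source


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "icmp-echo-request", "icmp-echo-reply" or "udp"
    sport: int = 0
    dport: int = 0


def is_directed_broadcast(pkt, net):
    """True when the destination is net's broadcast address."""
    return ipaddress.ip_address(pkt.dst) == net.broadcast_address


def border_router_forwards(pkt, net, forward_directed_broadcast):
    """The site's border router; RFC 2644 says the default should be False."""
    if is_directed_broadcast(pkt, net) and not forward_directed_broadcast:
        return False
    return True


def host_reply(pkt, host, net, answer_broadcast_echo):
    """One host's reaction to a packet: an echo reply or None."""
    if pkt.proto != "icmp-echo-request":
        return None
    if pkt.dst == host or (is_directed_broadcast(pkt, net) and answer_broadcast_echo):
        return Packet(host, pkt.src, "icmp-echo-reply")
    return None


def amplify(pkt, net=SITE_B, hosts=SITE_B_HOSTS,
            forward_directed_broadcast=True, answer_broadcast_echo=True):
    """Replies that leave site B for one inbound packet.

    len(result) is the amplification factor; every reply carries pkt.src
    as its destination, which is why the spoofed site A gets flooded.
    """
    if not border_router_forwards(pkt, net, forward_directed_broadcast):
        return []
    replies = [host_reply(pkt, h, net, answer_broadcast_echo) for h in hosts]
    return [r for r in replies if r is not None]


def suspicious(pkt, net=SITE_B):
    """Detection rules a site B operator can run on its own border traffic."""
    found = []
    if pkt.proto == "icmp-echo-request" and is_directed_broadcast(pkt, net):
        found.append("echo request to directed broadcast address")
    if pkt.proto == "udp" and {pkt.sport, pkt.dport} <= {ECHO_PORT, CHARGEN_PORT}:
        found.append("echo/chargen port pair (oscillation)")
    return found


# Constructed packets arriving at site B's border.
SMURF = Packet(VICTIM, str(SITE_B.broadcast_address), "icmp-echo-request")
UNICAST_PING = Packet("192.0.2.5", "203.0.113.7", "icmp-echo-request")
LOOP = Packet(VICTIM, "203.0.113.7", "udp", sport=ECHO_PORT, dport=CHARGEN_PORT)


def scenario():
    """Amplification factor under each configuration, plus detection hits."""
    return {
        "defaults": len(amplify(SMURF)),
        "router drops directed broadcast": len(amplify(SMURF, forward_directed_broadcast=False)),
        "hosts ignore broadcast echo": len(amplify(SMURF, answer_broadcast_echo=False)),
        "ordinary unicast ping": len(amplify(UNICAST_PING)),
        "flags": {"smurf": suspicious(SMURF), "loop": suspicious(LOOP),
                  "ping": suspicious(UNICAST_PING)},
    }


if __name__ == "__main__":
    for name, value in scenario().items():
        print(f"{name}: {value}")
```

Either fix alone brings the factor from 50 to 0 for the broadcast case while an ordinary unicast ping still gets its single reply, which is why the text can recommend both without breaking legitimate use.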

Problem 3: Lack of Appropriate Response To Attacks

    Many organizations do not respond to complaints of attacks originating from their sites or to attacks against their sites, or respond in a haphazard manner. This makes containment and eradication of attacks difficult. Further, many organizations fail to share information about attacks, giving the attacker community the advantage of better intelligence sharing.

Solutions:

 User organizations should establish incident response policies and teams with clearly defined responsibilities and procedures.

 ISPs should establish methods of responding quickly and staffing to support those methods when their systems are found to have been used for attacks on other organizations.

 User organizations should encourage system administrators to participate in industry-wide early warning systems, where their corporate identities can be protected (if necessary), to counter rapid dissemination of information among the attack community.

 Attacks and system flaws should be reported to appropriate authorities (e.g., vendors, response teams) so that the information can be applied to defenses for other users.

Problem 4: Unprotected Computers

    Many computers are vulnerable to take-over for distributed denial of service attacks because of inadequate implementation of well-known ''best practices.'' When those computers are used in attacks, the carelessness of their owners is instantly converted to major costs, headaches, and embarrassment for the owners of computers being attacked. Furthermore, once a computer has been compromised, the data may be copied, altered or destroyed, programs changed, and the system disabled.

Solutions:

 User organizations should check their systems periodically to determine whether they have had malicious software installed, including DDOS Trojan Horse programs. If such software is found, the system should be restored to a known good state.

 User organizations should reduce the vulnerability of their systems by installing firewalls with rule sets that tightly limit transmission across the site's periphery (e.g. deny traffic, both incoming and outgoing, unless given specific instructions to allow it).

 All machines, routers, and other Internet-accessible equipment should be periodically checked to verify that all recommended security patches have been installed.

 The security community should maintain and publicize a current ''Top-20 Exploited vulnerabilities'' and the ''Top 20 Attacks'' list of currently most-often-exploited vulnerabilities to help system administrators set priorities.

 Users should turn off services that are not required and limit access to vulnerable management services (e.g., RPC-based services).

 Users and vendors should cooperate to create ''system-hardening'' scripts that can be used by less sophisticated users to close known holes and tighten settings to make their systems more secure. Users should employ these tools when they are available.

 System software vendors should ship systems where security defaults are set to the highest level of security rather than the lowest level of security. These ''secure out-of-the-box'' configurations will greatly aid novice users and system administrators. They will furthermore save critically-scarce time for even the most experienced security professionals.

 System administrators should deploy ''best practice'' tools including firewalls (as described above), intrusion detection systems, virus detection software, and software to detect unauthorized changes to files. This will reduce the risk that systems are compromised and used as a base for launching attacks. It will increase confidence in the correct functioning of the systems. Use of software to detect unauthorized changes may also be helpful in restoring compromised systems to normal function.

 System and network administrators should be given time and support for training and enhancement of their skills. System administrators and auditors should be periodically certified to verify that their security knowledge and skills are current.

Longer Term Efforts to Provide Adequate Safeguards

    The steps listed above are needed now to allow us to begin to move away from the extremely vulnerable state we are in. While these steps will help, they will not adequately reduce the risk given the trends listed above. These trends hint at new security requirements that will only be met if information technology and community attitudes about the Internet are changed in fundamental ways. In addition, research is needed in the areas of policy and law to enable us to deal with aspects of the problem that technology improvements will not be able to address by themselves. The following are some of the items that should be considered:

 Establish load and traffic volume monitoring at ISPs to provide early warning of attacks.

 Accelerate the adoption of the IPsec components of Internet Protocol Version 6 and Secure Domain Name System.

 Increase the emphasis on security in the research and development of Internet II.

 Support the development of tools that automatically generate router access control lists for firewall and router policy.

 Encourage the development of software and hardware that is engineered for safety with possibly vulnerable settings and services turned off, and encourage vendors to automate security updating for their clients.

 Sponsor research in network protocols and infrastructure to implement real-time flow analysis and flow control.

 Encourage wider adoption of routers and switches that can perform sophisticated filtering with minimal performance degradation.

 Sponsor continuing topological studies of the Internet to understand the nature of ''choke points.'' Test deployment and continue research in anomaly-based, and other forms of intrusion detection.

 Support community-wide consensus of uniform security policies to protect systems and to outline security responsibilities of network operators, Internet service providers, and Internet users.

 Encourage development and deployment of a secure communications infrastructure that can be used by network operators and Internet service providers to enable real-time collaboration when dealing with attacks.

 Sponsor research and development leading to safer operating systems that are also easier to maintain and manage.

 Sponsor research into survivable systems that are better able to resist, recognize, and recover from attacks while still providing critical functionality.

 Sponsor research into better forensic tools and methods to trace and apprehend malicious users without forcing the adoption of privacy-invading monitoring.

 Provide meaningful infrastructure support for centers of excellence in information security education and research to produce a new generation of leaders in the field.

 Consider changes in government procurement policy to emphasize security and safety rather than simply cost when acquiring information systems, and to hold managers accountable for poor security.

A Living Document

    This Roadmap is a living document and will be updated periodically when new or altered threats require changes to the document. Furthermore it is a consensus document—a product of the joint thinking of some of the best minds in security—and it will continue to improve if you share your experiences in implementing the prescriptions. Please send feedback and suggestions to sansro@sans.org with the subject: DDOS Roadmap.

    The CHAIRMAN. And Mudge, you are welcome to testify next.

STATEMENT OF ''MUDGE,'' VICE PRESIDENT OF RESEARCH AND DEVELOPMENT, @STAKE, INC., CAMBRIDGE, MA

    Mr. MUDGE. Thank you very much, Mr. Chairman and members of the House and Senate; and thank you very much for the much more responsible introduction you gave me than was on the Website.

    If there was one thing that the recent distributed denial-of-service attacks has pointed out, it is not that the Internet is fragile and wrought with peril. This is something that we have known for over a decade. What we are learning now is that knee-jerk reactions and short-term planning still rule the corporate mind-set. Luckily this can be changed and thus current computer security environments improved.

    The cry of people to remove offensive information from the Internet shows a lack of understanding in the mechanics of how the Internet actually works: the Internet guarantees that information moves from where it is to where it is not. As such, you cannot stop information after the fact. If a piece of information is released, the price of copying and redistributing it is nothing. Once it has been released, it has essentially been irrevocably published. You cannot go back and stop it from being published at this point.

    So how do you combat this? We cannot in this environment attempt to legislate what can and cannot be said and expected to hold across a network that exceeds our legal jurisdiction. If you have to fight bad information, you must do so with good information. Imagine that you are a fire department and you have no water at your disposal. You fight fire with fire. But therein lies the rub. How can tools of healing be so similar to tools of destruction and if they are so difficult to tell apart when there is no motive or action behind them to directly color their impact, how can we clamor for their removal?

    How can we believe that we are trying to help the world if we are not attempting to research and discover new tools of this nature on our own, if for no other reason than to understand where vulnerabilities exist and how to prevent them before they are exploited by others? After all, why do we bother with war colleges? Because the worst-case scenario that can happen should never be a surprise. You cannot make it illegal to publish information or block the information that is being presented on as you call them hacker sites. You cannot even tell if this information is a tool of healing or a tool of destruction.

    In this case, I will argue that more often than not the information is good. Can we expect to stop useful information from being distributed? No. Can we stop useful information from being used for malicious purposes? No. Can we find and publish useful information slanting it for beneficial purposes? Yes. And can we do this in a preventive fashion as opposed to pretending that useful information can only be reactive in nature? We must.

    Steal their thunder. Do research into finding security problems and shortcomings of these networks. Publish the results. If you wait for other people to find the problems, then they get to slant how the information is presented and ultimately used, not you. You were at that point relegated to cleaning up the mess that they have created. Would it not be a better situation to release the information on your own and be able to slant its uses toward beneficial goals?

    Ask any corporation if they would prefer to air their own problems or have someone else do it for them and thus lose that control.

    Two years ago I gave testimony before the Senate Committee on Government Affairs along with my colleagues. We spoke about the weak infrastructure of the Internet. We touched upon topics dealing with massive disruption of service and how to prevent against them. Two years later I find myself attempting to impart similar information to the President. This along with other examples such as the reaction of industries to the DDoS attacks that have been known about for some time, would lead us to the conclusion that more effort should not be spent in helping companies recover or coordinate after the fact. Instead, effort should be made to ensure that companies make use of this information that is available and perform the due diligence that is expected of them by their customers and stockholders. Crying over spilled milk gets old after the second time.

    I would also like to point out that there are much nastier distributed denial-of-service attacks and singular denial-of-service attacks which we have alerted people about and we are just going to wait until they hit.

    If corporations are still calling for the various Federal agencies to assist them, then maybe one of the holdups is an inability for the Federal groups such as the FBI to educate companies as to what will help in investigations or claims. This would help in reducing the number of false positives that the FBI must disprove. One of the things I did this morning before coming over here is I called up the FBI computer crime squad and I asked them what was their biggest problem in this particular case; and they responded saying well, the trap and trace would be very helpful, and I said why. Their response to that was well then we can get the ISPs and the various vendors to give us the information before that information is destroyed or lost.

    Well, I asked them what that information was and had they qualified it and can they publish that to people so they know what they are trying to protect and what they are trying to ensure the integrity of, and the answer was, no. So how can we ask people to actually fix this problem and protect the information if we can't tell them what it is that will help us solve it. So with the stance of distributing such information on what helps in investigating these crimes, one would be able to enforce underwriting. A price can be placed on ineptness. The potential victim is able to take appropriate steps in preventing attackers from removing or altering log files and accounting that will be useful in analysis.

    To close, allow me to point out our actions instead of just my words here. The organization that I have been involved with since 1992, the L0pht, now the R&D component of a newer company called @Stake, has been sharing our discoveries and methodologies since our inception. We have come out with descriptions of problems, how we found them, how people can test for them, and how to solve them. We decided that if information can be presented without encouraging people to misuse it, then people will use it for laudable purposes. We have ultimately improved our surroundings and those of the people and companies with whom we have been involved. That is, after all, the goal and something not many can lay claim to. Thank you.

    The CHAIRMAN. Thank you, Mudge.

    [The prepared statement of Mudge follows:]

PREPARED STATEMENT OF ''MUDGE,'' VICE PRESIDENT OF RESEARCH AND DEVELOPMENT, @STAKE, INC., CAMBRIDGE, MA

    If there is one thing that the recent Distributed Denial of Service attacks has pointed out it is not that the Internet is fragile and wrought with peril. This is something that has been known for over a decade. What we are learning now is that knee-jerk reactions and short-term planning still rule the corporate mindset. Luckily, this can be changed.

    The cry of people to remove offensive information from the Internet shows a lack of understanding in the mechanics of how the Internet operates. The Internet guarantees that information moves from where it is—to where it is not. As such, you cannot stop information after the fact. If a piece of information is released the price of copying and redistributing it is nothing. Once it has been released it has essentially been irrevocably published. You cannot go back and stop it from being published at this point.

    So how do you combat this? You cannot, in this environment, attempt to legislate what can and cannot be said and expect it to hold across a network that exceeds our legal jurisdiction. If you have to fight bad information you must do so with good information. Imagine that you are a fire department and you have no water at your disposal. You fight fire with fire. But therein lies the rub. How can tools of healing be so similar to tools of destruction, and if they are so difficult to tell apart when there is no motive or action behind them to directly color their impact how can we clamor for their removal? How can we believe that we are trying to help the world if we are not attempting to research and discover new tools of this nature? If for no other reason than to understand where vulnerabilities exist and how to prevent them before they are exploited by others. After all, why do we bother with war colleges? Because the worst-case scenarios that can happen should never be a surprise!

    You cannot make it illegal to publish information or block the information that is being presented on the 'as you call them' hacker sites. You cannot even tell if this information is a tool of healing or a tool of destruction. In this case I will argue that more often than not the information is good.

    Can we expect to stop useful information from being distributed?—No.

    Can we stop useful information from being used for malicious purposes?—No.

    Can we find and publish useful information slanting it for beneficial purposes?—Yes.

    Can we do this in a preventative fashion as opposed to pretending that useful information can only be reactive in nature?—We must.

    Steal their thunder! Do research into finding the security problems and shortcomings of these networks. Publish the results! If you wait for other people to find the problems then they get to slant how the information is presented, and ultimately used . . . not you. You are, at that point, relegated to cleaning up the mess that they have created. Would it not be a better situation to have released the information on your own and been able to slant its uses towards beneficent goals?

    Ask any corporation if they would prefer to air their own problems or have someone else do it for them and thus lose that control.

    Two years ago I gave testimony before the Senate Committee on Government Affairs along with my colleagues. We spoke about the weak infrastructure of the Internet. We touched upon topics dealing with massive disruption of service and how to prevent against them. Two years later and I find myself attempting to impart similar information to the President. This, along with other examples such as the reaction of industry to the DDoS attacks that had been known about for some time, would lead us to the conclusion that more effort should not be spent in helping companies recover or coordinate after the fact. Instead, effort should be made to ensure that companies make use of the information available and perform the due-diligence that is expected of them by their customers and stockholders. Crying over spilled milk gets old after the second time.

    If corporations are still calling for the various federal agencies to assist them then maybe one of the hold-ups is an inability for the federal groups such as the FBI to educate the companies as to what will help in investigations or claims. This would help in reducing the number of false positives that the FBI must disprove. People implicitly know that they should not wander around a crime scene disturbing potential evidence. Further, when called in to look at a crime scene the investigators will restrict access to prevent others from destroying potential evidence. This is relatively common practice in the physical world. Unfortunately, it is still the exception when dealing with filesystems and transient data found on computers and networks.

    The publishing of a clear and concise list of what types of information are useful to computer investigations would help to educate the entities that find themselves compromised or under attack. Here is an example of an instance in which publishing information can be used for good or bad purposes. If an attacker knows what information will aid in an investigation then he or she can try to remove it. If someone trying to protect their company assets or image knows what information will help the appropriate organizations or agencies track down the culprit then they can take steps to protect it and ensure its integrity.

    Let us briefly examine what could happen if the incorrect stance of restricting useful information is taken. The victim had no idea what information or logging and accounting mechanisms to protect and therefore cannot be held responsible for not attempting to protect the system. Underwriting or insurance mechanisms cannot be called into effect here as there is no official document stating the equivalent virtual construct to ''you have a wood frame building . . . where are your sprinklers''. The attackers? They are going to remove every log file or disable any accounting mechanism they can find.

    With the stance of distributing information on what helps in investigating these crimes one would be able to enforce underwriting. A price can be placed on ineptness. The potential victim is able to take appropriate steps in preventing attackers from removing or altering log files and accounting that will be useful in analysis.

    I do not believe the older investigative components of the government are currently sufficiently up to speed in these areas. This might explain some of the reluctance for corporations to approach places like the FBI and instead turn to areas such as the CIAO for assistance.

    To close, allow me to point to our actions instead of my words. The organization that I have been involved with since 1992—the L0pht, now the R&D component of a newer company called @Stake, has been sharing our discoveries and methodologies since our inception. We have come out with descriptions of problems, how we found them, how people can test for them, and how to solve them. We decided that if information can be presented without encouraging people to misuse it then people use it for laudable purposes.

    We have ultimately improved our surroundings and those of the people and companies with whom we have been involved. That is, after all, the goal—and something not many can lay claim to.

    The CHAIRMAN. Now, Mr. Dempsey, you are recognized for 5 minutes.

STATEMENT OF JAMES X. DEMPSEY, ESQ., SENIOR STAFF COUNSEL, THE CENTER FOR DEMOCRACY & TECHNOLOGY, WASHINGTON, DC

    Mr. DEMPSEY. Mr. Chairman, thank you very much; and Mr. Scott and members of the subcommittee, thank you for inviting me here today. It is a pleasure to appear before the subcommittee today on the important question of Internet security and the Federal Government response. I have two themes that I would like to stress today in terms of the Federal Government response, particularly the legislative response, the themes of caution and balance.

    The Internet security is a problem, and it requires solutions. But those solutions must map onto this global, decentralized, user-controlled medium. The Internet has flourished, grown at such a tremendous pace, as members have pointed out, without government intervention. Building more secure networks is largely within the domain of the private sector. The Government contribution is limited and the Government's potential to do harm is great. There is a role for law enforcement. Hacking is a crime and should be punished appropriately. But the question of law enforcement's role cannot be separated from the issue of privacy.

    The full privacy protections that we associate with our papers and computer hard drives in our home and office do not fully apply to information on networks. This huge amount of information that is available to the Government has outpaced the privacy protections in statute. Therefore, any legislation that were to develop in response to both the latest attacks and the broader computer security issue must be narrow and balanced with privacy legislation intended to tighten some of these standards for Government access to information.

    Now, the point has been suggested that investigating crime on the Internet is harder, and in some respects the Internet does pose challenges to law enforcement; but if you look at the testimony of Mr. Vatis of the FBI and if you look at the statement that FBI Director Freeh gave to the Senate 2 weeks ago, you will see a number of cases in which the FBI and other government agencies have been very successful in investigating Internet crime, including those crossing both State lines as well as international boundaries: the Phone Masters case, involving the theft of credit card numbers, calling-card numbers and their sale to Italy, that was solved; the Ardita case, where the hacker was in Argentina, he was identified by the FBI and ultimately brought back to the United States; the Solar Sunrise case. Many of these cases have in fact been successfully investigated and prosecuted by law enforcement using their current tools.

    Congressman Scott after some questioning got the Justice Department witnesses to explain how the standards for some of these current legal authorities are extremely low. Look at the pen register statute. There has been some discussion today of extending the pen register statute, to have nationwide service of process, in essence, for these interception orders. That may or may not be a good idea, but I think we need to look at the standard under that statute.

    That statute says that if a prosecutor signs a piece of paper certifying that the use of the pen register is relevant to an ongoing investigation, the judge shall issue the order. A piece of paper signed saying that it is relevant—the judge has to sign it—that is the legal standard that applies here. The judge doesn't have the opportunity to ask how is this relevant and why are you going into other jurisdictions. So that is one example of how we need to constantly look at these legal standards.

    That is a standard that was put on the books in 1986. Now it is being applied to the Internet. I don't think that people fully know, and I think there are questions even on the part of the Justice Department, how does that statute apply to surveillance at ISPs when an Internet service provider receives a pen register order, what are they supposed to provide. We are seeing a blurring of the line between content on the one hand which is highly protected and transactional information on the other side, which is increasingly revealing. These are the kinds of issues that need to be examined along with any request that comes from the Justice Department.

    I was pleased when Mr. Nadler asked the question that Deputy Attorney General Holder said that the Justice Department was in fact prepared to include additional privacy protections in any legislation, and I think if anything is done it should be narrow and balanced in that regard. Thank you, Mr. Chairman.

    The CHAIRMAN. Thank you, Mr. Dempsey.

    [The prepared statement of Mr. Dempsey follows:]

PREPARED STATEMENT OF JAMES X. DEMPSEY, ESQ., SENIOR STAFF COUNSEL, THE CENTER FOR DEMOCRACY & TECHNOLOGY, WASHINGTON, DC

    Chairman Thurmond, Chairman McCollum, and Subcommittee Members, thank you for the opportunity to testify on the important issue of Internet security and the federal response. The Center for Democracy and Technology is a non-profit, public interest organization dedicated to promoting civil liberties and democratic values on the Internet. Our core goals include enhancing privacy protections for individuals and preserving the open architecture of the Internet. CDT also coordinates the Digital Privacy and Security Working Group (DPSWG), a forum for more than 50 computer, communications, and public interest organizations, companies and associations working on information privacy and security issues.

    CDT focuses much of its work on the Internet because we believe that, more than any other medium, it has characteristics that are uniquely supportive of democratic values. In framing policy solutions for the Internet, we believe it is imperative to recognize and preserve the open, global, decentralized, interactive, and user-controlled nature of this medium. The Internet has become the engine of our economy. It is transforming education, medicine, journalism, and entertainment. It also has the power to enhance the democratic relationship between government and its citizens. All one has to do is look at Thomas, the Web site of the Library of Congress, or consider how the Internet is being used in election campaigns to bring into the political process people never before involved in politics to see how it has the potential to revitalize democracy and restore trust in government. For the sake of the economic, social and political benefits of this medium, Congress should do nothing that will interfere with its open architecture and user-controlled nature.

    Hacking, unauthorized access to computers, denial of service attacks, and the theft, alteration or destruction of data are all crimes, appropriately so, and the perpetrators of the recent denial of service attacks should be punished if caught. But Congress must recognize that the problem of Internet security is not one primarily within the control of the federal government. Particularly, it is not a problem to be solved through the criminal justice system. Internet security is primarily a matter for the private sector, which has built this amazing system in such a short time without government interference. It is clear that the private sector is stepping up its security efforts, with an effectiveness that the government could never match, given the rapid pace of technology change and the decentralized nature of the medium.

    It is always appropriate to consider whether our laws have been outdated by changes in technology, and several proposals have been under consideration since before the recent attacks to amend the computer crime statute and the electronic surveillance laws to enhance law enforcement authorities. The Subcommittees, after careful analysis, may find that some modest changes are appropriate. But we urge caution, especially in terms of any changes that would enhance surveillance powers or government access to information. Americans are already deeply concerned about their privacy, especially online. Changes in technology are making ever more information available to government investigators, often with minimal process falling far short of Fourth Amendment standards. You must be careful to ensure that the recent Internet attacks do not serve as justification for legislation or other government mandates that will be harmful to civil liberties and the positive aspects of the openness and relative anonymity of the Internet. Such a course is especially unjustified when there is so much to be done to improve security without changing the architecture or protocols of the Internet or further eroding privacy.

    The major problem we see in the law now is that the standards for government access to information are not high enough to protect the privacy of legitimate computer users. If the Congress concludes that any legislative changes are necessary in response to Internet security, those changes should be equally balanced with measures to improve privacy by tightening the standards for government surveillance and access to information. We are prepared to work with the Committees and the Justice Department to flesh out the needed privacy enhancements, and to convene DPSWG as a forum for building consensus.

    A major issue on the Internet today is trust. The cyber-attacks undermined that trust. But so would government mandates. Security and privacy go hand-in-hand. Trying to improve security without addressing privacy will leave a trust deficit.

    Finally, we caution against any government requirements on Internet service providers to keep additional records or to design the Internet to be easier to monitor. These are unlikely to have any long-term positive benefit, they pose obvious risks to privacy, and they could actually harm security. We must not head down the path of government mandates that could end up impeding the growth of this sector and eroding rather than building public trust. It is clear that the private sector is taking the lead to improve Internet security. The potential for the government to help is limited, while the risk of government doing harm is very high.

    With that introduction, I would like to address three questions:

1. What was the nature of the attacks three weeks ago and what do they tell us about the problem of Internet security in general?

2. What are the best means to improve Internet security, and what can government do to support that goal?

3. What additional criminal or investigative authorities, if any, are needed and how should they be balanced with privacy protections to ensure that privacy also keeps pace with changes in technology?

1. INTERNET SECURITY HAS BEEN IGNORED FOR TOO LONG, BUT THE SOLUTIONS ARE IN THE HANDS OF THE INTERNET COMMUNITY, NOT THE GOVERNMENT

    Starting three weeks ago in earnest, malicious hackers began attacking prominent e-commerce Web sites with what are known as ''denial of service attacks.'' The targeted e-commerce sites were not broken into. No data were stolen or destroyed. Nobody's credit card number was compromised. Instead, the targeted computers were bombarded with phony messages, so many that legitimate traffic could not get through. It was a little like pranksters repeatedly and rapidly calling your office phone number, tying up all the lines so that constituents could not get through. The impact of the attacks was magnified greatly because the attackers had commandeered a large number of other computers belonging to innocent third parties—universities, other businesses, perhaps even some government agencies—and programmed them to send out to the targeted sites this barrage of phony messages. Thus the name ''distributed'' denial of service attack.

    However, there are several things unique about these attacks—differences unique to the Internet—that make them quite unlike a barrage of phone calls to your office and that point the way to the proper policy response:

 the method of attack was previously well-known and had been the subject of multiple alerts and warnings;

 it exploited vulnerabilities in computer systems that were also well-known;

 there are readily available fixes for those vulnerabilities that would have greatly diminished the force of the attacks, if conscientiously applied by the Internet community;

 most importantly, victims of the attacks, such as eBay, were themselves able to change their systems and work with their Internet Service Providers in order to turn back the attacks and restore full service, usually within one or two hours.

    First, the distributed denial of service (DDOS) attack methods were well-known and were the subject of many warnings and alerts before they were launched. The programs used to launch the attacks had been identified and analyzed. The Computer Emergency Response Center (CERT) at Carnegie Mellon had issued a DDOS alert on November 18, 1999, and an update on December 28, specifically describing the kind of software used in the denial of service attacks experienced earlier this month. (Indeed, as early as July 22, 1999, CERT warned of denial of service attacks of this general type.) The FBI issued alerts on December 6, 1999 and on December 30. In addition, various private Internet security companies issued warnings to their clients, and the Financial Services Information Sharing and Analysis Center (FS/ISAC) issued warnings to its members. The attacks were actually used on a smaller scale throughout last Fall. The existence of the DDOS tools was even reported by the major print media, in the San Diego Tribune on November 20 and in USA Today on December 7. Rarely is any ''crime'' offline so widely commented upon and analyzed before it occurs.

    Second, the attackers who launched these attacks were able to break into hundreds of computers on the Internet and commandeer them because, like most hackers, they were able to exploit well-known system vulnerabilities. And, as with most malicious code, there were diagnostic tools that would have allowed systems administrators to determine if their computers had been hijacked for DDOS purposes. Some systems operators had carefully scrubbed their systems to detect and remove the malicious code; others were less diligent and did not practice good ''computer hygiene.''

    Third, there has long been a means available to prevent DDOS attacks. The Internet Engineering Task Force, a private, non-profit standards-setting body, had recommended a simple and effective method to prohibit DDOS attacks using forged IP addresses in January 1998. Some systems operators had adopted these preventive measures; others, obviously, had not.

    Finally, some of the owners of the attacked systems were able to respond to them, and to turn back the attack within less than two hours. For example, eBay testified in the Senate that, when the attack began, it quickly took a number of steps to fight back. Initially, it put in a number of firewalls to repel the bad traffic. When the volume became too great, it turned to its ISPs, and worked with them to develop filtering mechanisms to prevent bad traffic from even reaching eBay's site. Within 90 minutes, the filter effectively stopped the bad traffic and allowed eBay to return to normal service, even though the attack itself continued for an additional 90 minutes. The following day, when the attack resumed, eBay and its ISPs responded so quickly that there was no disruption in service. Within days of the attacks, other Internet security companies had come forward with other countermeasures.

    These factors should give pause to policymakers seeking to assign government a major role in Internet security. The tools for warning, diagnosing, preventing and even investigating Internet attacks are uniquely in the hands of the private sector. In these ways, Internet crime is quite different from other forms of crime. The ability of the government, and in particular the criminal law, to respond to this problem is quite limited. Even with vastly expanded powers, the government would never be able to respond to even a small percentage of cases as quickly as the private sector can.

    It must be stressed that the source of the security problem is not the architectural openness of the Internet, nor does the problem have anything to do with anonymity. Security weaknesses in the Internet are not an inevitable byproduct of the architecture itself: indeed, the decentralized, open, user-controlled architecture is what makes the Internet as resilient as it is. Rather, the problem is that security measures compatible with the open and anonymous nature of the Internet have been given a low priority as the Internet has grown. The explosion of services and business online and the rapid roll-out of new software with new features have come at a price. In that sense, the denial of service attacks were a wake-up call, not because they highlighted the lack of security—everyone concerned should have known that long ago—but because they hit the bottom line. They had an impact in the market, both the stock market and the consumer market. As a result, competitive forces are far more likely to produce good security practice than anything the government could do.

    The conclusion to be drawn from this is that computer security is not a problem soluble by criminal investigation and prosecution: basic system security has been ignored far too long. Good security can be achieved without sacrificing privacy, the relative anonymity that is now available online, or the democratic openness of the Internet. Invasive government measures are no substitute for the community effort needed to build better security.

    Some in government have argued that the Internet's uniqueness requires not less, but more intervention. In particular, they complain about the anonymity or lack of traceability on the Internet. This is a red herring. There is probably more traceability online than in the real world. An anonymous vandal can throw a brick through a bank window and run away down any number of streets. An anonymous pickpocket can lift your wallet with credit cards and melt into the crowd. But we do not require people to carry identification cards, nor do we install checkpoints on our streets. We do not have perfect traceability in the real world, for good reasons. We do not need perfect identity and traceability online either. Nobody has shown that authentication would have stopped these attacks. If anything, experts have explained that some authentication mechanisms would have made the problem worse.

2. THE GOVERNMENT HAS A LIMITED ROLE, FOCUSED ON GETTING ITS OWN HOUSE IN ORDER, HIRING TRAINED STAFF, AND SUPPORTING R&D

    Given the unique decentralized, global and user-controlled nature of the Internet, the role of the government is limited. But the government does have a role. First, it must get its own computer security house in order. The Administration's ''National Plan'' for cyber-security, which focuses on protecting the government's own systems, has some laudable and long-overdue elements. We are concerned, though, that it relies too heavily on a monitoring system that threatens privacy and other civil liberties (''FIDNet'') and gives too little priority to closing the known vulnerabilities and fundamental security flaws in government computer systems. (Target date for establishment of the FIDNet monitoring system: October 2000. Target date for fixing ''the most significant known vulnerabilities'' in critical government computers: May 2003.) To improve government computer security and enforce the computer crime laws, the government needs the resources and Title 5 authority to hire and retain skilled investigators and computer security experts.

    The government should do more to support basic research and development in computer security. It is a positive step that the Administration has stopped fighting encryption. We are concerned, though, that CALEA is being used to build surveillance features into the telephone network without adequate attention to security—that is, the CALEA compliance measures themselves constitute a security vulnerability.

    One point often raised is information sharing. The role of the government here, however, is limited. The private sector again is far ahead, and the involvement of the government only increases suspicion.

3. PRIVACY PROTECTIONS HAVE FAILED TO KEEP PACE WITH TECHNOLOGY, AND NEED TO BE STRENGTHENED TO EXTEND THE FOURTH AMENDMENT TO CYBERSPACE

    The next question that should be addressed is whether any legislative changes are needed: what changes in law, if any, would likely have deterred or made it easier to investigate and prosecute the denial of service attacks, or other exploitations of Internet vulnerability? There is a risk that the recent media focus on the attacks against the e-commerce sites will serve as the vehicle for unrelated enhancements in government authority. The proposals that have been floated in recent weeks predate the denial of service attacks—they are items that have been sought by the Justice Department for some time.

    Secondly, if there is to be legislation modifying the computer crime law or government investigative authorities, how could those changes be balanced and defined so as to protect privacy? Just as there are ways in which law enforcement authorities may need to be updated in response to changing technologies or recognized gaps in the law, so the privacy protections can become outdated and need to be strengthened to keep pace with evolving technology.

    There are three major laws setting privacy standards for government interception of communications and access to subscriber information:

 the federal wiretap statute (''Title III''), 18 USC 2510 et seq., requiring a probable cause order from a judge for real-time interception of voice and data communications;

 the Electronic Communications Privacy Act of 1986 (ECPA), 18 USC 2701 et seq., setting standards for access to stored electronic communications and transactional records (subscriber identifying information, logs, toll records);

 the pen register and trap and trace statute, enacted as part of ECPA, 18 USC 3121 et seq., governing real-time interception of ''the numbers dialed or otherwise transmitted on a telephone line.''

    In many ways, these laws need to be updated to take account of technology changes. Both flaws that were in the laws when enacted and technology's evolution since leave many ambiguities or gaps. For example, does the pen register statute apply to email or Web communications? If so, what are ''the numbers dialed or otherwise transmitted''? When a person dials into their ISP from home, a pen register on the telephone line will pick up the seven digit number of the ISP. To get email addresses and URLs, can the government serve a pen register order on the ISP or must it use an order under ECPA? What information is collected under a pen register order and from whom in the case of a person who is using the Internet for voice communications? What standard applies if the person has DSL or a cable modem? Is a portal an electronic communications service under ECPA? Are search terms covered by ECPA? Are e-commerce sites covered by ECPA? Does ECPA cover government access to information about one's activity at an e-commerce site?

    In other respects, it is clear that the laws' protections are too weak:

 The standard for pen registers (which collect phone dialing information in real time) is minimal—judges must rubber stamp any application presented to them.

 Many of the protections in the wiretap law, including the special approval requirements and the statutory rule against use of illegally obtained evidence, do not apply to email and other Internet communications.

 Data stored on networks is not afforded full privacy protection.

 ISP customers are not entitled to notice when personal information is subpoenaed in civil lawsuits; notice of government requests can be delayed until it is too late to object.

    Problems also exist under the 1968 wiretap law, notably in the courts' weakening of the rule against monitoring innocent conversations. And inconsistent standards apply to government access to information about one's activities depending on the type of technology used. For example, watching the same movie via satellite, cable TV, Internet cable modem and video rental is subject to four different privacy standards.

A. Law enforcement enhancements

    The proposals being discussed to expand the computer fraud and abuse act (18 USC 1030) or to amend the surveillance laws include:

 Amend the Computer Fraud and Abuse Act to allow federal investigation and prosecution in cases where the total damage is less than $5,000. The Act already allows cumulation of loss to cover hacks that cause a small amount of damage to a large number of computers so long as the total damage in the course of any 1-year period is at least $5,000. 18 USC 1030(e)(8). The problem seems to be not that the threshold is too low, but that the definition of ''loss'' is unclear. The total estimated loss of revenue associated with the denial of service attacks earlier this month was $100 million. An alternative approach is to specify that loss for purposes of determining damage includes the reasonable costs to any victim of conducting a damage assessment, restoring the system and data to their prior condition, and any lost revenue. This is already in the sentencing guidelines. (Sec. 2B1.1, Commentary.)

 Authorize judges in one jurisdiction to issue pen register and trap and trace orders to service providers anywhere in the country. 18 USC 3123(a) currently states that a judge shall authorize the installation and use of a pen register or trap and trace device ''within the jurisdiction of the court.'' The proposed change would not be limited to computer crime cases—it would also apply to plain old telephones. Nor would it be limited to situations where a communication passed through multiple service providers: it would allow a Miami judge to authorize the use of a pen register in New York on communications starting and ending in New York.

 Increase computer crime prosecutions by modifying a sentencing directive. Sen. Schumer has noted that a Congressional directive to the Sentencing Commission required a mandatory minimum sentence of six months in prison for certain section 1030 violations. This has in effect discouraged some prosecutors from bringing small cases.

 Amend section 1030 to make juveniles 15 years of age and older eligible for federal prosecution in cases where the Attorney General certifies that such prosecution is appropriate.

 Add computers located outside the United States to the definition of protected computers in 18 USC 1030(e)(2)(B).

 Add forfeiture of any property used or intended to be used to commit or facilitate the crime to the penalties provided under 1030; and add forfeiture of any device used to copy a computer program or other item to which a counterfeit label is affixed, under 18 USC 2318.

 Permit interception without a court order upon consent of an operator of a system when the system is the subject of attack.

B. Privacy enhancements

    Many privacy issues have been identified, including the following, some of which are in legislation proposed by Sen. Leahy and others. If Congress starts ''fixing'' the problems identified by the Justice Department, no bill can be considered balanced and responsive to the needs of Internet users unless it addresses privacy as well:

 To limit the pen register/trap and trace authority and to improve further the privacy protections adopted under ECPA for pen register and trap and trace investigations:

— Define and limit what personal information is disclosed to the government under a pen register or trap and trace order served on an Internet service provider or in other packet networks. Specify that the pen register or trap and trace authority authorizes collection only of information used for communication-routing purposes by the service provider upon whom the order is served, and require that service providers and law enforcement agencies execute pen register and trap and trace orders in such a way as to minimize the disclosure and collection of content and other information not used for communication-routing purposes by the service provider upon whom the order is served. This would make it clear that a service provider is not responsible for tracing communications outside its network or providing routing information used by other service providers. (Sen. Leahy, E–PRIVACY bill, sec. 105.)

— Increase the standard for pen registers. Under current law, a court order is required but the judge is a mere rubber stamp—the statute presently says that the judge ''shall'' approve any application signed by a prosecutor saying that the information sought is relevant to an investigation. The proposal is to require the court to affirmatively find, based on a showing by the government, that the information sought is relevant and material. (Sen. Leahy, E–PRIVACY sec. 105(a), E-Rights sec. 103.)

— Add electronic communications to the Title III exclusionary rule in 18 USC 2515. This would respond to the McVeigh/AOL case, by prohibiting the government from using improperly obtained information about electronic communications.

— Require notice and an opportunity to object when civil subpoenas seek personal information about Internet usage.

— Improve the notice requirement under ECPA to ensure that consumers receive notice whenever the government obtains information about their Internet transactions.

— Require statistical reports for 2703 disclosures, similar to the reports required under Title III. (Sen. Leahy's E-Rights bill, sec. 107.)

— Limit sale and disclosure of transactional information about Internet usage—bring 2703 standards for disclosure to private parties into line with rules applicable to telephones. (E-Rights, sec. 110.)

— Clarify whether Internet queries are content, which cannot be disclosed without consent or legal process.

— Provide enhanced protection for information on networks: probable cause for seizure without prior notice, opportunity to object for subpoena access. (Sen. Leahy's E–PRIVACY bill, sec. 103; E-Rights, sec. 101.)

— Clarify and strengthen the minimization requirement.

— Limit authority for roving taps. (E-Rights, sec. 108.)

— Establish probable cause standard for access to wireless phone location data in real-time. (E–PRIVACY, sec. 104.)

— Enact clearer standard for interception of conference calls. (E-Rights, sec. 104.)

— Extend Title III to law enforcement interceptions overseas.

— Privacy standards for government access to data collected by DNS registrars and registries. (E-Rights sec. 106.)

— Add DVD to 18 USC 2710 (privacy protection for video rental records) and conform to cable viewing privacy standards, add satellites to cable viewing privacy standards (E-Rights sec. 401) and extend cable viewing rules to Internet over cable and DSL, thereby creating one standard for cable, Internet, satellite, or rental.

CONCLUSION

    Our message today is one of caution and balance: Internet security is a problem, and it requires solutions, but those solutions must map onto the uniquely global, decentralized, and user-controlled nature of the Internet. The Internet has flourished without government intervention. Building more secure networks is largely within the domain of the private sector. The government cannot offer much and can do grave harm. There is a role for law enforcement, but it cannot be separated from the issue of privacy. Fourth Amendment standards are not fully applicable to networks, and the continued availability of information has outpaced the privacy protections in statute. Any legislation enhancing law enforcement must be coupled with privacy legislation tightening the standards for government access.
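The two preventive measures the statement above points to, ingress filtering of forged source addresses (the January 1998 IETF recommendation, published as RFC 2267) and a diagnostic that flags customer hosts that appear to have been commandeered, as an added illustration that is not part of the witness's testimony. The interface names, prefixes and packets are constructed sample data; the `IngressFilter` class and its methods are this example's own, not any vendor's API.

```python
"""Ingress filtering at a provider edge, plus a simple 'commandeered host' diagnostic.

Constructed example: every customer-facing interface is assigned one or more
address prefixes.  A packet arriving on an interface with a source address
outside that interface's prefixes carries a forged source and is dropped.
Counting those drops per interface gives the operator a signal that a host
behind it may have been taken over for a distributed denial of service attack.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class Packet:
    iface: str  # customer-facing interface the packet arrived on
    src: str    # source IP address as written in the packet header
    dst: str    # destination IP address


@dataclass
class IngressFilter:
    # interface name -> prefixes legitimately used by the customer behind it
    assignments: Dict[str, List[Network]]
    spoofed_by_iface: Counter = field(default_factory=Counter)
    spoofed_sources: Dict[str, Set[str]] = field(default_factory=dict)

    def permitted(self, pkt: Packet) -> bool:
        """True only if the source address belongs to the arriving interface's prefixes."""
        prefixes = self.assignments.get(pkt.iface)
        if prefixes is None:
            return False  # unknown interface: default deny rather than forward blindly
        try:
            src = ipaddress.ip_address(pkt.src)
        except ValueError:
            return False  # a malformed source address is never a valid customer source
        # 'in' is False across address families, so an IPv6 source arriving on an
        # IPv4-only customer port is treated as forged as well.
        return any(src in prefix for prefix in prefixes)

    def process(self, packets: List[Packet]) -> Tuple[List[Packet], List[Packet]]:
        """Split packets into (forwarded, dropped) and record drops per interface."""
        forwarded: List[Packet] = []
        dropped: List[Packet] = []
        for pkt in packets:
            if self.permitted(pkt):
                forwarded.append(pkt)
            else:
                dropped.append(pkt)
                self.spoofed_by_iface[pkt.iface] += 1
                self.spoofed_sources.setdefault(pkt.iface, set()).add(pkt.src)
        return forwarded, dropped

    def suspect_interfaces(self, threshold: int = 3) -> List[str]:
        """Interfaces that emitted at least `threshold` forged-source packets.

        A legitimate host has no reason to forge its own source address, so a
        port that keeps doing it deserves a look from the operator behind it.
        """
        return sorted(i for i, n in self.spoofed_by_iface.items() if n >= threshold)


def run_sample() -> Tuple[IngressFilter, List[Packet], List[Packet]]:
    """Run the filter over constructed traffic (documentation prefixes, not real hosts)."""
    flt = IngressFilter(assignments={
        "cust-a": [ipaddress.ip_network("192.0.2.0/24")],
        "cust-b": [ipaddress.ip_network("198.51.100.0/24")],
    })
    victim = "203.0.113.80"  # the targeted site; constructed address
    packets = [
        Packet("cust-a", "192.0.2.10", victim),     # genuine customer traffic
        Packet("cust-a", "10.0.0.1", victim),       # forged: private address space
        Packet("cust-a", "172.16.0.9", victim),     # forged: private address space
        Packet("cust-a", "203.0.113.5", victim),    # forged: pretends to be the victim's network
        Packet("cust-a", "2001:db8::1", victim),    # forged: wrong address family
        Packet("cust-b", "198.51.100.7", victim),   # genuine customer traffic
        Packet("cust-z", "192.0.2.99", victim),     # unconfigured interface: default deny
    ]
    forwarded, dropped = flt.process(packets)
    return flt, forwarded, dropped


if __name__ == "__main__":
    flt, fwd, drp = run_sample()
    print(f"forwarded={len(fwd)} dropped={len(drp)}")
    for iface in flt.suspect_interfaces():
        print(f"{iface}: {flt.spoofed_by_iface[iface]} forged-source packets, "
              f"sources {sorted(flt.spoofed_sources[iface])}")
```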

    The CHAIRMAN. Mr. Guiberson.

STATEMENT OF SAMUEL A. GUIBERSON, ESQ., HOUSTON, TX

    Mr. GUIBERSON. Mr. Chairman and members of the subcommittees, on behalf of the National Association of Criminal Defense Lawyers, I thank you for inviting us to participate in this hearing. Leap years like this one occur only once every 400 years. Opportunities for social, economic and political renaissance on the scale the Internet affords us do not happen nearly so often. This is why there is no blueprint for the wise use of our newly wired world.

    Our margin for error is very narrow. If we overshoot the proper reach of government monitoring and intrusion in a digital world and sanction law enforcement to co-opt these advancing technological capabilities, our society may fall victim to a perhaps well-intended but relentlessly totalitarian surveillance apparatus, whose control over the people would boundlessly surpass the people's ability to control it.

    But on the other hand, if we underestimate the potential threat to personal privacy, to property, commerce, and free speech inherent in the criminal exploitation of Internet technology, we will find ourselves at the total mercy of those who are both ruthless and technologically adept, no matter where on this planet they reside.

    Without the best possible understanding of the social, economic, and constitutional consequences of advances in communications and computing, our criminal law could easily lose its good sense in so much great technology. If we try to govern a technologically aggressive society by writing laws to respond to specific technologies or to specific controversies that result from a particular technology, the legal framework we create obsolesces, just as does the particular technology it addresses. The only way to avoid having legislation bypassed by the pace of technological change is to focus on the uses to which the technology is put, and not the technology being put to use.

    We are all well aware that the Internet is so powerful an agent of change that it is reshaping every society in which it plays a part. In so doing, it will require us to translate our democratic principles, constitutional guarantees, and our basic tenets of individual freedom, privacy, and free association into a new vocabulary for a digital world. We must be careful in the language we choose, because if we do not well-define our digital liberties in the next few years, we will have no liberty at all. The rise of Internet commerce has preoccupied the national attention and the economy. Yet, for all the dramatic changes that it has brought to the way we do business, provide commercial information, and market goods and services worldwide, it represents only a fraction of the Internet's true potential. We have given so much attention to the Internet as an earning tool that we have overlooked the potential of the Internet as a learning tool.

    While at present we struggle with the question of how many hundred Websites there need to be to sell watches, you as law makers must not be distracted from protecting the Internet's potential for the miraculous. A child born today will have a bounty of knowledge, literature, art and science that so far surpasses what was available to us in our youth that it will seem inconceivable that our generation and their generation were born and raised on the same planet. If we legislate the Internet, as we might do if it were no more than a forum for commerce, we might well be tempted to enact laws appropriate to markets but not appropriate to forums for intellectual and artistic and political exchange, leaving ourselves in a wired world that has everything for sale and nothing to say.

    Our priority in Internet policing should be to ensure that the Internet maintain the civil order of an open and democratic society. Our citizens must have confidence that the personal and corporate information and electronic currency they convey over the Internet is secure. They must have confidence that when they express themselves on the Internet, whether through a commercial enterprise or a home page about their family life, their message, their content will not be destroyed or overridden by anyone's whimsy of malice against them, their ideas, or their enterprise. There is really no social benefit to turning computer criminals into long-term corrections statistics if, by correcting the technology, we can diminish the opportunity for crime to occur in the first place. The Federal Government can make the most effective gains in reducing hacking attacks by supporting research and development of more capable defensive technology and requiring greater diligence in the on-site monitoring and administration of commercial computing systems. The investigation of crime and the apprehension of perpetrators do not run on Internet time. No professional law enforcement agency can conduct a thorough and successful investigation of any criminal offense on or off the Internet without applying methodical and time-consuming investigative techniques. Law enforcement's performance to date in apprehending computer hackers is far from cause for panic. With the human resources and funding appropriate to the task, and in light of the overwhelming support and cooperation extended to them by the professional computing community, Federal law enforcement can enforce computer laws and deter computer crime by employing the tried and true traditional methods of meticulous investigation for which it is well known.
    But because the Internet is a computer network, an electronic apparatus, there is a temptation for us to encourage law enforcement to get its arms around the entirety, to put a policing overlay into the technical infrastructure itself so that the Government has the capability to monitor every Internet macro and microevent.

    While there are risks of criminal exploitation of the Internet, if we depart from the customary means of criminal investigation merely because it might be or might become technically possible to monitor every electronic action and reaction, we put our open society at a greater risk than criminals could ever pose. Our public dialogue about the Internet has relished its shortfalls and ignored its strengths. The Internet itself is not fragile. The Internet is not a crowded theater. The Internet has been brought into being by a generation of gifted and resourceful people who possessed a vision that has inspired the world. They are of many backgrounds, many beliefs, they have been motivated by many different personal and collective goals.

    If this description seems familiar, it is because it is written in the same inks as the history of our Nation. The Internet is us. We should have the same confidence in its resilience, its fundamental virtue and its potential for greatness as we have always had in our Nation and in ourselves as a people. We have within our reach a great uplifting of our Nation and of all humankind, an unprecedented opportunity to make the coming generations more free, more prosperous and possibly wiser than we were. It would be insufferable and inexplicable to our children if, out of overreaction to the risks at hand, we fail to win that prize. Thank you.

    The CHAIRMAN. Thank you, Mr. Guiberson, and thank you for all the panel for your testimony.

    [The prepared statement of Mr. Guiberson follows:]

PREPARED STATEMENT OF SAMUEL A. GUIBERSON, ESQ., HOUSTON, TX

    Mr. Chairman and Members of the Committee, I appear today on behalf of the National Association of Criminal Defense Lawyers (NACDL). I thank you for inviting us to participate in this hearing.

    Leap years like this one occur only once every four hundred years. Opportunities for social, economic and political renaissance on the scale the Internet affords us do not happen as often. There is no blueprint for the wise use of our newly wired world.

    We should proceed with caution in how we shape the future of the Internet. Internet technology has become the lifeblood of commerce and a catalyst for global change. If we know anything about the profound change that is underway all around us, it is that we still do not know where it is taking us.

    We should be careful and deliberate before acting with familiar political reflexes, trained over the years to deal with very different legal and social scenarios than the Internet presents to us today. We should do this not because there are no decisions about the Internet that need to be made, but rather because we don't have enough perspective of the changes that are upon us to foresee what unintended consequences these decisions will bring.

    Our margin for error is very narrow. If we overshoot the proper reach of government monitoring and intrusion in a digital world and sanction law enforcement to co-opt these advancing technological capabilities, our society may fall victim to a perhaps well intended but relentlessly totalitarian surveillance apparatus, whose control over the people would boundlessly surpass the people's ability to control it.

    On the other hand, if we underestimate the potential threat to personal privacy, property, commerce and free speech inherent in the criminal exploitation of Internet technology, we will find ourselves at the total mercy of those who are both ruthless and technologically adept, no matter where on this planet they reside.

    Having pulled this genie from its bottle, it would be wise for us to reflect more carefully on our choices before we wish the wrong future upon ourselves. Without the best possible understanding of the social, economic, and constitutional consequences of advances in communications and computing, our criminal law could easily lose its good sense in so much great technology.

    How do we anticipate and prepare for the long-range consequences of the policies, legislation and legal precedents new technology will demand of us?

GOVERNING THE STATE OF TECHNOLOGICAL CHANGE

    The Digital Age is just beginning. For all that has been written and said about the potential of the Internet, the story has barely begun to be told. For all the changes that the Internet has brought about, we have barely begun to experience the changes it will bring. Only when we appreciate the rate of transformation under way in our society can we appreciate that the only constant in our lifetimes will be constant change—change in technologies and change in the way those technologies are being used.

    Despite its dominance in our everyday consciousness, all this technology is ephemeral, vanishing as it grows obsolete in a near blur of changing materiel used to express each new technological generation. If we try to govern a technologically aggressive society by writing laws to respond to specific technologies, or to specific controversies that result from a particular technology, the legal framework obsolesces just as does the particular technology it addresses. The only way to avoid having legislation bypassed by the pace of technological change is to focus on the uses to which the technology is put, and not the technology being put to use.

HEARING THE FUNDAMENTAL CHORD

    We are all well aware that the Internet is so powerful an agent of change that it is reshaping every society in which it plays a part. As it does so, it will increasingly become the vessel through which our society expresses itself in commerce, in education, in entertainment, in the arts and in political life. In time, it will become the primary framework for our culture. In so doing, it will require us to translate our democratic principles, constitutional guarantees and our basic tenets of individual freedom, privacy, and free association into a new vocabulary for a digital world. Not since the American Revolution has our society been confronted with such a change in our political and social condition as the Internet revolution will bring about. Words have never been more powerful nor granted a greater reach than they are upon the Internet; at no time since the Declaration of Independence was written has our choice of the words we now use to reinvigorate and expand the fundamental premises of our society been more important. The stakes are high, because if we do not define our digital liberties in the years to come, we will have no liberty at all.

THE INTERNET IS MORE THAN A MARKETPLACE; IT IS A MIRACLE

    The rise of Internet commerce has preoccupied the national attention and the economy. Yet, for all the dramatic changes that it has brought to the way we do business, provide commercial information, and market goods and services worldwide, it represents but a fraction of the Internet's potential. It provides us with much more than a seemingly bottomless trough for dot com entrepreneurs, yet we have come to see the Internet only as an earning tool and not as a learning tool.

    Never before has so mighty an engine for the distribution of knowledge and culture stood idle at the doorstep of any society. If we can engage the Internet as an engine for public education, our children will have a bounty of knowledge, literature, art and science that so far surpasses what was available to us in our youth that it will seem inconceivable that our generation and their generation were born and raised on the same planet. These opportunities for intellectual enrichment, vocational training, shared professional expertise and teaching open doors for humankind that are simply beyond our present imagining.

    While at present we struggle with the question of how many hundred websites there need to be to sell watches, you as lawmakers must not be distracted from protecting the Internet's potential for the miraculous. Whenever you are tempted to tinker with the Internet, take into consideration that within this decade, we will live in a world enveloped in a quivering electronic membrane of instantly accessible information, comprising all the knowledge, art, science and history ever committed to paper in any modern language at any time, humming over our heads for the rest of our lives, and growing exponentially without limits for as far into the future as we can imagine.

    We have seen human history only in the parts that have been preserved, seeing our own past through the slivers of a shattered mirror. What we will give to posterity is a complete reflection of our time and of ourselves. That is the legacy for which we have responsibility.

    If we legislate the Internet as we might do if it were no more than a forum for commerce, we might well be tempted to enact laws in ways appropriate to markets but not to forums for intellectual, artistic and political exchange. The freedoms of commerce are much more parochial than the freedoms of expression. We should strive to avoid seeing the Internet in too narrow a perspective. If we don't leave broad expanses for the independent growth of novel and eccentric means of free expression, for public education and the arts, we risk chilling the Internet as a venue for diversity of expression and political thought—leaving ourselves living in a wired world that has everything for sale and nothing to say.

    The Internet's great potential is not in raising capital, but in raising the human condition. For the Internet to do more than fulfill a mercantile mission, governments must be generous in underwriting the Internet's non-profit potentialities, and enlightened enough to forego taking control of it.

ENHANCING PREVENTIVE MEASURES IS A BETTER DETERRENT THAN ENHANCING PUNISHMENT

    Our priority in Internet policing is to insure that the Internet maintain the civil order of an open and democratic society. Our citizens must have confidence that the personal and corporate information and electronic currency they convey over the Internet is secure. They must have confidence that when they express themselves on the Internet, whether through a commercial enterprise or homepage about their family life, their message, their content, will not be destroyed or overridden by anyone's whimsy of malice against them, their ideas, or their enterprise.

    So great a consensus of public support exists for law enforcement to achieve this goal that any legislation enhancing punishment for denial of service attacks, theft of credit card information, invasion of privacy and confidentiality will be well received. Rather than simply make a political statement and throw more jail time at the problem, we would do well to measure what response is most likely to deter, if not defeat, the occurrence of criminal offenses for which we are all ready to punish severely.

    Any punishment-based deterrent presumes that offenders act rationally, weighing the risks of capture and confinement against the benefits of succeeding in a criminal enterprise. The pragmatic lawmaker might first consider whether this presumption holds true in all cases of Internet crime. While it is certainly true that a thief who uses a computer to steal has no different motivation or intent than a common criminal who might burglarize with pliers instead of wires, many computer invasions and systems attacks seem motivated more by the desire to exercise a technical virtuosity than to profit from the crime.

    It is not a condonation of these acts to recognize that their motivation assumes an invulnerability to discovery that is in almost all cases, delusional. If the actor is psychologically disposed to believe that he or she is so clever that they cannot be apprehended, the deterrent effect of upwardly spiraling sentencing ranges is greatly diminished. There is really no social benefit to turning computer criminals into long term corrections statistics if by correcting the technology, we can diminish the opportunity for the crime to occur in the first place. The Federal Government can make the most effective gains in reducing hacking attacks of every stripe by supporting research and development of more capable defensive technology and requiring greater diligence in the on site monitoring and administration of commercial computing systems on and off the Internet.

ENCOURAGE RESPONSIVE NOT PROACTIVE COMPUTER LAW ENFORCEMENT

    The investigation of crime and the apprehension of perpetrators do not run on Internet time. No professional law enforcement agency can conduct a thorough and successful investigation of any criminal offense, on or off the Internet, without applying methodical and time consuming investigative techniques. It is not a breach of professionalism, but a mark of professionalism, if these duties take time. In the realm of Internet crime, the public perception that a hacker can and should be caught before his fingers leave the keyboard is beyond naive. Law enforcement's performance in apprehending computer hackers is far from cause for panic. With the human resources, and funding appropriate to the task, and in light of the overwhelming support and cooperation extended to them by the professional computing community, federal law enforcement can enforce computer laws and deter computer crime by employing the tried and true traditional methods of meticulous investigation for which it is well known.

    Because the Internet is a computer network, an electronic apparatus, albeit an enormous one, there is a temptation for us to encourage law enforcement to get its arms around the entirety, to put a policing overlay into the technical infrastructure itself, so that the government has the capability to monitor every Internet macro and micro event. Were this mindset applied to any dimension of our society other than a technological one, there would be public outrage. In order to quell domestic violence, would we sit an officer on the sofa with husbands and wives in every home in the nation? Would this police tactic quell domestic violence? Absolutely, but at the cost of privacy in our familial communication and expression that would altogether inhibit and corrupt our social interactions. The consequences of surveillance of the whole as a proactive policing strategy are just as dire. Who would not hesitate to communicate with a loved one in sensitive terms, or convey privileged or confidential business information across a system under constant surveillance? The Internet's rich tapestry of expression on every subject would be reduced to a sterile and muted code language akin to what the husband and wife might use in the presence of the unwelcome officer. While there are risks of criminal exploitation of the Internet, if we depart from the customary means of criminal investigation merely because it might be, or become, technically possible to monitor every electronic action and reaction, we put our open society at a greater risk than criminals could ever pose.

INSURING INTERNET PRIVACY INSURES INTERNET SECURITY

    The public debates on Internet privacy and Internet security have been on parallel tracks, despite being the same issue. The right to be secure in our personal and financial privacy on the Internet is viable only when the Internet as a whole is secure. The Internet must be a place in which we can trust that all information that is our property cannot be unwittingly compromised from us by criminal act or commercial fiat. What we invest as a nation in the upgrade of our network defenses against unauthorized access to computer resources of any kind should be reinforced by the enactment of laws that criminalize the surreptitious access and collection of personal information available in transit across the Internet and especially information residing on the individual and business computers connected to the Internet.

THE INTERNET IS NOT A CROWDED THEATER

    To everything new, we first attach our suspicions. The Internet is no different. Because it is more interesting if something we rely upon so absolutely as we do the Internet is portrayed as vulnerable, our public dialogue about the Internet has relished its shortfalls and ignored its strengths. The Internet itself is not fragile. Only our public will to trust in it is fragile. If we over commercialize the Internet, we will lose as a culture, if we over legislate the Internet, we will ultimately stunt its growth. If we fear the social, economic and political changes it will bring, we will try to control it to reflect what is familiar to us, rather than what is possible for us.

    Today, the Internet as we know it has been brought into being by a generation of gifted and resourceful people who possessed a vision that has inspired the world. They are of many backgrounds, many beliefs, they have been motivated by many different personal and collective goals. If this description seems familiar, it is because it is written in the same inks as the history of our nation. The Internet is us. We should have the same confidence in its resilience, its fundamental virtue and its potential for greatness as we have always had in our nation and in ourselves as a people.

    In ancient times along the Fertile Crescent, new civilizations were built from the fertility brought by the river to the people. The Internet is such a river, a river of knowledge, commerce and culture upon which a new millennium's civilization will be built. Building the electronic edifice which is the foundation of that next civilization is the legacy of our generation. For us to realize the full potential of the Internet would be a monument to human civilization that would make the Pyramids seem like grains of sand.

    Through the technology of today and of tomorrow, we have within our reach a great uplifting of our nation, and of all humankind—an unprecedented opportunity to make the coming generations more free, more prosperous and possibly wiser than we were. It would be insufferable and inexplicable to our children if, out of overreaction to the risks at hand, we fail to win that prize.

    Thank you.

    The CHAIRMAN. I will recognize myself, and then we will go in order for questions at this point in time. I am curious about several things, and I hardly know where to start with it because there are so many of you and so much to ask.

    Mudge, I think I am going to ask you something. You said in your prepared statement that you and others have warned the Internet community about the dangers of denial-of-service attacks for some time. Why do you believe that the large Websites still remain largely unprotected?

    Mr. MUDGE. Actually—and CERT has done the same thing, so has SANS—there have been many places where these are documented, and I seem to see a trend where there was a great amount of information being shared amongst these organizations after they were all in a duck-and-cover mode, after we lost a leg. What do we do? And there is not a great amount of information being shared beforehand, or maybe it is too much information. I don't know. We contributed these reports to the Department of Defense before we went to the Senate. We contributed under the Senate. I have contributed them to the National Security Council. What do we have to do in order to make sure that some people do some form of due diligence?

    The CHAIRMAN. Well, I can understand your concerns in that regard.

    Mr. Rosensweig, you indicated in your testimony that the loss that was sustained at your company is not something that is based upon a revenue stream. If there is any loss, it is very hard to quantify in dollars and cents, according to your testimony, because advertising is how you get your revenue. And I am curious because this concerns directly the question that is raised by some as to whether or not our current criminal laws would truly be applicable to the denial-of-service attack on a firm or site such as yours. What do you think?

    Mr. ROSENSWEIG. It is a great question, and we sort of pondered this. Had the attack lasted longer, had we not put into place the preventive measures, it is entirely possible that we would not have been able to meet the contracts that we had agreed to do, which is essentially advertisers' contract to do a certain number of visits to the site, and if the site is not available, then we can't deliver on that.

    The law that you referred to has to do with specifically a computer crime. We look at this as somebody preventing us from doing business, and I think the point that was made earlier was we should look at the application of the business, not that it happened on a computer. So my guess is that there are laws that prevent people from disrupting people's ability to do business, whether it is on-line or off-line. So we would suggest that we look at those as well.

    The CHAIRMAN. You would be more comfortable if we clarified the law, I'm sure.

    Mr. ROSENSWEIG. Yes. I think the law is written so narrow that it really doesn't reflect, I think, what happened here. And so yes, we would be more comfortable if it were clarified.

    The CHAIRMAN. One of the questions that I can ask the entire panel, is that it strikes me from what the FBI says, that they and others in our Government don't have the resources in dollars to pay the technical expertise they need to have aboard at any given time. Has any thought been given to collectively, or by some of your companies individually, Mr. Giancarlo, Mr. Rosensweig, to putting together a team to assist the FBI? I am talking now about the ability to do the investigations that they are doing. I suspect they can't afford to hire the very best people, and I am not sure that Congress will ever give them enough resources to do that. Has any discussion taken place to your knowledge about this, Mr. Giancarlo?

    Mr. GIANCARLO. Yes. There are actually two forms of that taking place. One is in the area of coordinating efforts to provide prevention techniques and technologies and when—there are a number of attacks that do not make the newspapers where companies such as Microsoft and Cisco and others that provide technology are notified fairly quickly and respond to that with changes to our software and code so that subsequent attacks will not be effective, and there is a lot of cooperation that takes place there and often the Federal Government is involved, as well, in the area of the FBI.

    The CHAIRMAN. Mr. Schmidt, in that same regard, I am curious about your sense at Microsoft. It occurs to me we have two things we are concerned about: How do we keep this from ever happening, and find some technology to do that; and the other side is how do we catch the bad guys when they are doing it assuming that we have the laws right, and both of those require a lot of expertise on the part of the law enforcement community or somebody who is really aiding and assisting them. Have you any thoughts from the Microsoft perspective on how that can be accomplished?

    Mr. SCHMIDT. Yes, I do. This couples my Microsoft experience and my previous law enforcement experience in working these sorts of areas. One of the things is that the evidence generally resides on the private sector systems. So by virtue of the fact that our security investigations team was able to collect the evidence and provide that to the FBI and also provide them the expertise to help them analyze that evidence and do things to identify exactly where those attacks are coming from in one form or fashion; and we can do that on a regular basis as well as we do.

    The other piece is providing the training part of it. We support the National White Collar Crime Center, which Marty Stansell-Gamm mentioned earlier, the National Cyber Crime Training Partnership which is designed to take our technology, provide it into a central location and feed that out to State and local folks, Federal agents, as well as the corporate security sector, to be able to provide us a place where we can share this information and be able to move not only from the prevention stage of it but also the evidence collection and the forensic processing of it.

    The CHAIRMAN. Mr. Scott, you are recognized. Before we do that, if I may interrupt. Mr. Guiberson, understand you have to catch a plane and we are going to have to excuse you. Is there anyone who has a burning question you want to ask Mr. Guiberson?

    Ms. Jackson Lee, you may ask him that question. You are recognized for the 5 minutes and whatever time Mr. Guiberson has before he races out.

    Representative JACKSON LEE. I want to thank you very much for your leadership on this issue. I think it connotes the fact that Houston is competing very well with Silicon Valley, at least with experts on this issue; and now you bring another perspective to it in terms of the questions of legality. You do well.

    I want to focus on whether or not—you heard my question earlier about looking at the profile of individuals who may be engaged in this. I notice your position. Have you had the opportunity to defend and/or to talk to attorneys who have had to defend those who have been charged for such offenses?

    Mr. GUIBERSON. I have had a variety of experiences, not any of them rising to——

    Representative JACKSON LEE. Help me with the profile.

    Mr. GUIBERSON. While I don't dispute that the criminal hacker from time to time—if his interest is in gaining an economic advantage through exploiting Internet technology—is not much different than a criminal who would burglarize with pliers instead of wires, it seems to me that many of the attacks that we experience are more the result of a desire to exercise a technical virtuosity than they are to do harm. They may not be any less damaging in their result, but they have a different motivation than most of the perpetrators that we encounter in criminal law.

    Representative JACKSON LEE. And for fear of those listening suggesting ah, they are trying to distinguish between white collar crime or those individuals, that is not the direction that I am taking; but I think this is important because all of you know that it is important that we understand the profile of such individual to make the right decisions if we are even going to talk about any sort of criminal relief, if you want to call it that.

    I want to go immediately to my next question. Is the younger hacker, 15 and younger, 15 to 17—how would you categorize them? Is there a necessity for them to be under any sort of system that tries them as an adult?

    Mr. GUIBERSON. I have had some personal interaction with individuals in early adulthood or the very young, and it is a concern and problematic for us that they seem to have made no connection between the intellectual endeavor of hacking into a system and consequences such as punishment ranges and incarceration. That is a disconnect, and it is one that we should take into account in our efforts to formulate effective deterrence. Perhaps we should rethink whether simply piling on years is going to result in a change—in an effective change in the level of deterrence. I think we need to realize that these people often have the delusion that they are beyond capture and that we should deal more on the defensive end to prevent their successes rather than trying to reeducate them with extreme terms of confinement.

    Representative JACKSON LEE. I thank you for that. I pursued that line of questioning as you might have heard with the Attorney General and the first panel about ethical teachings and educational aspects of what this vehicle, what this unique tool happens to be; and so I think we are all sort of at a disadvantage in some instance about the largeness of the issue; and I thank you for that, and I would like to pursue that later. I hope you have a safe trip.

    Mr. Dempsey, let me follow up with you on the question of privacy, and I believe the thing that I find interesting in reading your article is the whole question of the fourth amendment may be somewhat antiquated for what we are dealing with. The fourth amendment provides a specific warrant to be delivered at a specific time or at least expeditiously. What is our answer to that? We obviously have to find some basis of protection, but that is a problem. A never-ending search.

    Mr. DEMPSEY. I think the fourth amendment is fine just the way that it is. The problem is translating it to the Internet, and specifically applying it to the migration of information out of our homes, out of our file cabinets and onto networks. People now are putting their personal calendars on Internet services. They are putting their digital identities on-line. But through Supreme Court decisions that well predate electronic communications, we have evolved the concept that if information leaves your possession, then it loses its fourth amendment protections.

    And so the information that is out there in remote servers and stored on networks is not fully protected. It is protected in its communication phase, although even there it is not the full coverage. The earlier panel had a little bit of dialogue on the fact that the wiretap law does not fully extend to electronic communications. And in 1986 when that law was adopted, well before most of this technology became as widespread as it is today, the Internet was barely beginning to emerge in the public consciousness. So we need to look at those ways in which we take those fourth amendment standards and translate them into a different environment to provide the same protection that you would enjoy if you kept the information in your possession.

    Representative JACKSON LEE. We have a ways to go. Mr. Chairman, I would like indulgence on one general question to the business communities. What I heard from your collective testimony is that you are obviously—have had it affect you and therefore you have done research and you sort of have your hands around it as maybe we are still trying to do. Are there antitrust concerns that will keep you from working together—you would be collaborating—does that impact how much we can ask you to do if you have to be concerned about the antitrust impact of your collaboration on security issues? If someone would give me that response, I would appreciate it.

    Mr. GIANCARLO. I think the answer is yes, but they are not the primary concerns.

    Mr. SCHMIDT. Just one more comment on that. On the partnership for critical infrastructure security, we do have a working group. Part of the partnership is looking at that specific area and trying to get some more guidance, could this be a potential problem for us.

    Representative JACKSON LEE. I would appreciate hearing back from you all because it certainly could pose a problem. Thank you.

    The CHAIRMAN. Thank you, Ms. Jackson Lee. Mr. Barr, you are recognized for 5 minutes.

    Representative BARR. Thank you. I would like to thank all of the panelists. This has been a very interesting, absolutely fascinating discussion. I made a number of notes and highlighted liberally as the witnesses have gone over it and look forward to reviewing it in more detail.

    There has been some discussion with the previous panel about the very narrow scope of 18 U.S.C. 1030, including the amendments made a few years ago. Frankly, I have no problem with that. I think Federal criminal statutes ought to be very narrowly tailored, very carefully considered, and additional changes made expanding their scope made only under very unusual circumstances where it can be shown that there is indeed a legitimate Federal interest, that the existing powers of government, the existing criminal laws are insufficient to address that.

    There are insufficient State or local resources and laws available to do so, and that even then if we still need to provide additional authorities, that they do not run afoul of the important privacy concerns, for example. So even as we sit here discussing all of this, I frankly don't see any area that I can support expanding existing Federal statutes. I do think that it is very important that we go through this exercise and consider what the damages, if there is damage in a criminal sense, and do what we can, as a number of these witnesses have indicated, Mr. Chairman, take those legitimate steps that we can in partnership with industry and private concerns to help plug up any holes.

    Let me ask the panel—this is somewhat related to some of the privacy concerns that obviously are not directly related to a DDoS. Are any of you familiar with the government Echelon Project, Project Echelon? Is this something that, notwithstanding the general statements of the Government that it certainly complies with all constitutional and legal concerns, and its surveillance, is of concern to you?

    Mr. DEMPSEY. If I may, Congressman Barr, you have been a leader on this issue and seeking the answers to precisely that question. One of the problems that we face in this global communications network is that our constitutional limitations do not in many cases govern the activities even of the U.S. Government overseas.

    The Supreme Court has held that the warrant clause of the Constitution does not apply to extra-territorial surveillance or search and seizures. You are just trying to get the answers as to what are the legal rules for trying to carry out those surveillances. It happens to be an area cloaked, I think, in too much secrecy. I think there could be broader public discussion and debate of what actually are the legal standards. You can conduct that discussion without getting into specific cases and sensitive sources and methods. So I don't think we have the full answers there. We need to look at the question of applying the warrant clause to U.S. Government surveillance activities overseas, at least where they are carried out for law enforcement purposes, and we are seeing of course a bleeding between the intelligence gathering and that which is done for law enforcement purposes.

    Representative BARR. And between conversations involving U.S. persons and those that may or may not involve U.S. persons. Mudge, are you familiar with this Project Echelon and its scope?

    Mr. MUDGE. Unfortunately, a bit. One of the things, if I might add in there, just to make the waters more murky: it is not all the time that the NSA—or whichever agencies are involved in this, should it even exist—is just decrypting or analyzing the data that is going through; they are many more years ahead of us in doing traffic and pattern analysis, where you don't need to actually understand the data inside to understand what is going on.

    This lends shall—this is very similar to the probing of Defense Department sites, grabbing nonclassified data to ascertain what would be classified information. This is very similar to the research work that I did on the electric power utilities and the ability to glean sensitive information. It is a lack of data classification internally, but I don't have to break any laws to do it. I can get them to explain enough around the picture that I can draw the picture myself.

    If we pull this back into the privacy act as it goes to the distributed denial-of-service, if I might, one of the things, since I love the fact that you are so up on the privacy issues, that seems to be addressable might be the Cable Privacy Act. One of the things that we are seeing a lot of consternation in dealing with are people trying to subpoena the cable companies just to get records, were you being attacked or was this a hop site; and due to the Cable Privacy Act, which happened when people were asking, we would like the records to see what sort of movies people are watching—and everybody went up in arms around that—the cable companies are now also Internet service providers, and although—I don't know of any case where it has gone to court and the court has not said yes, cable company, give them the information in this case. That does slow down the information-gathering process.

    What I would really like to see us not do—and I was looking at the third bullet of what this oversight committee was here for—is to examine the budget, and how we are approaching this problem is imagine a street with houses and there are no locks on any of the houses. Are we going to spend money to solve this problem by putting more cops on the beat?

    Representative BARR. Very similar to the questions posed by Mr. Guiberson before he had to leave. I appreciate you all's testimony, and Mr. Chairman and my only regret is we don't have sufficient time to go into all the different areas that this hearing has directed us to; and hopefully with your leadership we will get into some of these other tangential but equally important areas in the coming weeks.

    The CHAIRMAN. Thank you very much, Mr. Barr. You are quite right. This is a complicated issue and the Internet itself is complicated. Mr. Scott, you have been very patient and indulgent of your own members. You are recognized.

    Representative SCOTT. Thank you, Mr. Chairman. Mr. Misener, you indicated just in passing evidence handling is something that we ought to be looking at. What general issues in evidence handling should we be focused on?

    Mr. MISENER. Thank you very much for that question, Mr. Scott. Actually, it has come up several times in the testimony of several of the witnesses here. Our technologists in working with law enforcement officials have found that on a number of occasions we have been confronted with situations where the evidence was not properly handled. It had been tampered with in inadvertent fashions—no one deliberately tried to erase or damage evidence—but during the normal course of business, things were changed, files were moved around, and that inadvertent tampering with the evidence could actually have a detrimental effect on the prosecution eventually. So all we are asking for is for this partnership between government and industry to try to get to the bottom of how best to protect evidence for the prosecutors so that it is ready and adequate when it comes time to prosecute.

    Representative SCOTT. Is there an authentication problem that it is the same evidence or that it was—that it was created by the right person or chain of custody? Are these issues we need to look at?

    Mr. MISENER. All of the above, sir.

    Representative SCOTT. I did not hear much in terms of changes in the criminal law that may be needed. I mean, the people who are represented here would be the victims of these attacks. And the silence on which criminal laws need to be changed was somewhat deafening. You recognize of course that we have a problem and as a bunch of politicians we need to look like we are doing something, whether it makes any sense or not. And let me ask you directly whether or not specific criminal laws would be helpful in preventing these attacks or whether or not the criminal statutes appear to be reasonably sufficient at this point.

    Mr. MISENER. Mr. Scott, thank you. If I might just quickly answer that. I think the Congress could do a lot in the area of resources first and foremost. We do believe that CFAA and other——

    Representative SCOTT. Let me ask specifically on the criminal law because we like to pass criminal laws, we like to enhance penalties, we like to do all the criminal stuff because it postures us as looking tough on crime. Now, my question is what can we do tough on crime that will actually make a positive difference so that we can have our little one-liners in our brochures to show that we are tough on this kind of crime, or are those initiatives really not where we ought to be focusing our attention?

    Mr. ROSENSWEIG. I think that is at least two different questions. I think that the issue of where we ought to be focusing our time is education and communication and understanding so that we can be in the business of preventing these things and raising the bar through dialogue and communication, both private companies and the Government.

    The issue over penalties it is difficult for us to be able to know whether or not these are the right statutes, the right laws because they have not really been tested in a way. And I think the denial-of-service attack is something that is different than what we have experienced before. And a lot of what we are talking about is not the denial-of-service attack today. In our opinion, what the denial-of-service attack did to us was prevent us from doing business. And so I think we should look at the laws that we have and find out whether or not there are laws on the books to prosecute people who prevent you from doing business.

    Representative SCOTT. Any question somebody who has been doing this would have violated some law that they could be prosecuted for and the change in the law would not be effective?

    Mr. ROSENSWEIG. I asked the FBI when I came in what are the penalties for this, and the answer was he didn't know. There may be no penalties for this. And so I think it is clarifying what the laws are before we decide whether or not we need to change them.

    Mr. DEMPSEY. If I could, Congressman, we have a law on the books that says it is a crime to knowingly cause the transmission of information which causes damage to a protected computer. A protected computer is any computer used in interstate or foreign commerce. So that is effectively every e-commerce computer. And damage is defined as any impairment to the availability of a system. And it is a 5-year jail sentence maximum.

    Representative SCOTT. For each offense?

    Mr. DEMPSEY. For each offense. Multiplied across multiple sites.

    Representative SCOTT. Without getting into penalties, the activity is already illegal.

    Mr. DEMPSEY. I believe that the activity is already illegal. In the case of one of the victims here, I think there was the sort of counter-intuitive effect that their Website traffic went up after the attack was over with and, therefore, they were able to satisfy their contracts with their advertisers for having visitors come to their Website. I think the others lost money. I have seen an estimate that the total aggregate loss of this attack was $100 million. So worrying about a $5,000 threshold, I am not sure is the right issue. I don't think the Federal Government prosecutes bank robberies less than $5,000; they are a crime, but I don't think the Government has the resources to prosecute them. That goes to the question raised by Congresswoman Jackson Lee, which is where are we putting our priorities. I think there is a little bit of a danger here, given the sort of focus of the moment, of getting our priorities a little out of whack.

    Mr. MUDGE. There is no question that what happened was in violation of the law in some form. But I am curious, don't most criminal laws have some notion of culpability? For instance, if I had my money robbed from a bank, and that bank did not lock their vault, you know, how much protection does that bank get even if it is just from their underwriters? It might even make sense to take the passage that was just read and change the definition of protected systems not to be protected as in protected under this law but as in protected as in due diligence had been done or some least effort had been made to mitigate said risk.

    Representative SCOTT. If I could ask one additional question to Mr. Schmidt. Mr. Nadler talked about the challenge in recruiting and retaining personnel. What chance does the FBI have in retaining well-trained computer experts when they are in competition with firms such as yours?

    Mr. SCHMIDT. It is very difficult. And I am one of the recipients of that. I have spent almost 31 years total with the Government prior to leaving to come to Microsoft. But there is a way to do this, and I think part of it is with the partnership and the national plan on the cybersecurity scholarships. I think by bringing people into that sort of a service under a guaranteed service term of X amount of years with paying off of their scholarships, I think we will do a lot of retaining those people.

    The other thing is—I will switch for a moment to the military side of life with a real life example. One of the young enlisted folks that used to work for me at the Department of Defense, absolutely brilliant young man who spent 2 days a week scrubbing toilets and cleaning out barracks and the other 3 days a week doing some very complex technical tasks as part of an investigative issue, there was not a lot of incentive to retain him at the end of his 4-year period. So the military side of the house is—and also giving the scholarship type efforts to the FBI and those sort of law enforcement agencies, I think, will go a long way to be able to retain better. Needless to say an increase in pay wouldn't hurt either.

    Representative SCOTT. How much increase are you talking about? We are on government scales.

    Mr. SCHMIDT. That is the thing. The stock options I believe Mr. Nadler mentioned earlier is a big differentiator. Not everybody leaves for that. There is the ability to be successful in your own employment. There is the ability to do your job and feel comfortable with what you are doing. That goes to the training issues, the resource issues and things like that. I know from friends that I have that are still in the law enforcement community there is a great deal of frustration, but not being able to successfully do their job because of those lack of resources I think that is part of the thing that is driving the folks out.

    The CHAIRMAN. Ms. Jackson Lee has one more question you want to ask.

    Representative JACKSON LEE. Let me conclude by thanking you for holding that hearing. As we started out an enormously timely—but I don't know if I raised this with Mudge; he might say deja vu. I noted a tinge of frustration—and I don't want to qualify your own thoughts by having been here 4 or 5 years ago, maybe not in these hallowed halls but maybe across the street—how can things be different now? What do you see differently—of course the President had his meeting. And then would you also comment with your expertise—you see my line of reasoning, why I am trying to go try to understand the hacker. I assume there is a conspiratorial criminal mind that deals with us and then there are others. Do we need to distinguish—how do we best do that? How do we utilize that talent? And of course, as you know, I talked about youth or children. I am particularly talking about the 15 to 17 and maybe under. Thank you for being here and all of the panelists.

    Mr. MUDGE. Thank you for having us all. Allow me to take the second part of that question first. We have to distinguish between them. There are, to use all the standard buzz words, nation-states that are practicing this sort of work much more successfully in their research. Our country is practicing this work and trying to understand it and design stuff and distributed and other disruptive tactics, and that is completely different than the type of person that launched these attacks.

    The standard type of person that you see doing denial-of-service—first off, denial-of-service I cringe and some of my frustration ends up being with the fact that the phrase ''hackers'' is even attached to this. This is nothing more than spray painting graffiti or blowing up mailboxes. And it is something that is shunned even by the notorious group of people that call themselves hackers that are more criminal, let alone the people that invented the Internet or the people like myself that are trying to bring back the original good terminology of hacker back into vogue much the same way we don't call people over from Europe ex-vandals. It is a term that has changed its meaning over time.

    The people that I have dealt with that have been engaged or who have admitted to fiddling with this sort of thing usually fit the mold of they are younger, they have very little guidance, and they are looking to people for guidance and they're looking to various people for maybe it is attention. That is one of the things our organization tried to do very early on, which was to provide a more positive avenue. You know the phrase making the theoretical practical—something was talked about working smarter not harder and that the problems I believe Mr. Vatis had mentioned they don't seem to make a difference until they become practical has been a motto of ours.

    We have even managed to change some of the ways that Mr. Schmidt's organization has been doing business due to that. And the education is difficult. It is painful. But I ultimately think that that is the correct direction to go.

    As for the first part of the question, which was what can be done, I think we have to realize that we are in the middle of a paradigm shift. And the paradigm shift is how we look at security as a whole. Many people are familiar with it from the military aspect. I am familiar with it from that aspect. Many are familiar from the Government environment, that is, that you have this closed environment. All of your assets you own, all of your people, and you can control that. As such, you can put a filter point here and you can say I am going to audit this, I can come back in 6 months, and I can audit it again; and that doesn't work anymore because now you have people that are roaming around the country; you are outside of this corporate umbrella, this security shield. You have customers if you are doing business on the Internet that need access all of a sudden, not just your Web page, but your inventory systems and maybe your data bases, you know, other stuff that used to be corporate internal that you would not give direct access to the outside world.

    As such, the paradigm shift—the most impressive thing that I have seen that goes back to the education was what Clinton and the administration did was a security ROTC program, where there was a certain amount of money set up as scholarship funds for computer security work, basically money going to them; and as such they were beholden to the government to come work for them after the fact. You can't compete with the private sector on what we can pay these people. I have gone and I trained the NSA, the Air Force's Information Center, the OSI, and almost all of them are going to jump out of there. But you can get them for a good period of time by helping put them through school.

    The CHAIRMAN. Thank you.

    Representative JACKSON LEE. Thank you, Mr. Chairman.

    The CHAIRMAN. We are going to unfortunately have to break up this panel. But I want to say, Miss Fithen, you didn't really get to respond to questions here. I had one for you. I will ask it then. We will use the chairman's privilege. My understanding from listening to your testimony and reading it is that you discuss in detail quite a few measures that Internet sites could use to protect themselves against this denial-of-service. For whatever reason, many of them did not up to this point choose to do so. I assume these protections are readily available. Can you give me an idea of what it costs, how frequently they have to be updated, that sort of thing?

    Ms. FITHEN. Yes, sir. The fixes are available. They are time consuming to install. They are resource intensive to maintain. Maintaining a system securely is very resource expensive right now. It takes a long time to install patches. There are updates and workarounds that need to be applied on a regular basis. Some of the patches or workarounds do not get installed into the updated versions of the operating systems.

    So I install the updated version, then I have to go and reinstall a patch I already installed. It is very costly to maintain that. It is very difficult if you are a system administrator and you have thousands of these systems to administer to apply that kind of resource to all of those systems. And all it takes is a few of those systems to launch these denial-of-service attacks.

    So again, as I stated in the testimony, as the victim, I will completely depend on how other sites securely maintain their systems, and it is very difficult and very costly as far as resources to maintain those systems. So we have a real challenge still facing us even though we understand some of the fixes that can be applied.

    The CHAIRMAN. Well, I think you have given us a fine closing, touching thought about how difficult this really is. And there is hope. And as the panel says, not only is there hope, there is something we have to do. There is no challenge Americans aren't capable of meeting. I am convinced of that. So keep it up and thank you for coming. This hearing is adjourned. Thank you.

    [Whereupon, at 5:40 p.m., the subcommittee was adjourned.]

A P P E N D I X

Material Submitted for the Hearing Record

SENATOR THURMOND FOLLOW-UP QUESTIONS FOR ERIC HOLDER

1. Is it critical for criminal laws to remain technology neutral so that similar conduct that is illegal in the physical world is also illegal in the Internet environment?

2. I understand that Internet crime investigations often cross many jurisdictional lines through various states, and this makes it difficult to get court orders for each step in the chain of communications. Are law enforcement procedural tools, such as pen registers and trap and trace authority, adequate today to trace criminal computer communications to their source?

3. Should asset forfeiture or restitution be available under the Crime Fraud and Abuse Act?

4. I understand that software programs that are necessary to organize denial of service attacks may be readily available for free on the Internet. Should we consider making such computer programs or other types of destructive computer code, such as certain virus programs, illegal even before they are used in an attack?

5. It seems that computer technology changes so rapidly that it makes it very difficult for law enforcement to maintain the expertise and equipment it needs to keep up. Is this dynamic nature of technology the primary challenge that law enforcement faces in fighting cybercrime today? Please explain.


U.S. Department of Justice,
Office of Legislative Affairs,
Washington, DC, September 25, 2000.
Hon. BILL MCCOLLUM, Chairman,
Subcommittee on Crime,
Committee on the Judiciary,
House of Representatives, Washington, DC.

    DEAR MR. CHAIRMAN: Thank you for your fax of June 30, 2000, requesting that Deputy Assistant Attorney General Eric Holder respond to additional follow-up questions from Senator Thurmond, for the record, from the February 29, 2000, hearing on ''Internet Denial of Service Attacks and the Federal Response''.

    Enclosed are the responses to these questions. Please do not hesitate to contact me if we may be of additional assistance.

Sincerely,

Robert Raben, Assistant Attorney General.
WRITTEN QUESTIONS FROM SENATOR THURMOND

1) Is it critical for criminal laws to remain technology neutral so that similar conduct that is illegal in the physical world is also illegal in the Internet environment?

    Yes, the Internet has provided a powerful tool for communication, education, and economic growth. Yet as Internet use has blossomed, so too have criminals increasingly exploited computers to commit crimes and to harm the safety, security, and privacy of others. The Department strongly believes that conduct that is illegal in the physical world should be illegal in the Internet environment. Indeed, the Department recently participated in the drafting of a report, The Electronic Frontier: The Challenge of Unlawful Conduct Involving the Use of the Internet (March 2000), that more fully discusses the issue of technological neutrality. This report can be accessed from the following website: www.cybercrime.gov/unlawful.htm

    Many criminal statutes written before the advent of the Internet adequately cover those same crimes when the actor uses the Internet to assist in committing them. For example, the prohibitions on wire fraud, enacted to criminalize the use of a telephone in a scheme to defraud, readily apply to electronic communications sent over the Internet. Congress may need to update other statutes, however, to assure that the conduct that they prohibit in the ''bricks and mortar'' world will apply equally when committed using the electronic medium. The Department looks forward to working with Congress to address the modernization of this class of criminal statutes.

    The bigger difficulty with technology-specific laws, however, occurs in procedural rather than substantive statutes. Such procedural laws define the kinds of legal procedures that law enforcement can use to obtain evidence during criminal investigations. Technological advances have made many of these statutes outdated. For example, The Cable Communications Policy Act (''Cable Act'') needs to be amended to take into account changes in technology that have occurred in the sixteen years since it was passed.

    Congress passed the Cable Act in 1984 to limit the ways in which providers of cable television programming can disclose the television viewing records of cable subscribers. It established an extraordinarily high level of protection for records pertaining to customers' television service. At that time, cable technology did not allow cable operators to provide Internet access or telephone service over cable lines. In the subsequent decades, technology improvements have allowed cable television providers to offer their customers Internet access and telephone service over the same cable lines. Indeed, the number of cable customers receiving broadband Internet access has risen dramatically and is expected to continue to do so for years to come.

    Although Congress intended the Electronic Communications Privacy Act of 1986 (''ECPA'') to regulate the disclosure of customer records by telephone carriers and other communication service providers, certain cable providers have refused to comply with lawful court orders seeking disclosure of telephone and Internet records, citing the requirements of the Cable Act. This refusal to comply has hindered important criminal investigations into such crimes as the distribution of child pornography.

    Simply stated, the rules governing the disclosure of the records possessed by a communication service provider should not depend on whether the company offers its service over telephone lines, cable lines, or some other medium. Cable companies—just like any telephone company or Internet service provider—should comply with court orders and other legal process pursuant to ECPA, the wiretap statute, and the pen register and trap and trace statute (with respect to their telephone and Internet customers). In making this change, an amendment need have absolutely no effect on the way in which the Cable Act treats the disclosure of customer television viewing habits.

2) I understand that Internet crime investigations often cross many jurisdictional lines through various states, and this makes it difficult to get court orders for each step in the chain of communications. Are law enforcement procedural tools, such as pen registers and trap and trace authority, adequate today to trace criminal computer communications to their source?

    The Trap and Trace Statute needs to be modernized to take into account changes in communications technology and the telecommunications industry. Such changes need not have any effect on current industry practices, however, nor change the kinds of information that industry currently collects and retains.

    No longer does a single telephone company handle a call from end to end. Because of deregulation and decentralization of the telecommunications industry, a single call or electronic communication is usually carried by multiple providers, such as a local carrier, a long distance carrier, a local exchange carrier elsewhere in the U.S., a series of Internet service providers, or a cellular carrier. In addition, criminals who use online resources to commit crimes often ''weave'' from system to system before attacking their ultimate victim. Rather than having to obtain separate orders addressed to each communication provider along the chain, law enforcement needs a mechanism to serve a single order that reaches from the destination of the communication to its source.

    Moreover, the current statute is technology specific, not technology neutral, and thus has become increasingly ill-suited to emerging communications technologies. The statute speaks of a pen register or trap and trace ''device'' being ''attached'' to a telephone ''line.'' However, no longer are such functions normally accomplished by physical hardware components attached to telephone lines. Instead, they are typically performed—even for ordinary phone calls—by the computerized collection and retention of call routing information passing through a communications system. Similarly, the pen register statute refers to telephone ''numbers'' rather than the broader concept of the destination of a user's communications.

    These narrow problems could be solved with commensurately narrow amendments to current law. Such amendments would allow courts to issue a single order to completely trace communications emanating from a single telephone or computer, even if that order must be served on a regional telephone company, a long distance provider, and a cellular carrier. In addition, such amendments should clarify that the statute applies equally to telephones and Internet communications. References to a telephone ''line,'' for example, should be revised to encompass a ''line or other facility.''

    Thus, the Department urges Congress to consider legislation that would update law enforcement's existing tools for fighting crime to take into account the commercial and technological changes that have occurred as we enter the Information Age.

3) Should asset forfeiture or restitution be available under the [Computer] Fraud and Abuse Act?

    The Department has found that forfeiture of property used in the commission of computer crime—or proceeds derived therefrom—can provide effective punishment and deterrence. Moreover, it makes little sense to return computers to convicted computer criminals. The Department therefore recommends that Congress add criminal and civil forfeiture provisions to the Computer Fraud and Abuse Act. Such forfeiture provisions should be based on the familiar forfeiture procedures set forth in section 413 of the Comprehensive Drug Abuse Prevention and Control Act of 1970 (21 U.S.C. §853) and chapter 46 of title 18, as revised this year by the Civil Asset Forfeiture Reform Act of 2000.

    With respect to restitution, section 3663A of title 18 already requires courts to order defendants to pay restitution to the victims of computer crimes. The Department is examining the application of this statute to determine whether it fully captures the harm caused to such victims.

4) I understand that software programs that are necessary to organize denial of service attacks may be readily available for free on the internet. Should we consider making such computer programs or other types of destructive computer code, such as certain virus programs, illegal even before they are used in an attack?

    Malicious hackers often use certain computer programs to commit their crimes that have little if any lawful use—such as ''scripts'' or ''exploits'' that allow an unauthorized user to ''break into'' a computer system and obtain complete control over it. Viruses, too, have the potential to cause vast damage to computers if released over the Internet and have no legitimate business or recreational purpose. Similarly, criminals use certain software tools to commit ''denial of service attacks''—attacks that disable a computer connected to the Internet by deluging it with harmful data traffic—and thereby disrupt legitimate communications and e-commerce. The grave potential for harmful use, as well as the lack of legitimate reasons to create or distribute such programs, suggests that Congress should consider enacting a statute that would address the production, use, possession, and distribution of these tools for criminal purposes. In fashioning an appropriate law, Congress should take into account, however, the potential First Amendment restrictions on the criminalization of the writing of computer programs. The Department looks forward to working with Congress to develop a legislative proposal that provides an appropriate balance between these First Amendment concerns and the grave harms caused by so called ''malicious code.''

5) It seems that computer technology changes so rapidly that it makes it very difficult for law enforcement to maintain the expertise and equipment it needs to keep up. Is this dynamic nature of technology the primary challenge that law enforcement faces in fighting cybercrime today? Please explain.

    The Department faces an ongoing struggle to acquire and maintain the expertise and equipment necessary to respond to the problem of cybercrime. This area of crime is growing exponentially, and law enforcement needs substantial resources as it responds to this new mode of criminality. Indeed, the changing nature of criminal investigations and the need to develop effective computer crime prevention and response strategies requires a focused, national effort that considers the needs of local, state, and federal law enforcement entities. To keep pace with these changes, nearly every law enforcement officer requires at least a basic level of cybercrime training—such as how to handle electronic evidence at a crime scene so as to assure that it is not inadvertently damaged or altered. Investigators who focus specifically on computer crimes, of course, require more extensive, in-depth training. For example, the FBI needs more money to train computer forensic examiners, as well as funds to establish forensics laboratories and purchase up-to-date computers and software. Moreover, unlike traditional methods of equipping and training law enforcement officers, investigators focusing on cybercrime must receive continuous training and updated equipment in order to stay current with the rapidly changing technology.

    In addition, the Department also desperately needs more resources. The Attorney General has consistently tried to build the Department's ability to fight cyber-crime, but resource issues have prevented this effort from being completely successful. In order to be able to meet the growing threat, we need more prosecutors in each of the United States Attorney's offices to handle investigations and cases. In addition, the Computer Crime and Intellectual Property Section in the Criminal Division has acute funding short-falls. That section lies at the center of the Department's cybercrime strategy and has a broad set of tasks—from providing legal advice and training to agents and prosecutors, to coordinating computer intrusion investigations, to negotiating international cyber-crime agreements. Yet the current level of staffing prevents them from properly fulfilling their many important missions. Thus, the dynamic nature of the technology, and the resource challenges it creates, inhibit the ability of law enforcement to respond fully to the cyber-crime problem.


SENATOR THURMOND FOLLOW-UP QUESTIONS FOR MICHAEL VATIS

1. Law enforcement is having much difficulty recruiting and training information technology professionals. How are you responding to this problem?

2. Recent news reports indicate that the ''zombie'' tools that apparently allowed hackers to launch the denial of service attacks against Amazon and others a few weeks ago may now be available in a Windows-based computer and can be delivered via e-mail. If this is correct, does this make it likely that denial of service attacks will be even more frequent in the future?

3. Is the Laboratory Division of the FBI becoming increasingly relied upon by state and local law enforcement in their efforts to intercept data regarding computer crimes? Please explain.

4. Do you think that state and local law enforcement are doing a sufficient job in focusing resources toward fighting cybercrime?

5. Many have said that the denial of service attacks are not a particularly sophisticated type of hacking attack. If this is correct, what could our adversaries accomplish through sophisticated, coordinated efforts to disrupt service?

6. I understand that Internet sites are sometimes reluctant to cooperate with law enforcement and acknowledge the extent of hacking attacks on their systems because of the fear of negative publicity for their companies. Have the companies targeted in the denial of service attacks a few weeks ago cooperated well with law enforcement, and how does their cooperation compare with victim companies generally?

7. What additional steps can be taken to encourage the high tech industry to communicate with each other and with law enforcement regarding potential and actual malicious hacking attacks?

8. Please explain the challenges the F.B.I. faces regarding encryption, and the status of your efforts to work with the high tech industry to develop recoverable encryption, including third party key recovery.

9. Please explain the difficulty that law enforcement faces when trying to trace down the source of denial of service attacks, especially when wrong Internet addresses are used to impede the investigation.

    [No Response Received.]


SENATOR THURMOND FOLLOW-UP QUESTIONS FOR PAUL MISENER

1. Are you concerned that denial of service attacks, such as the ones your company and other companies have experienced recently, could lead to a loss of consumer trust and confidence in electronic commerce?

2. As you know, a denial of service attack can cause more damage than just a loss of business while the Internet site is down. Please explain what other types of losses a victim company can face, such as system down-time and consumer loss of confidence in the site.

3. Do you think that sophisticated foreign military and intelligence services represent a greater threat to the Internet economy than denial of service attacks against commercial web sites?

    [No Response Received.]


SENATOR THURMOND FOLLOW-UP QUESTION FOR CHARLES GIANCARLO

1. How has the high tech industry responded to the recent denial of service attacks against Amazon and others, and do you think these attacks have been a wake up call for the high tech industry regarding system security?

    [No Response Received.]


SENATOR THURMOND FOLLOW-UP QUESTIONS FOR DAN ROSENSWEIG

1. It appears that many in the high tech industry traditionally have viewed computer intrusions and attacks as pranks rather than as serious crimes. Do you think the high tech industry needs to do more to recognize this type of hacking as a serious crime that can harm Internet sites and electronic commerce?

2. What is the high tech industry doing to encourage talented people to go into computer system security as a career?

    [No Response Received.]


SENATOR THURMOND FOLLOW-UP QUESTIONS FOR KATHERINE FITHEN

1. It appears that your organization at Carnegie Mellon, as well as the F.B.I., issued alerts regarding the possibility for denial of service attacks a few months ago. Do you think industry was caught off guard by the attacks against Amazon and others earlier this month, and if so why?

2. Do you find that Internet companies sometimes sacrifice security in order to make their sites faster and more useful to legitimate users, and is this a significant problem?

3. Do high tech companies need to do more to cooperate with law enforcement and others when they find themselves the object of an actual or attempted denial of service attack or other type of intrusion?


Carnegie Mellon
Software Engineering Institute,
Pittsburgh, PA, July 18, 2000.
Mr. GLENN R. SCHMITT, Chief Counsel,
Subcommittee on Crime,
Committee on the Judiciary,
House of Representatives, Washington, DC.

    DEAR MR. SCHMITT: Enclosed are the follow up questions from the joint hearing concerning ''Internet Denial of Service Attacks and the Federal Response.''

    Please let me know if you need more information.

Thank you,

Ms. Katherine T. Fithen, Manager,
CERT Coordination Center

Enclosure

REPLIES FROM KATHERINE T. FITHEN, CERT Coordination Center to Questions from United States Senator Strom Thurmond

1. It appears that your organization at Carnegie Mellon, as well as the F.B.I., issued alerts regarding the possibility for denial of service attacks a few months ago. Do you think industry was caught off guard by the attacks against Amazon and others earlier this month, and if so why?

    Our organization did issue several alerts, including a white paper in November 1999; all the alerts were geared to technical readers.

    I believe that industry was caught off guard by the attacks. In general, organizations fail to take corrective steps to known problems for many reasons. Some do not know of the general need to stay informed. Some miss the new announcements. Some do not understand how to take corrective steps. Some lack the resources to take those steps.

    Although there is growing awareness of security issues in the Internet community, it is primarily at the technical level and not at the senior management level. More emphasis needs to be placed on helping senior managers understand the issues. The government needs to release computer crime information to the private sector to help managers understand the business risks they face.

    All organizations who work in this area also face the challenge of educating new users. There are literally thousands of new users (organizations and individuals) connecting to the Internet each week. Getting the attention of all those people will continue to be a major challenge. Adding to the problem is the fact that the pool of technical experts is not keeping up with the need. Training for current members of the work force is essential, along with education for those just entering the field. Resources are needed to address the needs of all these groups as well as managers.

    At the CERT/CC, we continually add new subscribers to our advisory distribution lists and work to make more people aware of our web site. For major problems, like the distributed denial-of-service problem, we also issue press releases and work with the media to achieve the widest possible coverage. The government might consider sponsoring a broad awareness campaign that would alert organizations and individuals to the security problem and give them pointers to federal and private sector resources they could use to stay abreast of new vulnerabilities and threats.

2. Do you find that Internet companies sometimes sacrifice security in order to make their sites faster and more useful to legitimate users, and is this a significant problem?

    Based on CERT/CC experience, I have found that both Internet companies and technology vendors often sacrifice security in favor of other factors. Web site developers sometimes overlook security issues as they strive to provide users with a fast, useful site. Technology vendors, under pressure of rapid time-to-market, competition, and functionality demanded by customers, may overlook security issues. When they do address the issues later, they may offer partial solutions and short-term ''patches'' and do not address the fundamental problem.

    This is a serious problem because not only are organizations dependent on the technology, but the nation's economy itself is dependent on it. The risk to the economy is high, and not enough people understand the issues well enough to make good, well-informed decisions about business risk. There is awareness of security, and managers are making decisions; but those decisions aren't as good as they could be with better understanding and essential information. As more and more of the economy becomes dependent on the information infrastructure, the risk increases rapidly. So the problem is not just significant now; it is rapidly becoming an even bigger problem.

    Changes in functionality, access, configuration, etc. caused by business or mission needs, all affect security. Conversely, changes in security often affect the quality characteristics of the services a system provides and affect the system users. These issues must be dealt with at the local, rather than a central, level. There must be a focal point for security within each organization as well as defined responsibilities and accountabilities at all levels of management and at the staff level. Security requires the active participation by all the players within an organization. In addition, consumers must be educated about the security features of products and the risks that web sites pose so that market demand creates pressure on developers to build in security from the start.

3. Do high tech companies need to do more to cooperate with law enforcement and others when they find themselves the object of an actual or attempted denial of service attack or other type of intrusion?

    Law enforcement and the private sector need to find ways to cooperate more effectively. In particular, law enforcement needs to find new ways to work with organizations to improve efficiency in the investigation of computer attacks. Traditional investigations move slowly—too slowly to be effective in addressing attacks that are over before investigators even get started. Additionally, the traditional investigative approach is intrusive with respect to the operation of systems. The investigative process makes a great deal of information about the problem available to the public. As a result, companies are reluctant to call in law enforcement when having this kind of problem, especially if the organization believes that it won't get a conviction.


SENATOR THURMOND FOLLOW-UP QUESTIONS FOR JAMES DEMPSEY

1. The fact that cybercrime is not limited by jurisdictional lines creates problems for law enforcement. For example, pen registers and trap and trace orders currently can be issued only within the jurisdiction of the court. Do you think it is reasonable to consider permitting judges to issue pen registers and trap and trace orders beyond their jurisdictions to help address cybercrime?

2. I understand that there are concerns about aggressive law enforcement posing a threat to privacy on the Internet. However, should there also be concerns that unchecked hacking poses a threat to privacy?

3. What should the government do to work with academia and private industry to promote research and development into better ways to protect Internet security?


Center for Democracy
and Technology,
Washington, DC, July 13, 2000.
Mr. GLENN R. SCHMITT, Chief Counsel,
Subcommittee on Crime,
Committee on the Judiciary,
House of Representatives, Washington, DC.

Re: Responses to Follow-up Questions for February 29, 2000 Hearing

    DEAR MR. SCHMITT: Thank you again for the opportunity to testify at the joint hearing of the Subcommittee on Crime of the House Judiciary Committee and the Subcommittee on Criminal Justice Oversight of the Senate Judiciary Committee last February concerning ''Internet Denial of Service Attacks and the Federal Response.'' I am pleased to submit the following answers to questions submitted for the record by Senator Strom Thurmond, co-chair of the joint hearing.

Question 1. The fact that cybercrime is not limited by jurisdictional lines creates problems for law enforcement. For example, pen registers and trap and trace orders currently can be issued only within the jurisdiction of the court. Do you think it is reasonable to consider permitting judges to issue pen register and trap and trace orders beyond their jurisdictions to help address cybercrime?

    Answer: It is reasonable to consider permitting judges to issue pen register and trap and trace orders beyond their jurisdictions, in cases where the government has made a showing sufficient to support a finding that such a broad order is needed, but this expansion of the government's surveillance authority should be enacted only if other deficiencies in the pen register/trap and trace statute are also corrected. A major problem with the current statute is that it does not offer adequate protection to privacy: judges have no discretion in reviewing pen register and trap and trace applications. The statute says they must approve whatever the government asks for. Thus, under current law, judges are a mere rubber stamp. A second major deficiency that must be addressed before extending the pen register statute to address cybercrime is the lack of any specificity as to what a pen register/trap and trace order means when applied to computer communications. The statute currently refers to the ''numbers dialed on the telephone line to which the device is attached.'' Congress should specify in narrow terms what a pen register or trap and trace device is permitted to collect in the context of computer communications: it should not include any information that reveals the substance or purport of a communication, which is content that should be protected by the full probable cause standard.

    CDT has spelled out these points at greater length and recommended specific language to address them in the attached memo, entitled ''Amending the Pen Register and Trap and Trace Statute in Response to Recent Denial of Service Attacks—and to Establish Meaningful Privacy Protection,'' which we would ask to be made part of the record along with these answers.

Question 2. I understand that there are concerns about aggressive law enforcement posing a threat to privacy on the Internet. However, should there also be concerns that unchecked hacking poses a threat to privacy?

    Answer: Hacking is a crime and should be investigated and prosecuted. Some forms of hacking can cause serious damage to system availability or can result in the theft of valuable information. However, hacking is not the main or even a major threat to privacy. The main threats to privacy are governmental intrusions and the failure to adhere to fair information principles in the commercial context. Furthermore, the criminal law is not the best means of protecting privacy from hackers. On the Internet particularly, the means of protecting privacy from hackers are primarily in the hands of system designers, who can build more secure systems, and users, who should practice safe computing routinely. Individuals should not depend on the government to protect their privacy from hackers.

Question 3. What should the government do to work with academia and private industry to promote research and development into better ways to protect Internet security?

    Answer: The government's first responsibility is to improve the security of its own computer networks, which includes designing more secure systems and using them in more secure ways. Secondly, the government should continue to support and should increase its funding to private sector non-profit activities such as the Computer Emergency Response Team at Carnegie Mellon and the Center for Education and Research in Information Assurance and Security at Purdue University. Thirdly, the government should ensure that information about correcting computer vulnerabilities is disseminated as widely as possible. Steps to cloak in secrecy information provided to the government about computer vulnerabilities could have the perverse effect of limiting widespread awareness of this information.

    Please let me know if CDT can be of further assistance to the Subcommittees.

Sincerely,

James X. Dempsey, Senior Staff Counsel.

Attachment

PREPARED STATEMENT OF THE CENTER FOR DEMOCRACY AND TECHNOLOGY

APRIL 4, 2000

AMENDING THE PEN REGISTER AND TRAP AND TRACE STATUTE IN RESPONSE TO RECENT INTERNET DENIAL OF SERVICE ATTACKS—AND TO ESTABLISH MEANINGFUL PRIVACY PROTECTIONS

    Pen registers are surveillance devices that capture the phone numbers dialed on outgoing telephone calls; trap and trace devices capture the numbers identifying incoming calls. They are not supposed to reveal the content of communications. They are not even supposed to identify the parties to a communication or whether a call was connected, only that one phone dialed another phone. Nonetheless, in an increasingly connected world, a recording of every telephone number dialed and the source of every call received can provide a very complete picture—a profile—of a person's associations, habits, contacts, interests and activities. For that reason, pen registers and trap and trace devices are very helpful to law enforcement and pose significant privacy concerns. Much of the current debate over surveillance standards relates to the collection of transactional data by these devices and by other means.

    A 1986 federal law requires a court order for use of such devices, but the standard for approval is so low as to be nearly worthless—a prosecutor does not have to justify the request and judges are required to approve every request.

    These orders apply to email and other Internet activity, but it is not clear what is the Internet equivalent of the dialing information that must be disclosed. In crucial respects, Internet addressing information can be far more revealing than telephone dialing information—not only does it reveal the precise parties who are communicating, but it can even reveal the meaning or content of communications.

    Federal law enforcement agencies conduct roughly 10 times as many pen register and trap and trace surveillances as they do wiretaps. In 1996, the Justice Department components alone obtained 4,569 pen register and trap and trace orders. Most orders covered more than one line: in 1996, 10,520 lines were surveilled by pen registers or trap and trace devices. So much information is collected that Justice Department agencies have developed several generations of computer tools to enhance the analysis and linking of transactional data from pen registers and trap and trace devices.

    In response to a Justice Department proposal, legislation has been introduced to authorize judges in one jurisdiction to issue pen register and trap and trace orders to service providers anywhere in the country, S. 2092. Other provisions in the bill could have the effect of greatly expanding the scope of these supposedly limited surveillance devices, allowing the collection of more personally revealing information and imposing expensive burdens on ISPs, portals, and other service providers.

    Before the geographic reach of pen register and trap and trace orders is expanded, the privacy standards in the current law should be updated: some real substance should be put into the standard for issuing those orders and the scope of information they collect should be carefully limited.

The Framework of the Electronic Surveillance Laws

    There are three major laws setting privacy standards for government interception of communications and access to subscriber information:

 The federal wiretap statute (''Title III''), 18 USC §2510 et seq., which requires a probable cause order from a judge for real-time interception of the content of voice and data communications. This legal standard is high.

 The Electronic Communications Privacy Act of 1986 (''ECPA''), 18 USC §2701 et seq., setting standards for access to stored email and other electronic communications and to transactional records (subscriber identifying information, logs, toll records). The standard for access to the contents of email is relatively high; the standards for access to transactional data are low.

 The pen register and trap and trace statute, enacted as part of ECPA, 18 USC §3121 et seq., governing real-time interception of ''the numbers dialed or otherwise transmitted on the telephone line to which such device is attached.'' The standard is that of a rubber stamp.

    Title III governs the interception of the ''contents'' of communications, which the statute defines as ''any information concerning the substance, purport, or meaning of that communication.'' 18 USC §2510(8). Since the Supreme Court has held that the content of communications is fully protected by the Fourth Amendment's limitations on searches and seizures, Title III imposes strict limitations on the ability of law enforcement to obtain call content—limitations that embody, and in some respects go beyond, the protections guaranteed by the Fourth Amendment. A law enforcement agency may intercept content only pursuant to a court order issued upon findings of probable cause to believe that an individual is committing one of a list of specifically enumerated crimes, that communications concerning the specified offense will be intercepted, and that the pertinent facilities are commonly used by the alleged offender or are being used in connection with the offense. 18 USC §2518(3).

    On the other hand, the Supreme Court has held that there is no constitutionally-protected privacy interest in the numbers one dials to initiate a telephone call. Smith v. Maryland, 442 U.S. 735, 742 (1979). Accordingly, the pen register and trap and trace provisions in 18 USC §3121 et seq. establish minimum standards for court-approved law enforcement access to the ''electronic or other impulses'' that identify ''the numbers dialed'' for outgoing calls and ''the originating number'' for incoming calls. 18 USC §3127(3)–(4). To obtain such an order, the government need merely certify that ''the information likely to be obtained is relevant to an ongoing criminal investigation.'' 18 USC §3122–23. (There is no constitutional or statutory threshold for opening a criminal investigation.)

    The Supreme Court has stressed how limited is the information collected by pen registers. ''Neither the purport of any communication between the caller and the recipient of the call, their identities, nor whether the call was even completed is disclosed by pen registers.'' United States v. New York Tel. Co., 434 U.S. 159, 167 (1977) (emphasis added). Recent court decisions have reemphasized that such devices' ''only capability is to intercept'' the telephone numbers a person calls. Brown v. Waddell, 50 F.3d 285, 292 (4th Cir. 1995) (emphasis added).

    The pen register/trap and trace statute lacks many of the privacy protections found in the wiretap law. Not only is the standard for judicial approval so low as to be meaningless, but the government can use pen register evidence even if it is intercepted without complying with the law's minimal provisions: Unlike the wiretap statute, which has a statutory exclusion rule, the pen register/trap and trace law has no such provision, and the Fourth Amendment's exclusionary rule does not apply. There is little chance of after-the-fact oversight, since innocent citizens are unlikely to find out about abuses of the statute: Unlike the wiretap law, the pen register/trap and trace statute has no provision requiring notice to persons whose communications activities have been surveilled. Nor, in contrast to the wiretap law, is there any provision for judicial supervision of the conduct of pen registers: Judges are never informed of the progress or success of a pen register or trap and trace. There is also no minimization rule: Section 3121(c) requires the government to use technology reasonably available to it that restricts the recording or decoding of electronic or other impulses to the dialing and signaling information used in call processing, but the FBI has recently admitted that no such technology exists.

Applying Pen Registers to the Internet

    The pen register and trap and trace statute was adopted before the Internet was widely available to ordinary citizens. The definition of pen register says that such devices capture only the ''numbers dialed or otherwise transmitted'' on the telephone line to which the device is attached. 18 USC §3127(3). The definition of trap and trace device refers only to ''the originating number of an instrument or device from which a wire or electronic communication was transmitted.'' 18 USC §3127(4).

    There are many questions posed by application of the pen register/trap and trace statute to the Internet. The statute almost certainly applies to email and the Web, for it refers to electronic communications. But what are ''the numbers dialed or otherwise transmitted''? Can the government serve a pen register order on an ISP or other service provider like Hotmail, to obtain the addresses of all incoming and outgoing emails for a certain account? Does the pen register/trap and trace authority encompass only numbers (Internet protocol addresses) or does it include email addresses or both? Can a pen register or trap and trace order be served on a portal or search engine? What does the statute mean when applied to URLs? Can the government serve a pen register or trap and trace order on CNN and get the address of everybody who has downloaded or viewed a certain article? What information is collected under a pen register order and from whom in the case of a person who is using the Internet for voice communications? What standard applies if the person has DSL or a cable modem?

    The importance of these questions is heightened by the fact that transactional or addressing data of electronic communications like email and Web browsing can be much more revealing than telephone numbers dialed.

    First, email addresses are more personally revealing than phone numbers because email addresses are unique to individual users. In many offices, while there is only one phone number normally called from the outside, each person has an individual email address. So while a pen register on a phone line only shows the general number called, a pen register served on an ISP will likely identify the specific recipient of each message. Even in a household, each person online may have a separate email, and may have different email addresses for different purposes, making it more likely that the government can determine precisely who is contacting whom.

    Furthermore, if the pen register authority applies to URLs or the names of files transmitted under a file transfer protocol, then the addressing information can actually convey the substance or purport of a communication. If you call (202) 637–9800 on the phone and ask for a copy of our statement on cybercrime and Internet surveillance, a pen register shows only that you called the general CDT number. If you ''visit'' our website and read the statement, your computer transmits the URL http://www.cdt.org/security/000229judiciary.shtml, which precisely identifies the content of the communication. Does a pen register served on our ISP or our web hosting service require disclosure of that URL? If so, the government has no trouble knowing what you read, for typing in the same URL reveals the whole document.

    Such revealing information appears in other addresses:

  If you search Yahoo for information about ''FBI investigations of computer hacking,'' the addressing information you send to Yahoo includes your search terms. The URL looks like this:
http://search.yahoo.com/bin/search?p=FBI+and+hacking+investigations.

  If you search AltaVista for ''hacker tools,'' the ''addressing'' data looks like this: http://www.altavista.com/cgi-bin/query?pg=q&sc=on&hl=on&q=hacker+tools&kl=XX&stype=stext&search.x=25&search.y=11.

  If you send a message to Amazon.com to buy a book, this is what the URL looks like: http://www.amazon.com/exec/obidos/handle-buy-box=0962770523/book-glance/002–9953098–4097847, where 0962770523 is the standardized international catalogue (ISBN) number of the book you are buying.

    Computer security expert Richard Smith has identified numerous ways in which the URLs sent to DoubleClick include personal information about travel plans, health, and other matters. See attached memo and http://www.tiac.net/users/smiths/privacy/banads.htm. Can a pen register order be served on DoubleClick? Would it cover the detailed information found in URLs delivered to DoubleClick?
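The examples above make a technical point that a system designer can check mechanically: a telephone pen register yields only the number dialed, whereas a URL carries a path and a query string that can identify the document read, the search terms typed, or the book bought. The following Python is an added illustration, not part of the CDT statement or any product it mentions. It splits URLs modelled on the statement's own examples (the sample list is constructed here, with plain hyphens in the Amazon path) into the host-only view a pen register analogy would give and the content-revealing remainder, and shows the data-minimisation step a service provider can apply before writing request URLs to a retained log, so that a later disclosure of that log cannot reveal what users read or searched. Function names are the author's own.

```python
from urllib.parse import parse_qsl, unquote, urlsplit, urlunsplit

# Constructed sample URLs, modelled on the examples in the CDT statement.
# No network requests are made; these are strings only.
SAMPLE_URLS = [
    "http://www.cdt.org/security/000229judiciary.shtml",
    "http://search.yahoo.com/bin/search?p=FBI+and+hacking+investigations",
    "http://www.altavista.com/cgi-bin/query?pg=q&sc=on&hl=on&q=hacker+tools"
    "&kl=XX&stype=stext&search.x=25&search.y=11",
    "http://www.amazon.com/exec/obidos/handle-buy-box=0962770523"
    "/book-glance/002-9953098-4097847",
]


def host_only(url: str) -> str:
    """The closest Internet analogue of the 'number dialed': only the host contacted."""
    return urlsplit(url).hostname or ""


def decoded_query(url: str) -> dict:
    """Decode the query string into name/value pairs as the receiving server sees them.

    parse_qsl turns '+' into spaces and undoes percent-encoding, so the user's
    typed search terms come back in clear text.
    """
    return dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))


def content_revealed(url: str) -> dict:
    """Everything a full URL discloses beyond the host: the path (which document,
    which catalogue number) and the decoded query (which search terms)."""
    parts = urlsplit(url)
    return {"path": unquote(parts.path), "query": decoded_query(url)}


def minimise_for_log(url: str) -> str:
    """Data-minimisation step for a retained access log: keep scheme and host, drop
    path, query and fragment entirely, so the stored record is no more revealing
    than a telephone pen register entry."""
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, parts.netloc, "", "", ""))


def compare_views(urls) -> list:
    """Side-by-side report for a list of URLs; returned rather than only printed so
    the result can be inspected programmatically."""
    return [
        {
            "pen_register_view": host_only(u),
            "content_revealed": content_revealed(u),
            "log_record": minimise_for_log(u),
        }
        for u in urls
    ]


if __name__ == "__main__":
    for row in compare_views(SAMPLE_URLS):
        print("host only :", row["pen_register_view"])
        print("full URL  :", row["content_revealed"])
        print("log record:", row["log_record"])
        print()
```

Running the block shows that the Yahoo and AltaVista entries decode to the phrases ''FBI and hacking investigations'' and ''hacker tools'', and that the Amazon entry carries the ISBN in its path even though it has no query string at all, which is why a policy of ''drop the query string'' alone is not enough; the minimised log record keeps only the host.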

    These questions did not exist in 1986, when the pen register statute was enacted. They illustrate how outdated is the rubber-stamp standard of the current law. All of these questions should be addressed before the scope of the pen register statute is further extended.

Jurisdictional Expansion of the Pen Register/Trap and Trace Statute

    18 USC §3123(a) currently states that a judge shall authorize the installation and use of a pen register or trap and trace device ''within the jurisdiction of the court.'' The Justice Department argues that this jurisdictional limitation (no different than the jurisdictional limitation that applies to search warrants or subpoenas in the ''real'' world) poses a burden to law enforcement conducting investigations in cyberspace, since a communication may jump from one computer to another.

    While there is some apparent logic to the government's argument for tracing computer data across jurisdictional lines, the proposed change would not be limited to computer communications—it would also apply to plain old telephones. Nor would it be limited to situations where it appeared that communications were passing through multiple service providers: it would allow a Miami judge to authorize the use of a pen register in New York on communications starting and ending in New York.

    Furthermore, orders issued under the proposed change as introduced would have no limits. A normal subpoena, even one with nationwide effect, is addressed to a specific custodian of the desired information. Fed. R. Crim. Proc. 17(c). This requirement does not appear in S. 2092; instead, the government would receive a blank order, which it could presumably serve on multiple, unnamed service providers, with no limit as to time or how often the subpoena could be used.

    If the pen register and trap and trace provisions are given nationwide effect, that effect should not automatically attach to every such order. There should at least be some requirement that the applicant explain to the judge's satisfaction why authority is sought to conduct the investigation across jurisdictional lines. Section 3122(b) should be amended to require in the application, if an order with nationwide effect is sought, a full and complete statement of the grounds for believing that some of the communications to be identified originate or will terminate outside the jurisdiction of the issuing court or are passing through multiple service providers, and that the cooperation of multiple service providers or of service providers in other jurisdictions will be necessary to identify their origin or destination. Section 3123 should be amended to require the judge to specify by name to whom the subpoena is directed, as well as the geographic extent of the order and the time within which it is effective. (Limiting language on geographic extent already appears in the statute: 3123(b)(1)(C).)

Establishing Meaningful Privacy Standards for Pen Registers

    Any territorial extension of the reach of trap and trace or pen register orders should also be coupled with a heightened standard for approval of such devices. Under current law, a court order is required but the judge is a mere rubber stamp: the statute presently says that the judge "shall" approve any application signed by a prosecutor saying that the information sought is relevant to an investigation. Currently, the judge cannot question the claim of relevance, and isn't even provided with an explanation of the reason for the application. Given the obvious importance of this "profiling" information, section 3122(b)(2) should be amended to require the government's application to include a specific description of the ongoing investigation and how the information sought would be relevant and material to such investigation, and section 3123(a) should be amended to state that an order may issue only if the court finds, based on a showing by the government of specific and articulable facts, that the information likely to be obtained by such installation and use is relevant and material to an ongoing criminal investigation.

    The second change needed is to define and limit what information is disclosed to the government under a pen register or trap and trace order, especially those served on an Internet service provider or in other packet networks. Unfortunately, S. 2092 goes in the opposite direction. It would amend the definition of pen register devices to include "dialing, routing, addressing, or signalling information transmitted by an instrument or facility from which a wire or electronic communication is transmitted." This completely loses the current sense of the statute, which is limited to information identifying the destination of a communication. The phrase "dialing, routing, addressing or signalling information" is very broad. It increases the amount of information that can be ordered disclosed/collected, in ways that are unclear but that are likely to increase the intrusiveness of these devices, which are not supposed to identify the parties to a communication and not even supposed to disclose whether the communication was completed. It goes well beyond merely eliminating the archaic reference to telephone lines.

    A much better way to phrase the pen register definition would be: "dialing, routing, addressing or signalling information that identifies the destination of a wire or electronic communication transmitted by the telephone line or other subscriber facility to which such device or process is attached or applied".

    Similarly, the trap and trace definition could be amended to read: "a device or process that captures the dialing, routing, addressing or signalling information that identifies the originating instrument or device from which a wire or electronic communication was transmitted." These amendments should be coupled with statutory language or legislative history making it clear that pen registers do not authorize interception of search terms, URLs identifying certain documents, files or web pages, or other transactional information.

    As an oversight matter, it would be useful to include reporting requirements in the pen register statute that are closer to those applicable to wiretaps. Currently, the statute requires only reports for pen registers and trap and trace devices applied for by the Justice Department, so there is no way of knowing what is done by other federal law enforcement agencies or state and local authorities.

    Finally, it should be made clear that any changes to the statute do not expand the obligations on carriers under the Communications Assistance for Law Enforcement Act. Currently, a debate is underway over the meaning of CALEA. The government would almost certainly cite S. 2092's amendments to the definitions of pen register and trap and trace device as justification for requiring carriers to install additional surveillance features. It must be made clear, for example, that the pen register/trap and trace statute's reference to identifying the origin of communications does not imply a design mandate for identification or traceability.
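The statement's point about URLs (that the Amazon URL embeds the ISBN of the book being bought, and that URLs delivered to an ad network can carry travel or health details) can be shown concretely. The following Python is an added example, not part of the witness's statement or of any cited source. It splits a URL into the destination-identifying fields that a narrowly drawn pen register definition would reach (scheme, host, port) and the path and query components that reveal what was read, searched for or bought, and it flags ISBN-10 numbers found there. The Amazon URL is the one quoted in the statement; the other sample URLs, their hostnames and the ISBN check-digit helper are constructed for this example.

```python
"""Added example: which parts of a URL identify the destination of a
communication, and which parts reveal its content."""
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample requests. The first is the Amazon URL quoted in the
# statement; the other two are made up (hypothetical hostnames) to show
# ad-network path parameters and search-query leakage.
SAMPLE_URLS = [
    "http://www.amazon.com/exec/obidos/handle-buy-box=0962770523/book-glance/002-9953098-4097847",
    "http://ads.example.net/adj/travelsite;dest=paris;sz=468x60?ref=bookings",
    "https://clinic.example.org/search?q=hiv+test+clinics&zip=94110",
]

# A bare ten-character run of digits (last may be X) is an ISBN-10 candidate.
ISBN10_RE = re.compile(r"\b\d{9}[\dX]\b")


def isbn10_valid(candidate: str) -> bool:
    """ISBN-10 check: digits weighted 10..1 must sum to a multiple of 11."""
    total = 0
    for weight, ch in zip(range(10, 0, -1), candidate):
        total += weight * (10 if ch == "X" else int(ch))
    return total % 11 == 0


def destination_fields(url: str) -> dict:
    """Fields a destination-limited definition ('information that identifies
    the destination of a communication') would cover: where the request went."""
    parts = urlsplit(url)
    default_port = 443 if parts.scheme == "https" else 80
    return {"scheme": parts.scheme, "host": parts.hostname, "port": parts.port or default_port}


def content_revealing_fields(url: str) -> dict:
    """The rest of the URL: path, ';'-separated path parameters, query string,
    and any valid ISBNs found in them, i.e. what the user read or bought."""
    parts = urlsplit(url)
    path, *param_segments = parts.path.split(";")
    path_params = dict(seg.split("=", 1) for seg in param_segments if "=" in seg)
    query = parse_qs(parts.query)
    candidates = ISBN10_RE.findall(parts.path + " " + parts.query)
    isbns = [c for c in candidates if isbn10_valid(c)]
    return {"path": path, "path_params": path_params, "query": query, "isbns": isbns}


def pen_register_view(url: str, broad_definition: bool) -> dict:
    """Under the broad 'dialing, routing, addressing, or signalling' reading the
    whole URL is 'addressing'; under the narrow reading only the destination is."""
    view = {"destination": destination_fields(url)}
    if broad_definition:
        view["content_revealing"] = content_revealing_fields(url)
    return view


if __name__ == "__main__":
    for sample in SAMPLE_URLS:
        print(sample)
        print("  narrow definition:", pen_register_view(sample, broad_definition=False))
        print("  broad definition: ", pen_register_view(sample, broad_definition=True))
```

Running it shows that the narrow reading yields only `www.amazon.com:80`, while the broad reading also yields the path containing `0962770523`, which passes the ISBN-10 check. The same split applied to the second and third samples surfaces the travel destination in the path parameters and the health-related search terms in the query string.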

     

[Attachment: memo referenced above, reproduced as images 67303c.eps and 67303d.eps; not recoverable as text.]

     

SENATOR THURMOND FOLLOW-UP QUESTION FOR SAMUEL GUIBERSON

1. As a general matter, do you think that Internet crime is any less serious than crime in the physical world?

    [No Response Received.]

(Footnote 1) Publication of vendor-initiated bulletins was discontinued in 1999.

(Footnote 2) Special Communications are informal descriptions of problems, which we send to CERT/CC sponsors.

(Footnote 3) This document is being updated. Before implementing the recommendations, email info@sans.org with the subject Roadmap. The latest version will be emailed to you.

(Footnote 4) Participants in the meeting on cybersecurity with President Clinton on February 15.