Segment 3 Of 3     Previous Hearing Segment(2)

 Page 190       PREV PAGE       TOP OF DOC    Segment 3 Of 3  
FIGHTING CYBER CRIME:
EFFORTS BY PRIVATE BUSINESS INTERESTS

THURSDAY, JUNE 14, 2001

House of Representatives,
Subcommittee on Crime,
Committee on the Judiciary,
Washington, DC.

    The Subcommittee met, pursuant to call, at 10:10 a.m., in Room 2237, Rayburn House Office Building, Hon. Lamar Smith, Chairman of the Subcommittee, presiding.

    Mr. SMITH. Since we are expecting votes in about 45 minutes, and because it would interrupt us if we are not finished, we are going to try to proceed fairly quickly.

    I also want to mention that the Ranking Member, Bobby Scott, is testifying before another Committee, or he would be here now, and we still expect him shortly. Nevertheless, I'm going to recognize myself for an opening statement, and other Members if they have them, and then we'll proceed.

    This is the third and last hearing in a series. I expect this hearing to assist Congress in deciding how to reduce cyber crime.

    At the prior two hearings, Federal and local law enforcement officials told us that better training, additional resources, and increased cooperation and coordination are needed. Crime is still crime, whether it occurs on the street or on the Web.

    While other crime rates continue to drop, cyber crime is dramatically increasing. According to law enforcement officials, cyber crime causes billions of dollars in losses every year. For example, last May one computer virus disrupted the communications of hundreds of thousands of computers, causing losses estimated in the billions of dollars. And in March of this year the FBI issued a warning that an organized group of Russian hackers had stolen more than a million credit card numbers from companies' databases.

    In addition, the witnesses testified that the statutes governing processes and procedures to investigate and prosecute cyber crime must be updated.

    Today the Subcommittee on Crime will hear testimony from representatives of private industry on how they deal with the growing problem of cyber crime, and also on their recommendations for how Congress should reduce cyber crime.

    Businesses are losing billions of dollars from cyber crime activities that range from fraud to piracy to sabotage. The Internet has fostered an environment where hackers retrieve private data for amusement, individuals distribute software illegally, and viruses circulate with the sole purpose of debilitating computers.

    In confronting this issue, the business community faces a dilemma. Do they report cyber crime at the risk of losing the public's confidence in their ability to protect customer information, or do they fail to act and risk losses and repeat attacks?

    Legislation alone cannot adequately combat the prevalence of cyber crime we face today. Private industries that want to protect their businesses and customers provide the first line of defense. The private sector is usually ahead of Government on the latest technology, and must be willing to cooperate with law enforcement agencies. Technology holds the key to the future, and private businesses are leading the way in innovation and products, but if left unchecked, cyber crime will stifle that progress.

    I hope to hear from the witnesses on how their companies and businesses are working to reduce cyber crime. I would also like to hear about their concerns and suggestions regarding legislation.

    [The prepared statement of Mr. Smith follows:]

PREPARED STATEMENT OF THE HONORABLE LAMAR SMITH, A REPRESENTATIVE IN CONGRESS FROM THE STATE OF TEXAS

    This is the third and final hearing in a series on cyber crime. I expect that, as the other two hearings have done, this hearing will offer valuable insight for Congress to assist in the country's efforts against cyber crime.

    At the prior two hearings, federal and local law enforcement officials told us that better training, additional resources and increased cooperation and coordination are needed.

    The witnesses provided us with examples of successful cooperation between state and local law enforcement. They all agreed that Congress should assist in establishing more regional computer forensic laboratories as a way to pool resources and enhance coordination. In addition, the law enforcement witnesses testified that the statutes governing processes and procedures to investigate and prosecute cyber crime must be updated.

    The Subcommittee also heard from the privacy and civil rights community. The witness urged the Subcommittee to consider privacy issues in drafting any legislation, which we will do as a matter of course.

    Today, the Subcommittee on Crime will hear testimony from representatives of private industry regarding their efforts to deal with the growing problem of cyber crime. Businesses are losing millions of dollars from cyber crime activities that range from intrusions to piracy.

    In confronting this issue, the business community faces a dilemma. Do they report cyber crime at the risk of losing the public's confidence in their ability to protect customer information? Or, do they not report the event and risk additional losses in money and business and perhaps repeat attacks? In making this decision, businesses should remember blackmailers rarely ask for one lump sum and bullies thrive on the vulnerable.

    With so much at stake, businesses have a strong incentive to prevent cyber crime. In addition to relying on the criminal laws, businesses are cooperating with federal, state and local governments and law enforcement to share information and educate the community to reduce vulnerabilities.

    Legislation, alone, cannot adequately combat the level of cyber crime we face today. Private industry that wants to protect their businesses and their customers provides the first line of defense. The private sector will always be ahead of government on the latest technology, and must be willing to cooperate with each other and with law enforcement.

    I hope to hear from the witnesses on exactly how their companies and businesses are working towards better cooperation. I also would like to hear about their concerns and suggestions regarding legislation and thank them for their participation.

    At this time, I recognize Bobby Scott, the ranking Member, for an opening statement.

    Mr. SMITH. I'll recognize Mr. Green, if he has an opening statement or comments.

    Mr. GREEN. No.

    Mr. SMITH. And if not, then we'll proceed and look forward to hearing from our witnesses. They are Mr. Harris N. Miller, President, Information Technology Association of America; Mr. Robert Chesnut, Vice President and Deputy General Counsel, eBay, Incorporated; Mr. Robert Kruger, Vice President for Enforcement, Business Software Alliance; and the Honorable Dave McCurdy, President, Electronic Industries Alliance, a former colleague of ours in Congress.

    We welcome you all, and Mr. Miller, we'll start with you.

STATEMENT OF HARRIS N. MILLER, PRESIDENT, INFORMATION TECHNOLOGY ASSOCIATION OF AMERICA

    Mr. MILLER. Thank you very much, Chairman Smith. It's a great honor to be here before the Subcommittee, and to be working with you again. You've managed to graduate from that immigration merry-go-round to a more interesting, different kind of challenge here as the Chairman of this Subcommittee.

    I commend the Subcommittee for holding a series of hearings, and recognizing the cyber crime issue, as you pointed out in your opening statement, is an enormous challenge, and that industry leadership, in meaningful partnership with Government, is essential.

    The stakes involved are enormous. Information technology currently represents over 6 percent of the global domestic product, and over 8 percent of US GDP, according to Digital Planet 2000, a study released last year by the World Information Technology and Services Alliance. In addition, the IT industry has a particular challenge, because not only are we a vertical industry, as is health care or transportation or retail, for example, we're also a horizontal industry in this Internet world, underlying all those other vertical industries. So we have a double challenge, to protect our own systems, and also, of course, our customers' systems.

    Cyber crime places the digital economy at risk, but too many times the assumption is made that fighting cyber crime can be done with technology alone. That is wrong. Just as the best alarm system will not protect a building if the alarm code falls into the wrong hands, a network will not be protected if the passwords are given out freely. Failures in the process and people part of the cyber crime solution may in fact be a factor in the majority of the problems we see.

    The business marketplace is responding to the technology component of the equation. Our customers demand it, and therefore, IT companies supply it. However, the processes and people element tend to be more problematic elements of the challenge. The two are closely linked. From a strategic point of view, the challenge is to make information security a top priority issue for CEOs, for Government officials, and for leaders in the non-governmental sector. Moving from platitudes to practical action requires the sustained commitment of senior management in both the public and private sectors. Industry and Government must share the view that given the nation's extensive dependence on information systems, information security equates to economic security. Partnership and outreach are critical to success. We must work across industry and industry with Government. Protecting our infrastructure is a collective responsibility, not just the IT community's role.

    ITAA itself is working on multiple fronts to improve the current mechanisms for combatting threats and responding to attacks. Elements of our plan internally include information sharing, awareness, education, training, best practices, research and development, and international cooperation.

    In the brief time this morning, I will just focus on one of these, namely information sharing. As you pointed out in your opening statement, Mr. Chairman, sharing information about corporate information security practices is very difficult. Companies are understandably reluctant to share sensitive proprietary information about prevention practices, intrusions and actual crimes, with either Government agencies or competitors. Gimbel's doesn't like to tell Macy's. Information sharing is a risky proposition with often less than clear benefits. No company wants information to surface that they had given in confidence that may jeopardize their market position, strategies, customer base or capital investments.

    Public policy factors can also be a barrier. One of the obstacles is the Freedom of Information Act. Companies worry that if information sharing with Government really becomes a two-way street, FOIA requests for information they have provided to an agency could prove embarrassing or costly. We are working with Congressman Tom Davis and Senator Bob Bennett, and other key players on legislation to address this concern. There's also a concern about antitrust, about sharing information leading to antitrust violations. We've been in dialog with the Department of Justice, and we believe this issue can be partially addressed through letters from the Department of Justice, but it is something we need to take a closer look at.

    The IT industry has adopted several formal approaches to the information-sharing challenge. For instance, in January of 2001, 19 of the Nation's leading high-tech companies announced the formation of a new Information Technology—Information Sharing Analysis Center, the IT ISAC, to cooperate on cyber security issues. The objective of the IT ISAC is to enhance the availability, confidentiality, and integrity of network information systems. It is a not-for-profit organization that will allow information sharing, including the possibility of anonymous information sharing within the IT industry, and ultimately between various segments of the industry, and ultimately between industry and Government. The IT ISAC has made excellent progress in the 6 months since its founding, and is in the process of being formally "stood up."

    Another example is the Partnership for Critical Information Security. This partnership, which was started under the previous Administration and continues to be supported by Secretary of Commerce Don Evans in the current Administration, brings together key sectors of our economy to work across sectors, so that the financial sector, the retail sector, the health sector, the energy sector, the IT sector and others, share information. Again, this is not a stove-pipe issue, and they must work together. The PCIS had a major meeting in Washington, D.C. in March, which was addressed by the National Security Advisor, Dr. Rice, and that meeting helped to pull together and coalesce this partnership. We now have formal mechanisms being developed to provide information sharing.

    In sum, Mr. Chairman, the challenge is large so the achievement will be formidable. While cyber crime will never be eliminated, it can be contained through effective information security products, intelligent practices, and suitably trained people. But none of this will occur, again I repeat, without leadership from the top, both in the private sector and in Government and collaboration between the two.

    ITAA is proud to do its part. Thank you. And I welcome the opportunity to answer any questions the Subcommittee may have.

    [The prepared statement of Mr. Miller follows:]

PREPARED STATEMENT OF HARRIS N. MILLER

INTRODUCTION

    Chairman Smith and Members of the Subcommittee, thank you for inviting me here to testify today on cyber crime. My name is Harris N. Miller, and as President of the largest information technology trade association, the Information Technology Association of America <http://www.itaa.org/>, I am proud that ITAA has emerged as the leading association on the issue of information security. ITAA represents over 500 corporate members. These are companies that have a vested economic interest in assuring that the public feels safe in cyberspace; in the United States, most of the Internet related infrastructure is owned and operated by the private sector.

    I am also President of the World Information Technology and Services Alliance <http://www.witsa.org>, a consortium of 41 global IT associations from economies around the world, so I offer a global perspective. ITAA also houses the Global Internet Project <http://www.gip.org/>, an international group of senior executives committed to fostering continued growth of the Internet, which is spearheading an effort to engage the private sector and governments globally on the Next Generation Internet and related security and reliability issues.

    I commend this Subcommittee for holding a series of hearings on cyber crime and recognizing that to solve this enormous challenge, industry leadership, in meaningful partnership with government, is essential.

    The stakes involved are enormous. Information technology represents over 6 percent of global gross domestic product (GDP), a spending volume of more than $1.8 trillion, and over 8 percent of US GDP, according to Digital Planet 2000, a report released last year by WITSA. According to the US Department of Commerce, IT accounted for approximately one-third of the nation's real economic growth from 1995 to 1999. Despite the current slowdown, IT-driven productivity increases have enabled our country to have what many economists thought we could not have: high growth, low unemployment, low inflation, and growth in real wages.

    The IT industry's importance to the economy goes beyond the numbers I just recited, however, because the IT industry is not only a vertical industry—such as financial services or health care—it is also a horizontal industry whose technology and services undergird all the other industry sectors. For instance, the failure of a particular IT company to meet the information security challenge not only hurts that company's bottom line, it also hurts the bottom line of companies to which it provides software or IT services.

ECONOMY AT RISK

    Cyber crime places the digital economy at risk. Just as the reality or threat of real crime can drain the economic vitality of neighborhoods, cities and even nations, so too can the reality or threat of crimes committed online against people and property shutter businesses and cause an otherwise motivated digital public to break their Internet connection.

    Cyber crime falls into several categories. Most incidents are intended to disrupt or annoy computer users in some fashion. Distributed denial of service (DoS) attacks crash servers and bring down websites through the concerted targeting of thousands of email messages to specific electronic mailboxes. Viruses and other malicious code introduce phantom computer software programs to computers, designed intentionally to corrupt files and data. Other online intrusions are conducted to deface websites, post political messages or taunt particular groups or institutions. Even though no one stands to profit, damages caused by such attacks can run from the trifling to the millions of dollars. What motivates these attackers? Hackers may view the attack as a technology challenge, may be seeking to strike a blow against the establishment, may be looking for group acceptance from fellow hackers, or may be just indulging themselves in a perverse thrill.

    Other cyber criminals are more material guys and gals. They hope to profit from their intrusions by stealing valuable or sensitive information, including credit card numbers, social security numbers, even entire identities. Targets of opportunity also include trade secrets and proprietary information, medical records, and financial transactions.

    For some cyber criminals, the Internet is a channel for the dissemination of child pornography and a tool used in the furtherance of other crimes against children and adults. These crimes include fraud, racketeering, gambling, drug trafficking, money laundering, child molesting, kidnapping and more.

    Cyber terrorists may seek to use the Internet as a means of attacking elements of the physical infrastructure, like power stations or airports. As we have seen in the Middle East, cyber terrorists encouraging political strife and national conflict can quickly turn the Internet into a tool to set one group against another and to disrupt society generally.

    Another class of cyber criminal and, unfortunately, the most common is the insider who breaks into systems to eavesdrop, to tamper, perhaps even to hijack corporate IT assets for personal use. These could be employees seeking revenge for perceived workplace slights, stalking fellow employees, looking for the esteem of peers by unauthorized "testing" of corporate security, or other misguided individuals.

    Regardless of category, the threat is real. A recent study produced by Asta Networks and the University of California San Diego monitored a tiny fraction of the addressable Internet space and found almost 13,000 DoS attacks launched against over 5000 targets in just one week. While most targets were attacked only a few times, some were victimized 60 or more times during the test period. For many small companies, being knocked off the Internet for a week means being knocked out of business for good.

    The Computer Security Institute/FBI also documents the problem in a widely reported study on computer breaches. This year's survey of 538 respondents found 85 percent experiencing computer intrusions, with 64 percent serious enough to cause financial losses. Estimated losses from those willing to provide the information tallied $378 million, a 43 percent increase from the previous year.

    A nationwide public opinion poll released last year by ITAA and EDS showed that an overwhelming majority of Americans, 67 percent, feel threatened by or are concerned about cyber crime. In addition, 62 percent believe that not enough is being done to protect Internet consumers against cyber crime. Roughly the same number, 61 percent, say they are less likely to do business on the Internet as a result of cyber crime, while 33 percent say crime has no effect on their e-commerce activities. The poll of 1,000 Americans also revealed that 65 percent believe online criminals have less of a chance of being caught than criminals in the real world, while only 17 percent believe cyber criminals have a greater chance of being caught.

BATTLING CYBER CRIME: INFORMATION SECURITY

    Information security is the multifaceted discipline that counteracts cyber crime. Information security—or InfoSec—deals with cyber crime prevention, detection and investigation. How do we achieve information security?

INFORMATION SECURITY IS BUILT FROM TECHNOLOGY, PROCESSES AND PEOPLE

    Too many times, the assumption is made that fighting cyber crime can be done with technology alone. That is wrong. Just as the best alarm system will not protect a building if the alarm code falls into the wrong hands, a network will not be protected if the passwords are given out freely. Failures in the "process and people" part of the cyber crime solution may, in fact, be the majority of the problems we see.

    The marketplace is responding to the technology component of this equation. Our customers demand it and, therefore, ITAA members supply it. Beyond that simple yet effective commercial dynamic, we also see market pressures beginning to coalesce. As cyber crime becomes more common and more pervasive, we will hear a building chorus of demand for information security solutions from insurance firms, health care providers, financial services companies, utilities, and the public at large.

    The degree to which such products are necessary is in large part determined by the level of risk incurred. In most cases, for instance, security levels required to protect an email application would not be as robust as those protecting electronic funds transfer. Organizations must be able to select the technology solution that is adequate to the job at hand. The marketplace must have the commercial incentive to deploy a variety of technology solutions, be they password protection, encryption, firewalls, biometrics or other means.

    Processes and people tend to be the more problematic elements of the policy puzzle. The two are closely linked. From a strategic point of view, the challenge is to make information security a top priority issue. Moving from platitudes to practical action requires the sustained commitment of senior management.

    The goal is to embed information security in the corporate culture. That is not always easy to do. CEOs want their IT systems to be as fast as a Maserati—but as safe as a Brinks truck. Whenever tradeoffs arise, the bias is towards speed, not safety. The challenge for the IT sector and its customers working together is to provide security at the speed of business.

    Organizations must be willing to invest in the development of comprehensive security procedures and to educate all employees—continuously. The primary focus of improving processes and changing behaviors is inside the enterprise. However, the scope of the effort must also take into account the extended organization—supply chain partners, subcontractors, customers, and others that must interact on a routine basis.

ORGANIZATIONS MUST ALSO BE PREPARED TO COOPERATE WITH LAW ENFORCEMENT

    Unfortunately, companies often feel that the disruption to operations and potential damage to reputation outweigh the benefits of such cooperation. Until the private sector feels that it can do so on a reasonable basis, hackers and cyber criminals will have a significant advantage. ITAA and the Department of Justice conducted a series of executive level meetings and conferences last year, including participation by then Attorney General Janet Reno, to work towards a new dialogue on this issue. More such events will be held later this year. Companies can move this process along by working through trade associations and groups like the Partnership for Critical Infrastructure Security <http://www.pcis-forum.org>, to achieve the necessary balance of public and private interests.

    The challenge of processes and people is not a concern for the private sector alone. The federal government must play a significant role as well. The Administration, for instance, must bring substantial leadership to the information security arena and help raise the nation's level of awareness about cyber attacks and preventative measures. A major part of this message must be that, given the nation's extensive dependence on information systems, information security means economic security.

    The responsibility is both national and international. The U.S. has critical defense and economic relationships around the globe. A breakdown in any link of this chain can have cascading consequences. It is, therefore, incumbent on the U.S. government to accept its global information security role and educate foreign governments as to the nature of the threat and how to respond to it. Industry stands ready to work with multinational organizations and NGOs to help in this process.

INDUSTRY PLAN FOR CYBER SECURITY

    ITAA and its members have been working to execute a multi-faceted plan designed to improve U.S. cooperation on issues of information security. However, Mr. Chairman, we would all be remiss if we believed it was just the IT industry that must cooperate within its own industry—we must work cross industry, and industry with government. Protecting our infrastructure is a collective responsibility, not just the IT community's role.

    We are working on multiple fronts to improve the current mechanisms for combating threats and responding to attacks through our role as a Sector Coordinator for the Information and Communications sector, appointed by the U.S. Department of Commerce. Through ITAA's InfoSec Committee, our member companies also are exploring joint research and development activities, international issues, and security workforce needs. Elements of the plan include Information Sharing, Awareness, Education, Training, Best Practices, Research and Development, and International Coordination.

    INFORMATION SHARING: Sharing information about corporate information security practices is inherently difficult. Companies are understandably reluctant to share sensitive proprietary information about prevention practices, intrusions, and actual crimes with either government agencies or competitors. Information sharing is a risky proposition with less than clear benefits. No company wants information to surface that they have given in confidence that may jeopardize their market position, strategies, customer base, or capital investments. Nor would they risk voluntarily opening themselves up to bogus but costly and time-consuming litigation. Releasing information about security breaches or vulnerabilities in their systems presents just such risks. Negative publicity or exposure as a result of reports of information infrastructure violations could lead to threats to investor—or worse—consumer confidence in a company's products. Companies also fear revealing trade secrets to competitors, and are understandably reluctant to share such proprietary information. They also fear sharing this information, particularly with government, may lead to increased regulation of the industry or of electronic commerce in general.

    Public policy factors also act as barriers to industry information sharing. One of the obstacles is the Freedom of Information Act (FOIA). Companies worry that if information sharing with government really becomes a two-way street, FOIA requests for information they have provided to an agency could prove embarrassing or costly. FOIA requests place the private sector's requirement for confidentiality at odds with the public sector's desire for sunshine in government information. We are working with Congressman Tom Davis (R-VA), Senator Robert Bennett (R-UT), and other key players on legislation to meet this concern.

    Anti-trust concerns are a second potential legal hurdle to information sharing. Fortunately, such risks appear small. The antitrust laws focus on sharing information concerning commercial activities. Information Sharing Advisory Centers (ISACs) should be in compliance with the antitrust laws because they are not intended to restrain trade by restricting output, increasing prices, or otherwise inhibiting competition, on which the antitrust laws generally focus. Rather, ISACs facilitate sharing of information relating to members' efforts to enhance and to protect the security of the cyber infrastructure, so the antitrust risk of such exchange is minimal. The Justice Department has also indicated that there are minimal antitrust concerns involving properly structured joint industry projects for dealing with externalities. An entity created to share information regarding common threats to critical infrastructure should fall into this category.

    Given the changing nature of the cyber crime threat and in spite of the many business, operational and policy hurdles standing in the way, many companies in the private sector recognize the need to have formal and informal information sharing mechanisms. Internet Service Providers are an example of the latter circumstance. Because these firms provide networking capability commercially, these businesses often have extensive network security expertise. Such firms act as virtual Information Sharing and Analysis Centers, gathering information about detected threats and incursions, sanitizing it by removing customer specific data, and sharing it with customers.

    The IT industry has adopted a formal approach to the information sharing challenge. In January 2001, nineteen of the nation's leading high tech companies announced the formation of a new Information Technology Information Sharing and Analysis Center (IT-ISAC) to cooperate on cyber security issues. The objective of the IT-ISAC is to enhance the availability, confidentiality, and integrity of networked information systems. The group has made excellent progress in the six months since its founding and is in the process of being formally "stood up," although information sharing is already beginning to take place within this ISAC.

    The IT-ISAC is a not-for-profit corporation that will allow the information technology industry to report and exchange information concerning electronic incidents, threats, attacks, vulnerabilities, solutions and countermeasures, best security practices and other protective measures. Its internal processes will permit information to be shared anonymously. The organization is a voluntary, industry-led initiative with the goal of responding to broad-based security threats and reducing the impact of major incidents. Membership in the IT-ISAC is open to all U.S.-based information technology companies. It will offer a 24-by-7 network, notifying members of threats and vulnerabilities. The group also is clear on what it will not undertake. Excluded activities include standards setting, product rating, audits, certifications or dispute settlement. Similarly, the IT-ISAC is not a crime fighting organization. The nineteen Founding Member companies of the IT-ISAC, all represented at the announcement, are AT&T, Cisco Systems, Computer Associates, CSC, EDS, Entrust Technologies, Hewlett-Packard Company, IBM, Intel Corporation, KPMG Consulting, Microsoft Corporation, Nortel Networks, Oracle Corp., RSA Security, Securify Inc., Symantec Corporation, Titan Systems Corp., Veridian and VeriSign, Inc.

    The group plans to evolve its information sharing activities over time, starting with IT companies and then moving across sectors. It is also expected that the ISAC will enable sensitive information to be shared between industry and government. But that sharing must be a two-way street, if it is going to be effective.

    The Software Engineering Institute's CERT Coordination Center plays an information sharing role for numerous industries. The oldest and largest of information sharing programs, CERT is a Federally funded research and development center at Carnegie Mellon University in Pittsburgh. The organization gathers and disseminates information on incidents, product vulnerabilities, fixes, protections, improvements and system survivability. The organization strives to maintain a leak proof reputation while collecting thousands of incident reports yearly. These could be anything from a single site reporting a compromise attempt to a virus with worldwide impact.

    The IT-ISAC is specifically designed to support the IT industry in this country. Other ISACs have been formed in the financial services and telecommunications industries. And I would like to mention two other groups that play an important information sharing role. The Partnership for Critical Infrastructure Security provides a venue for organizations from numerous industries to pool their knowledge and experience about information infrastructure risks and protections. PCIS also examines critical interdependencies among infrastructure providers and seeks common solutions to risk mitigation. The Partnership for Global Information Security <http://www.pgis.org/> provides a forum for executives from both the public and private sector in economies around the world to share information about InfoSec topics. PGIS members are focused on five areas for collaboration: sound practices, workforce, research and development, cyber crime and law enforcement and public policy. ITAA is proud to have played a leadership role in the formation of both organizations, and I sit on the Boards of Directors of both.

    AWARENESS: ITAA and its member companies are raising awareness of the issue within the IT industry and through partnership relationships with other vertical industries, including finance, telecommunications, energy, transportation, and health services. We are developing regional events, conferences, seminars and surveys to educate all of these industries on the importance of addressing information security. An awareness raising campaign targeting the IT industry and vertical industries dependent on information such as the financial sector, insurance, electricity, transportation and telecommunications is being overlaid with a targeted community effort directed at CEOs, end users and independent auditors. The goal of the awareness campaign is to educate the audiences on the importance of protecting a company's infrastructure, and instructing on steps they can take to accomplish this. The message is that information security must become a top tier priority for businesses and individuals.

    EDUCATION: In an effort to take a longer-range approach to the development of appropriate conduct on the Internet, the Department of Justice and the Information Technology Association of America have formed the Cybercitizen Partnership. Numerous ITAA member companies and recently the Department of Defense have joined this effort. The Partnership is a public/private sector venture formed to create awareness in children of appropriate on-line conduct. This effort extends beyond the traditional concerns for children's safety on the Internet, a protective strategy, and focuses on developing an understanding of the ethical behavior and responsibilities that accompany use of this new and exciting medium. The Partnership is developing focused messages, curriculum guides and parental information materials aimed at instilling a knowledge and understanding of appropriate behavior on-line. The Partnership hosted a very successful event last fall at Marymount University in Northern Virginia that brought together key stakeholders in this area. Ultimately, a long range, ongoing effort to insure proper behavior is the best defense against the growing number of reported incidents of computer crime. The Cybercitizen website has received over 600,000 hits in the past year.

    TRAINING: ITAA long has been an outspoken organization on the impact of the shortage of IT workers—whether in computer security or any of the other IT occupations. Our groundbreaking studies on the IT workforce shortage, including the latest, ''When Can You Start,'' have defined the debate and brought national attention to the need for new solutions to meet the current and projected shortages of IT workers. We believe it is important to assess the need for and train information security specialists, and believe it is equally important to train every worker about how to protect systems.

    We have planned a security skills set study to determine what the critical skills are, and will then set out to compare those needs with courses taught at the university level in an effort to determine which programs are strong producers. We encourage the development of ''university excellence centers'' in this arena, and also advocate funding for scholarships to study information security. We commend the Administration and Congress for supporting training more information security specialists.

    The challenge to find InfoSec workers is enormous, because they frequently require additional training and education beyond what is normally achieved by IT workers. Many of the positions involving InfoSec require US citizenship, particularly those within the federal government, so using immigrants or outsourcing the projects to other countries is not an option.

    BEST PRACTICES: We are committed to promoting best practices for information security, and look to partners in many vertical sectors in order to leverage existing work in this area. In addition, our industry is committed to working with the government—whether at the federal, state or local levels. For example, we are working with the Federal Government's CIO Council on efforts to share industry's best information security practices with CIOs across departments and agencies. At the same time, industry is listening to best practices developed by the government. This exchange of information will help industry and government alike in creating solutions without reinventing the wheel.

    While we strongly endorse best practices, we strongly discourage the setting of ''standards.'' Why?

    Broadly, the IT industry sees standards as a snapshot of technology at a given moment, creating the risks that technology becomes frozen in place, or that participants coalesce around the ''wrong'' standards. Fighting cyber crime can be thought of as an escalating arms race, in which each time the ''good guys'' develop a technology solution to a particular threat, the ''bad guys'' develop a new means of attack. So to mandate a particular ''solution'' may be exactly the wrong way to go if a new threat will soon be appearing.

    It is also critical that best practices are developed the way much of the Internet and surrounding technologies have progressed—through ''de facto'' standards being established without burdensome technical rules or regulations. While ITAA acknowledges the desire within the Federal government to achieve interoperability of products and systems through standard-setting efforts, the reality is that the IT industry can address this simply by responding to the marketplace demand. The marketplace has allowed the best technologies to rise to the top, and there is no reason to treat information security practices differently.

    RESEARCH AND DEVELOPMENT: While the information technology industry is spending billions on research and development efforts—maintaining our nation's role as the leader in information technology products and services—there are gaps in R&D. Frankly, for industry, more money is frequently spent on ''D''—development—than ''R''—long-term research. Government, mainly in the Department of Defense, focuses its information security R&D spending on defense and national security issues. We believe that between industry's market-driven R&D and government's defense-oriented R&D projects, gaps may be emerging that no market forces or government mandates will address. Government funding in this gap—bringing together government, academia and industry—is necessary.

    INTERNATIONAL: In our work with members of the information technology industry and other industries, including financial services, banking, energy, transportation, and others, one clear message constantly emerges: information security must be addressed as an international issue. American companies increasingly are global corporations, with partners, suppliers and customers located around the world. This global business environment has only been accented by the emergence of on-line commerce—business-to-business and business-to-consumer alike.

    Addressing information security on a global level clearly raises questions. Many within the defense, national security and intelligence communities rightly raise concerns about what international actually means. Yet, we must address these questions with solutions and not simply ignore the international arena. To enable the dialogue that is needed in this area, ITAA and WITSA conducted the first Global Information Security Summit in Fall 2000. This event brought together industry, government and academia representatives from around the world to begin the process of addressing these international questions. A second Summit is planned for later this year to continue the dialogue. The governmental international linkages must be strengthened—and not just among the law enforcement and intelligence communities. Government ministries around the world involved in economic issues—such as our own Department of Commerce—need to be key players.

HOW GOVERNMENT CAN HELP

    In many ways, solutions to information security challenges are no different than any other Internet-related policy issue. Industry leadership has been the hallmark of the ubiquitous success of our sector. Having said that, we also believe that government has several roles to play in helping achieve information security and combating cyber crime:

 First and foremost, like a good physician practicing under the Hippocratic oath, do no harm. Excessive or overly broad legislation and subsequent regulation crafted in a rapidly changing technology environment is apt to miss the mark and likely to trigger a host of unintended consequences. In many instances, existing laws for crimes in the physical world are adequate to address crimes conducted in cyberspace. New legislation should always be vetted for circumstances that single out the Internet for discriminatory treatment.

 Practice what you preach. The rules of technology, process and people apply equally to the public sector. The U.S. government must lead by example in preventing intrusions into agency websites, databanks and information systems. Leadership in this area means substantial investments of new money in information security technology and services. Responding to the issue by reallocating existing dollars from current programs is robbing Peter to pay Paul and likely to play out at the expense of the American public and their confidence in e-government. It also means insisting that government agencies implement rigorous information security processes and practice them on a daily basis. Making InfoSec part of the corporate culture will require extensive senior management commitment.

 Reach out to international counterparts for crucial discussion of cyber security, and in particular, how to most constructively and effectively enforce criminal law in the increasingly international law enforcement environment fostered by the Internet and other information networks. The Council of Europe draft Convention on Cyber Crime, as the first such attempt to create an international convention in this area, has become a central subject of debate. It is no secret that the private sector has expressed significant concerns about several aspects of the treaty. When governments engage in the development of cyber crime legislation or participate in international organizations on this issue, government should ensure that the process is inclusive of industry, civil society and the appropriate ministries that represent these constituencies. Governments should also match the private sector's efforts to secure their information systems swiftly, robustly, and continuously.

 Bring leadership to bear through existing structures and establish an InfoSec Czar position similar to the role played by John Koskinen during the Year 2000 date rollover. With minimal staff, but strong backing from the President, Mr. Koskinen was able to have substantial influence on both the governmental and private sector efforts in Y2K. ITAA, its members and the IT industry continue to work hard to develop collegial and constructive relationships with the leadership and staff of the Critical Information Assurance Office (CIAO), the Commerce Department (DOC), the National Institute of Standards and Technology (NIST), and the Critical Information Infrastructure Assurance Program Office (CIIAP) at NTIA, as well as the National Security Council (NSC), Department of Justice (DOJ), Department of Energy, the National Information Protection Center (NIPC), and the National Security Agency (NSA).

 Funding will also help in the areas of workforce development and research. We have a critical shortage of information technology professionals generally and information security specialists specifically. In general, we support legislation to increase the number of appropriately skilled workers in this critical area. We also support additional R&D funding.

CONCLUSION

    Society's reliance on information technology will only increase over time. Ultimately, the level of information security we achieve will go far in defining our level of economic security. Market forces will push us to this inevitable conclusion. These forces will include:

 Insurance companies seeking to control and assess the risk of cyber crime related losses;

 Banks seeking to assure that Internet-dependent businesses have mitigated InfoSec related risks;

 Shareholders insisting that their equity be protected through executive level attention to information security;

 Medical establishments that must assure the absolute privacy of individually identifiable patient records; and

 Critical suppliers needing to assure unimpeded flow of goods and services to plants and factories.

    The challenge is large, so the achievement will be formidable. While cyber crime may never be eliminated, it can be contained through effective information security products, intelligent practices and suitably trained people. Industry and government have important roles to play in achieving this purpose.

    The Information Technology Association of America is proud to do its part.

    Thank you and I welcome any questions from the Committee.

    Mr. SMITH. Thank you, Mr. Miller.

    Mr. Chesnut.

STATEMENT OF ROBERT CHESNUT, VICE PRESIDENT AND DEPUTY GENERAL COUNSEL, eBAY, INCORPORATED

    Mr. CHESNUT. Mr. Chairman, thank you for inviting eBay here this morning to talk a little bit about what eBay does to fight cyber crime.

    Before I talk about eBay's efforts, I'd like to put some of our efforts in context with some numbers, because we certainly hear a lot of numbers about online auction fraud and complaints of different Government agencies, but I think it's important to keep in mind the volume of commerce that's taking place over the Internet when thinking about these numbers. Let me give you some numbers about eBay.

    Every single day on eBay there are over 6 million items put up for—that are on sale by people all over the world. Every day over 1 million items right now are being added for sale on eBay. Over 2 million bids every single day are being placed for items from users, and we have, according to our last report, over 29 million users. We have websites in 19 countries, and we have users in virtually every country in the world. For every second, on every second on eBay, $251 in business is being transacted. That's $251 per second, 24 hours a day, 7 days a week. If you took our numbers from the first quarter this year, assuming no growth, that's $8 billion worth of gross merchandise sales for 2001.

    Looking at some of the complaints, Federal Trade Commission in 1999——

    Mr. SMITH. Why haven't you offered members stock options? [Laughter.]

    Mr. CHESNUT. I'm trying to get some myself.

    You know, if you look at some of the numbers—because the growth is really phenomenal. In 1999 we ran 125 million auctions on our website, and during 1999, that same period, the Federal Trade Commission received 14,000 complaints about—relating to online auction fraud, and that's industry wide. In the year 2000 the number of listings on eBay more than doubled from 125 million to 260 million. You would expect that the number of complaints to the Federal Trade Commission would have increased by more than double as the business grew by more than double. In fact, the numbers went down as an absolute number, to 11,000. Why are the number of auction fraud complaints going down with the FTC? I think it's been a combination of a number of things. I think law enforcement is catching up, the training, their efforts in these cases. They're to be commended. I think that the Government has also done a great job of educating people about how to trade smart online. I also think that we've been able to do some things that have been successful, and let me just mention a couple.

    One, say payments. You know, when we originally came online most of our users were doing business with money orders, sending checks, cashier's checks to other individuals, and that's a process, a payment process that offers no recourse if you send the money and you don't get the goods. And what we've been able to pioneer is a payment method where consumers can pay each other through credit cards, where ordinary consumers, like you and I selling things to each other out of our garage, can pay each through credit cards using a third-party bank, a service. eBay, I know is in partnership with Wells Fargo Bank and Billpoint through one of those services. So if there is a problem and if the item doesn't arrive, or if the item isn't as advertised, the consumer's got full recourse, 100 percent protection through the charge-back protections of their credit card. And I think that's the wave of the future really in dealing with online person-to-person trading fraud, as it's been reported.

    On top of that, we also offer third-party escrow, so that if a consumer wants to send the money to a third party and have that third party hold onto the money until the goods arrive, they've got that available.

    On top of that, we have made a business decision that we're going to insure transactions on our website, every single one of them, up to $200. Cost of doing business. People don't have to pay for that insurance. It's automatic. So if a consumer has a bad experience on eBay, doesn't get the goods as promised, we're going to protect that up to $200 with a $25 deductible.

    We've also had a lot of success with an education program, we're actually working with the Government to teach people about what they can and can't do online. The best example is something we've done with the Consumer Product Safety Commission. We've given the Consumer Product Safety Commission free web space on eBay, as well as a number of other Government agencies like the U.S. Customs Service, where they can teach consumers on eBay about their mission, and consumers can actually learn about safe trading directly from the Government. I know that in the month after we partnered with the Consumer Product Safety Commission, hits on their database tripled. They had to go out and buy new servers because we were able to drive so much traffic to them from consumers who really wanted to learn more about how to trade safely and make sure they didn't buy recalled products.

    The last thing I'm going to mention is our Fraud Investigation Team. My wife used to be a special agent with the INS before she came to eBay. She now manages a full-time force within eBay that does nothing but work with law enforcement every day, full time. And we have contacts, literally thousands of contacts in law enforcement, not just in the United States, but worldwide, so that if a consumer has a problem on eBay, they need to get in touch with law enforcement. My wife's team works with them, gets cases promptly to the right person in law enforcement so that we can prevent further losses and get the cases investigated.

    A number of other efforts we have are detailed in my statement, but I'll finish here.

    [The prepared statement of Mr. Chesnut follows:]

PREPARED STATEMENT OF ROBERT CHESNUT

    Mr. Chairman and members of the Subcommittee:

    My name is Robert Chesnut, Vice President and Deputy General Counsel of eBay, Inc. (''eBay''). eBay is the world's first and largest online trading community. It was founded in September 1995 and currently has over 29 million registered users. Essentially, eBay's business is to bring together buyers and sellers from across the United States, and the world, to facilitate trading of goods and services.

    I appreciate the opportunity to testify today about some of the creative steps being taken by private industry to fight crime online and the cooperative approach that we at eBay have found with federal and state law enforcement officials. Finally, I will conclude my testimony with a brief discussion of one problem that eBay believes needs new federal legislation—a criminal prohibition against email address harvesting for the purpose of sending illegal spam. Such a prohibition will eliminate another area of cybercrime and make the Internet safer.

EBAY'S EFFORTS TO ELIMINATE ONLINE CRIME

    When I first came to eBay two and one-half years ago, I heard many people marvel at what a tough task it must be to fight crime on the Internet, and how the Internet presented so many challenges to lawful business activity. But what I have come away with from my work at eBay is that the Internet provides law enforcement and private businesses so many opportunities to fight crime with creative solutions, many of which could exist only because of the Internet. Let me highlight some of the creative measures we use at eBay that have had a significant impact in combating unlawful activity on our website.

1. Our ''Feedback Forum'' gives users the opportunity to share their experiences with other users—every user of our service has a numerical feedback profile available for all to see so that good sellers and buyers are rewarded for fair dealing and bad ones are weeded out for failing to do the right thing.

2. Our Verified Rights Owners' Program (VeRO) protects intellectual property owners—it is a highly successful joint effort between eBay and private rightsowners (more than 2,000) as diverse as Adobe, the MPAA, Muhammad Ali and Bruce Springsteen to identify pirated goods, take them off our site and report repeat infringers to law enforcement.

3. Our education program teaches users about the law, and explains in plain English why certain items (like prescription drugs, alcohol and tobacco, items made from endangered species) cannot be sold on eBay. This is a permanent part of our site devoted solely to the law, and we have built it by creating partnerships with state and federal agencies. We provide free web space to government agencies right on our site to teach users about key laws that might affect their ability to trade, and many agencies, including the Customs Service, the Environmental Protection Agency (EPA) and the Food and Drug Administration (FDA) are using our services.

   For example: in early 2000, eBay approached the Consumer Product Safety Commission (CPSC) and proposed a joint project to prevent users from trading recalled goods on the Internet. Within weeks, the CPSC had a free web page within the eBay site that linked to the CPSC records on recalled products, and users in key categories like baby items, power tools and sporting goods were encouraged to check out their items on the CPSC website before buying or listing them for sale on eBay.

   The result? Amazing—In the first month, queries to the CPSC recall database tripled, requiring the agency to add new servers to handle the load . . . and many consumers were educated about recalled products, a positive outcome for the agency and eBay users.

4. We have made large strides in improving methods of safe payment for goods and services traded on our site. We encourage and support third-party escrow services that allow buyers to send money to the service, receive the goods from the seller and then release the funds to the seller. Escrow protects both parties to the transaction. We have partnered with Wells Fargo Bank in a service known as Billpoint. Billpoint allows users to pay for items with a credit card, even when they are buying items from ordinary people who are not merchants and that could otherwise not accept credit card payments. This brings the protection of credit cards into person-to-person trading on the Internet. Consumers who pay with a credit card have nearly complete protection against fraud through charge back rights provided by credit card issuers. Billpoint has already paid significant dividends in the fight to protect consumers on the Internet.

5. And when things do go wrong (and unfortunately they will go wrong whenever ordinary people do business directly with each other from remote points around the globe), we have devised additional new strategies to assist them. One important element is online mediation. eBay played a key role in the formation of the online mediation industry and its leader Square Trade. Square Trade helps consumers resolve disputes with each other (even in different languages from all over the world) with the help of professional mediators online. This program is subsidized by eBay so that users never have to pay more than $15 to have a case mediated online. The response has been overwhelmingly positive. It is cost efficient even for small disputes between users anywhere, the legal system is not clogged with these small matters, and users love an independent voice of reason that is often crucial to resolving online disputes. Square Trade handled over 60,000 disputes in 2000 and nearly 90% were concluded with positive results for both parties.

6. Similar to the offline world, we have witnessed larger fraud cases involving a number of victims. eBay has attacked the problem with the creation of our Fraud Assistance Team. The Team devotes themselves full-time to putting victims in touch with the right law enforcement agency who can help them, from Hong Kong to London to New York and California. We work with law enforcement to get them key records in a matter of hours, not days. We have created electronic victim's complaint forms that can be filled out online and emailed directly to an investigative agent in a matter of hours. This is crucial to gathering evidence from many victims around the globe. Law enforcement is so impressed with the tools we place at their disposal that in the last month, one federal prosecutor in Illinois stated that eBay's cooperation was ''phenomenal.'' The best he had ever seen from a private company. Another federal prosecutor in Alabama told us last week that without our work in putting a case together, the case would have never been prosecuted. Most importantly, cases are getting prosecuted . . . dozens of Internet criminals are going to jail, paying fines and returning money to victims in state and federal cases across the country and around the world. Each successful prosecution sends an important message that the law does apply on the Internet and particularly on eBay.

7. And when all else fails, eBay provides a free insurance to all its users through Lloyd's of London—if a transaction goes bad, eBay makes good on it, up to $200. It is automatic—no premiums or pre-registration. For eBay, it is a cost of doing business and takes a lot of the sting out of bad experiences. How many bad experiences occur on eBay? Less than 1/10th of 1 percent of all listings on eBay result in an insurance claim payment, a record we would match with any other retailer anywhere in the world any day of the week.

THE RESULTS

    Are these creative strategies working? The latest statistics suggest that these strategies are making a significant difference. In 1999, the FTC received 13,091 complaints about online auction fraud. Remember that not all of these complaints are actual fraud . . . many of these complaints were resolved by the users after the complaint was filed, or were never fraud in the first place . . . and not all involved eBay. During 1999, eBay alone hosted 125 million listings of goods and services.

    In 2000, eBay grew at a dramatic pace, hosting more than twice as many listings—approximately 265 million. But the number of FTC fraud complaints? They went down, to 10,872 . . . a remarkable drop, almost 20%, particularly when compared with the growth of the industry. We are proud of these numbers, and we are committed to introducing new measures to continue these positive trends in 2001 and beyond.

THE NEED FOR ANTI-HARVESTING LEGISLATION

    It is worth noting that some forms of cybercrime could be reduced if Congress were to adopt a criminal prohibition against the automated harvesting of email addresses for the purpose of sending illegal Spam. eBay users are increasingly receiving illegal Spam, from people who obtained their email addresses illegitimately from the eBay web site. These harvesters are building a growing and lucrative business by attacking popular websites with automated tools that suck in millions of e-mail addresses and spew them out again for use by Spammers. This parasitic process undermines public confidence in e-commerce, feeds public fears about threats to privacy on the Internet and becomes a breeding ground for fraudulent conduct.

    All of eBay's anti-fraud activities, outlined above, are undermined when Spammers convince eBay users to engage in transactions off the eBay site. We believe that a cybercrime bill should include a provision, amending the Computer Fraud and Abuse Act, 18 U.S.C. Section 1030, to outlaw the automated bulk harvesting of e-mail addresses for the purpose of sending illegal spam. Such a provision will guarantee additional protection to America's online consumers.

    Thank you. I am available to answer any questions you may have.

    Mr. SMITH. Thank you, Mr. Chesnut.

    And that's the second reference, Mr. Harris, to immigration so far. I might say that I know a number of other people, and that includes myself, are relieved that I was able to become Chairman of the Crime Subcommittee, but I appreciate what your wife is doing for the INS.

    Mr. Kruger.

STATEMENT OF ROBERT KRUGER, VICE PRESIDENT FOR ENFORCEMENT, BUSINESS SOFTWARE ALLIANCE

    Mr. KRUGER. Mr. Chairman, no references to immigration in my testimony.

    Good morning. My name is Bob Kruger. For the past 8 years I have been Vice President of Enforcement at the Business Software Alliance, an association of leading software and e-commerce developers. Prior to that I was a Federal prosecutor.

    While we sit here this morning, perfect copies of software programs that cost American businesses hundreds of millions of dollars to develop, are being unlawfully copied, counterfeited, sold and downloaded from the Internet. Those acts are costing the economy billions of dollars in lost sales and millions of lost jobs every year.

    Digital piracy is not a new phenomenon for software publishers. It has always been possible to make perfect copies of software programs, but it is a problem that is now worsening. The card table pirate, who used to sell to dozens of customers at flea markets, now reaches millions through Internet auction sites and e-mail spams. Counterfeiters, including organized criminal groups, have discovered that if you don't have to pay anyone for the research and development of those programs, selling them is a high-margin and low-risk proposition.

    And a new species of pirate has emerged, one who sets up sites on the Internet where software can be freely downloaded, inviting the world to loot some of the crown jewels of the American economy. Software developers also face a problem on the demand side as new generations of computer users come to believe that because piracy is so rampant it can't be so bad. If it was, they reason, someone would do something about it.

    For its part, the industry is working very hard to combat piracy. BSA's members are pouring resources into this effort, diverting money and manpower that would otherwise be used to develop new products. We are pursuing education and awareness campaigns. For example, BSA recently obtained a DOJ grant to develop educational programs to prevent intellectual property theft and cyber crime. This effort will include creating public service announcements that reach out to American youth with the message that piracy is wrong. We are seeking to forge partnerships with and enlist the cooperation of Internet businesses. BSA has, for example, issued a set of model business practices for Internet auction sites, designed to reduce the incidence of piracy. We are making ample use of the notice and takedown procedures set out in the Digital Millennium Copyright Act, and we are aggressively pursuing civil litigation against auction vendors and other types of Internet pirates.

    But in addition to these industry efforts, there is a critical need for Federal law enforcement attention to this problem. Thanks to congressional action, tools needed for effective prosecution already exist. I commend Members of this Committee for passage of the No Electronic Theft Act, and for your leadership in securing enhancements to the Federal Sentencing Guidelines for intellectual property crime.

    There are several reasons why Federal prosecutions are an important part of the solution to this problem. First, we are in a period of tremendous opportunity. Attitudes and behaviors are still forming over the issue of respect for intellectual property online. Effective action to close the barn door now will have greater impact than years of chasing the horse later on. Second, criminal prosecution and penalties provide deterrence in a way that civil judgments cannot. Pirates need to know that they stand to lose not just money, but also their liberty. Third, law enforcement has investigative capabilities unavailable to private industry, such as subpoena and search warrant authority, and the ability to enlist the assistance of law enforcement agencies overseas. And finally, because of the preemptive effect of Federal copyright law, State and local enforcement agencies are limited in what they can do. In effect, Federal prosecutions are the only game in town.

    Now, we have seen some signs of progress. There has been an increase in the number of software piracy prosecutions announced by the Justice Department this year. Last month a Federal jury in Chicago returned a guilty verdict against a member of the Pirates with Attitude software ring, after the first trial under the NET Act. The jury's verdict, reached in a mere 30 minutes, is a statement that the public, like Congress, condemns software piracy. We also applaud recent efforts by the Customs Service to fight counterfeiting, particularly by international organized rings, and we welcome the Attorney General's statement before the full Judiciary Committee that fighting piracy will be a priority within his department.

    But to be effective, the law enforcement effort requires sustained activity. Resources must be adequate. Agents and prosecutors must be well trained. Cases must be aggressively pursued, and attention must be paid to communicating the deterrence message as broadly as possible.

    Mr. Chairman, we look to this Committee to ensure that law enforcement remains an integral part of the solution to this problem. We ask that you continue your oversight to preserve the positive momentum that has been building. BSA stands ready to assist you in any way to address these important issues.

    [The prepared statement of Mr. Kruger follows:]

PREPARED STATEMENT OF ROBERT KRUGER

    Good morning, my name is Bob Kruger. I am Vice-President for Enforcement for the Business Software Alliance, an association of leading software and e-commerce companies.(see footnote 4) I thank the Committee for the opportunity to testify about a matter of great concern to the software industry. BSA's members create approximately 90% of the office productivity software in use in the U.S. and around the world. I would like to give the Subcommittee some background on the state of software piracy today, what the industry is doing to protect itself and the critical role that law enforcement must play. Congressional attention to the piracy problem has been invaluable in meeting the serious challenges faced by copyright owners in the past and will be needed to ensure that creators of IP can continue to make important contributions to the economy in the future.

MY BACKGROUND

    I have been BSA's Vice-President for Enforcement for eight years. Prior to my joining the Business Software Alliance, I served as a federal prosecutor in the U.S. Attorney's Office in the District of Columbia and before that as Associate Counsel to President Reagan. During my tenure at the Business Software Alliance, I have learned firsthand how pervasive, multi-faceted, and resistant the software piracy problem is and what a devastating impact it has on software developers.

THE PROBLEM

    BSA was formed by leading software companies to combat a major threat to their markets, domestic and overseas, and to their ability to continue to create new programs. That threat is piracy. Software publishers occupy something of a unique position when it comes to digital piracy. It has always been possible to reproduce and distribute perfect copies of software programs because from its creation software is available only in digital form.

    A look at software piracy statistics provides insight into the scope and severity of the problem. Every year the International Planning and Research Corporation undertakes an international survey of the level of software piracy on a country-by-country basis along with its economic impact. Last month, BSA released the survey for the year 2000. On a worldwide basis, the survey found that the piracy rate averaged 37% resulting in revenue losses of $11.75 billion dollars. In a few countries, the piracy rate exceeded 90%. In the US, the piracy rate for 2000 was 24% with a revenue loss of $2.6 billion. These numbers are very high, but they actually represent an improvement from the 1994 statistics when the international piracy rate was 49%—meaning that half of the world's software was pirated. Unfortunately, after several years of decreasing software piracy rates worldwide since 1994, we've witnessed a slight increase from 1999 to 2000. Several factors were responsible for this increase, notably the growth in the total software market in developing nations where the software piracy rate far exceeds the world average. The market growth in these nations was not offset enough by market growth in more established nations with lower piracy rates.

    The statistics collected in this study reflect the real financial harm piracy inflicts on American software companies. Publishers invest hundreds of millions of dollars every year and immeasurable amounts of creativity in designing, encoding and bringing new products to market. They depend upon the revenue they receive from those products to obtain a return on their investment and to fund the development of new products. The impact of software piracy extends beyond the lost sales. Piracy results in thousands of lost jobs and millions of dollars in lost wages and tax revenue.

    For years, software piracy has generally been practiced on a limited, if not small, scale. Its scope and its reach were constrained by such factors as time, physical space, geography and production and distribution costs. It is now possible to see that period in time as ''the good old days.'' Four trends explain this change:

 The online market is exponentially larger than traditional retail markets for pirated products.

 Technology can result in the creation of better software tools for consumers; misuse of that technology also makes the theft of intellectual property much easier and faster to accomplish

 It's harder to catch and take action against perpetrators who operate on the Internet

 Software theft has become an attractive enterprise for organized crime

    First, the Internet has exponentially expanded the market for pirated software. Contrast the number of people who can crowd around a card table at a flea market with the number that can simultaneously access and download software from a pirate website. Instead of pirated copies being sold one at a time, millions of pirated copies can be downloaded every day. Geography no longer matters. A pirate can sell and transfer stolen intellectual property to someone located here in Washington, DC, just as easily as he or she can sell and transfer it to someone in Australia.

    Second, the Internet has also made locating and obtaining pirated software much easier. Consumers in every city can use the phone book to find legitimate software vendors who have a real, physical location. There is, however, no phone book or other tool to locate software pirates who operate from real, physical locations. But computer users can easily employ an Internet search engine to find both legitimate and illegitimate sellers of software. Or consumers can visit popular auction sites and what appear to be legitimate websites to find pirated or counterfeit products that often purport to be genuine. From the buyer's perspective, the Internet also significantly lowers the stigma of knowingly purchasing stolen goods by allowing the transaction to occur in the comfort of one's house or workplace. Advances in bandwidth and compression technology enable downloading to occur in a fraction of the time previously required.

    Third, the ability of Internet pirates to hide their identities on the Internet or operate from remote jurisdictions makes it that much more difficult for rights holders to take responsive action or hold them accountable. Once BSA's investigators identify where pirated software is being distributed online, they can have a much harder time finding the responsible party than in the offline world. We do not have, nor would we want, surveillance capability and our ability to establish the true identity of website owners, spammers, vendors can be limited by their efforts to avoid detection and legitimate privacy concerns. Intellectual property owners can and do use online tools. For example, the Whois database lists the registered owner of a website, although the information is sometimes false or out of date. False Whois contact information may be an issue that this Committee wishes to look into further.

    Let me give you an example of how complicated an Internet investigation can be—a software pirate who lives in Canada can advertise his stolen products on a website hosted by a Chilean Internet Service Provider that lists an email address in India as the point of contact. After an email from the seller directing the purchaser to wire money to a bank account in Japan, the pirate then tells the purchaser via an anonymous email account to go to a website in Mexico to download the software. In order to build a successful case, BSA must work with authorities in each of the countries even though none of the illegal activity occurred in the pirate's home country of Canada. Obviously, this complicated scenario is fortunately uncommon, but it does show the complexity of what we can and do face on a daily basis.

    Finally, the presence of very large amounts of high quality counterfeit software in the market continues to pose a serious problem for BSA's members. During the past 12–18 months, we have seen a dramatic increase in the amount of high quality counterfeit software imported into the U.S. from overseas, especially from Asia. Moreover, international counterfeiting rings have become even more sophisticated in their methods of producing ''look alike'' software and components. For example, recent raids in Hong Kong uncovered evidence of sophisticated research and development laboratories where counterfeiters reverse-engineered the security features of at least one member company's software media. Not surprisingly, investigations in Asia, Europe, and Latin America have revealed the involvement of serious criminal organizations in the manufacture and distribution of high quality counterfeit software. Compared to loan sharking, bank robbery, and protection rackets, software piracy is an easy, rarely prosecuted crime. Finally, the Internet has transformed the business of distributing counterfeit software, making it possible for major exporters in Asia and elsewhere to sell directly to corrupt resellers anywhere in the world. One recent example demonstrates the potential of this distribution method to cause serious harm to U.S. software publishers: during a period of only three months, a small reseller operating out of a trailer in Flugerville, Texas, imported over 47,000 counterfeit copies of Microsoft Office and Windows programs, with an estimated value of $13 million.

HOW DOES SOFTWARE THEFT OCCUR ON THE INTERNET?

    There are two primary means of software theft that occur on the Internet: retail piracy and downloading. Retail piracy includes auction and mail order websites along with email spam advertising pirated programs. Basically, the card table vendors have migrated online. As I noted earlier in my testimony, they can reach an international marketplace 24x7. By making their wares available on legitimate commercial sites such as auction sites, pirates acquire a patina of legitimacy.

    Downloading theft occurs on a wide range of sites and locations where users can download unauthorized copies of copyrighted software programs, e.g., web sites, IRC channels, newsgroups, and peer-to-peer systems like Gnutella. The persons who are making these programs available are essentially throwing a brick through the storefront window and inviting others around the world to loot at their leisure. Clearly, this conduct is not tolerated in the bricks and mortar world and it should not be tolerated online.

WHAT THE INDUSTRY IS DOING TO PROTECT ITSELF

    The members of the Business Software Alliance are in the business of developing popular software programs, not enforcing their intellectual property rights. I know for a fact that they would rather spend the money they pay me to hire another programmer. It is, therefore, a testament to the impact piracy is having on their businesses that they devote considerable financial and human resources to copyright education and awareness campaigns, policy initiatives, and enforcement actions.

    The Business Software Alliance does not solely take a reactive response to software piracy. Indeed, BSA's worldwide piracy campaigns emphasize education, awareness and compliance over enforcement. Our website offers tools for end-users to determine if their installed software base contains an appropriate number of licenses. Other public awareness projects are also listed on our website. Even our enforcement efforts are undertaken with an eye towards sending the message as widely as possible that it is more expensive to violate copyright laws than to comply with them in the first place.

    As an example, let me describe just some of what BSA and its members are doing to protect themselves against piracy in its modern form:

 Notice and takedown programs: BSA maintains a team of investigators in the U.S. and in Europe with additional coverage in Latin America and Asia. We constantly receive referrals from our members, complaints from consumers, and identify infringing activity through proactive investigation. Thousands of notices to ISPs, auction sites, redirect services and others have been sent this year alone. In the United States BSA and other intellectual property owners use the Digital Millennium Copyright Act (DMCA) passed in 1998 to shut down US based websites that contain stolen software.

 Civil litigation: BSA's members have filed suit against dozens of individuals offering pirated software for free download on an Internet relay chat channel that caters to cable-modem users. In November, BSA filed suit against thirteen vendors who offered pirated software for sale on popular Internet auction sites. To give you some idea of how brazen some of these software pirates can be, at least four of those thirteen vendors continue to sell pirated software even after being sued.

 Model business practices for auction sites and ISPs: Software publishers seek the cooperation and engagement of other Internet entities in protecting intellectual property and reducing the incidence of piracy. BSA has, for example, developed model business practices for Internet service providers and for auction sites. We have already received the public support of Amazon.com for the auction site practices and are working with other sites to gain their support.

 Companies are exploring technological solutions that balance interest in intellectual property protection and legitimate needs of users. Experience indicates, however, that there is no silver bullet technological solution to what is, at bottom, an ethical problem.

THE NEED FOR FEDERAL LAW ENFORCEMENT OF U.S. COPYRIGHT LAW

    Notwithstanding all of BSA's efforts in this area, there is a critical need for engagement by federal law enforcement authorities in combating this problem. And thanks to Congressional attention, the tools needed for effective investigation and prosecutions already exist. I commend the members of this Committee for passage of the No Electronic Theft (NET) Act in 1998 and for its leadership in securing enhancements to the federal sentencing guidelines for intellectual property crime.

    There are several reasons why federal law enforcement is a critical component of an effective approach to combating piracy:

 We are now in a period of tremendous opportunity. Attitudes and behaviors are still forming over respect for intellectual property online. Congress has spoken in the form of strong laws against piracy, but Congress' voice can only be heard if law enforcement plays its role and prosecutes those laws.

 Only criminal prosecution and penalties can provide effective deterrence. The threat of a civil judgment is insufficient to deter pirates, many of whom already operate on the margins of society. Pirates need to understand that breaking the law could force them to surrender something more precious-their liberty.

 Law enforcement brings superior investigative capabilities that private industry does not have access to, such as search warrants.

    Software publishers are used to operating in Internet time in which taking years to ramp up or respond can be fatal to a company's bottom line. That is why we have been frustrated in the past by the length of time it has taken to see some meaningful progress in the number of intellectual property cases prosecuted. We are encouraged though by recent indications that intellectual property cases are receiving a higher priority. Ten software piracy cases have been reported on the Department of Justice Computer Crimes and Intellectual Property Section's website this year. While hardly a torrent of activity, that number compares quite favorably to the two such cases announced last year and the one in 1999.

    Prosecutions under the NET Act are one indicator of DOJ's willingness to combat Internet piracy. We are encouraged, therefore, by the fact that just last month, the U.S. Attorney's Office in Chicago secured the first conviction by jury trial of a defendant prosecuted under the NET Act. The defendant was a member of the notorious ''Pirates With Attitude'' software ring. Although there had been previous pleas under the NET Act, a conviction after trial is the truest validation of whether a new criminal statute operates as intended and can serve as an effective prohibition and deterrent. And while there have been other prosecutions of Internet piracy, nothing demonstrates law enforcement's commitment better than taking a case through trial. Finally, a guilty verdict embodies more than legislative or prosecutorial condemnation of particular conduct—it reflects, in the purest sense, a popular judgment that Internet piracy is and should be a criminal offense. In short, the people have now spoken. For pirates out there who were hoping that they would be let off the hook by a jury of their peers, this has to be a major disappointment. To underscore the jury's feelings of the strong case against the defendant, I would point out that the jury deliberated for only 30 minutes before rendering their guilty verdict.

    BSA also applauds the recent efforts by federal law enforcement agencies, particularly the U.S. Customs Service, to devote more resources to fighting counterfeiting. We are aware of international investigations currently being pursued by Customs and several U.S. Attorneys involving the importation of hundreds of thousands of counterfeit CDs. The aggressive pursuit of the organized criminal rings involved in these cases stands out, and is extremely important to our members. At the same time, however, the overall federal law enforcement resources devoted to anti-counterfeiting efforts are still quite inadequate. We are aware of more than a few cases where raids have been delayed or not pursued at all because of the lack of prosecutorial or agent resources. In addition, lack of prosecutorial interest in pursuing these cases continues to pose a serious obstacle to effective enforcement in some jurisdictions.

    There is still work to be done in new areas of software theft. Coordinated action against mail order piracy is necessary to end the consumer fraud and the crime against the rights holder that occurs when an auction site is used to sell pirated or counterfeit software to sometimes unsuspecting buyers. We also need assistance in engaging law enforcement overseas.

OTHER ACTIONS THE FEDERAL GOVERNMENT CAN TAKE TO FIGHT SOFTWARE PIRACY

    The message also needs to be sent to our nation's youth that stealing something on the Internet is no different than walking into a department store and stealing a sweater or videocassette. To that end, the Hamilton Fish Institute on School and Community Violence at George Washington University and BSA recently obtained a grant from the Department of Justice for the ''Crime Prevention and Educational Programs for Intellectual Property Theft and Cyber Crime'' project. This project will better define the scope and nature of electronic crime and will identify effective education strategies to raise public awareness about cyber crime. Part of this effort will be to create public service announcements that reach out to American youth with the message that piracy is wrong.

THE ROLE OF CONGRESS

    Your continued oversight of DOJ is necessary to ensure that software piracy prosecutions are a serious threat and therefore deterrent to those who would plunder the results of someone else's hard work, investment and creativity. Last week, Attorney General Ashcroft testified before the full Judiciary Committee that

''I can say to you that we take very seriously piracy and theft and the invasion of privacy and a whole variety of issues that are related to the advent of the capacity of individuals to utilize the computer both in the industry and personally. And given the fact that much of America's strength and the world economy is a result of our being the developer and promoter of most of the valuable software, we cannot allow the assets that are held electronically to be pirated or infringed, and so we will make cyber crime issues a priority and additional resources have been requested in next year's budget for that and that's not just in this Administration's submission regards to the FBI budget''

    Actions that back up statements like this are the only way that software pirates can be stopped either directly by cases brought against them or by receiving the message that software theft is not an easy crime. In FY2000 Congress approved dedicated appropriations for fighting cybercrime. Continued efforts such as this will ensure that DOJ investigators and prosecutors will have the necessary resources to bring these cases.

CONCLUSION

    I would like to thank the Subcommittee again for the opportunity to testify today. Only through a combined effort by intellectual property owners, educators, policymakers and the law enforcement community will the scourge of software piracy be reduced. I would be happy to answer any questions this Committee may have.

    Mr. SMITH. Thank you, Mr. Kruger.

    Mr. McCurdy.

STATEMENT OF DAVE McCURDY, PRESIDENT, ELECTRONIC INDUSTRIES ALLIANCE

    Mr. MCCURDY. Thank you, Mr. Chairman, and thank you for the opportunity to testify today. I appreciate the invitation, as well as Mr. Scott.

    Mr. Chairman, I ask that my testimony be submitted in the record full, because I want to summarize, and I'll leave it to you all to read the testimony, but there are a couple points that I'd like to summarize.

    Mr. SMITH. All right. Without objection, the complete testimony of all witnesses will be included in the record.

    Mr. MCCURDY. Mr. Chairman, I want to commend my colleagues on the panel today because I think they've stated very clearly the nature of the problem and the significance of it. And I think we're preaching to the choir in the recognition of the problem. This is not a question of ''if'', it's a question of ''when'' and ''how much.''

    If I can, refer just to a quick chart. This is a chart, and it's actually, I think, attached, included in the statements for the panel members or for the Committee. These are the number of incidents reported to the CERT Center at Carnegie Mellon. You can see just the pure graphics, that up until 1999, there were less than 5,000 incidents reported. Each incident is a different kind of attack, whether it's a virus—the ''I love you'' counts as one on this chart. But from 2000, 2001, it jumped over 22,000 reported incidents. So you can see the trend line is very significant. The types of attacks are increasing.

    The important thing that goes with that, Mr. Chairman, is as on one hand, the tools that are available today to perpetrate these attacks have increased. We're no longer in the password guessing game. We're using sniffers and scanning techniques. We have sweepers that live on the Net. You now can go into—and I'll give you some examples of these—tremendously collaborative tools that are available to relatively unsophisticated users and attackers, so you no longer have to be a software genius to be able to perpetrate the attacks. So this is a dangerous trend line that is reported here.

    There was a recent report, Mr. Chair—and actually, if I could, at some point we'll get this site for you, but this is a marvelous forensic analysis by a person, Steve Gibson, at the Gibson Research Corporation, after they were subjected to a denial-of-service attack. And they had two T-1 lines, a lot of gigabit capability. They were completely shut down. He went to the FBI. Didn't get any help; he didn't meet the threshold. And he went to the ISP, didn't get any help. So he went and worked his own way to try to find an answer, and tracked it down. Come to find out it was a 13-year-old person that was collaborative working with others, using 455 Zombie computers, that you and I may have if we're online all the time. Our computer can be taken over with software, and then used to initiate attacks against third parties. It's a marvelous story. It's long, but it's worth reading.

    But when you read that story, you also find that the different types of attacks have changed. From January to June of this year there were new vulnerabilities in software products that were reported from at least 39 different countries. While more traditional models of security often focus on the perimeter defenses, securing your own network from unauthorized access, this model is insufficient for today's networks for a variety of reasons, including the level of technical sophistication and the tools that are now being used.

    Some of the attacks that were shown and some of the tools were virus, denial-of-service, reconnaissance, misuse of resources, deception, false alarm, hoaxes. But we now see that 54 percent couldn't identify the real source. And I don't know, I'll leave it to you, much smarter than I, but I think it was Socrates said that the real knowledge is knowing that we don't know, and so I think there's a lot of this that still needs to be investigated and followed through.

    And there is no magic bullet, silver bullet to solve this. So it takes more—and this is where Mr. Miller and I agree—this is no longer just an issue of cyber crime or national security, this is an economic security issue that needs to be addressed at the board level and CEO level of corporations working cooperatively to develop policies, best practices, tools, share the information, and working with Government to, when appropriate, to try to address this.

    There are a number of policy recommendations. I submit those to the Committee within the written statement, and would be glad to answer any questions with regard to those specifics.

    [The prepared statement of Mr. McCurdy follows:]

PREPARED STATEMENT OF DAVE MCCURDY

    Chairman Smith, Ranking Member Scott, and members of the Judiciary Subcommittee on Crime: I appreciate the opportunity to testify today on behalf of the Electronic Industries Alliance. I am deeply thankful to the Chairman for holding this series of timely and informative hearings on cybercrime. There are few issues that are of more importance to the 2,300 member companies of EIA than cybercrime and a secure Internet.

    This is not news, but it still amazes me how quickly the Internet became such an important part of our lives—both personally and professionally. From the simplest personal task like checking your bank account to the most complicated business transaction, the Internet and information technologies have changed the way we live.

    Unfortunately, the Internet was not designed with security, privacy or civil liberties in mind. It was designed to be an open platform for communication, with distributed control and mutual trust among users. I'm sure the architects of the Internet had no concept of what it would become, just as we have no concept of what it will become twenty years from now.

    Our dependence on this new technology in all areas of our lives has created a true challenge for policymakers: how to protect users of the Internet from the abusers.

    As policymakers contemplate how to best protect the Internet from cybercriminals and try to ascertain the proper role of government on the Internet, the reality remains: as a rule, technology has exponentially outpaced the establishment of sound policy.

    Dependence on information technologies has opened the door to a host of vulnerabilities. Cybercriminals take advantage of these vulnerabilities every day, including threats to staff, physical assets, networks, transmission and stored data. Any of these critical parts of our information infrastructure are susceptible to sophisticated attacks from anonymous cyber-operators such as ''benevolent hackers'', delinquents, industrial competitors, organized crime, foreign adversaries and terrorists.

    The question is not whether or not an attack will come—because it will come. The question is what will government and business do to prepare for the next imminent attack and preserve critical systems and assets to maintain operability in the information world.

SOPHISTICATION OF CYBERATTACKS

    ''Nothing more than a whim of a 13-year old hacker is required to knock any user, site or server right off the internet''—Steve Gibson, Gibson Research Corporation, June 2, 2001

    Between January 1, 2001, and June 12, 2001 new vulnerabilities in software products were reported from at least 39 different countries. Furthermore, traditional models of security often focus on perimeter defenses—securing your own network from unauthorized access. This model is insufficient for today's networks for a variety of reasons including the level of technical sophistication and the tools criminals use to launch attacks has evolved very rapidly. This is further complicated by the ability of intruders to evade law enforcement by launching their attacks from intermediate machines they have previously compromised. Here are some examples of some of the common tools associated with cybercrime activities:

 Automated scanners—programs that scan a range of Internet addresses looking for computers of a particular type.

 Probes—programs that examine a computer, once it is located, searching for one or more vulnerabilities. These vulnerabilities are often present in operating system, network, or applications software. They are problems because even when corrected by vendors, system owners often do not upgrade their software with those corrections.

 Root kit—a program that takes control of a penetrated computer and disguises its presence so the legitimate system owners don't know that the system has been compromised. Once a computer is compromised in this way, the attackers have full access to all data on that computer and often to all data on the local network the computer is connected to.

 Sniffers—programs that are installed on compromised machines to scan network traffic as it passes by and look for data the attackers can use to their advantage (computer account names and passwords, credit card numbers, and other unencrypted sensitive data).

 Attack networks—compromised computers that attackers aggregate into networks controlled by one or more master computers. These networks can be programmed to attack other machines on the Internet, often with crippling denial-of-service attacks.

 IP spoofing—a technique attackers use to hide the identity of their attack computers and fool (spoof) the attacked machine into believing the attacks have come from a different source.

    As the Internet grows, so does the risk. For the first time, intruders are developing techniques to harness the power of hundreds of thousands of vulnerable systems on the Internet. Using what are called distributed-system attack tools, intruders can involve a large number of sites simultaneously, focusing all of them to attack one or more victim hosts or networks. The sophisticated developers of intruder programs package their tools into user-friendly forms and make them widely available. As a result, even unsophisticated users can use them. Subsequently, serious attackers have a pool of technology they can use and mature to launch damaging attacks and to effectively disguise the source of their activities (See attachments).

    Attack technology is developing in an open source environment and is evolving rapidly. Technology experts and users are improving their ability to react to emerging problems, but we are behind. Significant damage to our systems and infrastructure can occur before effective defenses can be implemented. As long as our strategies are reactionary, this trend will worsen.

Current Cybercrime Policy

    The control of U.S. cybercrime policy has traditionally been viewed as an issue for the law enforcement and national defense communities—not an economic policy issue. Solutions for cybercrime have been expressed in terms of criminal sanctions, counter-terrorism efforts and law enforcement training rather than the prevention managed by the users of the information assets, like businesses and individuals.

    However, law enforcement and national security communities do not have all the answers. In addition to leadership from private industry, the following goals need to be met in any national policy on cybercrime:

 A National strategy from the President after consultation with leadership of constituencies for coordinated responses to threats and attacks, such as was developed for Y2K including:

Establishment of empowered organizations for sharing information about cyber-threats, attacks and remedies such as the Internet Security Alliance, the sectoral ISACs, and similar government and international groups

 Incentives for industrial and government institutions to adopt top-down policies of institutional security—including information technology/network security—that include:

Clear designation of responsibility/delegation from CEO

Creation of risk management plan

Investments in employee enculturation and user education

Establishment of best practices regarding high value/high risk environments in information technology, for example:

Establishment of organizational CIO

Employee education on IT security practices

Deployment of best practices technologies

Firewalls

Antiviral software

PKI authentication/encryption for e-mail/Internet

In government, necessary training and funding for these types of programs.

What we need to avoid in establishing a national policy:

New technology-specific criminal statutes that will result in the hobbling of vendor industries and slowing of deployment of leading edge technologies to the mass of internet users.

Where can the private sector help?

    In order to protect all Internet consumers, organizations must search for an industry-led, global, cross-sector network focused on providing solutions to the challenges of the Internet Economy. We are at risk, and the business community must make it a leadership priority. The following are examples of what the private sector should be doing:

Information Sharing

Maintaining an adequate level of security in this dynamic environment is a challenge, especially with new vulnerabilities being discovered daily and attack technology evolving rapidly in an open-source environment. To help organizations stay current with vulnerabilities and emerging threats the private sector must concentrate on providing the following:

 Vulnerability catalog: a complete record of past vulnerability reports. New entries would be added to the catalog as they were reported.

 Technical threat alerts: in the form of ''special communications'' provide early warning of newly discovered security threats and are updated as analysis activities uncover additional information. Ranging from alerts on newly discovered packages of malicious code, such as viruses and trojan horses, to in-depth analysis reports of attack methods and tools, these reports would help organizations defend against new threats and associated attack technology.

 Member information exchange: augmenting the basic services listed above, an organization would have to develop an automated information sharing mechanism that allows business and individuals to anonymously report vulnerability, threat, and other security information that they are willing to share with other secure channels.

 Threat analysis reports: today the great majority of Internet security incidents are conducted by unknown perpetrators who act with unknown motivations to achieve unknown goals. Managing security risks in the long-term will require a better understanding of the perpetrators and the economic, political and social issues that drive them.

Best Practices/Standards

Effective management of information security risks requires that organizations adopt a wide range of security practices. From basic physical security controls that prevent unauthorized access to computing hardware, to user-focused practices on password selection, to highly-detailed system administration practices focused on configuration and vulnerability management, these practices help organizations reduce their vulnerability to attacks from both outsiders and insiders.

 Practices catalog: beginning with existing practice collections and standards, and in collaboration with any participating companies, an organization must develop a catalog of practices that span the full range of activities that must be addressed when developing an effective risk management program. The catalog will contain high-level descriptions of the required practices and should be made publicly available.

Security Tools

While a sizeable commercial marketplace has developed for hardware and software tools that can be used to enhance an organization's security and a variety of tools can now be purchased, comprehensive tool sets are lacking. To fill the gaps, organizations build their own or find and evaluate public domain tools—a time consuming and expensive activity. An organization would have to establish a tools exchange: a restricted access repository where network administrators only can exchange special purpose tools they have created as well as information about, and evaluation of, public domain tools available over the Internet.

Policy Development

While there are many things an organization can do to enhance its security, some issues require broad action. For example, overall security could be improved through increased information sharing between industry and government, but FOIA (Freedom of Information Act) regulations deter companies from sharing sensitive information with the government. Other issues like privacy and the proposed HIPAA legislation could also affect network security. An organization needs to identify these overarching issues and work with the appropriate industry and government organizations to advocate policy that effectively addresses the issues.

Other Critical Areas

    The current state of Internet security is the result of many additional factors, such as the ones listed below. A change in any one of these can change the level of Internet security and survivability.

 Enhanced incident response capabilities—The incident response community has handled most incidents well, but is now being strained beyond its capacity. In the future, we can expect to see multiple broad-based attacks launched at the Internet at the same time. With its limited resources, the response community will fragment, dividing its attention across the problems, thereby slowing progress on each incident.

 The number of directly connected homes, schools, libraries and other venues without trained system administration and security staff is rapidly increasing. These ''always-on, rarely-protected'' systems allow attackers to continue to add new systems to their arsenal of captured weapons.

 The problem is the fact that the demand for skilled system administrators far exceeds the supply.

 Internet sites have become so interconnected and intruder tools so effective that the security of any site depends, in part, on the security of all other sites on the Internet.

 The difficulty of criminal investigation of cybercrime coupled with the complexity of international law mean that successful apprehension and prosecution of computer criminals is unlikely, and thus little deterrent value is realized.

 As we face the complex and rapidly changing world of the Internet, comprehensive solutions are lacking. There is increased reliance on ''silver bullet'' solutions, such as firewalls and encryption. The organizations that have applied a ''silver bullet'' are lulled into a false sense of security and become less vigilant. Solutions must be combined, and the security situation must be constantly monitored as technology changes and new exploitation techniques are discovered.

 There is little evidence of improvement in the security features of most products. Developers are not devoting sufficient effort to apply lessons learned about the sources of vulnerabilities. Until their customers demand products that are more secure, the situation is unlikely to change.

 Engineering for ease of use is not being matched by engineering for ease of secure administration. Today's software products, workstations, and personal computers bring the power of the computer to increasing numbers of people who use that power to perform their work more efficiently and effectively. Products are so easy to use that people with little technical knowledge or skill can install and operate them on their desktop computers. Unfortunately, it is difficult to configure and operate many of these products securely. This gap leads to increasing numbers of vulnerable systems.

SUMMARY

    While it is important to react to crisis situations when they occur, it is just as important to recognize that information assurance is a long-term problem. The Internet and other forms of communication systems will continue to grow and interconnect.

 More and more people and organizations will conduct business and become otherwise dependent on these networks.

 More and more of these organizations and individuals will lack the detailed technical knowledge and skill that is required to effectively protect systems today.

 More and more attackers will look for ways to take advantage of the assets of others or to cause disruption and damage for personal or political gain.

 The network and computer technology will evolve and the attack technology will evolve along with it.

 Many information assurance solutions that work today will not work tomorrow.

    Managing the risks that come from this expanded use and dependence on information technology requires an evolving strategy that stays abreast of changes in technology, changes in the ways we use the technology, and changes in the way people attack us through our systems and networks. To move forward, we will need to make improvements to existing capabilities as well as fundamental changes to the way technology is developed, packaged, and used.

    Cybercrime needs to be attacked at the security level. Attacks will happen—they will become more sophisticated as our technology becomes more sophisticated. The best defense we can take as a nation is to ensure our networks and systems are properly fortified against attack.

    Mr. SMITH. Thank you, Mr. McCurdy.

    As you all know, this is our last of three hearings on a very important subject. We're having more hearings on this subject, in fact, than any other that I'm aware of this year. We hope that these hearings will result in some legislation. Much of the legislation is outdated, and we really haven't had as much or any significant legislation since probably the mid 1980's, and we all know what's happened in the high-tech field since the mid 1980's.

    I really distilled all my questions to ask each one of you to address. And it is this: specifically what type of cyber crime is the greatest threat to your business or to your membership, and what does it cost in dollars, either you or the economy? And second of all, what specific suggestions do you have for legislation that will help reduce cyber crime in America?

    I know, Mr. Kruger, in your written testimony you mention that there was some type—some laws that were not being enforced. If you'll go into a little bit more detail on that.

    And, Dave McCurdy, I know that you have a feeling that there are some types of a national policy we should not have and some that we should have. If you'll go into a little bit more detail on that as well. But if you can try to address those two questions in about a minute a person, that would be great. Mr. Miller.

    Mr. MILLER. Mr. Chairman, as far as the cost, I think the answer is nobody knows. The Computer Security Institute and the Federal Bureau of Investigation do a survey each year, and they come up with a number, but that number is reported crimes. And as Mr. McCurdy pointed out, and I certainly concur, most of these crimes are not reported because companies simply decide the cost of exposing it is simply not worth the candle. And so I think the answer is we really don't know. And certainly the numbers that the FBI/CSI numbers come up with half a billion dollars, three-quarters of a billion dollars, which doesn't sound like a lot given the size of our economy, but our feeling is the number is in fact a lot larger, particularly given the growing sophistication.

    In terms of the greatest threat, the greatest threat is to the fundamental operations and infrastructure. Sure it's a headline when some popular website gets defaced, that's inconvenient, but that really isn't a threat to basic electronic commerce. So the focus has to be on when business is actually being done or when Government work is actually being done. The surveys that ITAA has done, with EDS for example, show that 65 percent of consumers are unwilling to do electronic commerce because of concerns about security, not privacy, which sometimes people confuse, but the issue of security. So it's a deterrent to people going online and doing commercial activity.

    Similarly, a study we did showed that 62 percent of Americans are unwilling to do transactions with Government because of concerns about security, that they are concerned that information that may pass back and forth about whatever the particular transaction they're doing with the Government is at risk, again, not because of privacy concerns, but because of security. So it's a major deterrent.

    In terms of specific legislative recommendations, the only one specifically I focused on was FOIA. I think there are a couple of issues that go beyond. One is the need to deal with this issue internationally. There is an attempt currently underway, that you're aware of, through the Council of Europe, which is kind of an odd-duck organization we know about, to develop some international standards. In theory we support what the Council of Europe is doing, because as we found out last year, for example, with the ''I love you'' virus, which was initiated from the Philippines, at the time the Philippines Government had no laws against the crime that was committed, and ultimately they could not prosecute the individuals, even though they were identified. Since then the Philippines has changed the law. So I think what we need to do is to get more international focus to get some standards. The Council of Europe Treaty, unfortunately, is flawed. It's getting better. There have been more dialog. We think some more improvements are needed.

    And lastly I would say what Congress needs to do in the Government side of this is to put more money to the effort, and this isn't necessarily your Subcommittee, but what we're hearing is a lot of rhetoric out of the Administration. I think the Administration is committed—and this was also true of the previous Administration, so this isn't a partisan comment—but it comes to really giving the CIOs the financial resources they need to protect the Government infrastructure. The money simply isn't there. If you use as a baseline what the financial services industry uses, which is the most advanced, they spend—about 10 percent of their IT spend goes to security. The Government estimates are around 1 percent, if that. So you simply can't get there from here if you're not going to spend the money, no matter how good the rhetoric is, to put the information technology in place, to train the people, to have good processes, then the security is simply not going to happen.

    Mr. SMITH. Thank you, Mr. Miller. Mr. Chesnut.

    Mr. CHESNUT. The most important area, I think, is help us protect our websites. You know, eBay, for example, every day we are literally—we literally have people coming at us dozens of times a day at different levels, and we have to spend enormous resources in trying to make sure that these attacks aren't successful and disrupting the operation of our site. If eBay is taken down for any period of time, it not only affects eBay, but we have tens of thousands of people who depend on us to make a living full time. They're selling goods. So if we're taken down, it's not just our business that's being harmed, but their business as well.

    So legislation that would help us protect our site by enhancing penalties for people who attempt to hack into websites, denial-of-service attacks. I think that's critical.

    In addition, helping us protect our websites against spiders, people who come at us in order to harvest e-mail addresses of our users. You know, we are constantly subjected to individuals who come to our site, steal e-mail addresses, and then use those e-mail addresses to send illegal spam, and often the spam itself encourages illegal activity or is encouraging fraud. And in order for us to really help our users and protect them against fraud, we've got to be able to protect their information and their e-mail addresses against these pirates.

    Mr. SMITH. Thank you, Mr. Chesnut. Mr. Kruger.

    Mr. KRUGER. Mr. Chairman, the competition for which form of piracy is costing us the most losses is pretty stiff these days. One thing I can say with certainty is that Internet piracy is a growing percentage of the losses that we're suffering. We can't quantify it much more than that, other than to say that we're losing more to Internet piracy tomorrow than we lost yesterday, and that trend will continue.

    Credit does go, as I said during my written and my oral testimony, Mr. Chairman, to Members of this Committee for enactment of the NET Act and for the encouragement of the U.S. Sentencing Commission to enhance the Sentencing Guidelines. Those effective tools are out there. They are available. As you said, Mr. Chairman, the question is enforcement using those tools and that's where we think there's much work to be done, and where effective oversight by this Committee in providing law enforcement agencies with the resources they need would accomplish our goal.

    Mr. SMITH. Thank you. Mr. McCurdy.

    Mr. MCCURDY. Mr. Chairman, just very quickly to your question. With regard to legislation, we do believe that the legislation proposed by Congressman Davis (Va.) on FOIA is a step in the right direction, similar to what occurred with Y2K, because without the information sharing, we're not going to be able to address some of these unknown issues, which is really what the threat is in the long term.

    There is a need for a national strategy, and it needs to be led both from the top of Government, from the President on down, but as I said, it needs to be implemented working with the private sector. But there are some things that I think you need to be careful of, and there's always a tendency to look for quick answers and solutions. With a national policy, we should not have any technology specific criminal statutes, because I believe that just ends up hobbling industry and vendor industries, and slowing the deployment of leading edge technologies to the mass of Internet users. And what I'm really saying is that the pace of change in the technological change is so fast, policy just can't keep up with that. And so be very careful not to specifically target that.

    And only one last thing—I can't resist this—this is not an industry chart, I can assure you, and having been on the other side in Government, only Government could draw a chart like that. That's just a description of the number of agencies that have jurisdiction or claim jurisdiction within the Federal Government on this issue, and being able to have a little interagency cooperation and clearing, I think, would go a long way, and also working with the private sector—we're down here at the bottom someplace—and there needs to be some real focus to address that issue in the long term.

    Mr. SMITH. Thank you, Mr. McCurdy. I think you're right about not being specifically targeted on certain technology, because that will in turn become outdated.

    I'm going to ask the—oh, we have 3 Members left—if you all will limit yourself to 3 minutes, we can finish before the series of votes, or we can come back. But let's start, and let's assume we can get through the questions with 3 minutes allowed for each Member, and Ms. Jackson Lee from Texas is recognized for her questions.

    Ms. JACKSON LEE. Thank you very much, Mr. Chairman. Let me thank the witnesses for their testimony. I think they were very thorough, and in light of the restraints that we've voluntarily placed upon ourselves, let me say to you that I do have a great concern with the competing interests, of a question of child pornography that one can find invading on the Web and on the Internet, the violations and the, if you will, misuse of your business sites and the kind of unfortunate results that can come of that, and then of course, the privacy question, of being able to protect the personal information that is shared with you, particularly if it's shared anonymously and shared by legitimate business interests or an adult.

    I'd like to go to you, Mr. McCurdy, and thank you very much for joining us. Thank you for your leadership and the other members. How do we protect the personal—the personal information that you receive, the various businesses receive, from individuals who are sending it for a particular reason?

    Mr. MCCURDY. Well, thank you, Congresswoman, and that's a very good question. I think there's been a lot of progress made on the privacy front. This issue has arisen, and I think there's been a great deal of debate. Each of us here have been engaged in this for quite some time. And you see progress—I don't know if at home in your mail you've been recently—from your bank you're getting statements of their privacy policy, and a lot of people are adopting those, and on the websites there's provisions for that as well.

    This is always an issue of balance and is going to be. We can have privacy, but you can't have privacy without security, so security is where you really need to focus first. Now, you can have security and violate policy and privacy, but you really—the two have to match. And from our perspective—and I'm not talking about the—since we've had computers, there have been those who know how to get inside computers, including this Government. And some of my previous experience on the Intelligence Committee, I can assure you that that's a fact. The private sector I think has done a good job of trying to secure the information. The issue that comes up here is if we are to collaboratively have worked together, we need to be able to share information that's generated from different sources, and that should not be subject to public disclosure in some way, and that's why the FOIA legislation is so critical.

    So, one, I think progress has been made on privacy. We would hope that Congress not overreact and go too far on the privacy front, because I think there is a sufficient degree of movement there, and at the same time that they work with us on the overall security issue of being able to share this information because ultimately it's the consumers and the market's going to determine whether or not this is a success, and if they feel that this is threatened, their privacy's threatened, they won't use our products.

    Ms. JACKSON LEE. Thank you very much, Mr. Chairman.

    Mr. SMITH. Thank you, Ms. Jackson Lee. Mr. Goodlatte, I know you're on your way out the door. Do you want to ask a quick question?

    Mr. GOODLATTE. Yeah. The area that I wanted to follow up in, Mr. Kruger, I have a series of questions I've given the Chairman that I would ask that you respond to in writing. We don't have enough time to do that. But if you could comment briefly on the enforcement of the NET Act, No Electronic Theft Act, thus far, it would be very helpful to us to know what has been happening in terms of the Justice Department fighting piracy on the Internet. This is legislation that Congress passed a few years ago, that cracks down on this multibillion a year problem, and I don't think we're making as much progress as we would like. We asked the Attorney General about this last week. We'd like to hear your perspective.

    Mr. KRUGER. Congressman Goodlatte, well, first I'd like to recognize you as one of our champions on this issue. You have certainly helped the industry in the past.

    On the NET Act specifically, we're encouraged but very modestly encouraged by some recent trends that are reported on the Department of Justice website. From January through May, there were 10 prosecutions involving software piracy. Two of those, I think, fall under the NET Act, and while that's hardly a torrent of activity, it compares very favorably to two prosecutions all of last year, and one in 1999. So I think we're seeing a modest uptick.

    And in addition, as I mentioned during my oral testimony, there was a conviction last month by a Federal jury, after the first jury trial under the NET Act of a member of the notorious Pirates With Attitude software ring in Chicago. So we finally have won after a jury trial. And I think that's an indication of something. I think when a jury speaks, it adds sort of public condemnation to what we've already had, which is congressional statements and prosecutorial statements to that effect.

    So I think there is some progress being made, but we would urge this Committee to continue to exercise its oversight to ensure that progress continues.

    Mr. SMITH. Thank you, Mr. Goodlatte. Mr. Goodlatte, do you want to have these questions submitted to Mr. Kruger?

    Mr. GOODLATTE. Yes. If the Committee would do that, and he would respond in writing, I would appreciate that.

    Mr. SMITH. We have some questions we would like you to answer, if you would, in writing, get back to us within 2 weeks.

    Mr. KRUGER. Be happy to do that.

    Mr. SMITH. Also, without objection, the complete statement of the gentlewoman of Texas, Ms. Jackson Lee, will be made a part of the record.

    [The prepared statement of Ms. Jackson Lee follows:]

PREPARED STATEMENT OF THE HONORABLE SHEILA JACKSON LEE, A REPRESENTATIVE IN CONGRESS FROM THE STATE OF TEXAS

    I want to thank Chairman Smith and Ranking Member Scott for convening an oversight hearing on ''Fighting Cybercrime—Efforts by Private Business Interests.'' This is the third of a four part hearing series on Cybercrime. The first hearing held on June 12, 2001, covered state and local efforts to combat Cybercrime. The second hearing focused on federal efforts to combat Cybercrime. The hearing today addresses industry efforts to combat Cybercrime.

    As lawmakers and concerned citizens, we are painfully aware of the dilemma posed by Cybercrime. The role played by industry is very critical to our efforts to stem continuing abuse and threats against private business and even government. At the hearings on Cybercrime issues, both the companies that these laws would protect, and privacy/civil liberties advocates for users of electronic services, sounded alarms about the adverse impact that could result from law enforcement that is too heavy-handed. For example, testimony revealed that the laws on the book may be more than is needed in that judges, juries and even prosecutors were balking in some cases at finding young hackers guilty because of the necessity of a 6-month mandatory minimum sentence upon conviction.

    I have often expressed my reluctance to support mandatory minimums in other settings. But the primary concern about legislative efforts to combat Cybercrime was their impact on traditional exceptions of privacy and protections of civil liberties. We cannot ignore these concerns in our battle against Cybercrime.

    Accordingly, we have considered a number of legislative remedies to address this serious matter, including increasing the penalties for invasions into stored communications, forfeiture of any property used or intended to facilitate a crime, making computer crime a RICO predicate, and other valuable measures.

    As the industry contemplates crafting solutions, there are the major laws setting privacy standards for government interception of communications and access to subscriber information. These include the federal wiretap statute (''Title III''), 18 USC 2510 et seq., requiring a probable cause order from a judge for real-time interception of voice and data communications; the Electronic Communications Privacy Act of 1986 (ECPA), 18 USC 2701 et seq., setting standards for access to stored electronic communications and transactional records; and the pen register which governs real-time interception of ''the numbers dialed or otherwise transmitted on a telephone line.''

    We continue to revisit the same concerns regarding privacy and civil liberties in these Cybercrime hearings. That is partly because the field of electronic communications is a developing one. While there is a role for law enforcement in enforcing these laws, prudence must be utilized. Additionally, there is a growing list of law enforcement horror stories demonstrating that the electronic communications industry be given a full opportunity to develop effective security measures to ensure protections of privacy.

    Like many of you, I recognize that horror stories such as a recent Texas case involving confiscation of all of one business' computers based on an accusation of electronic communications sabotage by a rival business reflect the dangers of too much involvement of law enforcement. The accused business, against which charges were eventually dropped, lost months of business while incurring legal and other costs to get its equipment back.

    Given the global nature of the information age, there is a need for coordination of law enforcement efforts between federal, state and local entities, and more resources from the federal government to state and local entities for training, equipment, and other needs, to enable them to keep up with criminals who operate in the Cybercrime environment.

    Mr. Chairman, I look forward to the testimony today regarding the industry's role in curbing the threat of Cybercrime in all possible permutations. We cannot do this without your input. Thank you.

    Mr. SMITH. And we'll look to Mr. Delahunt for his questions.

    Mr. DELAHUNT. I'll be very brief, Mr. Chairman, and——

    Is it a fair statement to say that the problems as you perceive them in terms of Government response are jurisdictional issues? I think that might have been part of the rationale that Mr. McCurdy showed us the diagram. And what you would say, not inadequate, but insufficient resources at this point in time, or do you think that in terms of—and I do concur with Mr. McCurdy as far as insuring that whatever substantive legislation passes, that we be careful not to try to create technology-specific bills. Otherwise, we're getting ourselves, I think, into a quagmire. Mr. Miller.

    Mr. MILLER. Mr. Delahunt, I think it's important to note that the Bush Administration has an effort under way now to try to deal with the problem that Mr. McCurdy identified in his chart. There is an effort under way to try to coordinate the efforts better. ITAA itself has advocated the creation of a Federal czar, similar to the role John Koskinen played in Y2K. I'm not sure the Administration's going to go for that, but we are encouraged by the fact that under the national security adviser——

    Mr. DELAHUNT. You're suggesting a tech czar as well as a——

    Mr. MILLER. Absolutely. Not a big staff, the same kind of role that Mr. Koskinen played, which was a whip hand that had the backing of the President.

    Mr. DELAHUNT. Analogous to the drug czar.

    Mr. MILLER. Exactly. But if they won't go that far, at least what we hear from the National Security Council, from Mrs. Rice and the Department of Commerce, is there is a sophisticated——

    Mr. DELAHUNT. One other just quick question. You referred to the international dimension here, and I think that's something that we have to recognize. What is happening internationally? Is there planning in terms of a possible convention that the United States could promote with an eventual treaty to be considered by the various governments?

    Mr. MILLER. That's what the Council of Europe has been trying to develop, Mr. Delahunt. We think much of that is very positive. There are still a few problematic areas that industry is trying to work with. The U.S. is not a member of the Council of Europe, but they do have advisory status, and the Department of Justice has provided a lot of input, and we're hopeful that that final treaty can be something that industry would support.

    Mr. DELAHUNT. I think that's something, Mr. Chairman, that we should take note of.

    Mr. MCCURDY. The point is, it is far from perfect. If anything, it is fundamentally flawed at this point, and I would like—we encourage international cooperation, but that treaty is not the answer right now. So there are—you know, it's moving, but we have direct input other than an advisory role, and so I think there—if we're really going to work on a much broader cooperative role internationally the U.S. needs to take a more——

    Mr. DELAHUNT. You encourage——

    Mr. MCCURDY. I think the Administration understands this, but again, this is not just a cyber crime or national security issue. We need to focus on the economic security aspect of this.

    Mr. MILLER. If I could——

    Mr. SMITH. Thank you, Mr. Delahunt. Mr. Harris (sic), I'm afraid we're going to have to move on.

    Thank you all for your testimony. It's been very, very helpful. I might add—and I didn't go into much detail today—but I've seen examples of all the different types of cyber crime you talk about, back home in my district as I visited various high-tech companies. And I've seen $500, you know, pieces of software duplicated for 5 cents in Korea, sold on the underground market here. I've seen my own website in Congress—now, you talk about a real threat, Harris, it's when a member's website is broken into, and no telling what embarrassing information might be put there to distance the member from the constituency, which is not a good thing to have happen.

    Anyway, regardless of the type of cyber crime, it's a real threat. It's just as serious as physical crime, and we appreciate your help in making suggestions to combat it.

    So thank you all for being here, and we stand adjourned.

    [Whereupon, at 10:54 a.m., the Subcommittee was adjourned.]

A P P E N D I X

Statements Submitted for the Hearing Record

PREPARED STATEMENT OF THE COUNCIL OF EUROPE DRAFT CONVENTION ON CYBER-CRIME FROM THE WORLD INFORMATION TECHNOLOGY AND SERVICES ALLIANCE (WITSA)


Material Submitted for the Hearing Record


(Footnote 4 return)
Since 1988, the Business Software Alliance has been the voice of the world's leading software developers before governments and with consumers in the international marketplace. Its members represent the fastest growing industry in the world. BSA educates computer users on software copyrights; advocates public policy that fosters innovation and expands trade opportunities; and fights software piracy. BSA members include Adobe, Apple Computer, Autodesk, Bentley Systems, CNC Software/Mastercam, Compaq, Dell, Entrust, IBM, Intel, Intuit, Macromedia, Microsoft, Network Associates, Novell, Sybase, and Symantec. BSA websites: www.bsa.org; www.nopiracy.com.