Good morning, Chairman Horn, and thank you
for inviting me here today to discuss cyber security issues. While I
am going to discuss broad aspects of cyber security and the role of
the NIPC in helping to secure the nation's critical infrastructures, I
am going to focus on some recent incidents that demonstrate the
success we can have when government partners with other nations and
with the private sector. I will then discuss the NIPC’s role in
cyber security with respect to predicting, preventing, detecting, and
responding to incidents with an emphasis on computer viruses and
worms. The final part of my statement will focus on some of the recent
virus and worm cases we have faced.
A virus is malicious computer code
embedded within an executable program that victims activate on their
machines, usually by opening an e-mail attachment. Often viruses are
sent with notes instructing recipients to open the attachment, such as
the note with the Melissa Macro Virus which stated "here is the
document you requested," or with a tantalizing title such as
"sexxxy.jpg," or "naked wife." Worms, on the other
hand, require no action by the victims to activate. They spread on
their own from system to system without need for the victim to do
anything. The Code Red Worm, for example, automatically sends itself
to 99 IP addresses it generates. Once activated, viruses and worms can
do anything from deleting files to sending themselves, together with
documents on your hard drive, to some or all of the names in your
address book or to any Internet Protocol address.
Arrest in Leave Worm case
On June 23, 2001, the NIPC issued
“Advisory 01-014,” “New Scanning Activity (with W32-Leave.worm)
Exploiting SubSeven Victims,” regarding the Leave Worm activity.
This particular worm allowed the intruder access to an infected system
while the victim machine was connected to the Internet. It is believed
that home-users’ computers, without updated anti-virus software,
were the systems primarily infected by this worm. Current anti-virus
software will detect the presence of the W32-Leave.worm. Full
descriptions and removal instructions can be found at various
anti-virus web sites.
A 24-year-old male was arrested on
July 23, 2001, in the United Kingdom for violation of its “Computer
Misuse Act 1990.” The announcement of his arrest was delayed to
avoid potentially compromising the ongoing investigation. This
individual who, under British Law, cannot be identified at this time,
was arrested in connection with designing and propagating malicious
code, known as the W32-Leave.worm, or Leaves worm, into Windows-based
computer systems. This individual has been released from custody and
ordered to return to New Scotland Yard on September 24, 2001.
This malicious code was discovered by
the analytical efforts of the employees of the Systems Administration
and Network Security (SANS) Institute and reported by SANS to the NIPC.
This arrest came as a result of a joint FBI/New Scotland Yard, UK,
investigation, and illustrates the benefits of law enforcement and
private industry working together.
Ongoing Efforts on Code Red
The Code Red Worm was discovered in
the wild on July 13, 2001, by network administrators who were
experiencing a large number of attacks targeting the buffer overflow
vulnerability first reported in June, 2001. On June 19, 2001, the NIPC
and FedCIRC issued a joint advisory about the buffer overflow
vulnerability that targeted Microsoft Windows NT and Microsoft Windows
2000 operating systems running IIS 4.0 and 5.0. On July 19, 2001, the
NIPC issued an advisory on the Code Red Worm. The advisory stated
that, "the activity of the Ida Code Red Worm has the potential to
degrade services running on the Internet." On a single day the Code
Red Worm infected more than 250,000 systems in just nine hours.
The Code Red Worm, which was first reported by eEye Digital Security,
takes advantage of known vulnerabilities in the Microsoft IIS Internet
Server Application Program Interface (ISAPI) service. Un-patched
systems are susceptible to a "buffer overflow" in Idq.dll, which
permits the attacker to run embedded code on the affected system. This
memory-resident worm, once active on a system, first attempts to spread
itself by generating a sequence of random IP addresses and infecting
unprotected web servers at those addresses. Each worm thread then
inspects the infected computer's system clock. The trigger time for
the DoS phase of the Code Red Worm was midnight on July 20, 2001. Upon
successful infection, the worm used this time check in an effort to
bring down the www.whitehouse.gov domain by having the infected systems
simultaneously send 100 connections to port 80 of the White House's
Internet Protocol address.
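The propagation behaviour just described leaves a recognisable trace on every probed web server: a request for an .ida or .idq resource carrying a query far longer than any legitimate Index Server query. The following Python script is an added example, not a tool from the NIPC, eEye, or any other organisation named in this testimony. It scans IIS W3C-format log lines for that pattern and summarises the probing sources. The log lines are constructed, the field order is an assumption (date, time, client IP, method, URI stem, URI query, status), and the length threshold is a value chosen for this example rather than one documented anywhere.

```python
import re
from collections import Counter

# Added example (not an NIPC, CERT/CC or eEye tool): flag Code Red-style probes
# in IIS W3C extended log lines. Assumed field order:
#   date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
LOG_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<ip>\S+) (?P<method>\S+) "
    r"(?P<stem>\S+) (?P<query>\S+) (?P<status>\d{3})$"
)

# Code Red reached the Idq.dll buffer overflow through the .ida/.idq ISAPI
# mappings with a query of several hundred bytes; legitimate index queries
# are far shorter. The threshold is an assumption chosen for this example.
ISAPI_EXTS = (".ida", ".idq")
MIN_QUERY_LEN = 200


def is_code_red_like(stem, query):
    """True for an ISAPI indexing request whose query is suspiciously long."""
    return stem.lower().endswith(ISAPI_EXTS) and len(query) >= MIN_QUERY_LEN


def scan_log(text):
    """Return one record per matching line: line number, source IP, status, query length."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # '#Fields:' headers and malformed lines are skipped
        if is_code_red_like(m["stem"], m["query"]):
            hits.append({
                "line": lineno,
                "ip": m["ip"],
                "status": m["status"],
                "query_len": len(m["query"]),
            })
    return hits


def summarize(hits):
    """Count probes and distinct sources; many distinct sources fits worm scanning."""
    by_ip = Counter(h["ip"] for h in hits)
    return {
        "probes": len(hits),
        "unique_sources": len(by_ip),
        "top_sources": by_ip.most_common(3),
    }


# Constructed sample log (documentation addresses, not real hosts). The long
# run of N's stands in for the oversized query the worm sent.
PAYLOAD = "N" * 224
SAMPLE_LOG = "\n".join([
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    f"2001-07-19 10:02:11 192.0.2.10 GET /default.ida {PAYLOAD} 200",
    "2001-07-19 10:02:13 192.0.2.10 GET /index.html - 200",
    f"2001-07-19 10:03:40 198.51.100.7 GET /default.ida {PAYLOAD} 200",
    # a short, legitimate Index Server query is not flagged
    "2001-07-19 10:04:02 203.0.113.5 GET /search.idq CiRestriction=report 200",
    f"2001-07-19 10:05:55 198.51.100.7 GET /default.ida {PAYLOAD} 200",
])

if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(f"line {h['line']}: {h['ip']} sent a {h['query_len']}-byte "
              f"ISAPI query (HTTP {h['status']})")
    print(summarize(found))
```

A hit means the server was probed, not necessarily compromised: apply the Microsoft patch regardless of what the logs show, and inspect flagged hosts for the defacement text and for the backdoor that Code Red II installs, both described later in this statement.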
The original variant of the worm also
placed the words "Welcome to worm.com! Hacked by Chinese!"
on the victim sites. Two other variants of the original worm do not
deface victim web sites. The NIPC, along with its government and
private sector partners, realized that persons using Microsoft Windows
NT and Microsoft Windows 2000 operating systems running IIS 4.0 and
5.0 needed to be warned to patch their systems for the safety of the
entire Internet. Officials from the following organizations were all
involved in the response effort working through the weekend of July
28-29: National Infrastructure Protection Center (NIPC) of the FBI,
Critical Infrastructure Assurance Office (CIAO) of the Department of
Commerce, Federal Computer Incident Response Center (FedCIRC) of the
General Services Administration, Computer Emergency Response Team
Coordination Center (CERT/CC) of Carnegie Mellon University, Systems
Administration and Network Security (SANS) Institute, Microsoft,
Internet Security Systems, Inc. (ISS), Cisco Systems, Inc.,
Partnership for Critical Infrastructure Security (PCIS), Information
Technology Association of America (ITAA), Digital Island, Inc.,
Information Technology Information Sharing and Analysis Center (IT-ISAC),
Internet Security Alliance (ISA), UUNet, and America Online.
On Sunday July 29, the NIPC, Microsoft Corporation, Federal Computer
Incident Response Center (FedCIRC), the Information Technology
Association of America (ITAA), CERT Coordination Center (CERT/CC),
SANS Institute, Internet Security Systems (ISS), and the Internet
Security Alliance (ISA) issued a joint warning message about Code Red.
The NIPC posted the warning and
numerous updates on its public website (www.nipc.gov) and pushed the
warning to InfraGard members through the InfraGard communications
network, to state and local police through the National Threat Warning
System, and to tens of thousands of private sector companies via the
FBI's Awareness National Security Issues and Response (ANSIR) network.
By forwarding the warning message to those who may need it, the NIPC
strives to ensure that those who are part of its information sharing
networks receive the information as quickly as possible with minimal
effort on their part. In other cases InfraGard has already prevented
cyber attacks by discreetly alerting InfraGard members to compromises
on their systems. For efforts such as the one made on Code Red, the
InfraGard initiative recently received the 2001 WorldSafe Internet
Safety Award from the Safe America Foundation.
On July 30 a joint news conference was
held at the Ronald Reagan Building in Washington, D.C. The presence of
representatives of agencies, companies, and organizations which
produced the Code Red warning demonstrated the seriousness of the
threat and the public-private partnership that has developed with
regard to protecting our information systems from attack. The urgency
of the news conference lay in the fear that the spread of the worm
could absorb so much bandwidth as to degrade the overall functioning
of the Internet. Since business, medical, and government professionals
increasingly depend on the Internet's functioning to conduct normal
operations, service degradation poses an emerging threat to America's
economy and security.
Microsoft has developed a patch for
the identified vulnerability. According to Microsoft, over 2 million
copies of the IIS patch have been downloaded. The July 30 news
conference no doubt accelerated this process. Since the patches can be
downloaded and installed on a number of machines, the actual number of
systems patched may be higher than 2 million. The NIPC and its
partners have received much positive feedback from the user community
regarding these efforts on Code Red.
We are hopeful that the worst of the
damage feared was averted based on this awareness campaign.
Nevertheless Computer Economics, a California-based Internet research
organization, estimates that the worm has already cost $2.4 billion in
economic impact, including $1 billion to cleanse, inspect, patch, and
return systems to normal service, and $1.4 billion for other support
functions related to lost productivity due to the worm. As of August
8, the SANS Internet Storm Center noted that 661,044 unique IP
addresses have been infected, representing 150,000 to 175,000 infected
machines (a machine can have more than one associated IP address).
While all of these figures are subject to revision, two trends seem
clear. First, the rate of infection from the original worm has been
substantial, although not at the same rate as in July. Second, the
aggressive efforts on the part of the government and private sector
urging computer users to patch their systems seem to have paid off.
Self-propagating worms that exploit vulnerabilities in commonly used
software platforms will continue to pose a security challenge. These
worms require no social engineering (i.e., no one needs to be tricked
into revealing any information) and require no action on the part of
users (e.g., opening an attachment). As we saw with Code Red, they
can hurt us in two ways: they can consume Internet bandwidth during
their propagation phase if enough machines are infected, and they can
carry harmful payloads, such as instructions to launch an attack
against a chosen target. Anyone can be the next target, and future
worms may result in much more destructive activity.
There is another worm we have been
tracking since early August dubbed “Code Red II.” This worm
exploits the same vulnerability as the original Code Red Worm and its
variants, but instead of compromising a system to launch Denial of
Service attacks, it installs a backdoor into infected systems that can
be accessed by anyone knowing that the victim system has been
compromised.
On August 16 the NIPC released an
assessment entitled "Code Red Reminder and Clarification,
Assessment 01-018." That assessment clarifies issues related to
which operating systems and software are vulnerable to Code Red and
also makes clear that, contrary to some reports, we have not yet
identified a Code Red III.
The NIPC Approach to the Problem
Because the NIPC is an interagency
Center, it could quickly react to the recent infections of the Leave
and Code Red Worms. Senior leadership positions in the NIPC are held
by personnel from several agencies. The NIPC Director is a senior FBI
executive. The Deputy Director of the NIPC is a two-star Navy Rear
Admiral and the Executive Director is detailed from the Air Force
Office of Special Investigations. The Section and Unit Chiefs in the
Computer Investigation and Operations Section and the Training,
Outreach, and Strategy Section are from the FBI. The Assistant Section
Chief for Training, Outreach and Strategy is detailed from the Defense
Criminal Investigative Service. The Section Chief of the Analysis and
Warning Section is from the CIA and his deputy is a senior FBI agent.
The head of the NIPC Watch and Warning Unit is reserved for a
uniformed service officer, and the head of the Analysis and
Information Sharing Unit is reserved for a National Security Agency
manager. This breadth of leadership has meant that when worms such as
Code Red appear, coordination across the civilian and military
agencies of the government is rapid and efficient.
But it is not just in the leadership
ranks that the NIPC has broad representation. Currently the Center has
representatives from the following agencies: FBI, Office of the
Secretary of Defense, Army, Air Force Office of Special
Investigations, Defense Criminal Investigative Service, National
Security Agency, United States Postal Service, Department of
Transportation/Federal Aviation Administration, Central Intelligence
Agency, Department of Commerce/Critical Infrastructure Assurance
Office, and the Department of Energy. This representation has given us
the unprecedented ability to reach back to the parent organizations of
our interagency detailees on intrusions and infrastructure protection
matters in order to provide and receive information. In addition, we
have formed an interagency coordination cell at the Center which holds
monthly meetings with U.S. Secret Service, U.S. Customs Service,
representatives from DoD investigative agencies, the Offices of
Inspector General of NASA, Social Security Administration, Departments
of Energy, State, and Education, and the U.S. Postal Service, to
discuss topics of mutual concern.
This representation is not enough,
however. The NIPC would like to see all lead agencies represented in
the Center. The more broadly representative the NIPC is, the better
job it can do in responding to viruses, worms, and other intrusions
into critical U.S. systems.
We have established four strategic
directions for our capability growth: prediction, prevention,
detection, and mitigation/response. None of these are new concepts but
the NIPC will renew its focus on each of them in order to strengthen
our strategic analysis capabilities. The NIPC will work to further
strengthen its longstanding efforts on the early detection and
mitigation of cyber attacks. These strategic directions will be
significantly advanced by our intensified cooperation with federal
agencies and the private sector.
Prediction:
Our most ambitious strategic
directions, prediction and prevention, are intended to forestall
attacks before they occur. We are seeking ways to forecast or predict
hostile capabilities in much the same way that the military forecasts
weapons threats. The goal here is to forecast these threats with
sufficient warning to prevent them. A key to success in these areas
will be strengthened cooperation with intelligence collectors and the
application of sophisticated new analytic tools to better learn from
day-to-day trends. The strategy of prevention is reminiscent of
traditional community policing programs but with our infrastructure
partners and key systems vendors. As the recent Leave and Code Red
Worm incidents demonstrate, our working relations have never been
closer with key federal agencies, like FedCIRC, NSA, CIA, and the
Joint Task Force - Computer Network Operations (JTF-CNO), and private
sector groups such as SANS, the anti-virus community, major Internet
Service Providers, and the backbone companies. These close
relationships aid in predicting events before they happen.
Prevention:
Our role in preventing the spread of
computer viruses and worms as well as other cyber intrusions into
critical U.S. systems is not to provide advice on what hardware or
software to use or to act as a federal systems administrator. Rather,
our role is to provide information about threats, ongoing incidents,
and exploited vulnerabilities so that government and private sector
system administrators can take the appropriate protective measures.
The NIPC has a variety of products to inform the private sector and
other domestic and foreign government agencies of the threat,
including: alerts, advisories, and assessments; biweekly CyberNotes;
monthly Highlights; and topical electronic reports. These products are
designed for tiered distribution to both government and private sector
entities consistent with applicable law and the need to protect
intelligence sources and methods, and law enforcement investigations.
For example, Highlights is a publication for sharing analysis and
information on critical infrastructure issues. It provides analytical
insights into major trends and events affecting the nation’s
critical infrastructures. It is usually published in an unclassified
format and reaches national security and civilian government agency
officials as well as infrastructure owners and operators. CyberNotes
is another NIPC publication designed to provide security and
information system professionals with timely information on cyber
vulnerabilities, hacker exploit scripts, hacker trends, virus
information, and other critical infrastructure-related best practices.
It is published on our website and disseminated in hardcopy to
government and private sector audiences.
The NIPC has elements responsible for
both analysis and warning. What makes the NIPC unique is that it has
access to law enforcement, intelligence, private sector, foreign
liaison, and open source information. No other entity has this range
of information. Complete and timely reporting of incidents from
private industry and government agencies allows NIPC analysts to make
the linkages between government and private sector intrusions. We are
currently working on integrating our databases consistent with the law
to allow us to more quickly make the linkages among seemingly
disparate intrusions. This database will leverage both the unique
information available to the NIPC through FBI investigations and
information available from the intelligence community and open
sources. Having these analytic functions at the NIPC is a central
element of its ability to carry out its preventive mission.
The NIPC also shares information via
its InfraGard Initiative. All 56 FBI field offices now have InfraGard
chapters. Just in the last six months the InfraGard Initiative has
added over 1000 new members to increase the overall membership to over
1800. It is the most extensive government-private sector partnership
for infrastructure protection in the world, and is a service we
provide to InfraGard members free of charge. InfraGard expands direct
contacts with the private sector infrastructure owners and operators
and shares information about cyber intrusions and vulnerabilities
through the formation of local InfraGard chapters within the
jurisdiction of each of the 56 FBI Field Offices and several of its
Resident Agencies (subdivisions of the larger field offices).
A key element of the InfraGard
initiative is the confidentiality of reporting by members. The
reporting members edit out the identifying information about
themselves on the notices that are sent to other members of the
InfraGard network. This process is called sanitization and it protects
the information provided by the victim of a cyber attack. Much of the
information provided by the private sector is proprietary and is
treated as such. InfraGard provides its membership with the capability
to write an encrypted sanitized report for dissemination to other
members. This measure helps to build a trusted relationship with the
private sector and at the same time encourages other private sector
companies to report cyber attacks to law enforcement.
InfraGard held its first national
congress from June 12-14, 2001. This conclave provided an excellent
forum for NIPC senior managers and InfraGard members to exchange
ideas. InfraGard's success is directly related to private industry's
involvement in protecting its critical systems, since private industry
owns most of the infrastructures. The dedicated work of the NIPC and
the InfraGard members is paying off. InfraGard has already prevented
cyber attacks by discreetly alerting InfraGard members to compromises
on their systems.
The NIPC is also working with the
Information Sharing and Analysis Centers (ISACs) established under the
auspices of PDD-63. The North American Electric Reliability Council (NERC)
serves as the electric power ISAC. The NIPC has developed a program
with the NERC for an Indications and Warning System for physical and
cyber attacks. Under the program, electric utility companies and other
power entities transmit incident reports to the NIPC. These reports
are analyzed and assessed to determine whether an NIPC alert,
advisory, or assessment is warranted to the electric utility
community. Electric power participants in the program have stated that
the information and analysis provided by the NIPC makes this program
especially worthwhile. NERC has recently decided to expand this
initiative nationwide. This initiative will serve as a good example of
government and industry working together to share information, and the
Electric Power Indications and Warning System will provide a model for
the other critical infrastructures.
With the assistance of NERC, the NIPC
conducted a six-month pilot program and a series of workshops to
familiarize participants with the program's operating procedures. The
workshops included hands-on table-top exercises that required program
participants to work through simulated scenarios dealing with credible
cyber and physical attacks directed against the power industry. In the
summer of 2000, a half-day table-top exercise was held for companies
in NERC's Mid-Atlantic region allowing them to role-play in responding
to simulated incidents pre-scripted by NIPC and company
representatives. Since October 2000, the NIPC, supported by NERC, has
conducted three workshops around the country in order to provide
program participants with hands-on experience in responding to attacks
against the electric power grid. Eventually, the NIPC will strive to
have similar models and exercises for all the infrastructures.
The NIPC serves as sector liaison for
the Emergency Law Enforcement Services (ELES) Sector at the request of
the FBI. The NIPC completed the ELES Sector Plan in February, 2001.
The ELES Sector Plan was the first completed sector report under
PDD-63 and was delivered to the White House on March 2, 2001. At the
Partnership for Critical Infrastructure Security in Washington, D.C.,
in March, 2001, the ELES Plan was held up as a model for the other
sectors. The NIPC also sponsored the formation of the Emergency Law
Enforcement Services Sector Forum, which meets quarterly to discuss
issues relevant to sector security planning. The Forum contains
federal, state, and local representatives. The next meeting of the
Forum is scheduled for September, 2001.
The Plan was the result of two years'
work in which the NIPC surveyed law enforcement agencies concerning
the vulnerabilities of their infrastructure, in particular their data
and communications systems. Following the receipt of the survey
results, the NIPC and the ELES Forum produced the ELES Sector Plan.
The NIPC also produced a companion "Guide for State and Local Law
Enforcement Agencies" that provides guidance and a
"toolkit" that law enforcement agencies can use when
implementing the activities suggested in the Plan.
The importance of the ELES Sector Plan
and the Guide cannot be overstated. These documents will aid some
18,000 police and sheriff’s departments located in towns and
neighborhoods to better protect themselves from attack by providing
them with useful checklists and examples of procedures they can use to
improve their security. Since the local police are usually among the
first responders to any incident threatening public safety, their
protection is vital.
Also, the NIPC has prepared model
agreements to promote information sharing and has presented them for
negotiation to the following existing or potential ISACs: Association
of Metropolitan Water Agencies (AMWA), Financial Services, Information
Technology, National Association of State Chief Information Officers (NASCIO),
National Coordinating Center (NCC) for Telecommunications, National
Emergency Management Association (NEMA), National Petroleum Council (NPC),
and US Fire Administration (USFA). Offers for information sharing
arrangements will be made to the emerging Rail and Aviation ISACs. We
are promoting the establishment of an ISAC for the Public Health
Services Sector. With respect to the federal agencies, NIPC has
developed a model agreement for use in promoting information sharing
with the other 70 plus executive branch agencies, and will soon launch
a campaign to formalize these arrangements.
Detection:
Given the ubiquitous vulnerabilities
in existing Commercial Off-the-Shelf (COTS) software, intrusions into
critical systems are inevitable for the foreseeable future. Thus
detection of these viruses, worms, and other intrusions is crucial if
the U.S. Government and critical infrastructure owners and operators
are going to be able to respond effectively. To improve our detection
capabilities, we first need to ensure that we are fully collecting,
sharing, and analyzing all extant information. It is often the case
that intrusions can be discerned simply by collecting bits of
information from various sources; conversely, if we do not collate
these pieces of information for analysis, we might not detect the
intrusions at all. Thus the NIPC's role in collecting information from
all sources and performing analysis in itself serves the role of
detection.
Federal Agency system administrators
need to work with the NIPC. PDD-63 makes clear the importance of such
reporting. It states, “All executive departments and agencies shall
cooperate with the NIPC and provide such assistance, information and
advice that the NIPC may request, to the extent permitted by law. All
executive departments shall also share with the NIPC information about
threats and warning of attacks and about actual attacks on critical
government and private sector infrastructures, to the extent permitted
by law.”
In order to carry out this mandate,
the NIPC is working closely with FedCIRC and the anti-virus community.
The NIPC and the Computer Emergency Response Team (CERT) at Carnegie
Mellon University have formed a mutually beneficial contractual
relationship. The NIPC receives information from the CERT that it
incorporates into strategic and tactical analyses and utilizes as part
of its warning function. The NIPC is routinely in telephonic contact
with CERT/CC and the anti-virus community for purposes of sharing
vulnerability and threat information on a real-time basis. CERT/CC
input is often sought when an NIPC warning is in production. The NIPC
also provides information to the CERT that it obtains through
investigations and other sources, using CERT as one method for
distributing information (normally with investigative sources
sanitized) to security professionals in industry and to the public.
The Watch also provides the NIPC Daily Report to the CERT/CC via
Internet e-mail. On more than one occasion, the NIPC provided CERT
with the first information regarding a new threat, and the two
organizations have often collaborated in putting information out about
incidents and threats.
The NIPC has an excellent relationship
with the General Services Administration’s Federal Computer Incident
Response Center (FedCIRC). NIPC and FedCIRC are both crucial to
effective cyber defense but serve different roles. When an agency
reports an incident, FedCIRC works with the agency to identify the
type of incident, mitigate any damage to the agency's system, and
provide guidance to the agency on recovering from the incident.
FedCIRC has detailed a person to the NIPC Watch Center. In addition,
the NIPC sends draft alerts, advisories, and assessments on a regular
basis to FedCIRC for input and commentary prior to their release. NIPC
and FedCIRC information exchange assists both centers with their
analytic products. The NIPC and FedCIRC are currently discussing ways
to improve the flow of information between the two organizations and
encourage federal agency reporting of incident information to the NIPC.
In response to victim reports, the
NIPC sponsored the development of tools to detect malicious software
code. For example, in December 1999, in anticipation of possible Y2K
related malicious conduct, the NIPC posted a detection tool on its web
site that allowed systems administrators to detect the presence of
certain Distributed Denial of Service (DDoS) tools on their networks.
In those cases, hackers planted tools named Trinoo, Tribal Flood Net (TFN),
TFN2K, and Stacheldraht (German for barbed wire) on a large number of
unwitting victim systems. Then, when the hacker sent a particular
command, the victim systems in turn began flooding target systems with
traffic. The target systems became overwhelmed and were unable to
function, so users trying to access a target system were denied its
services. The NIPC's detection tools were downloaded
thousands of times and have no doubt prevented many DDoS attacks. In
fact, in this cutting edge area of network security, the NIPC’s
Special Technologies and Applications Unit (STAU) received the 2000
SANS Award.
If we determine that an intrusion is
imminent or underway, the NIPC Watch is responsible for formulating
assessments, advisories, and alerts, and quickly disseminating them.
The substance of those products will come from work performed by NIPC
analysts. We can notify both private sector and government entities
using an array of mechanisms so they can take protective steps. In
some cases these warning products can prevent a wider attack; in other
cases warnings can mitigate an attack already underway. This was the
case both with our warnings regarding e-commerce vulnerabilities and
the more recent warnings posted about Code Red. Finally, these notices
can prevent attacks from ever happening in the first place. For
example, the NIPC released an advisory on March 30, 2001, regarding
the “Lion Internet Worm,” which is a DDoS tool targeting
Unix-based systems. Based on all-source information and analysis, the
NIPC alerted systems administrators how to look for this compromise of
their system and what specific steps to take to remove the tools if
they are found. This alert was issued after consultation with FedCIRC,
JTF-CNO, a private sector ISAC, and other infrastructure partners.
Mitigation/Response:
Despite our efforts, we know that
critical U.S. systems will continue to be attacked. The perpetrators
could be criminal hackers, teenagers, cyber protestors, terrorists, or
foreign intelligence services. In order to identify an intruder, the
NIPC coordinates an investigation that gathers information using
either criminal investigative or foreign counter-intelligence
authorities, depending on the circumstances. We also rely on the
assistance of other nations when appropriate.
In the cyber world, determining the
“who, what, where, when, and how” is difficult. An event could be
a system probe to find vulnerabilities or entry points, an intrusion
to steal data or plant sniffers or malicious code, the spreading of a
virus or worm, an act of teenage vandalism, an attack to disrupt or
deny service, or even an act of war. The crime scene itself is totally
different from the physical world in that it is dynamic: it grows,
contracts, and can change shape. Further, the tools used to perpetrate
a major infrastructure attack can be the same ones that are freely
available on the Internet and used for other cyber intrusions (such as
simple hacking, foreign intelligence gathering, or organized crime
activity to steal property), making identification more difficult.
Obtaining reliable information is necessary not only to identify the
perpetrator but also to determine the size and nature of the intrusion
and what information security response may prevent further attack: how
many systems are affected, what techniques are being used, and what is
the purpose of the intrusions (disruption, economic espionage, theft
of money, etc.).
Relevant information could come from
existing criminal investigations or other contacts at the FBI Field
Office level. It could come from the U.S. Intelligence Community,
other U.S. Government agency information, private sector contacts, the
media, other open sources, or foreign law enforcement contacts. The
NIPC’s role is to coordinate, collect, analyze, and disseminate this
information. Indeed this is one of the principal reasons the NIPC was
created.
Because the Internet by its nature
embodies a degree of anonymity, our government’s proper response to
an attack first requires significant investigative steps.
Investigators typically need a full range of criminal and/or national
security authorities to determine who launched the attack or authored
the malicious code. There are many federal statutes that criminalize
unauthorized conduct over the Internet. The law prohibits a wide
variety of acts conducted with computers, some of which are
traditional crimes (such as wire fraud and pornography) and others of
which are more technology-specific crimes, such as hacking.
The primary Federal statute that
criminalizes breaking into computers and spreading malicious viruses
and worms is the Computer Fraud and Abuse Act, codified at Title 18 of
the United States Code, Section 1030. Other statutes that are
typically implicated in a hacking case include Section 1029 of Title
18, which criminalizes the misuse of computer passwords, and Section
2511 of Title 18, which criminalizes hackers who break into
systems and install "sniffers" to illegally intercept
electronic communications. In order to investigate these violations,
law enforcement relies on traditional sources and techniques to gather
evidence, ranging from the public's voluntary assistance to court
authorized searches and court authorized surveillance. We have similar
investigative capabilities when pursuing cases in which foreign powers
or terrorist organizations are impairing the confidentiality,
integrity, or availability of our networks, although in these cases
our legal authority typically is derived from the National Security
Act of 1947 and the Foreign Intelligence Surveillance Act (FISA), both
codified in Title 50 of the United States Code, rather than pursuant
to the Federal Criminal Code.
The FBI has designated the NIPC to act
as the program manager for all of its computer intrusion
investigations, and the NIPC has made enormous strides in developing
this critical nationwide program. In that connection, the NIPC works
closely with the Department of Justice Criminal Division’s Computer
Crime and Intellectual Property Section, Office of Intelligence Policy
and Review, and the U.S. Attorney’s Offices in coordinating legal
responses.
In the event of a national-level set
of intrusions into significant systems or a major virus outbreak, the
NIPC will form a Cyber Crisis Action Team (C-CAT) to coordinate
response activities and use the facilities of the FBI's Strategic
Information and Operations Center (SIOC). The team will have expert
investigators, computer scientists, analysts, watch standers, and
other U.S. government agency representatives. Part of the U.S.
government team might be physically located at FBI Headquarters and
part of the team may be just electronically connected. The C-CAT will
immediately contact field offices responsible for the jurisdictions
where the attacks are occurring and where the attacks may be
originating. The C-CAT will continually assess the situation,
support and coordinate investigative activities, and issue updated
warnings, as necessary, to all those affected by or responding to the crisis.
The C-CAT will then coordinate the investigative effort to discern the
scope of the attack, the technology being used, and the possible
source and purpose of the attack.
The NIPC’s placement in the FBI’s
Counterterrorism Division will allow for a seamless FBI response in
the event of a terrorist action that encompasses both cyber and
physical attacks. The NIPC and the other elements of the FBI’s
Counterterrorism Division have conducted joint operations and
readiness exercises in the FBI’s SIOC. We are prepared to respond
when called upon.
As the Worm Turns
Over the past several years we have
seen a wide range of cyber threats ranging from defacement of websites
by juveniles to devastating worms and viruses released on the
Internet. Some of these are obviously more significant than others.
The theft of national security information from a government agency,
or the interruption of electrical power to a major metropolitan area
would have greater consequences for national security, public safety,
and the economy than the defacement of a website. But even the less
serious categories have real consequences and, ultimately, can
undermine confidence in e-commerce and violate privacy or property
rights. A website hack that shuts down an e-commerce site can have
disastrous consequences for a business. An intrusion that results in
the theft of credit card numbers from an online vendor can result in
significant financial loss and, more broadly, reduce consumers’
willingness to engage in e-commerce. Because of these implications, it
is critical that we have in place the programs and resources to
investigate and, ultimately, to deter these sorts of crimes.
Virus attacks have become more
prevalent in recent years. While tens of thousands of viruses and
worms exist in the wild, the vast majority of them are not serious
threats. But just a few of them have unleashed havoc on the networks.
A survey by InformationWeek and PricewaterhouseCoopers conducted in
the summer of 2000 estimated viruses would cause $1.6 trillion worth
of damage in the year 2000 worldwide. That figure is larger than the
gross domestic product of all but a handful of nations and
demonstrates the huge economic costs that viruses and worms can have
on the global economy.
In addition, because it is often
difficult to determine whether a virus outbreak or worm propagation is
the work of an individual with criminal motives or a foreign power, we
must treat certain cases for their potential as a national security
matter until we gather sufficient information to determine the nature,
purpose, scope, and perpetrator of the attack. While we cannot discuss
ongoing investigations, we can discuss closed cases that involve FBI
and other agency investigations in which the intruder’s methods and
motivation were similar to what we are currently seeing. A few
illustrative cases are described below:
As discussed above, Code Red infected
over 150,000 systems and has yet to be stopped. But this is only the
most recent in a growing list of computer worms. The first worm to get
the attention of the computer users community was the Morris worm,
released on November 2, 1988, by Robert Tappan Morris, a 23-year-old
graduate student at Cornell University. The infant Internet community
had never seen anything like this worm. In a matter of hours it had
infected 6,000 machines and, while it did not damage files, it clogged
the machines and made them unusable. The machines had to be
disconnected from the Internet and repaired. Morris was convicted of
violating the Computer Fraud and Abuse Act and sentenced to three
years' probation, 400 hours of community service, and a $10,500 fine.
In May 2000 companies and individuals
around the world were stricken by the “Love Bug,” a virus (or,
technically, a “worm”) that traveled as an attachment to an e-mail
message and propagated itself extremely rapidly through the victim’s
address books. The virus/worm also reportedly penetrated at least 14
federal agencies including the Department of Defense (DOD), the Social
Security Administration, the Central Intelligence Agency, the
Immigration and Naturalization Service, the Department of Energy, the
Department of Agriculture, the Department of Education, the National
Aeronautics and Space Administration (NASA), along with the House and
Senate.
Investigative work by the FBI’s New
York Field Office, with assistance from the NIPC, traced the source of
the virus to the Philippines within 24 hours. The FBI then worked,
through the FBI Legal Attaché in Manila, with the Philippines’
National Bureau of Investigation, to identify the perpetrator. The
speed with which the virus was traced back to its source is
unprecedented. The prosecution in the Philippines was hampered by the
lack of a specific computer crime statute. Nevertheless, Onel de
Guzman was charged on June 29, 2000, with fraud, theft, malicious
mischief, and violation of the Devices Regulation Act. However, those
charges were dropped in August by Philippine judicial authorities. As
a postscript, it is important to note that the Philippines’
government on June 14, 2000, reacted quickly and approved the
E-Commerce Act, which now specifically criminalizes computer hacking
and virus propagation. Also, the NIPC continues to work with other
nations to provide guidance on the need to update criminal law
statutes.
In some cases, we have been able to
prevent the release of malicious code viruses against public systems.
On March 29, 2000, FBI Houston initiated an investigation when it was
discovered that certain small businesses in the Houston area had been
targeted by someone who was using their Internet accounts in an
unauthorized manner and causing their hard drives to be erased. The
next day, FBI Houston executed a search warrant at the residence of
an individual who allegedly created a computer "worm" that
sought out computers on the Internet. This "worm" looked for
computer networks that had certain sharing capabilities enabled and
used them for the mass replication of the worm. The worm caused the
hard drives of randomly selected computers to be erased. The computers
whose hard drives were not erased actively scanned the Internet for other
computers to infect and forced the infected computers to use their
modems to dial 911. Because each infected computer could scan
approximately 2,550 computers at a time, this worm had the
potential to create a denial of service attack against the 911 system.
The NIPC issued a warning to the public through the NIPC webpage,
SANS, InfraGard, and teletypes to government agencies. On May 15,
2000, Franklin Wayne Adams of Houston was charged by a federal grand
jury with knowingly causing the transmission of a program onto the
Internet that caused damage to a protected computer system by
threatening public health and safety and by causing loss aggregated to
at least $5000. Adams was also charged with unauthorized access to
electronic or wire communications while those communications were in
electronic storage. On April 5, 2001, Adams was sentenced to 5 years'
probation and ordered to pay $12,353 in restitution. Under the terms of his
sentence, Adams is restricted to using a computer only for work and
educational purposes.
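The propagation behaviour described in the Houston case (infected machines scanning large numbers of Internet addresses for computers with network sharing enabled) is visible at a network boundary as a single source fanning out to many distinct destinations on the file-sharing port in a short time. The following Python code is an added example written for this page; it is not the NIPC's or the FBI's tooling and is not taken from the testimony. It runs a simple fan-out detector over a handful of constructed firewall log lines. The log format, the 60-second window, the threshold of five distinct targets, and the use of TCP port 139 (NetBIOS session service, used by Windows file sharing of that era) as the share-scanning indicator are all assumptions of the example; the testimony names neither the port nor any log format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real traffic). Assumed format:
#   "<ISO timestamp> <src_ip> -> <dst_ip>:<dst_port> <proto> <action>"
# 192.0.2.10 sweeps eight hosts on port 139 within seconds (share scanner).
# 192.0.2.20 touches two shares and two web servers (ordinary use).
# 192.0.2.30 fans out on port 80 only (web browsing, not share scanning).
# 192.0.2.40 hits four shares, then two more after the window has expired.
SAMPLE_LOG = """\
2000-03-29T10:00:01 192.0.2.10 -> 198.51.100.1:139 tcp DENY
2000-03-29T10:00:02 192.0.2.10 -> 198.51.100.2:139 tcp DENY
2000-03-29T10:00:03 192.0.2.10 -> 198.51.100.3:139 tcp DENY
2000-03-29T10:00:04 192.0.2.10 -> 198.51.100.4:139 tcp DENY
2000-03-29T10:00:05 192.0.2.10 -> 198.51.100.5:139 tcp DENY
2000-03-29T10:00:06 192.0.2.10 -> 198.51.100.6:139 tcp DENY
2000-03-29T10:00:07 192.0.2.10 -> 198.51.100.7:139 tcp DENY
2000-03-29T10:00:08 192.0.2.10 -> 198.51.100.8:139 tcp ALLOW
this line is deliberately malformed and must be skipped
2000-03-29T10:05:00 192.0.2.20 -> 198.51.100.50:139 tcp ALLOW
2000-03-29T10:05:30 192.0.2.20 -> 198.51.100.51:139 tcp ALLOW
2000-03-29T10:05:31 192.0.2.20 -> 203.0.113.5:80 tcp ALLOW
2000-03-29T10:05:32 192.0.2.20 -> 203.0.113.6:80 tcp ALLOW
2000-03-29T10:06:00 192.0.2.30 -> 203.0.113.11:80 tcp ALLOW
2000-03-29T10:06:01 192.0.2.30 -> 203.0.113.12:80 tcp ALLOW
2000-03-29T10:06:02 192.0.2.30 -> 203.0.113.13:80 tcp ALLOW
2000-03-29T10:06:03 192.0.2.30 -> 203.0.113.14:80 tcp ALLOW
2000-03-29T10:06:04 192.0.2.30 -> 203.0.113.15:80 tcp ALLOW
2000-03-29T10:06:05 192.0.2.30 -> 203.0.113.16:80 tcp ALLOW
2000-03-29T10:10:00 192.0.2.40 -> 198.51.100.21:139 tcp DENY
2000-03-29T10:10:10 192.0.2.40 -> 198.51.100.22:139 tcp DENY
2000-03-29T10:10:20 192.0.2.40 -> 198.51.100.23:139 tcp DENY
2000-03-29T10:10:30 192.0.2.40 -> 198.51.100.24:139 tcp DENY
2000-03-29T10:12:00 192.0.2.40 -> 198.51.100.25:139 tcp DENY
2000-03-29T10:12:10 192.0.2.40 -> 198.51.100.26:139 tcp DENY
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d+\.\d+\.\d+\.\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<port>\d+) (?P<proto>\w+) (?P<action>\w+)$"
)

SHARE_PORT = 139                  # assumption: NetBIOS session service (Windows file sharing)
THRESHOLD = 5                     # distinct targets within one window that we call a scan
WINDOW = timedelta(seconds=60)    # assumption: sliding window length


def parse_log(text):
    """Parse log lines into (timestamp, src, dst, port); malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # never let a bad line crash the detector
        events.append((datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["port"])))
    return events


def find_share_scanners(text, threshold=THRESHOLD, window=WINDOW, port=SHARE_PORT):
    """Return {src_ip: peak distinct targets on `port` within any `window`} for sources
    whose peak reaches `threshold`. Uses a two-pointer sliding window per source."""
    per_src = defaultdict(list)
    for ts, src, dst, p in parse_log(text):
        if p == port:
            per_src[src].append((ts, dst))
    scanners = {}
    for src, hits in per_src.items():
        hits.sort()
        counts = defaultdict(int)   # dst -> events currently inside the window
        start, best = 0, 0
        for ts, dst in hits:
            counts[dst] += 1
            while ts - hits[start][0] > window:   # expire events older than the window
                old = hits[start][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                start += 1
            best = max(best, len(counts))
        if best >= threshold:
            scanners[src] = best
    return scanners


if __name__ == "__main__":
    for src, peak in sorted(find_share_scanners(SAMPLE_LOG).items()):
        print(f"possible share scanner: {src} (peak {peak} distinct targets)")
```

With the sample input only 192.0.2.10 is reported; 192.0.2.40 peaks at four targets because its last two probes fall outside the 60-second window, and the port-80 fan-out from 192.0.2.30 is ignored entirely. In practice the threshold would be tuned per network (a backup server legitimately touching many shares would need an allowlist), and the same window logic applies unchanged to any other port a worm sweeps.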
National security threats remain our
top concern. As Dr. Lawrence Gershwin, National Intelligence Officer
for Science and Technology, told the Joint Economic Committee in June,
2001, "For attackers, viruses and worms are likely to become more
controllable, precise, and predictable--making them more suitable for
weaponization. Advanced modeling and simulation technologies are
likely to assist in identifying critical nodes for an attack and
conducting battle damage assessments." The NIPC is concerned
about three specific categories of national security intruders:
terrorists, foreign intelligence services, and information warriors.
As Gershwin noted in June, "Most U.S. adversaries have access to
the technology needed to pursue computer network operations."
Terrorist groups are increasingly
using new information technology and the Internet to formulate plans,
raise funds, spread propaganda, and communicate securely. In his
statement on the worldwide threat in 2000, Director of Central
Intelligence George Tenet testified that terrorist groups,
“including Hizbollah, HAMAS, the Abu Nidal organization, and Bin
Laden’s al Qa’ida organization are using computerized files,
e-mail, and encryption to support their operations.” In one example,
convicted terrorist Ramzi Yousef, the mastermind of the World Trade
Center bombing, stored detailed plans to destroy United States
airliners on encrypted files on his laptop computer. While we have not
yet seen these groups employ cyber tools as a weapon to use against
critical infrastructures, their reliance on information technology and
acquisition of computer expertise are clear warning signs. During the
riots on the West Bank in the fall of 2000, Israeli government sites
were subjected to e-mail flooding and "ping" attacks. The
attacks originated with sympathetic Islamic elements trying to
inundate the systems with email messages. As one can see from these
examples overseas, "cyber terrorism" (malicious conduct in cyberspace
to commit or threaten to commit acts dangerous to human life, or against
a nation's critical infrastructures such as energy, transportation, or
government operations, in order to intimidate or coerce a government or
civilian population, or any segment thereof, in furtherance of political
or social objectives) is a very real threat.
Foreign intelligence services have
adapted to using cyber tools as part of their information gathering
tradecraft. While I cannot go into specific cases, there are overseas
probes against U.S. government systems every day. It would be naive to
ignore the possibility or even probability that foreign powers were
behind some or all of these probes. The motivation of such
intelligence gathering is obvious. By coordinating law enforcement and
intelligence community assets and authorities in one Center, the NIPC
can work with other agencies of the U.S. government to detect these
foreign intrusion attempts.
The prospect of "information
warfare" by foreign militaries against our critical
infrastructures is perhaps the greatest potential cyber threat to our
national security. We know that many foreign nations are developing
information warfare doctrine, programs, and capabilities for use
against the United States or other nations. In testimony in June,
2001, National Intelligence Officer Gershwin stated that "for the
next 5 to 10 years or so, only nation states appear to have the
discipline, commitment, and resources to fully develop the
capabilities to attack critical infrastructures."
Conclusion
While the NIPC has accomplished much
over the last three years in building the first national-level
operational capability to respond to cyber intrusions, much work
remains. We have learned from cases that successful network
investigation is highly dependent on expert investigators and
analysts, with state-of-the-art equipment and training. We have had
the resources to build some of that capability both in the FBI Field
Offices and at the NIPC, but we have much work ahead if we are to
build our resources and capability to keep pace with the changing
technology and growing threat environment, while at the same time
being able to respond to several major incidents at once.
We are building the agency to agency,
government to private sector, foreign liaison, and law enforcement
partnerships that are vital to this effort. The NIPC is well suited to
foster these partnerships since it has analysis, information sharing,
outreach, and investigative missions. We are working with the
executives in the infrastructure protection community to foster the
development of safe and secure networks for our critical
infrastructures. While this is a daunting task, we are making
progress.
Within the federal sector, we have
seen how much can be accomplished when agencies work together, share
information, and coordinate their activities as much as legally
permissible. But on this score, too, more can be done to achieve the
interagency and public-private partnerships called for by PDD-63. We
need to ensure that all relevant agencies are sharing information
about threats and incidents with the NIPC and devoting personnel and
other resources to the Center so that we can continue to build a truly
interagency, "national" center. Finally, we must work with
Congress to make sure that policy makers understand the threats we
face in the Information Age and what measures are necessary to secure
our Nation against them. I look forward to working with the Members
and Staff of this Subcommittee to address these vitally important
issues.
Thank you.
source: www.fbi.gov