2 November 2002
Source: http://usinfo.state.gov/cgi-bin/washfile/display.pl?p=/products/washfile/latest&f=02110102.glt&t=/products/washfile/newsitem.shtml


US Department of State
International Information Programs

Washington File
_________________________________

01 November 2002

FBI Director Outlines Public-Private Plan to Improve Cybersecurity

(Cites cybercrime as agency's first priority) (2820)

Federal Bureau of Investigation (FBI) Director Robert S. Mueller III
outlined a plan to strengthen private and government cooperation to
improve security of the nation's information infrastructure in a
speech to the Informational Technology Association of America (ITAA)
October 31.

Mueller said the FBI has made cybercrime its number one criminal
priority in anticipation of dramatic increases in what he described as
"Internet-enabled crimes," that is, traditional crimes such as fraud,
identity theft, copyright infringement and child pornography that have
migrated online.

A second class of crimes, born with the Internet age, is also a
serious concern for national law enforcement. Those are computer
intrusions, denial of service attacks and cyber terrorism – all crimes
with "the potential to ruin businesses, cause staggering financial
losses, threaten our national security and even cost lives," Mueller
said.

The FBI is reorganizing itself to better respond and investigate
online criminal activity, Mueller said, with a particular emphasis on
tapping private sector expertise to help respond to crime.

"We are forming high tech task forces that include private sector
players, law enforcement and in some cases experts from academic
disciplines," Mueller explained to the ITAA audience in suburban
Washington. "So when there is a local cyber crime problem, the
worldwide network of the FBI and the resources of the other task force
participants can work together to assist."

The FBI director implored the private sector members of his audience
to provide more information to authorities about unauthorized
intrusions into their computer networks. He estimated that the FBI is
receiving reports on only one third of such incidents. Mueller
acknowledged business leaders' concerns that reporting these cases to
authorities might make them subject to investigation, expose protected
corporate information or attract unwelcome media attention that could
adversely affect stock prices. Mueller offered assurances that the FBI
would take care to minimize such consequences.

"We will try to find the origin of the attacker, help you preserve
evidence and avoid counter-surveillance. We will help protect you
legally," Mueller said. "And we will do what no one else can -- hunt
down the perpetrator and shut him or her down."

Following is the text of the Mueller speech as prepared for delivery:

(begin text)

Remarks by
Robert S. Mueller III
Director, Federal Bureau of Investigation
at the
Information Technology Association of America National Summit
Falls Church, Virginia

October 31, 2402

Thank you. Good morning. I am genuinely pleased to be here. I have
tremendous respect for you and your companies, which I especially
developed when I had the privilege to serve as U.S. Attorney for
Northern California. We were, as you might imagine, busy there with
emerging issues in the cyber area. In February 2000, we set up the
first unit in a U.S. Attorney's office dedicated to prosecuting
computer crimes and intellectual property cases -- the CHIP Unit. It
was at that point I saw clearly how important government-private
sector partnerships were going to be in this dynamic area.

We have a quote by J. Edgar Hoover on a courtyard wall at FBI
Headquarters. It says, "The most effective weapon against crime is
cooperation ...the efforts of all law enforcement agencies with the
support and understanding of the American people." In Hoover's day,
"support and understanding" may have been enough; he did not have a
complex, interconnected, information infrastructure to worry about. We
do. And our efforts to secure that infrastructure and to fight cyber
crime require a new level of engagement -- an active partnership
between the private sector and law enforcement, and an unprecedented
level of cooperation.

Conferences like this one, and the working groups that will come out
of it, are going to help us build that active partnership. I know that
each of you is already heavily engaged in fighting cyber crime and
that your private sector initiatives have led to some significant
victories. This morning, I want to talk about cyber threats from the
FBI's vantage, and about our role in fighting those threats. Above all
I want to talk about the partnership that is needed to get the job
done, and how we can build trust, share information, and ultimately
benefit from each others' strengths.

In broad terms, the FBI sees threats to cyber security as two separate
but related problems. The first is the explosive growth of traditional
crimes that have migrated on-line: the frauds, identity theft,
copyright infringement, child pornography and exploitation. The
powerful, interconnected systems that have done so much to improve our
lives, also nurture the worst elements of society. Small time
criminals can develop into international crime rings on the Internet.
Malcontents can find like-minded hate groups. And scam artists think
they can escape detection in the anonymity of the Web.

Our projections indicate that the number of Internet-enabled crimes
will increase radically in the next few years, potentially driving
down consumer confidence in Internet security, stunting the growth of
e-commerce. In the future, a great number of crimes will have some
cyber component. That is why we have made cyber our number one
criminal priority.

The second problem is a new category of crime that includes computer
intrusions, denial of service attacks, attacks on the Internet Domain
Name System, and cyber terrorism -- not to mention attacks against the
root servers of the Internet, such as we saw the other week. These
types of attacks obviously did not exist in the days before computers,
networks, and the Web. Yet today, they have the potential to ruin
businesses, cause staggering financial losses, threaten our national
security, and even cost lives.

Addressing these threats poses special challenges for law enforcement.
One is the rapid speed of change. We are, after all, a bureaucracy.
With the government procurement system and our own rules and
regulations, it is a challenge for us to keep up with rapidly changing
technology. Another challenge is the distinctly international nature
of cyber crimes. Often when we follow a hacker's footprints across a
border, our foreign counterparts lack the skills or resources to pick
up the chase and put on the handcuffs. In many cases, our crimes are
not their crimes. We tracked the man responsible for the "I Love You"
virus to the Philippines. He caused tens of billions of dollars in
damage; yet his country had no law against disseminating such a virus.
Then too, corruption in foreign businesses and governments in some
parts of the world can make the hottest trail go cold.

The Bureau has very broad jurisdiction in the cyber area -- from
traditional crimes that have migrated online to new forms of cyber
intrusions. We are also the sole U.S. domestic agency responsible for
cyber threats affecting national security, including foreign
intelligence activities and cyber terrorism. And we have a critical
role to play in the comprehensive plan for homeland security.

The creation of the proposed Department of Homeland Security will not
change our jurisdiction, only sharpen our focus. At this point we
expect to migrate the Analysis and Warning Section and the Training,
Outreach and Strategy Section of our National Infrastructure
Protection Center or "NIPC," over to the new Department, but we will
keep NIPC's operational and investigative components.

These transfers make sense, given our different mandates. The Homeland
Security Department will have leadership in the area of vulnerability
assessment and protection -- in other words, making U.S. networks more
secure by patching holes and throwing defenses up around them. The
FBI, by contrast, is taking the lead on actual threats -- that is,
identifying who out there is planning an attack and stopping them --
terrorists and criminals, individuals and organizations. This also
means getting our information to you and letting you know when attacks
might be imminent, so you can protect yourselves.

Think of the distinction in terms of risk analysis. DHS tells you
where you are vulnerable and what patches and fixes are available. But
when you need to make a decision about how much money and energy to
put into protecting your IT infrastructure, this information is not
enough. You also need to know the likelihood that you will be hit. DHS
says there is a problem with some code and it will take X number of
dollars to fix it, but is there a hacker out there who knows how to
exploit it? The FBI and DHS, working together, will give you the
information you need to assess the risks.

The Secret Service, of course, is also playing a key role. We are
working constructively on issues across the board. Recently, to help
us maximize cooperation, we have created three pilot joint FBI Secret
Service High Tech Task Forces, in Los Angeles, Minneapolis, and
Columbia, South Carolina. Vile are also working on improving
information exchange between both agencies.

Let me just briefly outline how the FBI has changed its organization
to maximize our effectiveness in the cyber area.

First, we created a consolidated new Division at FBI Headquarters --
the Cyber Division -- headed by Assistant Director Larry Mefford. I
know you met with Larry this past July. The Cyber Division is
dedicated to supporting counterterrorism, counterintelligence, and
criminal investigations that call for technical expertise, and also to
managing investigations into Internet- facilitated crimes such as
denial of service attacks and the theft of sensitive data over the
Internet.

At the street level -- in all our field offices -- we are
restructuring cyber investigative resources. We anticipate that by the
end of this year, 47 of our field offices will have a specialized
cyber squad; eight of these will have multiple cyber squads. And we
plan to build more Regional Computer Forensic Labs.

Cyber Action Teams or "CATs" will assist with specialized expertise.
They will be deployed on major cases, traveling oversees as needed.
This is a new model for handling these types of cases, and long
overdue.

For leadership and special projects, we are tapping into the private
sector, bringing in experts on an ad hoc basis to help analyze
intelligence; I would like to see a lot more of this.

We are forming high tech task forces that include private sector
players, law enforcement, and in some cases experts from academic
disciplines. So when there is a local cyber crime problem, the
worldwide network of the FBI and the resources of the other task force
participants can work together to assist.

To help cover international threats we are increasing our presence
abroad. We already have 45 offices in foreign cities where our people
work closely with their local counterparts. And many more offices are
in the works.

One last piece of reengineering related to Bureau cyber investigations
is needed: re-tooling the skill sets of the investigators who do the
intelligence gathering and evidence collection. And that means
blue-chip, state-of-the-art training, not just for our own people, but
for task force members and for our state, local, and international
partners. Here is where we need your help, particularly in the highly
technical cyber intrusion area. To get and keep us on the cutting
edge, we need your talented people, perhaps as contractors. Already,
some companies have offered free training on their systems, which may
well be key to our future success.

With this structure in place the next step is to build a stronger
intelligence base, one that will reliably identify threats to the IT
infrastructure and prevent crimes. For our part, we are dumping
everything we have into the base -- interviews, forensic results,
names and identities, financial information, surveillance data, IP
addresses, calling cards, and tips from citizens -- including good
corporate citizens. New provisions in the USA Patriot Act will help
with these efforts.

But again, your help and cooperation is absolutely vital in getting
this intelligence base up to speed. Right now, we are concerned about
the lack of reporting. We estimate we are getting reports of only
one-third of actual unauthorized intrusions into computers or
networks. And when we do get reports, they often lack the specific
information we need. We not only need more reporting, we need better,
more inclusive reporting. Until that happens, our database will be
incomplete and necessarily faulty. In the long run, that will keep us
from seeing the big picture, and keep us from accurately identifying
imminent threats and long-term trends.

We understand the reluctance to report. No company wants
interruptions, negative publicity, release of information that could
help competitors, or the potential for legal liability. Above all, I
hope we will make progress on these concerns today and establish some
genuine trust.

Let me first tell you what will not happen if you report a cyber crime
or intrusion. We will not surround your building with agents clad in
jackets emblazoned with the letters F.B.I. We understand the value of
a low-key approach in these matters. We are coming to assist the
victim company, not prosecute it. Our specialists will come in plain
clothes, perhaps in the guise of contractors or consultants, if
needed.

We will not hold a press conference or issue a press release. At no
time do we hold press conferences on pending cases. As for leaks --
they are forbidden. If one happens, whoever is responsible will answer
to me personally.

We will not take over your system or attach foreign machines to your
networks.

And we will not read your files to study your regulatory compliance
plan. I assure you we are not interested in your files.

These are the urban myths of cyber crime reporting.

What we will do is help you mitigate the damage, preserve your logs,
or start logging if necessary. We will try to find the origin of the
attacker, help you preserve evidence and avoid counter-surveillance.
We will help protect you legally. And we will do what no one else can
-- hunt down the perpetrator and shut him or her down.

Second, let me address your greatest concern, and therefore our
greatest concern: the chance of having your reports made public under
the Freedom of Information Act. We completely understand your
ambivalence and your lawyers' warnings, but we are confident this
issue can be worked out to everyone's satisfaction. Let us approach
Congress together with a plan that will provide the tools you need to
protect your equities and that we need to do our job.

Let me turn now to the issue of information sharing. This is really
the flip side of reporting and every bit as essential to prevention. I
know you have some impatience with what looks like an unequal exchange
of information. The question from our point of view is: how can we
share information that is classified and that could, if leaked,
compromise an investigation or endanger national security?

This is a real obstacle. But let me be clear: our goal, and our plan,
is to share with you detailed, analyzed, information that will help
you protect yourselves. We will advise you of troublesome trends. If
we see an increase in Distributed Denial of Service Attacks, we will
give you a heads up. We will notify you of organized crime activities
that may threaten your infrastructure. If we know a particular IP
address is a trouble spot, we will let you know. We will point out
hackers and let you know what they are doing, so you can patch the
hole before they get to you. We see this as the future role of our
Infragard program -- now with 70 chapters nationwide.

To make this happen, we have several new initiatives. One is to get
security clearances for the private sector people who need them. We
are working on ways to streamline that process. We have also created a
new liaison unit in the Cyber Division that is dedicated to finding
solutions with individual companies and people.

We understand that reducing the risks posed by cyber criminals cannot
be left to a few players. The federal government cannot, by itself,
secure the computer networks of privately owned banks, energy
companies, transportation firms, and the like. And certainly it should
not dictate how families, businesses, universities, and local
governments protect themselves against cyber attacks. We are at the
table, but we need you to fill the other seats. According to Fortune
Magazine, the private sector will spend over $150 billion on homeland
security-related expenses, such as insurance, workplace security,
logistics, and information technology -approximately four times the
federal government's announced homeland security budget.

It is a new world out there. We need your help if we are to be
effective in protecting you and the American people. Help us build a
comprehensive intelligence base. Respond quickly and completely to the
threats we uncover. Help us train our people and task force members.
Help us make the arguments that will get us the resources we need to
fight cyber crimes and attacks.

I am confident that we can work together in partnership to create a
marketplace that is both free and open, safe and secure -- which is
exactly what all of us, and all Americans want.

Thank you very much.

(end text)

(Distributed by the Office of International Information Programs, U.S.
Department of State. Web site: http://usinfo.state.gov)