2 November 2002
Source:
http://usinfo.state.gov/cgi-bin/washfile/display.pl?p=/products/washfile/latest&f=02110102.glt&t=/products/washfile/newsitem.shtml
US Department of State
International Information Programs
Washington File
_________________________________
01 November 2002
(Cites cybercrime as agency's first priority) (2820) Federal Bureau of Investigation (FBI) Director Robert S. Mueller III outlined a plan to strengthen private and government cooperation to improve security of the nation's information infrastructure in a speech to the Informational Technology Association of America (ITAA) October 31. Mueller said the FBI has made cybercrime its number one criminal priority in anticipation of dramatic increases in what he described as "Internet-enabled crimes," that is, traditional crimes such as fraud, identity theft, copyright infringement and child pornography that have migrated online. A second class of crimes, born with the Internet age, is also a serious concern for national law enforcement. Those are computer intrusions, denial of service attacks and cyber terrorism all crimes with "the potential to ruin businesses, cause staggering financial losses, threaten our national security and even cost lives," Mueller said. The FBI is reorganizing itself to better respond and investigate online criminal activity, Mueller said, with a particular emphasis on tapping private sector expertise to help respond to crime. "We are forming high tech task forces that include private sector players, law enforcement and in some cases experts from academic disciplines," Mueller explained to the ITAA audience in suburban Washington. "So when there is a local cyber crime problem, the worldwide network of the FBI and the resources of the other task force participants can work together to assist." The FBI director implored the private sector members of his audience to provide more information to authorities about unauthorized intrusions into their computer networks. He estimated that the FBI is receiving reports on only one third of such incidents. Mueller acknowledged business leaders' concerns that reporting these cases to authorities might make them subject to investigation, expose protected corporate information or attract unwelcome media attention that could adversely affect stock prices. Mueller offered assurances that the FBI would take care to minimize such consequences. "We will try to find the origin of the attacker, help you preserve evidence and avoid counter-surveillance. We will help protect you legally," Mueller said. "And we will do what no one else can -- hunt down the perpetrator and shut him or her down." Following is the text of the Mueller speech as prepared for delivery: (begin text) Remarks by Robert S. Mueller III Director, Federal Bureau of Investigation at the Information Technology Association of America National Summit Falls Church, Virginia October 31, 2402 Thank you. Good morning. I am genuinely pleased to be here. I have tremendous respect for you and your companies, which I especially developed when I had the privilege to serve as U.S. Attorney for Northern California. We were, as you might imagine, busy there with emerging issues in the cyber area. In February 2000, we set up the first unit in a U.S. Attorney's office dedicated to prosecuting computer crimes and intellectual property cases -- the CHIP Unit. It was at that point I saw clearly how important government-private sector partnerships were going to be in this dynamic area. We have a quote by J. Edgar Hoover on a courtyard wall at FBI Headquarters. It says, "The most effective weapon against crime is cooperation ...the efforts of all law enforcement agencies with the support and understanding of the American people." In Hoover's day, "support and understanding" may have been enough; he did not have a complex, interconnected, information infrastructure to worry about. We do. And our efforts to secure that infrastructure and to fight cyber crime require a new level of engagement -- an active partnership between the private sector and law enforcement, and an unprecedented level of cooperation. Conferences like this one, and the working groups that will come out of it, are going to help us build that active partnership. I know that each of you is already heavily engaged in fighting cyber crime and that your private sector initiatives have led to some significant victories. This morning, I want to talk about cyber threats from the FBI's vantage, and about our role in fighting those threats. Above all I want to talk about the partnership that is needed to get the job done, and how we can build trust, share information, and ultimately benefit from each others' strengths. In broad terms, the FBI sees threats to cyber security as two separate but related problems. The first is the explosive growth of traditional crimes that have migrated on-line: the frauds, identity theft, copyright infringement, child pornography and exploitation. The powerful, interconnected systems that have done so much to improve our lives, also nurture the worst elements of society. Small time criminals can develop into international crime rings on the Internet. Malcontents can find like-minded hate groups. And scam artists think they can escape detection in the anonymity of the Web. Our projections indicate that the number of Internet-enabled crimes will increase radically in the next few years, potentially driving down consumer confidence in Internet security, stunting the growth of e-commerce. In the future, a great number of crimes will have some cyber component. That is why we have made cyber our number one criminal priority. The second problem is a new category of crime that includes computer intrusions, denial of service attacks, attacks on the Internet Domain Name System, and cyber terrorism -- not to mention attacks against the root servers of the Internet, such as we saw the other week. These types of attacks obviously did not exist in the days before computers, networks, and the Web. Yet today, they have the potential to ruin businesses, cause staggering financial losses, threaten our national security, and even cost lives. Addressing these threats poses special challenges for law enforcement. One is the rapid speed of change. We are, after all, a bureaucracy. With the government procurement system and our own rules and regulations, it is a challenge for us to keep up with rapidly changing technology. Another challenge is the distinctly international nature of cyber crimes. Often when we follow a hacker's footprints across a border, our foreign counterparts lack the skills or resources to pick up the chase and put on the handcuffs. In many cases, our crimes are not their crimes. We tracked the man responsible for the "I Love You" virus to the Philippines. He caused tens of billions of dollars in damage; yet his country had no law against disseminating such a virus. Then too, corruption in foreign businesses and governments in some parts of the world can make the hottest trail go cold. The Bureau has very broad jurisdiction in the cyber area -- from traditional crimes that have migrated online to new forms of cyber intrusions. We are also the sole U.S. domestic agency responsible for cyber threats affecting national security, including foreign intelligence activities and cyber terrorism. And we have a critical role to play in the comprehensive plan for homeland security. The creation of the proposed Department of Homeland Security will not change our jurisdiction, only sharpen our focus. At this point we expect to migrate the Analysis and Warning Section and the Training, Outreach and Strategy Section of our National Infrastructure Protection Center or "NIPC," over to the new Department, but we will keep NIPC's operational and investigative components. These transfers make sense, given our different mandates. The Homeland Security Department will have leadership in the area of vulnerability assessment and protection -- in other words, making U.S. networks more secure by patching holes and throwing defenses up around them. The FBI, by contrast, is taking the lead on actual threats -- that is, identifying who out there is planning an attack and stopping them -- terrorists and criminals, individuals and organizations. This also means getting our information to you and letting you know when attacks might be imminent, so you can protect yourselves. Think of the distinction in terms of risk analysis. DHS tells you where you are vulnerable and what patches and fixes are available. But when you need to make a decision about how much money and energy to put into protecting your IT infrastructure, this information is not enough. You also need to know the likelihood that you will be hit. DHS says there is a problem with some code and it will take X number of dollars to fix it, but is there a hacker out there who knows how to exploit it? The FBI and DHS, working together, will give you the information you need to assess the risks. The Secret Service, of course, is also playing a key role. We are working constructively on issues across the board. Recently, to help us maximize cooperation, we have created three pilot joint FBI Secret Service High Tech Task Forces, in Los Angeles, Minneapolis, and Columbia, South Carolina. Vile are also working on improving information exchange between both agencies. Let me just briefly outline how the FBI has changed its organization to maximize our effectiveness in the cyber area. First, we created a consolidated new Division at FBI Headquarters -- the Cyber Division -- headed by Assistant Director Larry Mefford. I know you met with Larry this past July. The Cyber Division is dedicated to supporting counterterrorism, counterintelligence, and criminal investigations that call for technical expertise, and also to managing investigations into Internet- facilitated crimes such as denial of service attacks and the theft of sensitive data over the Internet. At the street level -- in all our field offices -- we are restructuring cyber investigative resources. We anticipate that by the end of this year, 47 of our field offices will have a specialized cyber squad; eight of these will have multiple cyber squads. And we plan to build more Regional Computer Forensic Labs. Cyber Action Teams or "CATs" will assist with specialized expertise. They will be deployed on major cases, traveling oversees as needed. This is a new model for handling these types of cases, and long overdue. For leadership and special projects, we are tapping into the private sector, bringing in experts on an ad hoc basis to help analyze intelligence; I would like to see a lot more of this. We are forming high tech task forces that include private sector players, law enforcement, and in some cases experts from academic disciplines. So when there is a local cyber crime problem, the worldwide network of the FBI and the resources of the other task force participants can work together to assist. To help cover international threats we are increasing our presence abroad. We already have 45 offices in foreign cities where our people work closely with their local counterparts. And many more offices are in the works. One last piece of reengineering related to Bureau cyber investigations is needed: re-tooling the skill sets of the investigators who do the intelligence gathering and evidence collection. And that means blue-chip, state-of-the-art training, not just for our own people, but for task force members and for our state, local, and international partners. Here is where we need your help, particularly in the highly technical cyber intrusion area. To get and keep us on the cutting edge, we need your talented people, perhaps as contractors. Already, some companies have offered free training on their systems, which may well be key to our future success. With this structure in place the next step is to build a stronger intelligence base, one that will reliably identify threats to the IT infrastructure and prevent crimes. For our part, we are dumping everything we have into the base -- interviews, forensic results, names and identities, financial information, surveillance data, IP addresses, calling cards, and tips from citizens -- including good corporate citizens. New provisions in the USA Patriot Act will help with these efforts. But again, your help and cooperation is absolutely vital in getting this intelligence base up to speed. Right now, we are concerned about the lack of reporting. We estimate we are getting reports of only one-third of actual unauthorized intrusions into computers or networks. And when we do get reports, they often lack the specific information we need. We not only need more reporting, we need better, more inclusive reporting. Until that happens, our database will be incomplete and necessarily faulty. In the long run, that will keep us from seeing the big picture, and keep us from accurately identifying imminent threats and long-term trends. We understand the reluctance to report. No company wants interruptions, negative publicity, release of information that could help competitors, or the potential for legal liability. Above all, I hope we will make progress on these concerns today and establish some genuine trust. Let me first tell you what will not happen if you report a cyber crime or intrusion. We will not surround your building with agents clad in jackets emblazoned with the letters F.B.I. We understand the value of a low-key approach in these matters. We are coming to assist the victim company, not prosecute it. Our specialists will come in plain clothes, perhaps in the guise of contractors or consultants, if needed. We will not hold a press conference or issue a press release. At no time do we hold press conferences on pending cases. As for leaks -- they are forbidden. If one happens, whoever is responsible will answer to me personally. We will not take over your system or attach foreign machines to your networks. And we will not read your files to study your regulatory compliance plan. I assure you we are not interested in your files. These are the urban myths of cyber crime reporting. What we will do is help you mitigate the damage, preserve your logs, or start logging if necessary. We will try to find the origin of the attacker, help you preserve evidence and avoid counter-surveillance. We will help protect you legally. And we will do what no one else can -- hunt down the perpetrator and shut him or her down. Second, let me address your greatest concern, and therefore our greatest concern: the chance of having your reports made public under the Freedom of Information Act. We completely understand your ambivalence and your lawyers' warnings, but we are confident this issue can be worked out to everyone's satisfaction. Let us approach Congress together with a plan that will provide the tools you need to protect your equities and that we need to do our job. Let me turn now to the issue of information sharing. This is really the flip side of reporting and every bit as essential to prevention. I know you have some impatience with what looks like an unequal exchange of information. The question from our point of view is: how can we share information that is classified and that could, if leaked, compromise an investigation or endanger national security? This is a real obstacle. But let me be clear: our goal, and our plan, is to share with you detailed, analyzed, information that will help you protect yourselves. We will advise you of troublesome trends. If we see an increase in Distributed Denial of Service Attacks, we will give you a heads up. We will notify you of organized crime activities that may threaten your infrastructure. If we know a particular IP address is a trouble spot, we will let you know. We will point out hackers and let you know what they are doing, so you can patch the hole before they get to you. We see this as the future role of our Infragard program -- now with 70 chapters nationwide. To make this happen, we have several new initiatives. One is to get security clearances for the private sector people who need them. We are working on ways to streamline that process. We have also created a new liaison unit in the Cyber Division that is dedicated to finding solutions with individual companies and people. We understand that reducing the risks posed by cyber criminals cannot be left to a few players. The federal government cannot, by itself, secure the computer networks of privately owned banks, energy companies, transportation firms, and the like. And certainly it should not dictate how families, businesses, universities, and local governments protect themselves against cyber attacks. We are at the table, but we need you to fill the other seats. According to Fortune Magazine, the private sector will spend over $150 billion on homeland security-related expenses, such as insurance, workplace security, logistics, and information technology -approximately four times the federal government's announced homeland security budget. It is a new world out there. We need your help if we are to be effective in protecting you and the American people. Help us build a comprehensive intelligence base. Respond quickly and completely to the threats we uncover. Help us train our people and task force members. Help us make the arguments that will get us the resources we need to fight cyber crimes and attacks. I am confident that we can work together in partnership to create a marketplace that is both free and open, safe and secure -- which is exactly what all of us, and all Americans want. Thank you very much. (end text) (Distributed by the Office of International Information Programs, U.S. Department of State. Web site: http://usinfo.state.gov)