Good afternoon. I am honored to join you here today.
My thanks to Robert Holleyman and the Business Software Alliance for organizing this meeting and for their longstanding support of the Bureau. Members of the Alliance consistently champion our efforts to foster private partnerships and educate the public about cyber crime. We are grateful to count you as friends and partners.
You are all here today because of the dramatic evolution of computer science and information technology. You are explorers and protectors of a new world that did not exist 20 years ago—certainly not in the sense we know today.
As you know, the FBI has long investigated bank robberies. But in recent years our work has changed, and a cartoon in a recent issue of The New Yorker highlights that change. The cartoon features a masked gunman robbing a bank teller. The teller, looking slightly annoyed, says, “You know, you could do this just as easily online.”
As this cartoon illustrates, you are not the only explorers in this new world. Information technology has become a force multiplier for criminals, from online fraud to exploitation to identity theft. With the advent of the Information Age, the world has become smaller and smarter, but the threats we face have become more dangerous and more diverse.
Cyber space has been likened to the Wild West—an open and largely unprotected frontier with seemingly limitless opportunities. Like any new frontier, there will be those who seek to stake their claims, whether by legal or illegal means. And like the outlaws of the Wild West, the outlaws of this new world operate without boundaries and without barriers. They are moving as fast and as far as the technology will take them.
In the classic western, “High Noon,” Gary Cooper was abandoned by the townspeople and left to face the gunslingers on his own. In today’s world, I am grateful that those of us in law enforcement are not facing these outlaws on our own.
In this world of globalization, we continue to build on one central theme: partnerships. Now, more than ever, our success depends on our collaboration with other federal agencies, with state and local law enforcement, private industry and academia, and community leaders and citizens alike.
When I served as the U.S. attorney in San Francisco, I worked with many of your companies. During that time—in February of 2000—some of the nation's most popular online businesses confronted large-scale denial-of-service attacks. Yahoo, eBay and eTrade were just a few of the targeted companies. At the time, these attacks were considered novel and they received a great deal of media attention. These attacks rendered some Internet services completely unavailable and hampered the operations of others.
Working with the targeted companies, cyber trained agents and prosecutors pursued the case nationwide. With the help of the Royal Canadian Mounted Police we identified the source of this attack—a Canadian teen-ager known as “mafiaboy.”
In responding to these and other computer attacks, I became convinced of the need for law enforcement and the private sector—at home and abroad—to work together to prevent, investigate and prosecute cyber crime.
Today I want to talk about the work we are doing in the Bureau to address cyber crime; the value of working together and sharing information; and our collective roles in preventing crime and terrorism in this new world.
The FBI: Protecting Our People and Our Infrastructure
Four years ago, we created the Cyber Division at FBI Headquarters to address cyber crime in a coordinated and cohesive manner. We have seen a considerable escalation in cyber threats since then, from professional hackers who sell information to the highest bidder to cyber spies who steal our technology for profit.
To combat these diverse threats, we must build our capabilities to investigate international cyber crime. We must be as agile and adaptive as the global organizations that threaten us today.
To that end, we have specially trained cyber squads at FBI Headquarters and in each of our 56 field offices. These agents and analysts protect against and investigate computer intrusions, theft of intellectual property and personal information, child pornography and exploitation, and online fraud.
Our 93 Computer Crimes task forces around the country combine state-of-the-art technology and the resources of our federal, state and local counterparts.
Here in San Jose, the Rapid Enforcement Allied Computer Team, known as REACT, includes 19 federal, state, and local agencies and 20 full-time investigators. Working together, we have seen numerous successes.
We are also working with the United States Secret Service to fight cyber crime. The Secret Service has created a nationwide network of electronic crimes task forces, combining the experience and the expertise of law enforcement, the private sector, and academia. The FBI and the Secret Service share federal jurisdiction for investigating cyber crime; our roles in detecting and suppressing computer-based crimes are complementary. We must continue to share information and resources.
Our partnerships are particularly important in computer intrusion cases, where time is of the essence. We must be able to respond rapidly, both to minimize the damage and to maximize the chances of finding those responsible. With our combined resources, we continue to break new ground in the investigation and prosecution of cyber criminals.
One recent case illustrates the point. In November 2004, with our partners in the Naval Criminal Investigative Service and the Department of Defense Criminal Investigative Service, we arrested Jeanson James Ancheta—a well-known member of the botmaster underground.
Just three weeks ago, in the first case of its kind here in the U.S., Ancheta pled guilty to seizing control of hundreds of thousands of Internet-connected computers and renting the network to people who mounted attacks on websites. The 20-year-old hacker faces four to six years in prison.
Global Partnerships and Information Sharing
Increasingly, cyber threats originate outside of the United States. Our information infrastructure is not ours alone—it can be accessed by anyone with a laptop and a modem. The once clear-cut divisions of responsibility and jurisdiction between agencies, states and even countries have been rendered obsolete by the fluid and far-reaching nature of today’s criminal threats.
Our 53 legal attaché offices, or legats, provide the global presence we need. Through these legats, we share information with our law enforcement counterparts and coordinate international investigations.
Our Cyber Action Teams travel around the world on a moment’s notice to assist in computer intrusion cases, whether in government, military, or commercial systems. These teams gather vital intelligence that helps us identify the cyber crimes that are most dangerous to our national security and to our economy.
Much of today’s malware is used to engineer and control botnets and viruses. It is difficult for law enforcement and private industry alike to stay ahead of the curve when it comes to these ever-evolving threats. Through our collaborative efforts, we are moving closer to identifying zero-day exploits. We are working together to identify the world’s preeminent hackers and their methods of operation.
Last year, cyber teams comprised of investigators and experts in malicious code and computer forensics worked closely with Microsoft and with law enforcement officials from Turkey and Morocco to find the criminals responsible for creating and spreading the Mytob and Zotob worms. We resolved this case within just two weeks of the attack, in large part because of the intelligence we received from our private sector partners.
These alliances with our law enforcement and private sector partners are vital to our efforts, but no more so than our collaboration with the citizens we serve. One of our most important links to the public is the Internet Crime Complaint Center, better known as IC3—a partnership between the FBI and the National White Collar Crime Center.
IC3 serves as a clearinghouse for Internet-related consumer complaints. On average, IC3 receives more than 18,000 consumer complaints each month. We use the information we receive from consumers and from our private sector partners to identify current online scams and to find those responsible.
In the wake of Hurricane Katrina, for example, we worked with the American Red Cross, eBay, PayPal, and MasterCard to review more than 6,000 websites purporting to be legitimate fund-raising efforts for hurricane victims. We shut down numerous fraudulent websites and referred nearly 100 related criminal matters to our state and local law enforcement partners.
We are also working with our private sector partners to educate the public about Internet fraud. Together with Monster.com, Target, and the Merchant Risk Council, among others, we are keeping consumers informed about auction fraud, identity theft, re-shipping scams, and foreign lotteries.
Our Collective Roles in Preventing Crime and Terror
Through these public and private alliances, we are moving from rhetoric to reality; we are improving our ability to confront criminal and terrorist threats to our national infrastructure. But information sharing is a two-way street. Those of you in the private sector are the first line of defense.
We recognize that in certain areas we lack the expertise that you possess. We lack the specific knowledge of threats that affect individual businesses every day. That is why we need your help and why we continue to ask for your cooperation.
The InfraGard program is one of our most important links to the private sector. Members from a host of industries, from computer security to the chemical sector, share information about threats to our infrastructure—both physical and virtual—through a secure server.
To date, there are more than 13,000 members of InfraGard, from Fortune 500 companies to small family-owned businesses. The goal is to maintain a two-way dialogue so that private companies can better protect themselves and alert the FBI to any pending threats. We cannot investigate if we are not aware of the problem.
Most companies that experience computer intrusions or breaches of security do not report the incidents to law enforcement because they fear negative publicity and the loss of competitive advantage.
We understand that you have practical concerns about reporting breaches of security. You may believe that notifying the authorities will adversely impact your position in the marketplace. There may be legitimate privacy concerns that you need to protect.
We do not want you to feel victimized a second time by an investigation. We will minimize the disruption to your business. We will not release proprietary or confidential information on a pending investigation. In some instances, such as when the crime involves theft of trade secrets, we can seek protective orders to preserve those secrets and your business confidentiality.
But maintaining a code of silence will not benefit you or your company in the long run. Our safety lies in protecting not just our own interests, but our critical infrastructure as a whole. Those of you in the private sector must make every effort to secure your computer networks and systems. And those of us in law enforcement must be innovative in our investigation and prosecution of cyber criminals. Together, we must find a way to stop these attacks.
Let me spend a moment on another story from my time as a U.S. attorney. We were investigating a computer intrusion case in which a company had been the victim of a zombie attack. I wanted the FBI to monitor the company’s network—with their permission, of course—in the event that the zombie controller returned. I was told that, by Department of Justice policy, the FBI was not allowed to do that. The applicable statute was unclear on whether you needed a court order, and the department took the conservative approach requiring us to get one. Because we had to move quickly, without delay, I questioned that policy.
I called Washington and talked to the head of the Computer Crimes Unit. I told him the policy was a stupid one. I was somewhat perturbed, and asked him to find out the name of the idiot who had come up with that policy. He called back in 10 minutes. “OK, who approved that policy?” I asked. He was inordinately quick to reply, “You did, sir.”
I was chagrined to learn that I had approved that policy when I was head of the Criminal Division at Justice. We learn that some things always come back to haunt us.
As it turns out, that policy was changed by the Patriot Act. If we have the concurrence of the victim, we do not need a court order.
I tell this story for two reasons. First, it is a lesson in humility. Second, it shows that we are finding solutions to such problems.
We are sharing information and combining resources; we are working with our domestic and international partners in law enforcement and in the private sector every day to prevent cyber attacks, and to investigate and prosecute when necessary.
Yet there is more work to be done. We must ensure that all countries have strong laws and the investigative capacity to combat cyber crime. We need to increase our ability to share information in real time. And we must continue to work together to ensure that cyber crimes are prosecuted vigorously around the world.
If recent events have taught us anything, it is that no person, no agency, no company and no country can prevent crime and terrorism on its own. There are too many potential weapons, too many avenues of attack.
We must continue to use our collective resources to protect America. We must stand together to confront criminal and terrorist threats to our economy and our security. The challenges we face are fierce. But together, we will not be defeated. Together, we will keep our nation safe.