Major Executive Speeches

Robert S. Mueller, III, Director, FBI
Information Technology Association of America Conference on Combatting E-Crime
Fairfax, VA
October 31, 2002

Thank you. I want to spend a few moments thanking Paul [McNulty, U.S. Attorney for the Eastern District of Virginia] for putting this together. I think it is important that we have meetings such as this. I see a number of people who have done other things in their lives and now come to talk about cyber-crime, which is an important development in law enforcement. You understand that this is the wave of the future and understand that in the future, to address crime, we will have to look at it from the perspective of the cyber-world.

I want to say that -- it's in my written remarks, so I have to say it: "It is also a pleasure to follow an old friend, Paul McNulty, to this podium." That's true.

"The U.S. Attorney's Office that Paul runs in the Eastern District of Virginia is one of the finest in the country." That is also true.

But what is most striking about my written notes is that it says: "It's almost as good as the United States Attorney's Office that we had in the Northern District of California" -- which is where I was for a number of years.

I will tell you that when I served as U.S. Attorney in San Francisco, I worked with many of your companies. And many of those companies were a part of ITAA. And I want to say that this association represents many of the most important and I would say most vibrant companies in the United States today. That's actually underscored by the fact that there is something like $800 billion in revenue in the year 2001 attributable to ITAA member companies. That is truly remarkable, and it says something not only about our economy today, but about our economy in the future.

I want to talk a little bit about San Francisco and what we did in San Francisco, because I think it has become, with Marty [Stansell-Gamm, Chief, Department of Justice Computer Crime and Intellectual Property Section] -- who is up here -- and with Paul and with other U.S. Attorneys around the country, a way of doing things. We started a unit in San Francisco that was set up exclusively to prosecute computer crimes and intellectual property crimes. While I was out there, I saw a necessity to staff that unit with individuals who were both talented prosecutors and who understood and could work with the technology. And whether it is computer crimes cases, or hacking and denial of service cases, or the intellectual property cases, you need that combination.

We were very lucky, particularly in the San Jose area, to have had a strike force that addressed computer crimes, established by the police chief and the district attorney there. What I wanted to do in San Francisco was to complement that state and local law enforcement network with FBI agents and with the prosecutors that would have the expertise in that area. Since that time, across the country, there have been a number of similar units set up, which I believe is the way to go.

I particularly want to talk today about how we relate -- how you in private industry relate to those units -- and how we can work together to maximize our cooperation in the future.

Let me talk at the outset about what I see as the two great threats to cyber-security and some related problems. First, from our perspective, there are a number of traditional crimes that have migrated online: the garden variety frauds, identity theft, copyright infringement, child pornography and child exploitation. What has happened, as you all know, is that the powerful technologies that have done so much to improve the quality of our lives are also being used by some of the worst elements of our society: small-time criminals who can take on a whole new persona on the Internet; malcontents who can find like-minded hate groups; and scam artists who think they can escape detection in the anonymity of the Web.

Our projections indicate that the number of Internet-enabled crimes will increase radically over the next few years, with the potential for driving down consumer confidence in Internet security and stunting the growth of e-commerce, neither of which we can afford.

The second problem is the evolution of a new category of crime that includes computer intrusions, the denial-of-service attacks, the worms, the viruses and the like. We saw an example of that just last week with the attacks against the root servers on the Internet. These types of attacks, quite obviously, did not exist in the days before computers, but they are something that we must address.

In response to these problems, we are reshaping the FBI -- and reshaping it in a number of ways. We're reshaping the bureau to focus hard on terrorism, which is our number-one priority, and to focus on counter-intelligence, our second priority, because there is no other agency with the skills and network to do it.

Our third priority is cyber crime, and there are a number of reasons why. It is our responsibility ultimately, we believe, to protect the technological infrastructure of the United States. If we do not do it, who else will?

We are working closely and cooperatively with the Secret Service, but it is important for the FBI as an institution to recognize that five, ten years down the road, we must have the expertise to address cyber-attacks on our infrastructure and to address cyber-crime in all of its iterations. We must prepare and get that expertise now. That is why, when we sent out our list of priorities in the wake of September 11, cyber crime was one of our top three priorities.

For us that means doing a number of things.

In the past, we had organizationally fragmented our responsibilities in a number of different divisions at headquarters and in a number of different units in the field. Since September 11, we have consolidated those strands within our organization in a new cyber division, and we are in the process of similarly consolidating these responsibilities in each of our field offices. We hope by doing so to accumulate the expertise -- the investigative expertise, along with the expertise of prosecutors -- to work with our state and locals in discrete units, so that all players will know where to go, whether at headquarters or in the field.

The second thing we have done is to change our hiring philosophy. The minimum age at which we will hire is 23: we are looking for people who have had other careers and who have the judgment and maturity to hold a badge and carry a gun. Now, in the past we have looked at hiring in basically four categories--lawyers, accountants, former law enforcement, and former military. But what we are looking for now are individuals with specific and different skills.

In the wake of September 11, for instance, we are looking for computer programmers. We are looking for IT specialists who have had some other career and who want to be FBI agents. We are also looking for language specialists, engineers, and scientists who can assist with things like the anthrax investigation. Bottom line: we want to bring in new types of agents, with expanded brands of experience.

It is important for us, in developing these IT capabilities, to ensure that we get quality people who have that bedrock experience so that they start with a profound understanding of the computer world. Then we can teach them the techniques that are so necessary to becoming a good investigator.

The third area in which we are doing a better job is in working cooperatively with others at the federal level as well as the state and local level. That takes many forms. For example, we have formed joint teams to address cyber-crime with the Secret Service in three cities around the country. By combining our capabilities with Secret Service capabilities, we can work cooperatively on the federal level to maximize our effect.

As another example, we have established regional computer forensics laboratories in several cities, starting in San Diego. Many of you know about this. The individuals who put that concept together had, I think, a remarkable idea. They understood that when you take a hard drive out of a doper's computer or from some person who has committed some sort of Ponzi scheme, you have to analyze it. You have to download the information. And then you have to be prepared to go to court and testify as to what you have found. So by combining, in these forensics laboratories, state and local and federal experts, an interchange of ideas occurs and requirements and standards begin to be commonly developed that enable us to go into a court room and testify with expertise and credibility.

We are establishing these laboratories around the country--and not just at the FBI, but also at Secret Service, Customs, INS, and with state and local authorities. These are the wave of the future and enable us to work together with state and local law enforcement in ways that we have not done in the past.

One last example on how we are working cooperatively.

It is important for us as an agency, as an organization, to understand that while we bring substantial investigative and organizational talents to the table, there are other agencies, whether at the federal, state or local level, who bring to the table equal talents and capabilities. The challenge for us in the future is to fully understand the strengths we bring to the table, but not to overwhelm others who bring equally important skills there.

Take the cooperative effort involved in the recent sniper investigation with [Assistant Director in Charge of the FBI Washington Field Office] Van Harp and [Special Assistant in Charge of the Baltimore Field Office] Gary Bald, with state and local officers, with Chief Moose, and with all other involved parties. While there was some low level grousing, the fact of the matter is that it worked -- that cooperative effort maximized the talents of many agencies and resulted in a successful conclusion.

And that is the way we, as an agency, have to work in the future, whether it be sniper attacks, whether it be in addressing counter- terrorism threats or in the cyber-arena. And to the extent that we expand as an agency, we should expand understanding that we want to complement others in the law enforcement community.

The last point I would like to discuss this morning, as I said, is how we -- the private sector and law enforcement -- can work together better. And by that I mean it is critically important for us to work with private industry in ways that we do not work with other, quote, "victims."

There are number of reasons for this. We lack the expertise in particular areas, for instance, and we need your help in that.

As we address cyber crimes -- whether it be denial-of-service attacks, hacking attacks or worms or the like -- we need to work with you, share with you, get your expertise, and be attentive to your practical concerns. You who are here from the corporate world are the real victims in these cases. And it is important for us, as we found out in San Francisco, to understand your very real concerns about being identified as victim companies.

We have to understand that when we are called into an investigation, the mere fact of you calling on us can adversely impact the image of your company.

We have to understand in law enforcement that there may be privacy concerns that you need to protect in order to protect the image of your company.

We have to understand that if we put on raid jackets and come in with a lot of publicity, that will not help us do the job. I think the FBI has learned that you do not want us there in raid jackets; you want us there quietly. You want to have discussions about the problem. You want to discuss how we can initiate the logs that may be needed to identify the perpetrator. And you want us to understand, and we need to understand, your concerns regarding your intellectual property -- that if a particular case ever goes to court and there is a problem about publicizing what happened in it, that might open to the public those items that are important to your profit margins.

We have to understand all that.

And we are beginning to understand, but we still need to work through the incidents and issues with you. I am confident that when we have those issues, there are mechanisms, for instance protective orders, to protect the things you think need to be protected. I am confident that we can do this in a low-key fashion, and that we can work with you -- the victims -- to reach some resolution.

Let me specifically address the subject of you reporting to us cyber attacks on your computer systems. We probably get one-third of the reports that we would like to get, probably for all the reasons I have just discussed. But for us, you are not enabling us to do the job we need to do.

If we as an agency are to become more predictive in the future and prevent attacks from happening, we need a comprehensive database that pulls in -- and I understand part of the dialogue this afternoon is to see how we can better communicate -- that pulls in all those instances where your infrastructure has been attacked. So our bedrock need at the outset is to be notified of all attacks. I encourage you to discuss this afternoon, and to discuss with the special agent in charge in your area, how these attacks can be reported in such a way that the reporting does not adversely affect your industry.

The other side of this coin, of course, is that there has to be a sanction on the attackers. You want attacks stopped; you want hackers stopped; you don't want to face this down the road; so you put up the best possible protection. But then the attacker will just wander down the street and hit the next company, and that's not good for the industry, and it is not good for your friends and peers in the industry. There has to be a sanction. And the sanction is locking up these people -- putting the cuffs on them.

So the future of cyber cases is not just protecting your systems. If there are people out there who are going to be hitting company after company after company, it is important that we go after them. The sanction has to be arresting them. And in the future we need you as the victim companies to help provide us with the information that will enable us to do that.

One of the things that the FBI must do better than we have in the past is to address the international dimensions of these attacks. We are now beefing up our international capabilities, because denial-of-service attacks or hacking attacks can start in Bulgaria and hit us in the United States.

Any one individual company cannot address this problem. But we can. We can do that with our contacts, with our 45 legal attache offices overseas, where we have established the contacts that will enable us to address that kind of conduct. But we need your reporting at the outset to be able to trace the attacker.

About a month and a half ago, when I was in Germany, my legal attache there told me of an instance where an attack began in the German telephone system and maybe from one of the German ISPs. Because we were there and had developed relationships with a German telephone company and the spinoff ISPs, we were invited to go over with our experts to help them understand what had happened in this series of attacks.

That is the kind of relationship that is very important for us to develop. In the future, these will serve as a foundation for other cases down the road. It is that kind of international cooperation that will stand us all in good stead.

The core law enforcement value in all of this is the cooperative effort among law enforcement entities at every one of the levels, the cooperative efforts between law enforcement entities within the United States and with our counterparts overseas, and, critically, the cooperative efforts between private industry and law enforcement -- us and you.

Symposia like this today enable us to discuss issues, to come up with solutions, and to establish the relationships that will help us address these problems in the future. I thank you for your attention this morning, and I look forward to our continuing dialogue.