Multi-Agency Federal Task Force : PCCIP


Here is the answer to WHY so many federal agencies / military departments
have been visiting The SPYder Web lately - after analysis of nearly 70,000 visitor
log entries we found 'cybergate' - a Presidential commission which includes a dozen
Federal Agencies / Military and N.S.A. whose purpose is to investigate potential
security breaches on nonclassified computer systems from 'terrorists', those
'recreational hackers', and anyone 'with a PC and modem ...'


^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^


                           UPDATE 2000 :


                           February 16, 2000

                           Statement for the Record of
                             Louis J. Freeh, Director
                          Federal Bureau of Investigation

                                    on
                               Cybercrime

                                Before the
                      Senate Committee on Appropriations
               Subcommittee for the Departments of Commerce, Justice, 
                      State, the Judiciary, and Related Agencies
                               Washington, D.C.
  
      Good morning, Mr. Chairman and members of the Subcommittee. I am privileged to join
      Attorney General Reno in this opportunity to discuss cybercrime -- one of the fastest
      evolving areas of criminal behavior and a significant threat to our national and economic
      security.

      Twelve years ago the "Morris Worm" paralyzed half of the Internet, yet so few of us
      were connected at that time that the impact on our society was minimal. Since then,
      the Internet has grown from a tool primarily in the realm of academia and the
      defense/intelligence communities, to a global electronic network that touches nearly
      every aspect of everyday life at the workplace and in our homes. There were over 100
      million Internet users in the United States in 1999. That number is projected to reach
      177 million in the United States and 502 million worldwide by the end of 2003.
      Electronic commerce has emerged as a new sector of the American economy,
      accounting for over $100 billion in sales during 1999, more than double the amount in
      1998. By 2003, electronic commerce is projected to exceed $1 trillion. The recent
      denial of service attacks on leading elements of the electronic economic sector,
      including Yahoo!, Amazon.com, Ebay, E*Trade, and others, had dramatic and
      immediate impact on many Americans.

      I would like to acknowledge the strong support this Subcommittee has provided to the
      FBI over the past several years for fighting cybercrime. This Subcommittee was the first
      to support resources -- back in FY 1997 -- for establishing a computer intrusion
      investigative capability within the FBI. You have generously provided support for our
      efforts against on-line sexual exploitation of children and child pornography -- the
      Innocent Images initiative, as well as to develop our Computer Analysis Response
      Team (CART) program, and the creation of computer crime squads in our field offices.
      For that support, I would like to say thank you.

      In my testimony today, I would like to first discuss the nature of the threat that is posed
      from cybercrime and then describe the FBI's current capabilities for fighting cybercrime.
      Finally, I would like to close by discussing several of the challenges that cybercrime
      and technology present for law enforcement.

      Cybercrime Threats Faced by Law Enforcement

      Before discussing the FBI's programs and requirements with respect to cybercrime, let
      me take a few minutes to discuss the dimensions of the problem. Our case load is
      increasing dramatically. In FY 1998, we opened 547 computer intrusion cases; in FY
      1999, that had jumped to 1154. At the same time, because of the opening of the National
      Infrastructure Protection Center (NIPC) in February 1998, and our improving ability to
      fight cybercrime, we closed more cases. In FY 1998, we closed 399 intrusion cases,
      and in FY 1999, we closed 912 such cases. However, given the exponential increase in
      the number of cases opened, cited above, our actual number of pending cases has
      increased by 39%, from 601 at the end of FY 1998, to 834 at the end of FY 1999. In
      short, even though we have markedly improved our capabilities to fight cyber intrusions,
      the problem is growing even faster and thus we are falling further behind. These figures
      do not even include other types of crimes committed by a computer such as Internet
      fraud or child pornography on-line.

      As part of our efforts to counter the mounting cyber threat, the FBI uses both full
      National Infrastructure Protection and Computer Intrusion squads located in 16 field
      offices and is developing baseline computer intrusion team capabilities in non-squad
      field offices. Further, we are establishing partnerships with state and local law
      enforcement through cybercrime task forces.

      Cyber Threats Facing the United States

      The numbers above do not provide a sense of the wide range in the types of cases we
      see. Over the past several years we have seen a range of computer crimes ranging from
      simple hacking by juveniles to sophisticated intrusions that we suspect may be
      sponsored by foreign powers, and everything in between. A website hack that takes an
      e-commerce site off-line or deprives a citizen of information about the workings of her
      government or important government services she needs, these are serious matters. An
      intrusion that results in the theft of credit card numbers or proprietary information or the
      loss of sensitive government information can threaten our national security and
      undermine confidence in e-commerce. A denial-of-service attack that can knock
      e-commerce sites off-line, as we've seen over the last week, can have significant
      consequences, not only for victim companies, but also for consumers and the economy
      as a whole. Because of these implications, it is critical that we have in place the
      programs and resources to confront this threat. The following is a breakdown of types of
      malicious actors and the seriousness of the threat they pose.

      Insider Threat. The disgruntled insider is a principal source of computer crimes. Insiders
      do not need a great deal of knowledge about computer intrusions, because their
      knowledge of victim systems often allows them to gain unrestricted access to cause
      damage to the system or to steal system data. The 1999 Computer Security
      Institute/FBI report notes that 55% of respondents reported malicious activity by
      insiders.

      There are many cases in the public domain involving disgruntled insiders. For example,
      Shakuntla Devi Singla used her insider knowledge and another employee's password
      and logon identification to delete data from a U.S. Coast Guard personnel database
      system. It took 115 agency employees over 1800 hours to recover and reenter the lost
      data. Ms. Singla was convicted and sentenced to five months in prison, five months
      home detention, and ordered to pay $35,000 in restitution.

      In January and February 1999 the National Library of Medicine (NLM) computer system,
      relied on by hundreds of thousands of doctors and medical professionals from around
      the world for the latest information on diseases, treatments, drugs, and dosage units,
      suffered a series of intrusions where system administrator passwords were obtained,
      hundreds of files were downloaded which included sensitive medical "alert" files and
      programming files that kept the system running properly. The intrusions were a
      significant threat to public safety and resulted in a monetary loss in excess of $25,000.
      FBI investigation identified the intruder as Montgomery Johns Gray, III, a former
      computer programmer for NLM, whose access to the computer system had been
      revoked. Gray was able to access the system through a "backdoor" he had created in
      the programming code. Due to the threat to public safety, a search warrant was
      executed for Gray's computers and Gray was arrested by the FBI within a few days of
      the intrusions. Subsequent examination of the seized computers disclosed evidence of
      the intrusion as well as images of child pornography. Gray was convicted by a jury in
      December 1999 on three counts for violation of 18 U.S.C. 1030. Subsequently, Gray
      pleaded guilty to receiving obscene images through the Internet, in violation of 47
      U.S.C. 223.

      Hackers. Hackers are also a common threat. They sometimes crack into networks
      simply for the thrill of the challenge or for bragging rights in the hacker community.
      More recently, however, we have seen more cases of hacking for illicit financial gain or
      other malicious purposes. While remote cracking once required a fair amount of skill or
      computer knowledge, hackers can now download attack scripts and protocols from the
      World Wide Web and launch them against victim sites. Thus while attack tools have
      become more sophisticated, they have also become easier to use. The recent
      denial-of-service attacks are merely illustrations of the disruption that can be caused by
      tools now readily available on the Internet. Hacks can also be mistaken for something
      more serious. This happened initially in the Solar Sunrise case, discussed below.

      Hacktivism. Recently we have seen a rise in what has been dubbed "hacktivism"--
      politically motivated attacks on publicly accessible web pages or e-mail servers. These
      groups and individuals overload e-mail servers and hack into web sites to send a
      political message. While these attacks generally have not altered operating systems or
      networks, they still damage services and deny the public access to websites containing
      valuable information and infringe on others' rights to communicate. One such group is
      called the "Electronic Disturbance Theater," which promotes civil disobedience on-line
      in support of its political agenda regarding the Zapatista movement in Mexico and other
      issues. This past spring they called for worldwide electronic civil disobedience and have
      taken what they term "protest actions" against White House and Department of
      Defense servers. In addition, during the recent conflict in Yugoslavia, hackers
      sympathetic to Serbia electronically "ping" attacked NATO web servers. Russians, as
      well as other individuals supporting the Serbs, attacked websites in NATO countries,
      including the United States, using virus-infected e-mail and hacking attempts.

      Supporters of Kevin Mitnick hacked into the Senate webpage and defaced it in May and
      June of last year. Mitnick had pled guilty to five felony counts and was sentenced in
      August 1999 to 46 months in federal prison and ordered to pay restitution. Mitnick was
      released from custody in January 2000 after receiving credit for time served on prior
      convictions.

      The Internet has enabled new forms of political gathering and information sharing for
      those who want to advance social causes; that is good for our democracy. But illegal
      activities that disrupt e-mail servers, deface web-sites, and prevent the public from
      accessing information on U.S. Government and private sector web sites should be
      regarded as criminal acts that deny others their First Amendment rights to
      communicate rather than as an acceptable form of protest.

      Virus Writers. Virus writers are posing an increasingly serious threat to networks and
      systems worldwide. As noted above, we have had several damaging computer viruses
      this year, including the Melissa Macro Virus, the Explore.Zip worm, and the CIH
      (Chernobyl) Virus. The NIPC frequently sends out warnings or advisories regarding
      particularly dangerous viruses.

      The Melissa Macro Virus was a good example of our response to a virus spreading in
      the networks. The NIPC sent out warnings as soon as it had solid information on the
      virus and its effects. On the investigative side, the NIPC acted as a central point of
      contact for the field offices who worked leads on the case. A tip received by the New
      Jersey State Police from America Online, and their follow-up investigation with the FBI's
      Newark Field Office, led to the April 1, 1999 arrest of David L. Smith. Search warrants
      were executed in New Jersey by the New Jersey State Police and FBI Special Agents
      from the Newark Field Office. Mr. Smith pleaded guilty to one count of violating Title 18,
      U.S.C. 1030 in Federal Court. Smith stipulated to affecting one million computer
      systems and causing $80 million in damage.

      Criminal Groups. We are also seeing the increased use of cyber intrusions by criminal
      groups who attack systems for purposes of monetary gain. In September, 1999, two
      members of a group dubbed the "Phonemasters" were sentenced after their conviction
      for theft and possession of unauthorized access devices (18 USC §1029) and
      unauthorized access to a federal interest computer (18 USC §1030). The
      "Phonemasters" were an international group of criminals who penetrated the computer
      systems of MCI, Sprint, AT&T, Equifax, and even the FBI's National Crime Information
      Center. Under judicially approved electronic surveillance orders, the FBI's Dallas Field
      Office made use of new data intercept technology to monitor the calling activity and
      modem pulses of one of the suspects, Calvin Cantrell. Mr. Cantrell downloaded
      thousands of Sprint calling card numbers, which he sold to a Canadian individual, who
      passed them on to someone in Ohio. These numbers made their way to an individual in
      Switzerland and eventually ended up in the hands of organized crime groups in Italy.
      Mr. Cantrell was sentenced to two years as a result of his guilty plea, while one of his
      associates, Cory Lindsay, was sentenced to 41 months.

      The "Phonemasters'" methods included "dumpster diving" to gather old phone books
      and technical manuals for systems. They then used this information to trick employees
      into giving up their logon and password information. The group then used this
      information to break into victim systems. It is important to remember that often "cyber
      crimes" are facilitated by old fashioned guile, such as calling employees and tricking
      them into giving up passwords. Good "cyber security" practices must therefore address
      personnel security and "social engineering" in addition to instituting electronic security
      measures.

      Distributed Denial of Service Attacks. In the fall of 1999, the NIPC began receiving
      reports about a new threat on the Internet--Distributed Denial of Service Attacks. In
      these cases, hackers plant tools such as Trinoo, Tribal Flood Net (TFN), TFN2K, or
      Stacheldraht (German for barbed wire) on a number of unwitting victim systems. Then
      when the hacker sends the command, the victim systems in turn begin sending
      messages against a target system. The target system is overwhelmed with the traffic
      and is unable to function. Users trying to access that system are denied its services.
      The NIPC issued an alert regarding these tools in December 1999 in order to notify the
      private sector and government agencies about this threat. Moreover, the NIPC's Special
      Technologies and Applications Unit (STAU) created and released to the public a
      software tool that enables system administrators to identify DDOS software installed on
      victimized machines. The public has downloaded these tools tens of thousands of times
      from the web site, and has responded to the FBI by reporting many intrusions and
      installations of the DDOS software. The public received the NIPC tool so well that the
      computer security trade group SANS awarded their yearly Security Technology
      Leadership Award to members of the STAU. The availability of this tool has helped
      facilitate our investigations of ongoing criminal activity by uncovering evidence on victim
      computer systems.

      On February 8, 2000, the FBI received reports that Yahoo had experienced a denial of
      service attack. In a display of the close cooperative relationship the NIPC has developed
      with the private sector, in the days that followed, several other companies also reported
      denial of service outages. These companies cooperated with our National Infrastructure
      Protection and Computer Intrusion squads in the FBI field offices and provided critical
      logs and other information. Still, the challenges to apprehending the suspects are
      substantial. In many cases, the attackers used "spoofed" IP addresses, meaning that
      the address that appeared on the target's log was not the true address of the system
      that sent the messages.
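      Log review of the kind described above, as an added example that is not the NIPC tool or any FBI code: it parses constructed flow-style log lines, flags a target hit by SYNs from many distinct sources inside a short window, and lists two indicators that the source addresses were forged. The log format, the thresholds and every address are assumptions made for this example.

```python
"""Flag a distributed SYN flood in flow-style logs and report spoofing indicators.

Added example; not NIPC's tool or FBI code. The log format
'ISO-timestamp src dst proto FLAGS' is assumed, and all log lines are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
import ipaddress

# Reserved / non-routable ranges: a packet from one of these arriving on an
# Internet-facing interface has no genuine return path, so the source is forged.
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


def is_bogon(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BOGON_NETS)


@dataclass
class Record:
    ts: datetime
    src: str
    dst: str
    flags: str


def parse_line(line: str) -> Record:
    """Parse one 'timestamp src dst proto FLAGS' line (assumed format)."""
    ts, src, dst, _proto, flags = line.split()
    return Record(datetime.fromisoformat(ts), src, dst, flags)


def analyse(lines, window=timedelta(seconds=10), min_sources=10):
    """Return {dst: report} for each destination that received SYNs from at
    least `min_sources` distinct sources within `window`.

    Spoofing indicators in each report:
      bogon_sources - sources in reserved ranges (cannot be real senders)
      never_acked   - sources that sent a SYN but never an ACK, i.e. the
                      SYN-ACK went to an address that did not answer
    """
    records = sorted((parse_line(l) for l in lines if l.strip()),
                     key=lambda r: r.ts)
    syn_by_dst = defaultdict(list)
    acked = set()
    for r in records:
        if r.flags == "S":
            syn_by_dst[r.dst].append(r)
        elif "A" in r.flags:
            acked.add((r.src, r.dst))

    reports = {}
    for dst, syns in syn_by_dst.items():
        # Sliding window over time-sorted SYNs: peak count of distinct sources.
        peak, start = 0, 0
        for end in range(len(syns)):
            while syns[end].ts - syns[start].ts > window:
                start += 1
            peak = max(peak, len({r.src for r in syns[start:end + 1]}))
        if peak < min_sources:
            continue
        sources = {r.src for r in syns}
        reports[dst] = {
            "syn_packets": len(syns),
            "distinct_sources": len(sources),
            "peak_sources_in_window": peak,
            "bogon_sources": sorted(s for s in sources if is_bogon(s)),
            "never_acked": sorted(s for s in sources if (s, dst) not in acked),
        }
    return reports


def constructed_logs():
    """Constructed sample: three completed handshakes, then a 30-source flood."""
    base = datetime(2000, 2, 9, 10, 0, 0)
    target = "203.0.113.10"
    lines = []
    for i, src in enumerate(("198.51.100.5", "198.51.100.6", "198.51.100.7")):
        t = base + timedelta(seconds=i)
        lines.append(f"{t.isoformat()} {src} {target} tcp S")
        lines.append(f"{(t + timedelta(milliseconds=50)).isoformat()} {target} {src} tcp SA")
        lines.append(f"{(t + timedelta(milliseconds=100)).isoformat()} {src} {target} tcp A")
    # Forged sources: five from a private range, 25 public-looking ones; none ever ACKs.
    forged = [f"10.0.{i}.{i + 1}" for i in range(5)] + [f"192.0.2.{i}" for i in range(25)]
    for i, src in enumerate(forged):
        t = base + timedelta(seconds=5, milliseconds=100 * i)
        lines.append(f"{t.isoformat()} {src} {target} tcp S")
    return lines


if __name__ == "__main__":
    for dst, rep in analyse(constructed_logs()).items():
        print(dst, {k: (v if isinstance(v, int) else len(v)) for k, v in rep.items()})
```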

      The resources required in these investigations can be substantial. Already we have five
      FBI field offices with cases opened: Los Angeles, San Francisco, Atlanta, Boston, and
      Seattle. Each of these offices has victim companies in its jurisdiction. In addition, so far
      seven field offices are supporting the five offices that have opened investigations. The
      NIPC is coordinating the nationwide investigative effort, performing technical analysis of
      logs from victims sites and Internet Service Providers, and providing all-source analytical
      assistance to field offices. Agents from these offices are following up literally hundreds
      of leads. While the crime may be high tech, investigating it involves a substantial
      amount of traditional police work as well as technical work. For example, in addition to
      following up leads, NIPC personnel need to review an overwhelming amount of log
      information received from the victims. Much of this analysis needs to be done manually.
      Analysts and agents conducting this analysis have been drawn off other case work. In
      the coming years we expect our case load to substantially increase.

      Terrorists. Terrorists are known to use information technology and the Internet to
      formulate plans, raise funds, spread propaganda, and to communicate securely. For
      example, convicted terrorist Ramzi Yousef, the mastermind of the World Trade Center
      bombing, stored detailed plans to destroy United States airliners on encrypted files on
      his laptop computer. Moreover, some groups have already used cyber attacks to inflict
      damage on their enemies' information systems. For example, a group calling itself the
      Internet Black Tigers conducted a successful "denial of service" attack on servers of Sri
      Lankan government embassies. Italian sympathizers of the Mexican Zapatista rebels
      attacked web pages of Mexican financial institutions. Thus, while we have yet to see a
      significant instance of "cyber terrorism" with widespread disruption of critical
      infrastructures, all of these facts portend the use of cyber attacks by terrorists to cause
      pain to targeted governments or civilian populations by disrupting critical systems.

      Foreign intelligence services. Foreign intelligence services have adapted to using cyber
      tools as part of their information gathering and espionage tradecraft. In a case dubbed
      "the Cuckoo's Egg," between 1986 and 1989 a ring of West German hackers
      penetrated numerous military, scientific, and industry computers in the United States,
      Western Europe, and Japan, stealing passwords, programs, and other information
      which they sold to the Soviet KGB. Significantly, this was over a decade ago -- ancient
      history in Internet years. While I cannot go into specifics about the situation today in an
      open hearing, it is clear that foreign intelligence services increasingly view computer
      intrusions as a useful tool for acquiring sensitive U.S. Government and private sector
      information.

      Sensitive Intrusions. In the last two years we have seen a series of intrusions into
      numerous Department of Defense computer networks as well as networks of other
      federal agencies, universities, and private sector entities. Intruders have successfully
      accessed U.S. Government networks and taken enormous amounts of unclassified but
      sensitive information. In investigating these cases, the NIPC has been coordinating with
      FBI Field Offices, Legats, the Department of Defense (DOD), and other government
      agencies, as circumstances require. The investigation has determined that these
      intrusions appear to originate in Russia. The NIPC has also supported other very
      sensitive investigations, including the possible theft of nuclear secrets from Los Alamos
      National Laboratory in New Mexico. It is important that the Congress and the American
      public understand the very real threat that we are facing in the cyber realm, not just in
      the future, but now.

      Information Warfare. One of the greatest potential threats to our national security is the
      prospect of "information warfare" by foreign militaries against our critical infrastructures.
      We know that several foreign nations are already developing information warfare
      doctrine, programs, and capabilities for use against each other and the United States or
      other nations. Foreign nations are developing information warfare programs because
      they see that they cannot defeat the United States in a head-to-head military encounter
      and they believe that information operations are a way to strike at what they perceive as
      America's Achilles Heel -- our reliance on information technology to control critical
      government and private sector systems. For example, two Chinese military officers
      recently published a book that called for the use of unconventional measures, including
      the propagation of computer viruses, to counterbalance the military power of the United
      States. A serious challenge we face is even recognizing when a nation may be
      undertaking some form of information warfare. If another nation launched an information
      warfare attack against the United States, the NIPC would be responsible to gather
      information on the attack and work with the appropriate defense, intelligence, and
      national command authorities.

      Traditional Threats to Society Moved to the Cyber Realm

      Computers and networks are not just being used to commit new crimes such as
      computer intrusions, denial of service attacks, and virus propagation, but they are also
      facilitating some traditional criminal behavior such as extortion threats, fraud and the
      transmission of child pornography. For example, the NIPC recently supported an
      investigation involving e-mail threats sent to a Columbine High School student
      threatening violence.

      Child Pornography and Exploitation. While the Internet has been a tremendous boon for
      information sharing and for our economy, it unfortunately has also become a zone
      where predators prey on the weakest and most vulnerable members of our society, our
      children. The sex offender using a computer is not a new type of criminal. Rather it is
      simply a case of modern technology being combined with an age old problem. The use
      of computers has made child pornography more available now than at any time since
      the 1970s. An offender can use a computer to transfer, manipulate, or even create child
      pornography. Images can be stored, transferred from video tape or print media, and
      transmitted via the Internet. With newer technology, faster processors and modems,
      moving images can now also be transmitted. In addition, the information and images
      stored and transmitted can be encrypted to deter or avoid detection. As computers and
      technological enhancements, such as faster modems and processors, become less
      expensive and more sophisticated, the potential for abuse will grow.

      Challenges to Law Enforcement in Investigating Cybercrime

      The burgeoning problem of cyber crime poses unique challenges to law enforcement.
      These challenges require novel solutions, close teamwork among agencies and with the
      private sector, and adequate numbers of trained and experienced agents and analysts
      with sophisticated equipment.

      Identification and Jurisdictional Challenges

      Identifying the Intruder. One major difficulty that distinguishes cyber threats from
      physical threats is determining who is attacking your system, why, how, and from
      where. This difficulty stems from the ease with which individuals can hide or disguise
      their tracks by manipulating logs and directing their attacks through networks in many
      countries before hitting their ultimate target. The now well known "Solar Sunrise" case
      illustrates this point. Solar Sunrise was a multi-agency investigation (which occurred
      while the NIPC was being established) of intrusions into more than 500 military, civilian
      government, and private sector computer systems in the United States, during February
      and March 1998. The intrusions occurred during the build-up of United States military
      personnel in the Persian Gulf in response to tension with Iraq over United Nations
      weapons inspections. The intruders penetrated at least 200 unclassified U.S. military
      computer systems, including seven Air Force bases and four Navy installations,
      Department of Energy National Laboratories, NASA sites, and university sites.
      Agencies involved in the investigation included the FBI, DOD, NASA, Defense
      Information Systems Agency, AFOSI, and the Department of Justice (DOJ).

      The timing of the intrusions and links to some Internet Service Providers in the Gulf
      region caused many to believe that Iraq was behind the intrusions. The investigation,
      however, revealed that two juveniles in Cloverdale, California, and several individuals in
      Israel were the culprits. Solar Sunrise thus demonstrated to the interagency community
      how difficult it is to identify an intruder until facts are gathered in an investigation, and
      why assumptions cannot be made until sufficient facts are available. It also vividly
      demonstrated the vulnerabilities that exist in our networks; if these individuals were able
      to assume "root access" to DOD systems, it is not difficult to imagine what hostile
      adversaries with greater skills and resources would be able to do. Finally, Solar Sunrise
      demonstrated the need for interagency coordination by the NIPC.

      Jurisdictional Issues. Another significant challenge we face is hacking in multiple
      jurisdictions. A typical hacking investigation involves victim sites in multiple states and
      often many countries. This is the case even when the hacker and victim are both
      located in the United States. In the United States, we can subpoena records and
      execute search warrants on suspects' homes, seize evidence, and examine it. We can
      do none of those things ourselves overseas, rather, we depend on the local authorities.
      In some cases the local police forces simply do not understand or cannot cope with the
      technology. In other cases, these nations simply do not have laws against computer
      intrusions. Our Legats are working very hard to build bridges with local law enforcement
      to enhance cooperation on cybercrime. The NIPC has held international computer crime
      conferences with foreign law enforcement officials to develop liaison contacts and bring
      these officials up to speed on cybercrime issues. We have also held cybercrime
      training classes for officers from partner nations.

      Despite the difficulties, we have had some success in investigating and prosecuting
      these crimes. In 1996 and 1997, the National Oceanic and Atmospheric Administration
      (NOAA) suffered a series of computer intrusions that were linked to a set of intrusions
      occurring at the National Aeronautics and Space Administration (NASA). Working with
      the Canadian authorities, it was determined that the subject resided in Canada. In April
      1999, Jason G. Mewhiney was indicted by Canadian authorities. In January 2000, he
      pled guilty to 12 counts of computer intrusions and the Canadian Superior Court of
      Justice sentenced him to 6 months in jail for each of the counts, with the sentences
      running concurrently. In another case, Peter Iliev Pentchev, a Princeton University
      student, was identified as an intruder on an e-commerce system. An estimated 1800
      credit card numbers, customer names, and user passwords were stolen. The company
      had to shut down its web servers for five days to repair the damages estimated at
      $100,000. Pentchev has fled to his native Bulgaria and the process is being determined
      to return Pentchev to the United States to face charges.

      In 1994-95, an organized crime group headquartered in St. Petersburg, Russia,
      transferred $10.4 million from Citibank into accounts all over the world. After
      investigation by the FBI's New York field office, all but $400,000 of the funds were
      recovered. Cooperation with Russian authorities helped bring Vladimir Levin, the
      perpetrator, to justice. In another case, the FBI investigated Julio Cesar Ardita, an
      Argentine computer science student who gained unauthorized access to Navy and
      NASA computer systems. He committed these intrusions from Argentina, and
      Argentine authorities cooperated with the FBI on the investigation. While he could not
      be extradited for the offenses, he returned voluntarily to the United States and was
      sentenced to three years probation. 

      In all of these cases, Legats have been essential to the investigation. As the Internet
      spreads to even more countries, we will see greater demand placed on the Legats to
      support computer intrusion investigations.

      Human and Technical Challenges

      The threats we face are compounded by human and technical challenges posed by
      these types of investigations. The first problem is, of course, having enough positions
      for agents, computer scientists, and analysts to work computer intrusions. Once we
      have the authorized positions, we face the issue of recruiting people to fill these
      positions, training them in the rapidly changing technology, and retaining them. There is
      a very tight market out there for information technology professionals. The Federal
      Government needs to be able to recruit the very best people into its programs.
      Fortunately, we can offer exciting, cutting-edge work in this area and can offer agents,
      analysts, and computer scientists the opportunities to work on issues that no one else
      addresses, and to make a difference to our national security and public safety.

      Our current resources are stretched paper thin. We only have 193 agents assigned to
      NIPC squads and teams nationwide. Major cases, such as the recent DDOS attacks
      on Yahoo, draw a tremendous amount of personnel resources. Most of our technical
      analysts will have to be pulled from other work to examine the log files received from the
      victim companies. Tracking down hundreds of leads will absorb the energy of a dozen
      field offices. And this is all reactive. My goal is for the FBI to become proactive in this
      area just as we have in other areas such as drugs and violent crime. In a few minutes I'll
      discuss what we need to do to improve our cybercrime fighting capabilities to become
      proactive in fighting cybercrime.

      The technical challenges of fighting crime in this arena are equally vast. We can start
      just by looking at the size of the Internet and its exponential growth. Today it is
      estimated that more than 60,000 individual networks with 40 million users are
      connected to the Internet. Thousands more sites and people are coming on line every
      month. In addition, the power of personal computers is vastly increasing. The FBI's
      Computer Analysis Response Team (CART) examiners conducted 1,260 forensic
      examinations in 1998 and 1,900 in 1999. With the anticipated increase in high
      technology crime and the growth of private sector technologies, the FBI expects 50
      percent of its caseload to require at least one computer forensic examination. By 2001,
      the FBI anticipates the number of required CART examinations to rise to 6,000.

      It is important to note that personnel resources with very specific technical skills are
      required not only for computer and Internet based crimes such as the DDOS incidents,
      but are increasingly necessary for more traditional matters as well. Examples of this
      type of problem include the approximately 6,000 man-hours that the NIPC was required
      to expend investigating a recent computer-based espionage case. The NIPC's Special
      Technologies and Applications Unit (STAU) received approximately one million raw files
      from CART, and was required by the investigators to reproduce the activities of
      individuals over a period of years from that raw data. The amount of information which
      was required to be processed by STAU, and is still necessary to process, would fill the
      Library of Congress nearly twice. This type of case illustrates where technical analysis
      of the highest order has become necessary in sophisticated espionage matters. A
      recent extortion and bombing case illustrates how traditional violent criminals are also
      turning to high technology. In this extortion case, the bomber's demands included that the
      victim post their responses to his requirements on their web site. The STAU was
      required to sort through millions of web site "hits" to discern which entries may have
      come from the bomber. Based on information generated by the STAU's efforts, agents
      were able to trace the bomber to a specific telephone line to his home address.

      Clearly, the FBI needs engineering personnel to develop and deploy sophisticated
      electronic surveillance capabilities in an increasingly complex and technical
      investigative environment, skilled CART personnel to conduct the computer forensics
      examinations to support an increasingly diverse set of cases involving computers, as
      well as expert NIPC personnel to examine network log files to track the path an intruder
      took to his victim. In cases such as Los Alamos or Columbine, both NIPC and CART
      personnel were called in to bring their unique areas of expertise to bear on the case.

      During the last part of 1998, most computers on the market had hard drives of 6-8
      gigabytes (GB). Very soon 13-27 GB hard drives will become the norm. By the end of
      2000, we will be seeing 60-80 GB hard drives. All this increase in storage capacity
      means more data that must be searched by our forensics examiners, since even if
      these hard drives are not full, the CART examiner must review every bit of data and
      every area of the media to search for evidence.

      The FBI has an urgent requirement for improved tools, techniques and services for
      gathering, processing, and analyzing data from computers and computer networks to
      acquire critical intelligence and evidence of criminal activity. Over the past three years,
      the FBI's Laboratory Division (LD) has been increasingly requested to provide data
      interception support for such investigative programs as: Infrastructure Protection,
      Violent Crimes (Exploitation of Children, Extortion), Counterterrorism, and Espionage. In
      fact, since 1997, the LD has seen a dramatic increase in field requests for assistance
      with interception of data communications. Unless the FBI increases its capability and
      capacity for gathering and processing computer data, investigators and prosecutors will
      be denied timely access to valuable evidence that will solve crimes and support the
      successful prosecutions of child pornographers, drug traffickers, corrupt officials,
      persons committing fraud, terrorists, and other criminals.

      One of the largest challenges to FBI computer investigative capabilities lies in the
      increasingly widespread use of strong encryption. The widespread use of digitally-based
      telecommunications technologies, and the unprecedented expansion of computer
      networks incorporating privacy features/capabilities through the use of cryptography (i.e.
      encryption), has placed a tremendous burden on the FBI's electronic surveillance
      technologies. Today the most basic communications employ layers of protocols,
      formatting, compression and proprietary coding that were non-existent only a few years
      ago. New cryptographic systems provide robust security to conventional and cellular
      telephone conversations, facsimile transmissions, local and wide area networks,
      Internet communications, personal computers, wireless transmissions, electronically
      stored information, remote keyless entry systems, advanced messaging systems, and
      radio frequency communications systems. The FBI is already encountering the use of
      strong encryption. In 1999, 53 new cases involved the use of encryption.

      The FBI is establishing a centralized capability for development of investigative tools
      which support the law enforcement community's technical needs for cybercrime
      investigations, including processing and decrypting lawfully intercepted digital
      communications and electronically stored information. A centralized approach is
      appropriate since state and local law enforcement have neither the processing power
      nor trained individuals to assume highly complex analysis or reverse engineering tasks.
      The FY 2001 budget includes $7,000,000 for this effort.

      The need for a law enforcement centralized civilian resource for processing and
      decrypting lawfully intercepted digital communications and electronically stored
      information is well documented in several studies, including:

           The National Research Council's Committee Report entitled "Cryptography's
           Role in Securing the Information Society." Specifically, the Committee
           recommended that high priority be given to the development of technical
           capabilities, such as signal analysis and decryption, to assist law enforcement
           in coping with technological challenges.

           In 1996, in Public Law 104-132, Section 811, the 104th Congress acknowledged the
           critical need and authorized the Attorney General to "...support and enhance the
           technical support [capabilities]..." of the FBI.

           The Administration policy position as set forth in the September 16, 1998, press
           release acknowledges that "The Administration intends to support FBI's
           establishment of a technical support [capability] to help build the technical
           capacity of law enforcement - Federal, State, and local - to stay abreast of
           advancing communications technology."

      It has been the position of the FBI that law enforcement should seek the voluntary
      cooperation of the computer hardware and software industry as a means of attempting
      to address the public safety issues associated with use of encryption in furtherance of
      serious criminal activity. Over the past year and a half, the FBI has initiated an
      aggressive industry outreach strategy to inform industry of law enforcement's needs in
      the area of encryption, to continue to encourage the development of recoverable
      encryption products that meet law enforcement's needs, and to seek industry's
      assistance regarding the development of law enforcement plain text access "tools" and
      capabilities when non-recoverable encryption products are encountered during the
      course of lawful investigations.

      The FBI will be meeting this year with industry in an environment wherein various
      computer and software industry representatives can exchange technical and business
      information regarding encryption and encryption products with law enforcement. This
      information will assist law enforcement agencies with establishing development and
      operational strategies to make the most effective use of limited resources.

      State and Local Assistance

      Just as with other crimes, often the state and local authorities are going to be the first
      ones on the scene. The challenge for these law enforcement officers is even greater
      than the one the Federal Government faces in that state and local law enforcement is
      less likely to have the expertise to investigate computer intrusions, or to gather and
      examine cyber media and evidence. The challenge for the federal government is to provide the
      training and backup resources to the state and local levels so that they can
      successfully conduct investigations and prosecutions in their jurisdictions. This sort of
      cooperation is already showing results. For example, the FBI worked with the New
      Jersey State Police on the Melissa Macro Virus case that resulted in the arrest of David
      L. Smith by the New Jersey authorities. In addition, the NIPC and our Training Division
      are working together to provide training to state and local law enforcement officers on
      cybercrime. In FY 1999 over 383 FBI Agents, state and local law enforcement and other
      government representatives have taken NIPC sponsored or outside training on computer
      intrusion and network analysis, energy and telecommunications key assets. We have
      made great strides in developing our training program for state and local law
      enforcement officials. More NIPC training than ever before is being conducted outside of
      Washington, DC, meaning that more state and local officers should have the
      opportunity to attend these classes with less disruption to their schedules and less
      travel. One of the main responsibilities of the NIPC Training and Continuing Education
      Unit is to develop and manage the state and local Law Enforcement Training Program.
      This program trains state and local law enforcement officials in a myriad of
      state-of-the-art cyber courses.

      Building on the success of the San Diego Regional Computer Forensic Laboratory, the
      Attorney General asked the FBI and the Office of Justice Programs to work in
      partnership to develop a series of regional laboratories. These facilities will provide
      computer forensic services as joint ventures among federal, state and local law
      enforcement. Six million dollars is requested in the Office of Justice Programs to
      establish several regional computer forensic laboratories. Working together, we are
      identifying geographical areas where the establishment of such partnerships could
      make significant impact.

      The NIPC is supporting the Attorney General's proposal to create a network of federal,
      state, and local law enforcement personnel for combating cybercrimes. We are
      instructing each field office to have a point of contact at the appropriate investigative
      agencies regarding their area of jurisdiction and to provide this information to NIPC at
      FBIHQ.

      Presidential Decision Directive (PDD) 63 identified the Emergency Law Enforcement
      Services Sector (ELES) as one of the eight critical infrastructures. PDD 63 further
      designated the Federal Bureau of Investigation as the lead agency for protecting the
      ELES. The NIPC is currently working on a strategic plan for this sector and holding
      meetings with sector representatives. This involves developing and implementing a plan
      to help law enforcement protect its own systems from attack so it will be able to deliver
      vitally needed services to the public.

      Success of the NIPC requires building on proven mechanisms to develop and maintain
      long-term relationships with state and local law enforcement agencies. NIPC oversees
      outreach programs, coordinates training, shares information and coordinates
      interagency efforts to plan for, deter, and respond to cyber attacks.

      Currently, the NIPC is sharing information with state and local governments via Law
      Enforcement On-line (LEO) and the National Law Enforcement Telecommunications
      System. Timely coordination and sharing of information with other law enforcement
      agencies is essential in combating the cyber threat in the Information Age. Local law
      enforcement is also encouraged to join the InfraGard chapters in their area.

      State and local agencies investigate and prosecute cyber crimes based on violations of
      local laws. By sharing investigative data with the NIPC, these agencies allow emerging
      trends to be identified, analyzed and further shared with other agencies, and they can
      share investigative responsibilities with their local FBI field office and the NIPC. The cross-jurisdictional
      nature of cyber crimes, in which attacks occur outside the state or even national
      borders, means that investigative efforts must be coordinated among local, state and
      federal agencies to ensure effective prosecution.

      FBI Cybercrime Investigation Capabilities

      National Infrastructure Protection Center

      Under PDD-63, the NIPC's mission is to detect, warn of, respond to, and investigate
      computer intrusions and unlawful acts that threaten or target our critical infrastructures.
      The Center not only provides a reactive response to an attack that has already
      occurred, but proactively seeks to discover planned attacks and issues warnings before
      they occur. This large and difficult task requires the collection and analysis of
      information gathered from all available sources (including law enforcement
      investigations, intelligence sources, data voluntarily provided by industry and open
      sources) and dissemination of analyses and warnings of possible attacks to potential
      victims, whether in the government or the private sector. To accomplish this mission,
      the NIPC relies on the assistance of, and information gathered by the FBI's 56 field
      offices, other federal agencies, state and local law enforcement, and perhaps most
      importantly, the private sector.

      The NIPC, while located at the FBI, is an interagency center, with representatives from
      many other agencies, including DOD, the U.S. Intelligence Community, and other
      federal agencies. The NIPC at FBI Headquarters currently has 79 FBI personnel, with
      an authorized ceiling of 94. There are 22 representatives from Other Government
      Agencies (OGAs), the private sector, state and local law enforcement, and our
      international partners at the Center. Our target for OGA and private sector participation
      is 40.

      To accomplish its goals, the NIPC is organized into three sections:

      The Computer Investigations and Operations Section (CIOS) is the operational response
      arm of the Center. It program manages computer intrusion investigations conducted by
      FBI field offices throughout the country; provides subject matter experts, equipment,
      and technical support to cyber investigators in federal, state and local government
      agencies involved in critical infrastructure protection; and provides a cyber emergency
      response capability to help resolve a cyber incident.

      The Analysis and Warning Section (AWS) serves as the "indications and warning" arm
      of the NIPC. It provides analytical support during computer intrusion investigations and
      long-term analyses of vulnerability and threat trends. Through its 24/7 watch and
      warning capability, it distributes tactical warnings and analyses to all the relevant
      partners, informing them of potential vulnerabilities and threats and long-term trends. It
      also reviews numerous government and private sector databases, media, and other
      sources daily to gather information that may be relevant to any aspect of our mission,
      including the gathering of indications of a possible attack.

      The Training, Outreach and Strategy Section (TOSS) coordinates the training and
      education of cyber investigators within the FBI field offices, state and local law
      enforcement agencies, and private sector organizations. It also coordinates outreach to
      private sector companies, state and local governments, other government agencies, and
      the FBI's field offices. In addition, this section manages collection and cataloguing of
      information concerning "key assets" across the country. Finally, it handles our strategic
      planning and administrative functions with FBI and DOJ, the National Security Council,
      other agencies and Congress.

      Through these, the Center brings its unique perspective as the only national
      organization devoted to investigation, analysis, warning, and response to attacks on the
      infrastructures. Further, as an interagency entity, the NIPC takes a broad view of
      infrastructure protection, looking not just at reactive investigations but also at proactive
      warnings and prevention. Finally, through the FBI, the Center has a national reach to
      implement policy. The Center is working closely on policy initiatives with its Federal
      partners and meets regularly with the other Federal lead agencies on policy issues.

      National Infrastructure Protection and Computer Intrusion Squads/Teams

      In October 1998, the National Infrastructure Protection and Computer Intrusion Program
      (NIPCP) was approved as an investigative program and resources were created and
      placed in each FBI field office with the NIPC at FBI Headquarters acting as program
      manager.

      By the end of this fiscal year, there will be 16 FBI Field Offices with regional NIPC
      squads. Each of these squads will be staffed with 7 to 8 agents. Nationwide, there are
      193 agents dedicated to investigating NIPC matters. In order to maximize investigative
      resources the FBI has taken the approach of creating regional squads that have
      sufficient size to work difficult major cases and to assist those field offices without an
      NIPC squad. In those field offices without squads, the FBI is building a baseline
      capability by having one or two agents to work NIPC matters, i.e. computer intrusions
      (criminal and national security), viruses, InfraGard, state and local liaison etc.

      Computer Analysis and Response Teams (CART)

      An essential element in the investigation of computer crime is the recovery of evidence
      from electronic media. In a murder investigation, the detectives investigate the case but
      the coroner examines the body for evidence of how the crime was committed. The
      CART personnel serve this function in cyber investigations. CART examiners perform
      three essential functions. First, they extract data from computer and network systems,
      and conduct forensic examinations and on-site field support to all FBI investigations and
      programs where computers and storage media are required as evidence. Second, they
      provide technical support and advice to field agents conducting such investigations.
      Finally, they assist in the development of technical capabilities needed to produce
      timely and accurate forensic information.

      Currently the FBI has 26 full time CART personnel at FBI Headquarters and 62 full-time
      and 54 part-time CART personnel in the field, for a total of 142 trained CART personnel.
      CART resources are used in a variety of investigations ranging from sensitive espionage
      cases to health care fraud. For example, on September 12, 1998, the FBI executed the
      arrest of individuals who were involved in an espionage ring trying to penetrate U.S.
      military bases on behalf of the Cuban government. During the arrest of these individuals
      CART conducted the seizure of 35 GB of digital evidence to include personal computers
      containing twelve (12) hard drives, 2,500 floppy diskettes, and assorted CD-ROMs. The
      FBI deployed more than 30 CART field examiners during the search and examination
      which consumed thousands of hours of their time.

      In order to process the vast quantities of information required, the CART program needs
      to purchase or develop new ways of handling digital evidence. One program used by the
      FBI is the Automated Computer Examination System (ACES), a data exploration tool
      developed by the FBI Laboratory, to scan thousands of files for identification of known
      format and executable program files. ACES verifies that certain program, batch or
      executable files are for computer operation and do not represent a file in which potential
      evidentiary material is stored. Results from an ACES examination can be passed to
      other analytical utilities used in examining a computer.
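The known-file filtering described above, as an added example that is not FBI or ACES code: every file in a constructed stand-in for seized media is hashed against a reference set of standard program files, program formats are recognised by their magic bytes, and anything that cannot be confirmed by hash as a standard program file, including a file that is merely named like an executable, stays on the examiner's review list. The file names, contents and reference hashes are all constructed for the demo.

```python
"""Known-file filtering for forensic triage (added example, not ACES code).

Files whose hash matches a reference set of standard program files are set
aside; everything else, including executables that are not in the reference
set and files merely named like programs, stays on the examiner's review list.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Real magic bytes for common executable formats.
MAGIC = {b"MZ": "pe-executable", b"\x7fELF": "elf-executable"}
# Extensions an examiner might be tempted to skip by name alone.
PROGRAM_EXTENSIONS = {".exe", ".dll", ".sys", ".bat", ".cmd"}


@dataclass(frozen=True)
class Verdict:
    path: str
    sha256: str
    kind: str          # known-good | pe-executable | elf-executable | batch | mismatch | review
    needs_review: bool


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def detect_format(head: bytes) -> Optional[str]:
    """Identify a program format from the first bytes, or None if unrecognised."""
    for magic, kind in MAGIC.items():
        if head.startswith(magic):
            return kind
    if head.lower().lstrip().startswith((b"@echo", b"rem ")):
        return "batch"
    return None


def classify(path: str, known_good: Set[str]) -> Verdict:
    digest = sha256_file(path)
    if digest in known_good:
        # Confirmed by hash, not by name: safe to exclude from the first pass.
        return Verdict(path, digest, "known-good", False)
    with open(path, "rb") as f:
        head = f.read(16)
    fmt = detect_format(head)
    ext = os.path.splitext(path)[1].lower()
    if ext in PROGRAM_EXTENSIONS and fmt is None:
        # Named like a program but does not look like one: data may be hidden
        # under an executable name, so this goes to the top of the review list.
        return Verdict(path, digest, "mismatch", True)
    if fmt is not None:
        # Looks like a program but is absent from the reference set; it cannot
        # be confirmed as "for computer operation" and is still reviewed.
        return Verdict(path, digest, fmt, True)
    return Verdict(path, digest, "review", True)


def triage(root: str, known_good: Set[str]) -> List[Verdict]:
    verdicts: List[Verdict] = []
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            verdicts.append(classify(os.path.join(dirpath, name), known_good))
    return verdicts


def build_demo_image() -> str:
    """Constructed stand-in for seized media: a temporary directory of files."""
    root = tempfile.mkdtemp(prefix="triage_demo_")
    files = {
        "notepad.exe": b"MZ\x90\x00" + b"\x00" * 60,   # stand-in OS binary
        "autoexec.bat": b"@echo off\r\nREM boot\r\n",  # stand-in startup script
        "tool.exe": b"MZ\x90\x00" + b"\x01" * 60,      # executable not in reference set
        "photos.exe": b"dear diary, today I ...",      # text hidden under an .exe name
        "letter.txt": b"meet at the usual place",      # ordinary document
    }
    for name, data in files.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    return root


def run_demo() -> Dict[str, Verdict]:
    """Build the sample tree, treat two files as the reference set, triage the rest."""
    root = build_demo_image()
    # Constructed reference set: hashes of the files we declare to be standard
    # OS components (a real set would come from a maintained hash library).
    known = {sha256_file(os.path.join(root, n)) for n in ("notepad.exe", "autoexec.bat")}
    return {os.path.basename(v.path): v for v in triage(root, known)}


if __name__ == "__main__":
    for name, v in run_demo().items():
        flag = "REVIEW" if v.needs_review else "skip  "
        print(f"{flag} {v.kind:<14} {name}")
```

The point of matching by hash rather than by name or extension is that the exclusion step can only be trusted for files positively identified as standard components; an unknown executable or a document renamed to look like one is exactly what an examiner must not skip.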

      The FBI is also working with other federal agencies as well as state and local law
      enforcement to share data and forensic expertise. In San Diego, a regional computer
      forensic capability has been established that is staffed by the FBI, the Navy, and the
      San Diego police department, among others. This lab serves as a resource for the
      entire region. The vast majority of all computer related seizures in San Diego County
      are currently being made through the RCFL. During the start-up period (Summer 1999
      to December 1999), although all participating agencies had been co-located, each
      examiner had been working on his own agency's cases. As of January 3, 2000, the
      San Diego lab started receiving submissions as a joint facility and jointly tracking those
      submissions. As of February 3, the lab had received 26 cases, including three federal
      cases consisting of large scale networks, and local cases including a death threat to a
      judge, a poisoning case, and a child molestation case. We recognize that state and
      local law enforcement often will not have the resources for complex computer forensics,
      and we hope that the San Diego model can be expanded.

      Technical Investigative Support

      The FBI has long had capabilities regarding the interception of conventional phone lines
      and modems. The rapid advance of data technologies and the unregulated nature of the
      Internet have resulted in a myriad of technologies and protocols which make the
      interception of data communications extremely difficult. It is critical that the FBI
      properly equip investigators with technical capabilities for utilizing the critical
      investigative tools on lawfully authorized Title III and Title 50 interception.

      Innocent Images Initiative/Child Pornography

      The FBI has moved aggressively against child pornographers. In 1995 the FBI's first
      undercover operation, code name Innocent Images, was initiated. Almost five years
      later, Innocent Images is an FBI National Initiative, supported by annual funding of $10
      million, with undercover operations in eleven FBI field offices -- Baltimore, Birmingham,
      Cleveland, Dallas, Houston, Las Vegas, Los Angeles, Newark, Phoenix, San
      Francisco, and Tampa -- being worked by task forces that combine the resources of the
      FBI with other federal, state and local law enforcement officers from Maryland, Virginia,
      the District of Columbia, Alabama, Ohio, Texas, Nevada, California, New Jersey,
      Arizona, and Florida. Investigations developed by the National Initiative's undercover
      operations are being conducted by every field office and information has been referred to
      foreign law enforcement agencies through the FBI's Legal Attache Offices.

      During Fiscal Year 1999 a total of 1,497 new cases were opened. Every one of these
      investigations has digital evidence and requires the assistance of a CART examiner.
      Additionally, 188 search warrants and 57 consent searches were executed, and 193
      arrests, 125 indictments, 29 information and 108 convictions were obtained as a result
      of the Innocent Images National Initiative. Also in Fiscal Year 1999, the IINI provided 227
      presentations to 17,522 individuals from foreign and domestic law enforcement and
      government officials, civilian groups, and private citizens in an effort to raise awareness
      about child pornography/child sexual exploitation issues and increase coordination
      between federal, state and local law enforcement.

      Intellectual Property Rights/Internet Fraud

      Intellectual property is the driver of the 21st century American economy. In many ways
      it has become what America does best. The United States is the leader in the
      development of creative, technical intellectual property. Violations of Intellectual
      Property Rights, therefore, threaten the very basis of our economy. Of primary concern
      is the development and production of trade secret information. The American Society of
      Industrial Security estimated the potential losses at $2 billion per month in 1997.
      Pirated products threaten public safety in that many are manufactured to inferior or
      non-existent quality standards. A growing percentage of IPR violations now involve the
      Internet. There are thousands of web sites solely devoted to the distribution of pirated
      materials. The FBI has recognized, along with other federal agencies, that a
      coordinated effort must be made to attack this problem. The FBI, along with the
      Department of Justice, U.S. Customs Service, and other agencies with IPR
      responsibilities, will be opening an IPR Center this year to enhance our national ability
      to investigate and prosecute IPR crimes through the sharing of information among
      agencies.

      One of the most critical challenges facing the FBI and law enforcement in general, is
      the use of the Internet for criminal purposes. Understanding and using the Internet to
      combat Internet fraud is essential for law enforcement. The fraud being committed over
      the Internet is the same type of white collar fraud the FBI has traditionally investigated
      but poses additional concerns and challenges because of the new environment in which
      it is located. Internet fraud is defined as any fraudulent scheme in which one or more
      components of the Internet, such as Web sites, chat rooms, and E-mail, play a
      significant role in offering nonexistent goods or services to consumers, communicating
      false or fraudulent representations about the schemes to consumers, or transmitting
      victims' funds, access devices, or other items of value to the control of the scheme's
      perpetrators. The accessibility of such an immense audience coupled with the
      anonymity of the subject requires a different approach. The frauds range from simple
      geometric progression schemes to complex frauds. The Internet appears to be a perfect
      manner to locate victims and provides an environment where the victims don't see or
      speak to the fraud perpetrators. Anyone in the privacy of their own home can create a
      very persuasive vehicle for fraud over the Internet. In addition, the expenses associated
      with the operation of a "home page" and the use of electronic mail (E-mail) are minimal.
      Fraud perpetrators do not require the capital to send out mailers, hire people to respond
      to the mailers, finance and operate toll free numbers, etc. This technology has evolved
      exponentially over the past few years and will continue to evolve at a tremendous rate.
      By now it is common knowledge that the Internet is being used to host criminal
      behavior. The top ten most frequently reported frauds committed on the Internet include
      Web auctions, Internet services, general merchandise, computer equipment/software,
      pyramid schemes, business opportunities/franchises, work at home plans, credit card
      issuing, prizes/sweepstakes and book sales.

      Improving FBI Cybercrime Capabilities

      The last two years have seen tremendous strides in the development of the National
      Infrastructure Protection Center in both the Headquarters and field program. We have
      directed our resources into developing our prevention, detection, and response
      capabilities. This has meant recruiting talented personnel from both inside and outside
      the FBI, training those personnel, and developing investigative, analytic, and outreach
      programs. Most of these programs had to be developed from scratch, either because no
      program previously existed or because the program had to be reinvigorated from an
      earlier FBI incarnation.

      The cyber crime scene is dynamic -- it grows, contracts, and can change shape.
      Determining whether an intrusion is even occurring can often be difficult in the cyber
      world, and usually a determination cannot be made until after an investigation is
      initiated. The establishment of the NIPC has greatly enhanced the FBI's investigative,
      analytic, and case support capabilities. A few years ago, the NIPC would have been
      limited in its ability to undertake some of the sensitive investigations of computer
      intrusions that the FBI has supported. While the FBI has been able to develop and
      maintain its present response capability, the explosive nature of the crime problem
      continues to challenge our capacities. While much has been accomplished, much
      remains to be done.

      Building Investigative Capacity

      Trained personnel and resources present the greatest challenges to the FBI critical
      infrastructure protection mission. The FBI must make sure that the NIPC and Field
      Office squads are fully staffed with technologically competent investigators and
      analysts. It is also essential that these professionals have state of the art equipment and
      connectivity they need to conduct their training.

      To accomplish this, the FBI must identify, recruit, and train personnel who have the
      technical, analytical, investigative, and intelligence skills for engaging in cyber
      investigations. This includes personnel to provide early warnings of attacks, to read and
      analyze log files, write analytic reports and products for the field and the private sector,
      and to support other investigations with cyber components. With such a configuration of
      selected personnel skills, the FBI will be able to effectively and efficiently investigate
      cyber threats, allegations, incidents, and violations of the law that target and/or impact
      critical infrastructure facilities, components, and key assets. Aggressive recruitment of
      qualified specialists is critical. Targeting the right people and providing hiring and
      educational incentives are good steps in building this professional cadre.

      Developing and deploying the best equipment in support of the mission is very
      important. Not only do investigators and analysts need the best equipment to conduct
      investigations in the rapidly evolving cyber system, but the NIPC must be on the cutting
      edge of cyber research and development. NIPC must not only keep abreast of the
      criminal element but must also accurately predict the next generation of criminal
      activity.

      In order to support state and local law enforcement efforts, field offices will seek to form
      cybercrime task forces. This should include assigning a prosecutor to handle task force
      cases.

      Building Partnerships with Industry and Academia

      NIPC is founded on the notion of partnership. This partnership is critical to ensuring
      timely information sharing about threats and incidents, new technologies, and keeping
      our capabilities at the cutting edge. The FBI, in conjunction with the private sector, has
      also developed an initiative called "InfraGard" to expand direct contacts with the private
      sector infrastructure owners and operators and to share information about cyber
      intrusions, exploited vulnerabilities, and physical infrastructure threats. The initiative
      encourages the exchange of information by government and private sector members
      through the formation of local InfraGard chapters within the jurisdiction of each Field
      Office. Chapter membership includes representatives from the FBI, private industry,
      other government agencies, State and local law enforcement, and the academic
      community. The initiative provides four basic services to its members: an intrusion alert
      network using encrypted e-mail; a secure website for communication about suspicious
      activity or intrusions; local chapter activities; and a help desk for questions. The critical
      component of InfraGard is the ability of industry to provide information on intrusions to
      the local FBI Field Office using secure communications in both a "sanitized" and
      detailed format. The local FBI Field Offices can, if appropriate, use the detailed version
      to initiate an investigation; while NIPC Headquarters can analyze that information in
      conjunction with other law enforcement, intelligence, or industry information to
      determine if the intrusion is part of a broader attack on numerous sites. The Center can
      simultaneously use the sanitized version to inform other members of the intrusion
      without compromising the confidentiality of the reporting company. The secure website
      will also contain a variety of analytic and warning products that we can make available
      to the InfraGard community.

      The NIPC has also developed and is implementing an aggressive outreach program. We
      have briefed a number of key critical infrastructure sector groups including the North
      American Electric Reliability Council and business groups such as the U.S. Chamber of
      Commerce. We are also working closely with our international partners.

      Much attention has been given to the need to create mechanisms for sharing
      information with the private sector. The NIPC has built up a track record for doing this
      over the past 2 years with concrete results. Not only has it provided early warnings and
      vulnerability threat assessments but it has also developed unique detection tools to
      help potential victims of DDOS attacks. And contrary to press statements by
      companies offering security services that private companies won't share information with
      law enforcement, private companies have reported incidents and threats to the NIPC or
      FBI. The cooperation we have received from victims in the recent DDOS attacks is only
      the most recent example of this. InfraGard will increase this capacity by providing a
      secure two way mechanism for sharing information between the government and the
      private sector.

      Developing Forensic and Technical Capabilities

      As noted above, CART has developed substantial capability to examine computer and
      network media and storage devices. But the rapid change in technology and the
      increasing use of computers in criminal activity necessitate the on-going development of
      better investigative and forensic tools and techniques for examiners. We fully expect
      that the number of cases requiring CART examinations will increase by over 50% in the
      next few years. In addition, as storage media hold more information, each individual
      examination will require more effort. To even attempt to keep pace with these
      developments, we will need to increase our personnel base in CART. For FY 2001,
      funding is proposed to add 100 new CART examiners.

      In addition, in order for our ACES program to remain able to provide comprehensive
      analysis of computer files, it needs to be continuously updated. After all, how many
      iterations of Windows®, Microsoft Office®, and other software and operating systems
      have we seen just in the last two years? We need to ensure that ACES can perform its
      function. The FY 2001 budget includes $2,800,000 for the ACES program.

      Improving our technical capabilities to access plain text communications is a critical
      challenge to the FBI. The ultimate objective is to provide field investigators with an
      integrated suite of automated data collection systems, operating in a low-cost and
      readily available personal computer environment, which will be capable of identifying,
      intercepting and collecting targeted data of interest from a broad spectrum of data
      telecommunications transmissions mediums and networks. Substantial resource
      enhancements are required to progress development from current ad hoc, tactical data
      intercept systems to integrated modular systems, providing the field investigators with
      increased flexibility, simplicity and reliability and to enhance training programs to
      enable field Technically Trained Agents and Investigators to install and operate this
      complex equipment. The most technically complex component of electronic
      surveillance has been and always will be the deciphering of encrypted signals and
      data. In the past few years, growth in electronic communications and the public
      demand for security have increased the number of investigations which encounter
      encrypted signals and data. With the convergence of digital technologies in the very
      near future, all electronic communications conducted using computers, the Internet,
      wireless and other forms of communications, will inherently incorporate and apply data
      security (i.e. encryption). The ability to gather evidence from FBI electronic surveillance
      and seized electronic data will significantly depend upon the development of and
      deployment of signal analysis and decryption capabilities. Funding enhancements are
      requested to step toward the fulfillment of a strategic plan to ensure that collected
      signals, data and evidence can be intercepted, interpreted and made usable in the
      prosecution of crimes and the detection of national security offenses. Failure to
      strategically prepare for the impending global changes in data and voice
      telecommunications, information security, and the volumes of encrypted information
      collected by law enforcement pursuant to lawful court orders, will ensure that critical
      information and evidence will be unintelligible and unusable in future investigations.

      We are urgently trying to develop our capabilities in this area through the acquisition of
      hardware and software tools, technologies and systems, and support services to work
      on a variety of research projects to meet this problem. Last September, the
      Administration announced a "New Approach to Encryption" which included significant
      changes to the nation's encryption export policies and recommended public safety
      enhancement to ensure "that law enforcement has the legal tools, personnel, and
      equipment necessary to investigate crime in an encrypted world."

      Specifically, on September 16, 1999, the President, on behalf of law enforcement,
      transmitted to Congress the "Cyberspace Electronic Security Act of 1999" which would:
      ensure that law enforcement maintains its ability to access decryption information
      stored with third parties, while protecting such information from inappropriate release;
      protect sensitive investigative techniques and industry trade secrets from unnecessary
      disclosure in litigation or criminal trials involving encryption, consistent with fully
      protecting defendants' rights to a fair trial; and authorize $80 million over four years for
      the FBI's Technical Support Center (TSC), which serves as a centralized technical
      resource for federal, state and local law enforcement in responding to the increased use
      of encryption in criminal cases. The TSC is an expansion of the FBI's Engineering
      Research capabilities that will take advantage of existing institutional and technical
      expertise in this area. As indicated earlier, the FY 2001 budget proposes an increase of
      $7,000,000 for the FBI's counterencryption program. We urge Congress to support us in
      these endeavors.

      The law enforcement community relies on lawfully-authorized electronic surveillance as
      an essential tool for the investigation, disruption, and prevention of serious and violent
      offenses. Technological advances have taken a serious toll on law enforcement's ability
      to protect the public through the use of lawfully-authorized electronic surveillance. The
      Communications Assistance for Law Enforcement Act (CALEA) was passed so that the
      telecommunications industry would pro-actively address law enforcement's need and
      authority to conduct lawfully-authorized electronic surveillance as a basic element in
      providing service. CALEA clarifies and further defines existing statutory obligations of
      the telecommunications industry to assist law enforcement in executing
      lawfully-authorized electronic surveillance.

      The FBI developed a flexible deployment strategy to minimize the costs and the
      operational impact of installation of CALEA-compliant software on telecommunications
      carriers. This strategy supports the carriers' deployment of CALEA-compliant solutions
      in accordance with their normal business cycles when this deployment will not delay
      implementation of CALEA solutions in high-priority areas. The carriers will provide
      projected CALEA-deployment schedules for all switches in their network and
      information pertaining to recent lawfully authorized electronic surveillance activity. Using
      this information, the FBI and the carrier will develop a mutually agreeable deployment
      schedule. The FBI provided the carriers with the Flexible Deployment Assistance Guide
      to facilitate the carrier's submission of information.

      The FBI is negotiating with telecommunications carriers and manufacturers of
      telecommunications equipment for nationwide Right-to-Use (RTU) licenses to facilitate
      the availability of CALEA-compliant software to carriers. Also, the FBI is establishing a
      regional, nationwide law enforcement liaison program. This team will facilitate
      developing consensus law enforcement electronic surveillance requirements for all
      telecommunications technologies and services required to comply with CALEA;
      educate and inform Congress and the Federal Communications Commission (FCC) to
      ensure law enforcement's ability to conduct court-authorized electronic surveillance is
      not compromised on any telecommunications technology or service required to comply
      with CALEA; identify, publish, and ensure deployment of capacity requirements in
      accordance with Section 104 of CALEA; and develop a prioritized plan for the effective
      deployment and tracking of CALEA solutions.

      The FBI needs to conduct testing and verification of manufacturer-proposed CALEA
      technical solutions and to have the subject matter expertise necessary to address new
      technologies that must comply with CALEA. Without these capabilities, the FBI will be
      unable to conduct testing and verification of manufacturer-proposed CALEA technical
      solutions and complete the nationwide RTU license agreements. The FY 2001 budget
      proposes a total of $240,000,000 for CALEA RTU license agreements, including
      $120,000,000 under the Telecommunications Carrier Compliance Fund and
      $120,000,000 under the Department of Defense. Additionally, $2,100,000 is requested
      to support the FBI's CALEA program management office.

      Conclusion

      Computer crime is one of the most dynamic problems the FBI faces today. Just think
      about how many computers you have owned and how many different software packages
      you have learned over the past several years and you can only begin to appreciate the
      scope of the problem we are dealing with in the fast changing area. We need to budget
      for and train on technology that often has not even been invented when we begin the
      budget cycle some 18 months prior to the beginning of the fiscal year. I am proud of the
      progress that we have made in dealing with this problem. What I have tried to do here
      today is give you a flavor of what we are facing. I am confident that once the scope of
      the problem is clear, we can work together to develop the capabilities to meet the
      computer crime problem, in all its facets, head on. Our economy and public safety
      depend on it.


INTRO



"President Clinton warned during commencement ceremonies last month at the
U.S. Naval Academy that the United States is increasingly vulnerable to
cyberattack. He called for strengthening the nation's computer defenses and ordered
an assessment to plan against such attacks."

source : AP

UPDATE : August 1998


Is this 'suspect' holding a 'terrorist' device ?

"Air Force Lt. Gen. Kenneth Minihan, head of the ultrasecretive National Security
Agency, testified to the same panel that attacks against U.S. networks were
occurring "every day." "We are only seeing the tip of the iceberg," he said. "Even when
attacks are detected and reported, we rarely know who the attacker was."

Tenet identified potential cyberattackers as comprising everyone from foreign nations'
intelligence and militaries to guerrilla forces, criminals, industrial competitors, hackers,
and disgruntled people."

An update - while Clinton's away ... the mice will play ... Today both CIA director
George Tenet and Lt. Gen. Kenneth Minihan, head of the NSA, continued to
'propagandize' for the 'great hacker peril' in front of a Senate committee hearing. Today's
comedy involves China supposedly wanting to 'hack' into US computers via the
Internet - a 'black eye' on the President's trip according to Reuters News Service.

"WASHINGTON--China and other countries have begun to focus on U.S. computer
networks as a target for possible high-tech attacks that could cripple anything from
telephones to electricity, CIA Director George Tenet said yesterday."

"Tenet said the "battle space" of the information age would "surely" extend to U.S.
domestic infrastructure. "Our electric power grids and our telecommunications
networks will be targets of the first order," he said."

Yesterday, the AP reported that the Pentagon admitted ( indirectly ) that the hacking
into India's sensitive documents went by way of Army computers -- when asked, the
Pentagon had no response whether someone could access the data in India from the
Army's Internet ...

Since I broke CyberGate on the 19th, government agencies have been scrambling to
provide press releases about the sensitive communications vulnerabilities, etc. when
the REAL issue was that the PCCIP in 1996 created a large federal inter-agency
commission on infrastructure security with FEMA, CIA, DOD, FBI, NSA and others
participating to spy on any Americans with 'a PC and a modem' ...

Remember that 'cold war' scare tactics have done great injustices in the past, and
with evidence of federally sanctioned hacking having taken place in the past ; the
PCCIP's work ( at The SPYder web - all executive orders, mission statement, summary
report, etc. ) is now classified 'TOP SECRET' by Clinton, but repercussions of this
'cybergate' are beginning to be felt, and seen in the media . Don't be misled - My user
tracking of over 7,000 users of my website over the last few weeks provided that list
of dozens of federal agencies / military departments who are systematically searching
the entire Internet looking for 'terrorists', red peril, or now - the Chinese ! Federal
monitoring of personal internet use dwarfs any sanctioned FBI monitoring of individuals in
the '60s, and their only failure in the latest public propaganda campaign, is that they
were caught !

CYBERGATE SUMMARY :


From: radioman@seasurf.com
To: ALL
Date: 19 Jun 1998
Subject: *TOP SECRET* Multi-Agency Federal Conspiracy !
Priority: normal

PCCIP : *TOP SECRET* Multi-Agency Federal Conspiracy !

"CyberGate" 6/19/98

Here is the answer to WHY so many federal agencies / military departments
have been visiting The SPYder Web lately - after nearly 7,000 visitor log entries
analysis - we found 'cybergate' - a Presidential commission which included many
Federal Agencies / Military and N.S.A. whose purpose is to investigate potential
security breaches on nonclassified computer systems from 'terrorists' and those
'recreational hackers', and anyone 'with a PC and modem ...' Here are some of
the items from 1996 :

"(b) Members. The head of each of the following executive branch departments
and agencies shall nominate not more than two full-time members of the
Commission:"

"(i) Department of the Treasury;
(ii) Department of Justice;
(iii) Department of Defense;
(iv) Department of Commerce;
(v) Department of Transportation;
(vi) Department of Energy;
(vii) Central Intelligence Agency;
(viii) Federal Emergency Management Agency;
(ix) Federal Bureau of Investigation;
(x) National Security Agency."

The current work of this *top secret* classified group, if any, is unknown; but
their initial press release, the original executive order, three subsequent
amendments, and their first report with conclusions ( their mission statement ) have
been found !!! ( see full text : *PCCIP* at http://seasurf.com/~radioman/nsc.html ,
and full text of what preceded this at : http://seasurf.com/~radioman/album.html )

This committee exists to investigate security, computer security, breach of
nonclassified computer systems, etc. under the 'hat' of National Security interests.
In a response to increasing terrorism, and the Oklahoma City Bombing, this group
has compared findings within each participating agency regarding 'recreational
hacking' ...

The targets are every American citizen 'with a PC and a modem ...' In addition to
investigating the rise of 'recreational hacking', of particular note was the
justification of all this based on 'freely available software on the Internet'.

In a nutshell, YOU are being watched, by agencies whose charters prohibit
domestic monitoring ( CIA ). While the conclusions summary goes on to make
a case for National Security, the reality is that an inter-agency group was set
into motion in 1996 to specifically 'monitor' internet users in addition to
already-in-place methods by the NSA.

"This was an unusually large commission with broad representation from federal
departments and agencies and from the private sector. An Advisory Committee
of industry leaders appointed by the President provided the perspective of the
infrastructure owners and operators. A Steering Committee, composed of the
Commission's Chairman and four top government officials, oversaw the
Commission's work on behalf of the Principals Committee, which included Cabinet Officers,
heads of agencies, and senior White House staff members."

"The Commission generally operated by consensus. Every recommendation was
discussed at length with the full Commission and most were revised several times
before final approval. No Commissioner agreed completely with all of the
recommendations. Nevertheless, each accepted the final report as a reasonable and
balanced recommendation to the President."

"New, cyber threats. Today, the right command sent over a network to a power
generating station's control computer could be just as effective as a backpack
full of explosives, and the perpetrator would be harder to identify and apprehend."

"The rapid growth of a computer-literate population ensures that increasing millions
of people possess the skills necessary to consider such an attack. The wide
adoption of public protocols for system interconnection and the availability of
"hacker tool" libraries make their task easier."

"While the resources needed to conduct a physical attack have not changed much
recently, the resources necessary to conduct a cyber attack are now
commonplace. A personal computer and a simple telephone connection to an Internet
Service Provider anywhere in the world are enough to cause a great deal of harm."

"Insiders. Normal operation demands that a large number of people have authorized
access to the facilities or to the associated information and communications
systems. If motivated by a perception of unfair treatment by management, or if
suborned by an outsider, an "insider" could use authorized access for unauthorized
disruptive purposes."

"Recreational hackers. For an unknown number of people, gaining unauthorized
electronic access to information and communication systems is a most fascinating
and challenging game. Often they deliberately arrange for their activities to be
noticed even while hiding their specific identities. While their motivations do not
include actual disruption of service, the tools and techniques they perfect among
their community are available to those with hostile intent."

"Industrial espionage. Some firms can find reasons to discover the proprietary
activities of their competitors, by open means if possible or by criminal means if
necessary. Often these are international activities conducted on a global scale."

"Terrorism. A variety of groups around the world would like to influence US
policy and are willing to use disruptive tactics if they think that will help."

"National intelligence. Most, if not all, nations have at least some interest in
discovering what would otherwise be secrets of other nations for a variety of
economic, political, or military purposes."

"Information warfare. Both physical and cyber attacks on our infrastructures
could be part of a broad, orchestrated attempt to disrupt a major US military
operation or a significant economic activity."

"Potentially serious cyber attacks can be conceived and planned without detectable
logistic preparation. They can be invisibly reconnoitered, clandestinely rehearsed,
and then mounted in a matter of minutes or even seconds without revealing the
identity and location of the attacker."

"A National Organization Structure"

"In order to be effective, recommendations must discuss not only what is to be
done, but how it will get done and who will do it. We have recommended the
following partnering organizations be established to be responsible for specific
parts of our vision:"

"Sector Coordinators to provide the focus for industry cooperation and
information sharing, and to represent the sector in matters of national cooperation
and policy;"

"Lead Agencies, designated within the federal government, to serve as a
conduit from the government into each sector and to facilitate the creation of
sector coordinators, if needed;"

"National Infrastructure Assurance Council of industry CEOs, Cabinet
Secretaries, and representatives of state and local government to provide
policy advice and implementation commitment;"

"Information Sharing and Analysis Center to begin the step-by-step process
of establishing a realistic understanding of what is going on in our infrastructures
-- of distinguishing actual attack from coincidental events;"

"Infrastructure Assurance Support Office to house the bulk of the national
staff which is responsible for continuous management and follow-through of our
recommendations; and"

"Office of National Infrastructure Assurance as the top-level policy making
office connected closely to the National Security Council and the National
Economic Council."

( see : President's Commission on Critical Infrastructure Protection
Executive Order 13010 )

Air Force Lt. Gen. Kenneth Minihan, head of the ultrasecretive National Security
Agency, testified to the same panel that attacks against U.S. networks were
occurring "every day." "We are only seeing the tip of the iceberg," he said. "Even
when attacks are detected and reported, we rarely know who the attacker was."

Tenet identified potential cyberattackers as comprising everyone from foreign
nations' intelligence and militaries to guerrilla forces, criminals, industrial
competitors, hackers, and disgruntled people. -- Reuters News Service

Commentary : While it was difficult to find and verify the existence of this group,
it appears that this was the beginning of the largest organized federal monitoring
effort of cybercitizens ever assembled - exceeding the FBI's efforts in the '60s ...
and a direct parallel to the White House 'plumber's group' which was composed
of the President, Vice President, Henry Kissinger, Chairman of the Joint Chiefs
of Staff, heads of various federal agencies, top White House aides, etc. - which
existed secretly as a 'networking group' meeting weekly in the White House
basement some years before the famous 'Watergate' break-in took place ( and known
by Greg Davis and others beforehand ... )

Since this press release to hundreds of cybercitizens on the 19th, daily news
events have shown the 'infrastructure problem' being promoted to the Senate,
and the media ... 'we are in danger' - CIA and NSA says ... propaganda ???


Below is the current internet user tracking which led to this discovery :


"Welcome to *1245* links -- latest new users are : "



73's radioman

fedwatch@hotmail.com
radioman@seasurf.com

http://seasurf.com/~radioman

:{


^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^


WASHINGTON, DC, U.S.A., 1997 OCT 24
(Newsbytes) -- By Bill Pietrucha.



The US Defense Department's unclassified computer systems are as susceptible
to hacking as commercial and other civilian computer systems and networks,
according to the director of the National Security Agency (NSA), who
predicted the number of attacks will double this year from the more than
250 break-ins in 1996.

NSA Director US Air Force Lt. Gen. Kenneth Minihan told the Association
of Former Intelligence Officers' annual convention that more than 250
unclassified Defense Department computer systems were "penetrated" last
year, a number which could double in 1997.

Minihan's remarks underscored a classified report released to the White
House this past Monday by the President's Commission on Critical
Infrastructure Protection (PCCIP), warning that America's infrastructure
is becoming increasingly vulnerable to the risk of computer attack.

The NSA director's remarks noted that the United States relies on
computer networks more than any other country, which increases its
vulnerability to attacks not only from "adversarial nation-states," but
from international terrorists, drug cartels, and organized crime.

According to Minihan, the 1.3 million local area networks in the United
States are being threatened by both network "sniffer" programs, which
monitor online communications, and by "attack" programs which could
disable systems and networks.

"We have evidence that our known network and computer communications
vulnerabilities are being exploited by real-world attackers," Minihan
said. Minihan did not elaborate, nor say who the attackers are or have
been.

Unless the United States increases protection of its computer networks,
Minihan said, the country "will eventually pay for" building its
information infrastructure "on a poor foundation."

The classified PCCIP report echoed Minihan's remarks, concluding that
"infrastructure assurance," particularly in the areas of information and
communications, banking and finance and energy "must be a high priority
for the nation in the Information Age."

"With escalating dependence on information and telecommunications," the
report notes, "our infrastructures no longer enjoy the protection of
oceans and military forces. They are vulnerable in new ways. We must
protect them in new ways."

The report found that the potential for cyber threats on America's
infrastructure is growing, noting that "Today, the right command sent over
a network to a power generating station's control computer could be just
as effective as a backpack full of explosives, and the perpetrator would
be harder to identify and apprehend."

The commission also noted that the rapid growth of a computer-literate
population ensures that increasing millions of people possess the skills
necessary to consider such an attack.

"The wide adoption of public protocols for system interconnection and
the availability of 'hacker tool' libraries make their task easier," the
report says. "While the resources needed to conduct a physical attack have
not changed much recently, the resources necessary to conduct a cyber
attack are now commonplace. A personal computer and a simple telephone
connection to an Internet service provider anywhere in the world are
enough to cause a great deal of harm."

(1997/1024) Reported by Newsbytes News Network

Copyright 1997

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^


President's Commission on Critical Infrastructure Protection

Executive Order 13010

Executive Order 13010, which formed the PCCIP, was signed by President William J. Clinton on July 15, 1996. The original text of the executive order as it was signed on that day is available from the White House Web site.

Executive Order 13010 has been amended three times:

  • On November 13, 1996 by Executive Order 13025,
  • On April 3, 1997 by Executive Order 13041, and
  • On October 11, 1997 by Executive Order 13064

The texts of these amendments are available on another page at this site. Below we have reproduced the text of Executive Order 13010 in its full amended form.

CRITICAL INFRASTRUCTURE PROTECTION

Certain national infrastructures are so vital that their incapacity or destruction would have a debilitating impact on the defense or economic security of the United States. These critical infrastructures include telecommunications, electrical power systems, gas and oil storage and transportation, banking and finance, transportation, water supply systems, emergency services (including medical, police, fire, and rescue), and continuity of government. Threats to these critical infrastructures fall into two categories: physical threats to tangible property ("physical threats"), and threats of electronic, radio-frequency, or computer-based attacks on the information or communications components that control critical infrastructures ("cyber threats"). Because many of these critical infrastructures are owned and operated by the private sector, it is essential that the government and private sector work together to develop a strategy for protecting them and assuring their continued operation.

NOW, THEREFORE, by the authority vested in me as President by the Constitution and the laws of the United States of America, it is hereby ordered as follows:

Section 1. Establishment. There is hereby established the President's Commission on Critical Infrastructure Protection ("Commission").

   (a) Chair. A qualified individual from outside the Federal Government shall be designated by the President from among the members to serve as Chair of the Commission. The Commission Chair shall be employed on a full-time basis.

   (b) Members. The head of each of the following executive branch departments and agencies shall nominate not more than two full-time members of the Commission:

(i) Department of the Treasury;

(ii) Department of Justice;

(iii) Department of Defense;

(iv) Department of Commerce;

(v) Department of Transportation;

(vi) Department of Energy;

(vii) Central Intelligence Agency;

(viii) Federal Emergency Management Agency;

(ix) Federal Bureau of Investigation;

(x) National Security Agency.

One of the nominees of each agency may be an individual from outside the Federal Government who shall be employed by the agency on a full-time basis. Each nominee must be approved by the Steering Committee.

Sec. 2. The Principals Committee. The Commission shall report to the President through a Principals Committee ("Principals Committee"), which shall review any reports or recommendations before submission to the President. The Principals Committee shall comprise the:

(i) Secretary of the Treasury;

(ii) Secretary of Defense;

(iii) Attorney General;

(iv) Secretary of Commerce;

(v) Secretary of Transportation;

(vi) Secretary of Energy;

(vii) Director of Central Intelligence;

(viii) Director of the Office of Management and Budget;

(ix) Director of the Federal Emergency Management Agency;

(x) Assistant to the President for National Security Affairs;

(xi) Assistant to the Vice President for National Security Affairs;

(xii) Assistant to the President for Economic Policy and Director of the National Economic Council; and

(xiii) Assistant to the President and Director of the Office of Science and Technology Policy.

Sec. 3. The Steering Committee of the President's Commission on Critical Infrastructure Protection. A Steering Committee ("Steering Committee") shall oversee the work of the Commission on behalf of the Principals Committee. The Steering Committee shall comprise five members. Four of the members shall be appointed by the President, and the fifth member shall be the Chair of the Commission. Two of the members of the Committee shall be employees of the Executive Office of the President. The Steering Committee will receive regular reports on the progress of the Commission's work and approve the submission of reports to the Principals Committee.

Sec. 4. Mission. The Commission shall: (a) within 30 days of this order, produce a statement of its mission objectives, which will elaborate the general objectives set forth in this order, and a detailed schedule for addressing each mission objective, for approval by the Steering Committee;

   (b) identify and consult with: (i) elements of the public and private sectors that conduct, support, or contribute to infrastructure assurance; (ii) owners and operators of the critical infrastructures; and (iii) other elements of the public and private sectors, including the Congress, that have an interest in critical infrastructure assurance issues and that may have differing perspectives on these issues;

   (c) assess the scope and nature of the vulnerabilities of, and threats to, critical infrastructures;

   (d) determine what legal and policy issues are raised by efforts to protect critical infrastructures and assess how these issues should be addressed;

   (e) recommend a comprehensive national policy and implementation strategy for protecting critical infrastructures from physical and cyber threats and assuring their continued operation;

   (f) propose any statutory or regulatory changes necessary to effect its recommendations; and

   (g) produce reports and recommendations to the Steering Committee as they become available; it shall not limit itself to producing one final report.

Sec. 5. Advisory Committee to the President's Commission on Critical Infrastructure Protection. (a) The Commission shall receive advice from an advisory committee ("Advisory Committee") composed of no more than 20 individuals appointed by the President from the private and public sectors who are knowledgeable about critical infrastructures. The Advisory Committee shall advise the Commission on the subjects of the Commission's mission in whatever manner the Advisory Committee, the Commission Chair, and the Steering Committee deem appropriate.

   (b) A Chair or Co-Chairs shall be designated by the President from among the members of the Advisory Committee.

   (c) The Advisory Committee shall be established in compliance with the Federal Advisory Committee Act, as amended (5 U.S.C. App.). The Department of Defense shall perform the functions of the President under the Federal Advisory Committee Act for the Advisory Committee, except that of reporting to the Congress, in accordance with the guidelines and procedures established by the Administrator of General Services.

Sec. 6. Administration. (a) All executive departments and agencies shall cooperate with the Commission and provide such assistance, information, and advice to the Commission as it may request, to the extent permitted by law.

   (b) The Commission and the Advisory Committee may hold open and closed hearings, conduct inquiries, and establish subcommittees, as necessary.

   (c) Members of the Advisory Committee shall serve without compensation for their work on the Advisory Committee. While engaged in the work of the Advisory Committee, members may be allowed travel expenses, including per diem in lieu of subsistence, as authorized by law for persons serving intermittently in the government service.

   (d) To the extent permitted by law, and subject to the availability of appropriations, the Department of Defense shall provide the Commission and the Advisory Committee with administrative services, staff, other support services, and such funds as may be necessary for the performance of its functions and shall reimburse the executive branch components that provide representatives to the Commission for the compensation of those representatives.

   (e) In order to augment the expertise of the Commission, the Department of Defense may, at the Commission's request, contract for the services of nongovernmental consultants who may prepare analyses, reports, background papers, and other materials for consideration by the Commission. In addition, at the Commission's request, executive departments and agencies shall request that existing Federal advisory committees consider and provide advice on issues of critical infrastructure protection, to the extent permitted by law.

   (f) The Commission shall terminate 1 year and 90 days from the date of this order, unless extended by the President prior to that date. The Principals Committee, the Steering Committee, and the Advisory Committee shall terminate no later than March 15, 1998, and, upon submission of the Commission's report, shall review the report and prepare appropriate recommendations to the President.

   (g) The person who served as Chair of the Commission may continue to be a member of the Steering Committee after termination of the Commission.

Sec. 7. Review of Commission's Report. (a) Upon the termination of the Commission as set out in section 6(f) of this order, certain of the Commission's staff may be retained no later than March 15, 1998, solely to assist the Principals, Steering, and Advisory Committees in reviewing the Commission's report and preparing recommendations to the President. They shall act under the direction of the Steering Committee or its designated agent. The Department of Defense shall continue to provide funding and administrative support for the retained Commission staff.

   (b) Pursuant to Executive Order 12958, I hereby designate the Executive Secretary of the National Security Council to exercise the authority to classify information originally as "Top Secret" with respect to the work of the Commission staff, the Principals Committee, the Steering Committee, the Advisory Committee, and the Infrastructure Protection Task Force.

Sec. 8. Interim Coordinating Mission. (a) While the Commission is conducting its analysis and until the President has an opportunity to consider and act on its recommendations, there is a need to increase coordination of existing infrastructure protection efforts in order to better address, and prevent, crises that would have a debilitating regional or national impact. There is hereby established an Infrastructure Protection Task Force ("IPTF") within the Department of Justice, chaired by the Federal Bureau of Investigation, to undertake this interim coordinating mission.

   (b) The IPTF will not supplant any existing programs or organizations.

   (c) The Steering Committee shall oversee the work of the IPTF.

   (d) The IPTF shall include at least one full-time member each from the Federal Bureau of Investigation, the Department of Defense, and the National Security Agency. It shall also receive part-time assistance from other executive branch departments and agencies. Members shall be designated by their departments or agencies on the basis of their expertise in the protection of critical infrastructures. IPTF members' compensation shall be paid by their parent agency or department.

   (e) The IPTF's function is to identify and coordinate existing expertise, inside and outside of the Federal Government, to:

   (i) provide, or facilitate and coordinate the provision of, expert guidance to critical infrastructures to detect, prevent, halt, or confine an attack and to recover and restore service;

   (ii) issue threat and warning notices in the event advance information is obtained about a threat;

   (iii) provide training and education on methods of reducing vulnerabilities and responding to attacks on critical infrastructures;

   (iv) conduct after-action analysis to determine possible future threats, targets, or methods of attack; and

   (v) coordinate with the pertinent law enforcement authorities during or after an attack to facilitate any resulting criminal investigation.

   (f) All executive departments and agencies shall cooperate with the IPTF and provide such assistance, information, and advice as the IPTF may request, to the extent permitted by law.

   (g) All executive departments and agencies shall share with the IPTF information about threats and warning of attacks, and about actual attacks on critical infrastructures, to the extent permitted by law.

   (h) The IPTF shall terminate no later than 180 days after the termination of the Commission, unless extended by the President prior to that date.

Sec. 9. General. (a) This order is not intended to change any existing statutes or Executive orders.

   (b) This order is not intended to create any right, benefit, trust, or responsibility, substantive or procedural, enforceable at law or equity by a party against the United States, its agencies, its officers, or any person.

   /s/ WILLIAM J. CLINTON

THE WHITE HOUSE,
July 15, 1996.

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^


President's Commission on Critical Infrastructure Protection

Other PCCIP Documents

Executive Order 13025

Executive Order 13025, which amended Executive Order 13010, was signed 13 November 1996 by President Clinton. Below is the text of this order as extracted from the Federal Record, which can be accessed online through the Government Printing Office.

[Federal Register: November 18, 1996 (Volume 61, Number 223)]
[Presidential Documents]
[Page 58623]

Executive Order 13025 of November 13, 1996

Amendment to Executive Order 13010, the President's Commission on Critical Infrastructure Protection

By the authority vested in me as President by the Constitution and the laws of the United States of America, and in order to amend Executive Order 13010, it is hereby ordered as follows:

Section 1. The first sentence of section 1(a) of Executive Order 13010 shall read "A qualified individual from outside the Federal Government shall be designated by the President from among the members to serve as Chair of the Commission."

Sec. 2. The second and third sentences of section 3 of Executive Order 13010 shall read "The Steering Committee shall comprise five members. Four of the members shall be appointed by the President, and the fifth member shall be the Chair of the Commission. Two of the members of the Committee shall be employees of the Executive Office of the President."

Sec. 3. The first sentence of section 5 of Executive Order 13010 shall be amended by deleting "ten" and inserting "15" in lieu thereof.

(Presidential Sig.)

THE WHITE HOUSE,
November 13, 1996.

[FR Doc. 96-29597
Filed 11-15-96; 8:45 am]
Billing code 3195-01-P

Executive Order 13041

Executive Order 13041, which further amended Executive Order 13010, was signed 3 April 1997 by President Clinton. Below is the text of this order as extracted from the Federal Record, which can be accessed online through the Government Printing Office.

[Federal Register: April 8, 1997 (Volume 62, Number 67)]
[Presidential Documents]
[Page 17037-17039]

Executive Order 13041 of April 3, 1997

Further Amendment to Executive Order 13010, as Amended

By the authority vested in me as President by the Constitution and the laws of the United States of America, and in order to add the Assistant to the President for Economic Policy and the Assistant to the President and Director, Office of Science and Technology Policy to the Principals Committee of the President's Commission on Critical Infrastructure Protection ("Commission") and to extend the life of the Commission for an additional 90 days, it is hereby ordered that Executive Order 13010, as amended, is further amended by adding (1) "(xii) Assistant to the President for Economic Policy and Director of the National Economic Council; and (xiii) Assistant to the President and Director of the Office of Science and Technology Policy." to section 2 of that order and (2) "and 90 days" after "1 year" in section 6(f) of that order.

(Presidential Sig.)

THE WHITE HOUSE,
April 3, 1997.

[FR Doc. 97-9200
Filed 4-7-97; 11:11 am]
Billing code 3195-01-P

Executive Order 13064

On October 11, 1997, Executive Order 13010 was amended for a third time by Executive Order 13064. Below is the text of this order as extracted from the Federal Record, which can be accessed online through the Government Printing Office.

[Federal Register: October 16, 1997 (Volume 62, Number 200)]
[Presidential Documents]
[Page 53711]
[DOCID:fr16oc97-165]

Executive Order 13064 of October 11, 1997

Further Amendment to Executive Order 13010, as Amended, Critical Infrastructure Protection

By the authority vested in me as President by the Constitution and the laws of the United States of America, and in order to provide for the review of the report by the President's Commission on Critical Infrastructure Protection, it is hereby ordered that Executive Order 13010, as amended, is further amended as follows:

Section 1. Section 5(a), as amended, shall be further amended by deleting "15" and inserting "20" in lieu thereof and by deleting "sector" and inserting "and public sectors" in lieu thereof. Section 5(b) shall be amended by inserting "or Co-Chairs" after "Chair".

Sec. 2. Section 6(f), as amended, shall be further amended by deleting ", the Principals Committee, the Steering Committee, and the Advisory Committee" and by inserting a second sentence, which shall read: "The Principals Committee, the Steering Committee, and the Advisory Committee shall terminate no later than March 15, 1998, and, upon submission of the Commission's report, shall review the report and prepare appropriate recommendations to the President." Section 6, as amended, shall be further amended by inserting the following:

   "(g) The person who served as Chair of the Commission may continue to be a member of the Steering Committee after termination of the Commission."

Sec. 3. A new section 7 shall be inserted, which reads:

   "Sec. 7. Review of Commission's Report. (a) Upon the termination of the Commission as set out in section 6(f) of this order, certain of the Commission's staff may be retained no later than March 15, 1998, solely to assist the Principals, Steering, and Advisory Committees in reviewing the Commission's report and preparing recommendations to the President. They shall act under the direction of the Steering Committee or its designated agent. The Department of Defense shall continue to provide funding and administrative support for the retained Commission staff.

   (b) Pursuant to Executive Order 12958, I hereby designate the Executive Secretary of the National Security Council to exercise the authority to classify information originally as "Top Secret" with respect to the work of the Commission staff, the Principals Committee, the Steering Committee, the Advisory Committee, and the Infrastructure Protection Task Force."

Sec. 4. Sections 7 and 8 of Executive Order 13010, as amended, shall be renumbered sections 8 and 9, respectively.

(Presidential Sig.)

THE WHITE HOUSE,
October 11, 1997.

[FR Doc. 97-27644
Filed 10-15-97; 8:45 am]
Billing code 3195-01-P

Classification Authority

[Federal Register: March 3, 1997 (Volume 62, Number 41)]
[Presidential Documents]
[Page 9349]

Order of February 26, 1997

Designation Under Executive Order 12958

Pursuant to the provisions of section 1.4 of Executive Order 12958 of April 17, 1995, entitled "Classified National Security Information," I hereby designate the following additional official to classify information originally as "Top Secret":

   The Chair, President's Commission on Critical Infrastructure Protection.

The Chair of the President's Commission on Critical Infrastructure Protection, established under Executive Order 13010 of July 15, 1996, shall exercise the authority to classify information originally as "Top Secret" during the existence of the Commission.

Any delegation of this authority shall be in accordance with section 1.4(c) of Executive Order 12958.

This order shall be published in the Federal Register.

(Presidential Sig.)

THE WHITE HOUSE,
February 26, 1997.

[FR Doc. 97-5308
Filed 2-28-97; 8:45 am]
Billing code 3195-01-P

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^


REPORT SUMMARY

The President's Commission on Critical Infrastructure Protection

This report summary is also available in a formatted Acrobat version (30k). The report itself is also available at this Web site.

Critical Foundations

Thinking Differently

"Our responsibility is to build the world of tomorrow by embarking on a period of construction -- one based on current realities but enduring American values and interests..."

President William J. Clinton
National Security Strategy

Introduction

The United States is in the midst of a tremendous cultural change -- a change that affects every aspect of our lives. The cyber dimension promotes accelerating reliance on our infrastructures and offers access to them from all over the world, blurring traditional boundaries and jurisdictions. National defense is not just about government anymore, and economic security is not just about business. The critical infrastructures are central to our national defense and our economic power, and we must lay the foundations for their future security on a new form of cooperation between the private sector and the federal government.

The federal government has an important role to play in defense against cyber threats -- collecting information about tools that can do harm, conducting research into defensive technologies, and sharing defensive techniques and best practices. Government also must lead and energize its own protection efforts, and engage the private sector by offering expertise to facilitate protection of privately owned infrastructures.

In the private sector, the defenses and responsibilities naturally encouraged and expected as prudent business practice for owners and operators of our infrastructures are the very same measures needed to protect against the cyber tools available to terrorists and other threats to national security.

Venues for Change

Terrorist bombings of US forces in Saudi Arabia, the World Trade Center in New York City, and the federal building in Oklahoma City remind us that the end of the Cold War has not eliminated threats of hostile action against the United States.

In recognition of comparable threats to our national infrastructures, President Clinton signed Executive Order 13010 on July 15, 1996, establishing the President's Commission on Critical Infrastructure Protection. The Commission was chartered to conduct a comprehensive review and recommend a national policy for protecting critical infrastructures and assuring their continued operation.

Our Process -- Who We Are and What We Did

Composition and Operation of the Commission

This was an unusually large commission with broad representation from federal departments and agencies and from the private sector. An Advisory Committee of industry leaders appointed by the President provided the perspective of the infrastructure owners and operators. A Steering Committee, composed of the Commission's Chairman and four top government officials, oversaw the Commission's work on behalf of the Principals Committee, which included Cabinet Officers, heads of agencies, and senior White House staff members.

The Commission generally operated by consensus. Every recommendation was discussed at length with the full Commission and most were revised several times before final approval. No Commissioner agreed completely with all of the recommendations. Nevertheless, each accepted the final report as a reasonable and balanced recommendation to the President.

Sector Studies

The Commission divided its work into five "sectors" based on the common characteristics of the included industries. The sectors are:

  1. Information and Communications
  2. Banking and Finance
  3. Energy, Including Electrical Power, Oil and Gas
  4. Physical Distribution
  5. Vital Human Services

The Commission characterized the sectors, studied their vulnerabilities, and looked for solutions.

We prepared comprehensive working papers for each of the five sectors providing specific recommendations. Other work contains the results of deliberations on issues that are not sector specific. Among them is a paper on Research and Development Recommendations, which outlines a comprehensive set of topics regarding the long term needs of infrastructure protection. The paper on National Structures contains our conclusions and recommendations about the functions and responsibilities for infrastructure assurance and the creation of new units in the federal government and the private sector, and some that are jointly staffed by government employees and representatives of the infrastructure owners and operators. The paper on Shared Infrastructures: Shared Threats is our collected analysis of the vulnerabilities and threats facing the critical infrastructures. We recognize the enormous significance of physical threats, but we have a significant amount of experience in dealing with them. It is the cyber threat that is new. Cyber issues dominate this analysis because networked information systems present fundamentally new security challenges.

Public Hearings and Outreach

We conducted extensive meetings with a range of professional and trade associations concerned with the infrastructures, private sector infrastructure users and providers, academia, different state and local government agencies, consumers, federal agencies, and numerous others. Of special interest were five public meetings in major cities.

We attended dozens of conferences and roundtables with a variety of groups, and we arranged two strategic simulations with participants drawn from across the infrastructures and from all levels of government. We encouraged questions and comments by anyone, and established a World Wide Web site to facilitate contact. Several meetings with Congressional Members and their staffs added a very useful perspective to our research.

Development of our Critical Issues

During the preparation of the sector papers we identified several dozen issues for which recommendations might be appropriate. Each issue was described, relevant observations, findings, and conclusions were collected, and several alternative recommendations were prepared. The Commission then deliberated each issue and selected one of the alternative recommendations.


We Found

Increasing Dependence on Critical Infrastructures

The development of the computer and its astonishingly rapid improvements have ushered in the Information Age that affects almost all aspects of American commerce and society. Our security, economy, way of life, and perhaps even survival, are now dependent on the interrelated trio of electrical energy, communications, and computers.

Increasing Vulnerabilities

Classical physical disruptions. A satchel of dynamite or a truckload of fertilizer and diesel fuel has been a frequent terrorist tool. The explosion and the damage are so certain to draw attention that these kinds of attacks continue to be among the probable threats to our infrastructures.

New, cyber threats. Today, the right command sent over a network to a power generating station's control computer could be just as effective as a backpack full of explosives, and the perpetrator would be harder to identify and apprehend.

The rapid growth of a computer-literate population ensures that increasing millions of people possess the skills necessary to consider such an attack. The wide adoption of public protocols for system interconnection and the availability of "hacker tool" libraries make their task easier.

While the resources needed to conduct a physical attack have not changed much recently, the resources necessary to conduct a cyber attack are now commonplace. A personal computer and a simple telephone connection to an Internet Service Provider anywhere in the world are enough to cause a great deal of harm.

System complexities and interdependencies. The energy and communications infrastructures especially are growing in complexity and operating closer to their designed capacity. This creates an increased possibility of cascading effects that begin with a rather minor and routine disturbance and end only after a large regional outage. Because of their technical complexity, some of these dependencies may be unrecognized until a major failure occurs.
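The cascading-effect finding above is easy to state and hard to feel until one watches it happen. The following is an added illustration, not a model from the Commission's report: a toy dependency graph in which a component that fails sheds the load it carried onto its surviving downstream neighbours, and any neighbour pushed past its design capacity fails in turn. The graph, the capacities and the utilization figures are constructed for the example; the point it shows is that the same single, minor failure stays local when the system has slack and takes down everything when the system is run close to capacity.

```python
# Constructed dependency graph (assumption, not from the report). A link
# X -> Y means that when X fails, the load X was carrying is shared out
# among X's surviving downstream neighbours (a load-redistribution cascade).
LINKS = {
    "A": ["B", "C"],
    "B": ["D"],
    "C": ["D"],
    "D": ["E"],
    "E": [],
}
# Every component has the same design capacity in this toy model.
CAPACITY = {node: 100.0 for node in LINKS}


def loads_at(capacity, utilization):
    """Loads when every component carries the same fraction of its capacity."""
    return {node: round(cap * utilization, 6) for node, cap in capacity.items()}


def cascade(capacity, load, links, initial_failures):
    """Propagate failures until no further component is overloaded.

    A component fails when the load shifted onto it by failed upstream
    neighbours exceeds its capacity. Returns the set of failed components.
    """
    load = dict(load)                      # do not mutate the caller's dict
    failed = set(initial_failures)
    frontier = list(initial_failures)
    while frontier:
        node = frontier.pop()
        survivors = [n for n in links.get(node, []) if n not in failed]
        if survivors:
            share = load[node] / len(survivors)
            for n in survivors:
                load[n] += share
                if load[n] > capacity[n]:
                    failed.add(n)
                    frontier.append(n)
        load[node] = 0.0                   # a failed component carries nothing
    return failed


def critical_utilization(links, capacity, initial_failures, step=0.01):
    """Lowest uniform utilization at which the initial failure spreads
    beyond the components that failed first; None if it never spreads."""
    u = step
    while u <= 1.0:
        failed = cascade(capacity, loads_at(capacity, u), links, initial_failures)
        if len(failed) > len(set(initial_failures)):
            return round(u, 2)
        u = round(u + step, 10)
    return None


if __name__ == "__main__":
    for u in (0.60, 0.95):
        failed = cascade(CAPACITY, loads_at(CAPACITY, u), LINKS, ["A"])
        print(f"utilization {u:.0%}: A fails -> {sorted(failed)} down")
    print("cascade begins at utilization", critical_utilization(LINKS, CAPACITY, ["A"]))
```

The model is deliberately crude (uniform loads, pure load shedding, no operator intervention), so the numbers mean nothing for any real grid; what carries over is the shape of the result, a sharp threshold rather than a gradual degradation, which is why a dependency that "may be unrecognized until a major failure occurs" is worth mapping before the failure.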

A Wide Spectrum of Threats

Of the many people with the necessary skills and resources, some may have the motivation to cause substantial disruption in services or destruction of the equipment used to provide the service.

This list of the kinds of threats we considered shows the scope of activity with potentially adverse consequences for the infrastructures, and the diversity of people who might engage in that activity. It may not be possible to categorize the threat until the perpetrator is identified -- for example, we may not be able to distinguish industrial espionage from national intelligence collection.

Natural events and accidents. Storm-driven wind and water regularly cause service outages, but the effects are well known, the providers are experienced in dealing with these situations, and the effects are limited in time and geography.

Accidental physical damage to facilities is known to cause a large fraction of system incidents. Common examples are fires and floods at central facilities and the ubiquitous backhoe that unintentionally severs pipes or cables.

Blunders, errors, and omissions. By most accounts, incompetent, inquisitive, or unintentional human actions (or omissions) cause a large fraction of the system incidents that are not explained by natural events and accidents. Since these usually only affect local areas, service is quickly restored; but there is potential for a nationally significant event.

Insiders. Normal operation demands that a large number of people have authorized access to the facilities or to the associated information and communications systems. If motivated by a perception of unfair treatment by management, or if suborned by an outsider, an "insider" could use authorized access for unauthorized disruptive purposes.

Recreational hackers. For an unknown number of people, gaining unauthorized electronic access to information and communication systems is a most fascinating and challenging game. Often they deliberately arrange for their activities to be noticed even while hiding their specific identities. While their motivations do not include actual disruption of service, the tools and techniques they perfect among their community are available to those with hostile intent.

Criminal activity. Some are interested in personal financial gain through manipulation of financial or credit accounts or stealing services. In contrast to some hackers, these criminals typically hope their activities will never be noticed, much less attributed to them. Organized crime groups may be interested in direct financial gain, or in covering their activity in other areas.

Industrial espionage. Some firms can find reasons to discover the proprietary activities of their competitors, by open means if possible or by criminal means if necessary. Often these are international activities conducted on a global scale.

Terrorism. A variety of groups around the world would like to influence US policy and are willing to use disruptive tactics if they think that will help.

National intelligence. Most, if not all, nations have at least some interest in discovering what would otherwise be secrets of other nations for a variety of economic, political, or military purposes.

Information warfare. Both physical and cyber attacks on our infrastructures could be part of a broad, orchestrated attempt to disrupt a major US military operation or a significant economic activity.

Lack of Awareness

We have observed that the general public seems unaware of the extent of the vulnerabilities in the services that we all take for granted, and that within government and among industry decision-makers, awareness is limited. Several have told us that there has not yet been a cause for concern sufficient to demand action.

We do acknowledge that this situation seems to be changing for the better. The public news media seem to be carrying relevant articles more frequently; attendance at conferences of security professionals is up; and vendors are actively introducing new security products.

The Commission believes that the actions recommended in this report will increase sensitivity to these problems and reduce our vulnerabilities at all levels.

No National Focus

Related to the lack of awareness is the need for a national focus or advocate for infrastructure protection. Following up on our report to the President, we need to build a framework of effective deterrence and prevention.

This is not simply the usual study group's lament that "no one is in charge." These infrastructures are so varied, and form such a large part of this nation's economic activity, that no one person or organization can be in charge. We do not need, and probably could not stand, the appointment of a Director of Infrastructures. We do need, and recommend, several more modest ways to create and maintain a national focus on the issues.

Protection of our infrastructures will not be accomplished by a big federal project. It will require continuous attention and incremental improvement for the foreseeable future.


We Concluded

Life on the information superhighway isn't much different from life on the streets; the good guys have to hustle to keep the bad guys from getting ahead.

Rules Change in Cyberspace -- New Thinking is Required

It is not surprising that infrastructures have always been attractive targets for those who would do us harm. In the past we have been protected from hostile attacks on the infrastructures by broad oceans and friendly neighbors. Today, the evolution of cyber threats has changed the situation dramatically. In cyberspace, national borders are no longer relevant. Electrons don't stop to show passports.

Potentially serious cyber attacks can be conceived and planned without detectable logistic preparation. They can be invisibly reconnoitered, clandestinely rehearsed, and then mounted in a matter of minutes or even seconds without revealing the identity and location of the attacker.

Formulas that carefully divide responsibility between foreign defense and domestic law enforcement no longer apply as clearly as they used to. "With the existing rules, you may have to solve the crime before you can decide who has the authority to investigate it." [1]

We Should Act Now to Protect our Future

The Commission has not discovered an imminent attack or a credible threat sufficient to warrant a sense of immediate national crisis. However, we are quite convinced that our vulnerabilities are increasing steadily while the costs associated with an effective attack continue to drop. What is more, the investments required to improve the situation are still relatively modest, but will rise if we procrastinate.

We should attend to our critical foundations before the storm arrives, not after: Waiting for disaster will prove as expensive as it is irresponsible.

Infrastructure Assurance is a Shared Responsibility

National security requires much more than military strength. Our world position, our ability to influence others, our standard of living, and our own self-image depend on economic prosperity and public confidence. Clear distinctions between foreign and domestic policy no longer serve our interests well.

At the same time, the effective operation of our military forces depends more and more on the continuous availability of infrastructures, especially communications and transportation, that are not dedicated to military use.

While no nation state is likely to attack our territory or our armed forces, we are inevitably the target of ill will and hostility from some quarters. Disruption of the services on which our economy and well-being depend could have significant effects, and if repeated frequently could seriously harm public confidence. Because our military and private infrastructures are becoming less and less separate, because it is harder to tell whether a threat comes from local criminals or from foreign powers, and because the techniques of protection, mitigation, and restoration are largely the same, we conclude that responsibility for infrastructure protection and assurance can no longer be delegated on the basis of who the attacker is or where the attack originates. Rather, the responsibility should be shared cooperatively among all of the players.


We Recommend

A Broad Program of Awareness and Education

Because of our finding that the public in general and many industry and government leaders are insufficiently aware of the vulnerabilities, we have recommended a broad and continuous program of awareness and education to cover all possible audiences. We include White House conferences, National Academy studies, presentations at industry associations and professional societies, development and promulgation of elementary and secondary curricula, and sponsorship of graduate studies and programs.

Infrastructure Protection through Industry Cooperation and Information Sharing

We believe the quickest and most effective way to achieve a much higher level of protection from cyber threats is to raise the level of existing protection through application of "best practices." We have accordingly recommended a sector-by-sector cooperation and information sharing strategy. In general, these sector structures should be partnerships among the owners and operators, and appropriate government agencies, which will identify and communicate best practices. We have especially asked the National Institute of Standards and Technology (NIST) and the National Security Agency (NSA) to provide technical skills and expertise required to identify and evaluate vulnerabilities in the associated information networks and control systems.

One very effective practice is a quantitative risk-management process, addressing physical attacks, cyber attacks that could corrupt essential information or deny service, the possibility of cascading effects, and new levels of interdependency.

The first focus of sector cooperation should be to share information and techniques related to risk management assessments. This should include development and deployment of ways to prevent attacks, mitigate damage, quickly recover services, and eventually reconstitute the infrastructure.

We suggest consideration of these immediate actions prior to the completion of a formal risk assessment:

  1. Isolate critical control systems from insecure networks by disconnection or adequate firewalls;
  2. Adopt best practices for password control and protection, or install more modern authentication mechanisms;
  3. Provide for individual accountability through protected action logs or the equivalent.
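The third immediate action, individual accountability through "protected action logs", is the one most often implemented badly: an operator log that the operator (or anyone who compromises the operator's console) can edit or delete does not provide accountability. Below is an added example, not code from the report or from any named product, of a tamper-evident log in which each entry carries an HMAC over its own fields and the MAC of the previous entry, so that altering, inserting or removing an entry breaks the chain. The key, operator names and actions are constructed for the example. One caveat the code makes explicit: a hash chain on its own cannot detect removal of the newest entries, so the MAC of the latest entry must also be anchored somewhere the system being logged cannot reach (a separate log host, a printer, or a periodic signed digest).

```python
import hashlib
import hmac
import json

# Constructed demo key (assumption). In a real deployment the key would be
# held by the log collector or an HSM, never on the host whose actions it
# records; otherwise an intruder on that host can re-MAC a rewritten log.
LOG_KEY = b"constructed-demo-key-do-not-reuse"

GENESIS = "0" * 64   # "previous MAC" of the very first entry


def _mac(key, seq, actor, action, prev):
    # Canonical JSON so the MAC covers exactly the fields verify() checks.
    msg = json.dumps([seq, actor, action, prev], separators=(",", ":")).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def append(log, actor, action, key=LOG_KEY):
    """Append one operator action, chained to the previous entry's MAC."""
    seq = len(log)
    prev = log[-1]["mac"] if log else GENESIS
    entry = {
        "seq": seq,
        "actor": actor,
        "action": action,
        "prev": prev,
        "mac": _mac(key, seq, actor, action, prev),
    }
    log.append(entry)
    return entry


def verify(log, key=LOG_KEY, anchor=None):
    """Check the chain; return (True, None) or (False, index_of_first_bad_entry).

    `anchor` is the MAC of the newest entry as recorded off-host. Without
    it, an attacker who deletes entries from the tail leaves a chain that
    is still internally consistent, so truncation goes unnoticed.
    """
    prev = GENESIS
    for i, e in enumerate(log):
        if e["seq"] != i or e["prev"] != prev:
            return False, i                        # gap, reorder or splice
        expected = _mac(key, e["seq"], e["actor"], e["action"], e["prev"])
        if not hmac.compare_digest(expected, e["mac"]):
            return False, i                        # entry contents altered
        prev = e["mac"]
    if anchor is not None and not hmac.compare_digest(prev, anchor):
        return False, len(log)                     # tail removed or replaced
    return True, None


def build_sample_log():
    """Constructed sequence of control-room actions for the demonstration."""
    log = []
    for actor, action in [
        ("operator-a", "open breaker 12"),
        ("operator-b", "raise setpoint unit 3 to 45"),
        ("operator-a", "close breaker 12"),
    ]:
        append(log, actor, action)
    return log


if __name__ == "__main__":
    log = build_sample_log()
    anchor = log[-1]["mac"]
    print("intact:", verify(log))
    edited = [dict(e) for e in log]
    edited[1]["actor"] = "operator-a"              # blame shifted to someone else
    print("actor rewritten:", verify(edited))
    truncated = log[:-1]
    print("tail deleted, no anchor:", verify(truncated))
    print("tail deleted, with anchor:", verify(truncated, anchor=anchor))
```

Two design points carry over to any real implementation: the MAC must cover the link to the previous entry (a per-entry MAC alone lets an attacker delete or reorder entries freely), and verification must use a constant-time comparison so that the verifier itself does not leak the expected MAC byte by byte.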

The sector cooperation and information sharing needed to improve risk assessments and to protect against probable attacks may naturally develop into sharing of information on current status. This would permit assessing whether one of the infrastructures is under a coordinated attack -- physical, cyber, or combined. As this process develops, the national center for analysis of such information should be in place and ready to cooperate.

Reconsideration of Laws Related to Infrastructure Protection

Law has failed to keep pace with technology. Some laws capable of promoting assurance are not as clear or effective as they could be. Still others can operate in ways that may be unfriendly to security concerns. Sorting them all out will be a lengthy and massive undertaking, involving efforts at local, state, federal, and international levels. Recognizing the dynamic nature of legal reform, we attempted to lay a foundation through various studies, papers, and a legal authorities database that can aid eventual implementation of our recommendations and assist owners, operators, and government at all levels.

We also offered a number of preliminary legal recommendations intended to jump-start this process of reform. We identified existing laws that could help the government take the lead and serve as a model of standards and practices for the private sector. We identified other areas of law which, with careful attention, can enable infrastructure owners and operators to take precautions proportionate to the threat. We identified still other areas of law that should be molded to enable a greater degree of government-industry partnership in areas such as information sharing.

A Revised Program of Research and Development

The Commission believes that some of the basic technology needed to improve infrastructure protection already exists, but needs to be widely deployed. In other areas, additional research effort is needed.

At the same time the Commission recognizes that we are not now able to deploy several capabilities that we need. We have, therefore, recommended a program of research and development focused on those future capabilities. Among them are new capabilities for detection and identification of intrusion and improved simulation and modeling capability to understand the effects of interconnected and fully interdependent infrastructures.

A National Organization Structure

In order to be effective, recommendations must discuss not only what is to be done, but how it will get done and who will do it. We have recommended the following partnering organizations be established to be responsible for specific parts of our vision:

Sector Coordinators to provide the focus for industry cooperation and information sharing, and to represent the sector in matters of national cooperation and policy;

Lead Agencies, designated within the federal government, to serve as a conduit from the government into each sector and to facilitate the creation of sector coordinators, if needed;

National Infrastructure Assurance Council of industry CEOs, Cabinet Secretaries, and representatives of state and local government to provide policy advice and implementation commitment;

Information Sharing and Analysis Center to begin the step-by-step process of establishing a realistic understanding of what is going on in our infrastructures -- of distinguishing actual attack from coincidental events;

Infrastructure Assurance Support Office to house the bulk of the national staff which is responsible for continuous management and follow-through of our recommendations; and

Office of National Infrastructure Assurance as the top-level policy making office connected closely to the National Security Council and the National Economic Council.


Conclusion

It is clear to us that infrastructure assurance must be a high priority for the nation in the Information Age. With escalating dependence on information and telecommunications, our infrastructures no longer enjoy the protection of oceans and military forces. They are vulnerable in new ways. We must protect them in new ways. And that is what we recommend in this report.

The public and private sectors share responsibility for infrastructure protection. Our recommendations seek to provide structures for the partnership needed to assure our future security. Further, they seek to define new ways for approaching infrastructure assurance -- ways that recognize the new thinking required in the Information Age, the new international security environment emerging from our victory in the Cold War and both the promise and danger of technology moving at breakneck speed.

We do not so much offer solutions as directions -- compass headings that will help navigate through a new geography and ensure the continuity of the infrastructures that underpin America's economic, military, and social strength.


Endnotes

1. Senator Sam Nunn, remarks to the PCCIP Advisory Committee. Washington, DC, September 7, 1997.

This report summary is also available in a formatted Acrobat version (30k). The report itself is also available at this Web site.

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
