[House Hearing, 113 Congress]
[From the U.S. Government Publishing Office]
INVESTIGATING AND PROSECUTING 21ST CENTURY CYBER THREATS
=======================================================================
HEARING
BEFORE THE
SUBCOMMITTEE ON CRIME, TERRORISM,
HOMELAND SECURITY, AND INVESTIGATIONS
OF THE
COMMITTEE ON THE JUDICIARY
HOUSE OF REPRESENTATIVES
ONE HUNDRED THIRTEENTH CONGRESS
FIRST SESSION
__________
MARCH 13, 2013
__________
Serial No. 113-14
__________
Printed for the use of the Committee on the Judiciary
Available via the World Wide Web: http://judiciary.house.gov
U.S. GOVERNMENT PRINTING OFFICE
79-878 WASHINGTON : 2013
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing Office,
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center, U.S. Government Printing Office. Phone 202-512-1800, or 866-512-1800 (toll-free). E-mail, [email protected].
COMMITTEE ON THE JUDICIARY
BOB GOODLATTE, Virginia, Chairman
Majority:
F. JAMES SENSENBRENNER, Jr., Wisconsin
HOWARD COBLE, North Carolina
LAMAR SMITH, Texas
STEVE CHABOT, Ohio
SPENCER BACHUS, Alabama
DARRELL E. ISSA, California
J. RANDY FORBES, Virginia
STEVE KING, Iowa
TRENT FRANKS, Arizona
LOUIE GOHMERT, Texas
JIM JORDAN, Ohio
TED POE, Texas
JASON CHAFFETZ, Utah
TOM MARINO, Pennsylvania
TREY GOWDY, South Carolina
MARK AMODEI, Nevada
RAUL LABRADOR, Idaho
BLAKE FARENTHOLD, Texas
GEORGE HOLDING, North Carolina
DOUG COLLINS, Georgia
RON DeSANTIS, Florida
KEITH ROTHFUS, Pennsylvania
Minority:
JOHN CONYERS, Jr., Michigan
JERROLD NADLER, New York
ROBERT C. ``BOBBY'' SCOTT, Virginia
MELVIN L. WATT, North Carolina
ZOE LOFGREN, California
SHEILA JACKSON LEE, Texas
STEVE COHEN, Tennessee
HENRY C. ``HANK'' JOHNSON, Jr., Georgia
PEDRO R. PIERLUISI, Puerto Rico
JUDY CHU, California
TED DEUTCH, Florida
LUIS V. GUTIERREZ, Illinois
KAREN BASS, California
CEDRIC RICHMOND, Louisiana
SUZAN DelBENE, Washington
JOE GARCIA, Florida
HAKEEM JEFFRIES, New York
Shelley Husband, Chief of Staff & General Counsel
Perry Apelbaum, Minority Staff Director & Chief Counsel
------
Subcommittee on Crime, Terrorism, Homeland Security, and Investigations
F. JAMES SENSENBRENNER, Jr., Wisconsin, Chairman
LOUIE GOHMERT, Texas, Vice-Chairman
Majority:
HOWARD COBLE, North Carolina
SPENCER BACHUS, Alabama
J. RANDY FORBES, Virginia
TRENT FRANKS, Arizona
JASON CHAFFETZ, Utah
TREY GOWDY, South Carolina
RAUL LABRADOR, Idaho
Minority:
ROBERT C. ``BOBBY'' SCOTT, Virginia
PEDRO R. PIERLUISI, Puerto Rico
JUDY CHU, California
LUIS V. GUTIERREZ, Illinois
KAREN BASS, California
CEDRIC RICHMOND, Louisiana
Caroline Lynch, Chief Counsel
Bobby Vassar, Minority Counsel
CONTENTS
----------
MARCH 13, 2013
OPENING STATEMENTS
The Honorable F. James Sensenbrenner, Jr., a Representative in Congress from the State of Wisconsin, and Chairman, Subcommittee on Crime, Terrorism, Homeland Security, and Investigations
The Honorable Robert C. ``Bobby'' Scott, a Representative in Congress from the State of Virginia, and Ranking Member, Subcommittee on Crime, Terrorism, Homeland Security, and Investigations
The Honorable Bob Goodlatte, a Representative in Congress from the State of Virginia, and Chairman, Committee on the Judiciary
The Honorable John Conyers, Jr., a Representative in Congress from the State of Michigan, and Ranking Member, Committee on the Judiciary
WITNESSES
Jenny S. Durkan, United States Attorney, Western District of Washington, U.S. Department of Justice
Oral Testimony
Prepared Statement
John Boles, Deputy Assistant Director, Cyber Division, Federal Bureau of Investigation, U.S. Department of Justice
Oral Testimony
Prepared Statement
Robert Holleyman, President and CEO, BSA, The Software Alliance
Oral Testimony
Prepared Statement
Orin S. Kerr, Fred C. Stevenson Research Professor, George Washington University Law School
Oral Testimony
Prepared Statement
LETTERS, STATEMENTS, ETC., SUBMITTED FOR THE HEARING
Material submitted by the Honorable Robert C. ``Bobby'' Scott, a Representative in Congress from the State of Virginia, and Ranking Member, Subcommittee on Crime, Terrorism, Homeland Security, and Investigations
Material submitted by the Honorable Bob Goodlatte, a Representative in Congress from the State of Virginia, and Chairman, Committee on the Judiciary
Prepared Statement of the Honorable Bob Goodlatte, a Representative in Congress from the State of Virginia, and Chairman, Committee on the Judiciary
Prepared Statement of the Honorable John Conyers, Jr., a Representative in Congress from the State of Michigan, and Ranking Member, Committee on the Judiciary
INVESTIGATING AND PROSECUTING 21ST CENTURY CYBER THREATS
----------
WEDNESDAY, MARCH 13, 2013
House of Representatives
Subcommittee on Crime, Terrorism,
Homeland Security, and Investigations
Committee on the Judiciary
Washington, DC.
The Subcommittee met, pursuant to call, at 11:35 a.m., in
room 2237, Rayburn Office Building, the Honorable F. James
Sensenbrenner, Jr. (Chairman of the Subcommittee), presiding.
Present: Representatives Sensenbrenner, Goodlatte, Gohmert,
Coble, Forbes, Franks, Chaffetz, Gowdy, Scott, Conyers, Chu,
and Richmond.
Staff present: (Majority) Caroline Lynch, Chief Counsel;
Sam Ramer, Counsel; Alicia Church, Clerk; (Minority) Bobby
Vassar, Minority Counsel, and Joe Graupensperger, Counsel.
Mr. Sensenbrenner. Because the President is coming to
address the Republican Conference of the House, this hearing
will end at 1:00 sharp. So would everybody please make note of
that and judge their time accordingly?
I would like to welcome everybody to the first hearing of
the Subcommittee, acknowledge the Ranking Member, the gentleman
from Virginia, Mr. Scott, and also welcome the full Committee
Chair, Mr. Goodlatte.
Today's hearing will investigate our focus on how America
investigates and prosecutes 21st century cyber threats. The
United States has been the subject of the most coordinated and
sustained computer attacks the world has ever seen. Rival
nations, particularly China, have been invading corporate
computer systems and stealing intellectual property at an
increasing rate.
Spying between governments has always been a fact of life,
but in the digital age the spying is more pervasive and harder
to guard against. The systematic and strategic theft of
intellectual property by foreign governments threatens one of
America's most valuable commodities, our innovation and hard
work.
In 2011, the American Superconductor Corporation supplied
sophisticated software for wind turbines to Sinovel, a giant
Chinese wind turbine corporation. When American engineers went
to China to repair a wind turbine, they discovered that Chinese
wind turbines were already using a stolen version of the
American software. Worse, the Chinese company had complete
access to the American company's proprietary source code.
Because they possessed this important code, the Chinese did not
need the American Superconductor Corporation anymore.
A few months later, Sinovel abruptly began turning away
shipments. On April 5, 2011, the American Superconductor
Corporation had no choice but to announce that Sinovel, its
biggest customer, accounting for more than two-thirds of the
company's $315 million in revenue in 2010, had stopped making
purchases. The result for the American company: investors fled,
erasing 40 percent of the company's value in a single day, and
84 percent of its value by September 2011.
This week, the Obama Administration has finally increased
public pressure on Chinese cyber spying. On Monday, the
President's national security advisor announced what the media
has called the White House's most aggressive response to a
series of military-style hacks of American corporations.
Describing the problem as a key point of concern in discussion
at all levels of government, Mr. Donilon said Beijing should
take serious steps to investigate and put a stop to these
activities. I agree.
The fact that such mild comments have been termed the
Administration's most aggressive ever may be part of the
problem. When one country decides to advance its economy by
stealing our intellectual property, we must do more than simply
ask Beijing to investigate. Make no mistake. Sinovel stole
hundreds of millions of dollars from the American
Superconductor Corporation. This is a company that received
over $20 million in stimulus money from U.S. taxpayers. But far
from demanding our $20 million, the Administration's strongest
rebuke has been to ask that Beijing take serious steps to
investigate.
We simply cannot outsource the fight against cybercrime to
international diplomacy. The theft of valuable intellectual
property is a serious strategic threat to the American economy,
and it must be treated as such by U.S. law enforcement.
Congress has repeatedly addressed the issue of cybercrime.
In 2000 or in 1986, Congress implemented the Computer Fraud and
Abuse Act as a tool for law enforcement to combat computer
crimes. As computer crimes continue to evolve, so, too, has the
CFAA, which Congress has amended eight times since its
enactment. It may be time for Congress to augment and approve
the CFAA and other criminal statutes to enable law enforcement
to combat international criminal enterprises.
The Administration has taken initial steps to address the
growing cyber threat. We applaud the Administration for its
efforts, but it remains to be seen whether these steps will
actually work.
Today the Committee will look at the criminal laws and
investigative tools to combat cybercrime. We will determine
what changes can be made to our criminal laws to more
effectively combat and deter the cyberattacks we are enduring.
We will discuss what protection can be provided for the privacy
of Americans through data breach notification laws, and we will
discuss what steps can be taken by this Committee to protect
the intellectual property and sensitive government information
that hackers in foreign governments seek to obtain.
As we saw from China's cyberattack on Google and other
companies, America's edge in innovation and technical
superiority can be compromised by competing countries that make
theft of intellectual property a national strategy. I look
forward to hearing more about this issue and thank all of our
witnesses for participating in today's hearing.
It is now my pleasure to recognize for his opening
statement the Ranking Member of the Subcommittee, the gentleman
from Virginia, Mr. Scott.
Mr. Scott. Thank you, Mr. Chairman.
Mr. Chairman, because of our growing reliance on Internet
and computer networks, I welcome today's hearing to examine the
cyber threats we face and to discuss how we can better protect
ourselves against them.
This hearing comes at a time when there's a rise in the
disparity of cyber threats, and so an update of our computer
crime statutes may have to be considered. It is critical that
we work together on this effort with the Members of Congress,
Administration, with the business community, and with private
advocates to find ways to enhance the security of our
government information systems, business computer systems, and
our personal use of the Internet.
And while it is the job of Congress to evaluate and update
our laws in response to changing circumstances, we have to be
careful that any changes we make will actually improve the law,
and not just ratchet up penalties in an exercise of sound bite
politics. Often the problem is a lack of enforcement,
investigation, and prosecution, and so penalties become
irrelevant if a case is not even investigated in the first
place.
This is particularly important in the case of the Computer
Fraud and Abuse Act, a law whose breadth of scope and sometimes
questionable application has already generated concern by
citizens and narrowing by the courts. In the last Congress, we
met to discuss many of these same issues, and the cyber threats
of course remain an urgent issue of national economic and
personal security. At that time, I raised concerns about one
provision in the proposed law, and that was the mandatory
minimum sentencing for certain crimes of damaging political
critical infrastructure computers.
This Committee has heard a lot of testimony on mandatory
minimums. They have been found to waste the taxpayers' money,
do nothing about crime, and often result in sentences that are
violative of common sense. This Committee has recently also
focused on the issue of federalism, so we have to be concerned
about whether the Computer Fraud and Abuse Act appropriately
focuses on behavior that we all believe rises to the level of
Federal criminal liability.
That statute was originally enacted to deal with intrusions
into computers, what we now call hacking, and since that time
we have extended the scope of the law on several occasions,
which has led to expansive use in recent years, which have
generated concerns on both sides of the aisle. I hope we can
work together to address those concerns.
Mr. Chairman, we know that criminals target computers and
cyber networks of individual companies and our government. That
is why we have to enhance the protective measures that we take
at every level to prevent cyber intrusions. I applaud the
President's resolve to work with industry to better resolve our
critical infrastructure. His executive order will improve the
sharing of information with industry and establish a framework
for best practices to help companies step up cyber protection.
As in every area of crime policy, public safety demands
that we engage in level-headed efforts to identify and
implement comprehensive evidence-based solutions, and I hope we
can do that in this case.
Before I close, Mr. Chairman, I ask unanimous consent that
a letter signed by 20 Internet companies expressing their
concerns about the scope of the current Computer Fraud and
Abuse Act be entered into the record.
Mr. Sensenbrenner. Without objection.
[The information referred to follows:]
__________
Mr. Sensenbrenner. And it is now my pleasure to recognize
for his opening statement the Chairman of the full Committee,
the gentleman from Virginia, Mr. Goodlatte.
Mr. Goodlatte. Thank you, Mr. Chairman. I very much
appreciate your holding this hearing, and I will submit my full
statement for the record in order to save a little time for our
witnesses. But I do want to make a few points.
First of all, yesterday, and I would submit these for the
record, the Secret Service launched an investigation of the
alleged hacking of private information of Vice President Joe
Biden, First Lady Michelle Obama, FBI Director Robert Mueller,
Attorney General Eric Holder, and many others. And the
President yesterday also acknowledged that hacking of personal
data is a big problem.
Mr. Sensenbrenner. Without objection, the material will be
entered.
[The information referred to follows:]
__________
Mr. Goodlatte. Thank you. But that is just the beginning of
this problem. Cyber intrusions are just the tip of the iceberg.
In November 2011, the National Counterintelligence Executive,
the agency responsible for countering foreign spying on the
U.S. government, issued a report that hackers and illicit
programmers in China and Russia are pursuing American
technology and industrial secrets, jeopardizing an estimated $400
billion in U.S. research spending.
According to the report, China and Russia view themselves
as strategic competitors of the United States, and are the most
aggressive collectors of U.S. economic information and
technology.
Further, in January of this year, the New York Times
reported it has been the victim of a sustained cyberattack
by Chinese hackers. Shortly afterward, the Wall Street Journal
and Washington Post also reported they, too, had been breached
by similar sources. The Times commissioned a report from
Mandiant, a private investigative agency which traced the
cyberattacks to a unit of the Chinese People's Liberation Army.
According to the report, the Chinese are engaged in massive
cyber spying on the American industrial base and in areas the
Chinese are trying to develop for their own national purposes.
Earlier this year, the Administration issued a
cybersecurity executive order and presidential directive aimed
at helping secure America's cyber networks. The executive order
is a first step toward protecting our public and private
networks from attack, but Congress can and must do more. The
Judiciary Committee is responsible for ensuring that our
Federal criminal laws keep pace with the ever-evolving cyber
landscape. Our challenge is to create a legal structure that
protects the invaluable government and private information that
hackers seek to exploit while allowing the freedom of thought
and expression that made this country great.
I would submit the rest of my statement for the record, and
I thank the Chairman.
[The prepared statement of Mr. Goodlatte follows:]
Prepared Statement of the Honorable Bob Goodlatte, a Representative in
Congress from the State of Virginia, and Chairman, Committee on the
Judiciary
Thank you, Chairman Sensenbrenner.
The 21st century has brought us a more connected, inter-dependent
world. The Internet and portable computer systems make it possible for
people, businesses and governments to interact on a global level never
seen before.
The United States, with its bounty of personal freedom and free
enterprise, is a leader in advancing the technology that enables us to
stay in touch almost everywhere with almost everyone.
However, our technological advancement also makes the United States
increasingly vulnerable to cyber attacks--from routine cyber crimes to
nation-state espionage. Earlier this week, we all heard about the high
profile cyber breach that exposed sensitive personal and financial
information about high-ranking government officials and celebrities
from FBI Director Mueller and Attorney General Holder to Beyonce and
Donald Trump. The truth is that all citizens are vulnerable to these
kinds of cyber attacks.
We are also currently experiencing a profound cyber-spying conflict
on the nation-state level. Most Americans are familiar with the
Wikileaks case, which resulted in the public disclosure of hundreds of
thousands of secret State Department cables. And many of us are
familiar with the cyber attack on the Chamber of Commerce, in which
Chinese hackers gained access to the files on the Chamber's 3 million
member companies.
But these cyber intrusions are just the tip of the iceberg. In
November, 2011, the National Counterintelligence Executive, the agency
responsible for countering foreign spying on the U.S. government,
issued a report that hackers and illicit programmers in China and
Russia are pursuing American technology and industrial secrets,
jeopardizing an estimated $398 billion in U.S. research spending.
According to the report, ``China and Russia view themselves as
strategic competitors of the United States and are the most aggressive
collectors of U.S. economic information and technology.'' The report
drew on 2009-2011 data from at least 13 agencies, including the Central
Intelligence Agency and the Federal Bureau of Investigation.
And in January of this year, the New York Times reported it has
been the victim of a sustained cyber attack by Chinese hackers. Shortly
afterward, the Wall Street Journal and the Washington Post also
reported they too had been breached by similar sources. The Times
commissioned a report from Mandiant, a private investigative agency,
which traced the cyber attacks to a unit of the Chinese People's
Liberation Army. According to the report, the Chinese are engaged in
massive cyber spying on the American industrial base and in areas the
Chinese are trying to develop for their own national purposes.
Earlier this year, the Administration issued a cyber security
Executive Order and Presidential Directive aimed at helping secure
America's cyber networks. The Executive Order is a first step towards
protecting our public and private networks from attack. But Congress
can and must do more. The Judiciary Committee is responsible for
ensuring that our federal criminal laws keep pace with the ever-
evolving cyber landscape.
Our challenge is to create a legal structure that protects the
invaluable government and private information that hackers seek to
exploit, while allowing the freedom of thought and expression that made
this country great. One thing is clear: cyber attacks can have
devastating consequences for citizens, private industry and America's
national security and should be treated just as seriously as more
traditional crimes by our criminal justice system.
The risks to our national infrastructure, our national wealth, and
our citizens are profound, and we must protect them. We must not allow
cyber crime to continue to grow and threaten our economy, safety and
prosperity.
__________
Mr. Sensenbrenner. Without objection, the Ranking Member
and Chairman Emeritus of the Committee, the gentleman from
Michigan, Mr. Conyers.
Mr. Conyers. Thank you, Chairman Sensenbrenner.
I would like to welcome the witnesses and note that I am
reintroducing today a bill that I introduced in 2012, July or
August, the Cyber Privacy Fortification Act, which will create
a strong standard for data breach notification, which does not
exist now, and is a great reason for us to be conducting this
hearing. It requires a data breach activity to be made public,
notified to us so that we can measure just what is going on.
Cyberattacks have increased, according to the National
Security Agency, by 44 percent. And many of these attacks are
perpetrated by criminals operating beyond our national
boundaries, intent on stealing our intellectual property,
assessing financial accounts, and compromising our critical
infrastructure.
And so, we have got a problem here, and it is one that I
think this Committee is perfectly suited to handle. And I would
recommend, and I will be looking for discussion on this, the
increasing collaboration necessary between the government and
the private sector on cybersecurity, but not at the expense of
the privacy of innocent citizens. We must not toss aside
existing privacy restrictions to grant the government and law
enforcement unwarranted access to private communications.
The Administration and others have called for private
sector companies to be allowed to share communications in their
possession for the purpose of protecting against cyber threats.
We must require that any additional sharing only be allowed to
occur if information is removed that can be used to identify
persons unrelated to the cybersecurity threat itself.
And then in addressing a recent cybersecurity conference,
FBI Director Mueller emphasized the law enforcement-focused
need for this information is limited to threats and attacks,
not other sensitive information about company secrets or
customers. This must be the condition for enhancing
collaboration between the government and the private sector to
better secure our computer networks.
And finally, the Internet has made the world a smaller
place, and because cyberattacks are often launched outside of
our borders, now more than ever, we need a diplomatic
engagement to increase cooperation between nations and
cybersecurity issues. In other words, diplomacy is going to
have a larger role in this activity.
I submit the rest of my statement, and I yield back to the
Chairman.
Mr. Sensenbrenner. Without objection, the rest of the
statement will be included in the record.
[The prepared statement of Mr. Conyers follows:]
Prepared Statement of the Honorable John Conyers, Jr., a Representative
in Congress from the State of Michigan, and Ranking Member, Committee
on the Judiciary
Good morning. This hearing focuses on a topic that is very
important to the country and this Committee.
Last year, the head of the National Security Agency warned that
cyber attacks had increased by 44%. With the proliferation of these
attacks, especially those perpetrated by criminals operating beyond our
national boundaries intent on stealing our intellectual property,
accessing financial accounts, and compromising our critical
infrastructure, we must take additional steps to protect our cyber
networks.
To start with, we need a strong national requirement for reporting
data breaches. When a company has suffered a cyber attack that has
resulted in the compromise of sensitive information of consumers, they
should report the attack to law enforcement and notify affected
consumers.
As it stands now, there are 47 different state laws with different
data breach notice requirements. This often makes compliance more
complex and difficult than it should be. A national standard should be
strong enough to provide appropriate notice so that individuals may be
on guard against any subsequent identity theft and law enforcement is
able to investigate these intrusions.
That is why I am reintroducing my Cyber Privacy Fortification Act,
which will accomplish this.
Next, we must increase collaboration between the government and the
private sector on cyber security, but not at the expense of the privacy
of innocent citizens. We must not toss aside existing privacy
restrictions to grant the government and law enforcement unwarranted
access to private communications. The Administration and others have
called for private sector companies to be allowed to share
communications in their possession for the purpose of protecting
against cyber threats.
We must require that any additional sharing only be allowed to
occur if information is removed that can be used to identify persons
unrelated to the cyber security threat.
In addressing a recent cyber security conference, FBI Director
Mueller emphasized that law enforcement's focused need for this
information is limited to the threats and attacks, not other sensitive
information about company secrets or customers. This must be the
condition for enhancing collaboration between government and the
private sector to better secure our computer networks.
Finally, now more than ever, we need diplomatic engagement to
strengthen cooperation between nations on cyber security because the
Internet has made the world a smaller place, and because cyber attacks
are often launched from outside our borders. The interconnected nature
of the Internet allows for communication across all borders, but also
allows some cyber criminals to hide from prosecution behind
international boundaries.
Even if we improve our domestic computer crime laws, those laws are
only as effective against international criminals as our ability to
find, investigate, and prosecute them.
The State Department and our federal law enforcement agencies must
take steps to reinforce international relationships so that their
foreign colleagues enhance their capabilities to find and preserve
evidence of cyber crime, extradite criminals to the United States, and
prosecute these criminals in their own courts when extradition is not
possible.
I commend the Crime Subcommittee for discussing this issue, and
with these thoughts in mind, we can better protect our cyber networks
from intrusion while protecting our civil liberties and preserving the
openness of the Internet.
__________
Mr. Sensenbrenner. And without objection, all Members'
opening statements will be included in the record.
We have a very distinguished panel today, and I will begin
by recognizing the gentlewoman from Washington, Ms. DelBene,
who will introduce the first witness.
Ms. DelBene. Thank you, Mr. Chair. It is my pleasure to
introduce Jenny Durkan. Ms. Durkan currently serves as the
United States attorney for the Western District of Washington,
where my district is located. She is the top Federal law
enforcement officer of 19 counties in western Washington. She
was nominated by President Obama in May of 2009 and was
confirmed by unanimous vote of the U.S. Senate on September 29
of 2009.
Ms. Durkan chairs the Attorney General's Advisory
Subcommittee on Cybercrime and Intellectual Property
Enforcement. She is also a member of three other subcommittees:
Terrorism and National Security, Civil Rights, and Native
American Issues.
Ms. Durkan is a Seattle area native who grew up in
Issaquah, Washington, graduated from the University of Notre
Dame, and received her law degree from the University of
Washington.
Thank you, Mr. Chair.
Mr. Sensenbrenner. Before recognizing you, Ms. Durkan, let
me introduce the rest of the members of the panel.
Mr. Boles currently serves as the deputy assistant director
for the cyber division of the FBI, where he oversees FBI cyber
operations and investigations.
He entered on duty with the FBI in Sacramento in 1995,
where he successfully investigated an Internet Ponzi scheme
that defrauded 15,000 victims in 57 countries. In 2009, as
assistant special agent in charge of the San Diego Division, he
oversaw six investigative squads over cyber and white-collar
crime matters, as well as directing the administrative program
from the office.
Mr. Boles was a legal attaché to Kiev, Ukraine in 2003,
where he successfully facilitated the first extradition from
Ukraine to the United States. He served as the special
assistant director, national security branch, and in 2011 was
selected as the special agent in charge of the Norfolk FBI
office.
He is a graduate of the University of Georgia.
Mr. Robert Holleyman serves as president and CEO of BSA,
The Software Alliance. He was also appointed by President
Barack Obama to serve on the Advisory Commission for Trade
Policy and Negotiations, the principal advisory Commission for
the U.S. government on trade matters. He oversaw an innovative
study of cloud computing-related policies around the world, and
is an advocate for breaking down barriers that cloud providers
face when they do business internationally. He also was an
early proponent for policies that promote the widespread
deployment of security technologies and to build public trust
and confidence in cyber space.
He has testified before Congress, the European Commission,
the World Intellectual Property Organization, and other
governing bodies on technology, trade, and economic matters. He
previously served as a counselor and legislative advisor in the
Senate, an attorney in private practice, then a judicial clerk
in the U.S. District Court.
He holds a bachelor's degree from Trinity University in San
Antonio, where he was named distinguished alumnus in 2012, and
received his law degree from Louisiana State University. He
completed the Stanford Executive Program at the Stanford
Graduate School of Business.
Professor Orin Kerr is a professor of law at George
Washington University, where he teaches criminal law, criminal
procedure, and computer crime law. Before joining the faculty
in 2001, Professor Kerr was an honors program trial attorney in
the Computer Crime and Intellectual Property Section of the
criminal division at the Department of Justice, as well as the
special assistant U.S. attorney for the Eastern District of
Virginia.
He is a former law clerk for Justice Anthony Kennedy of the
U.S. Supreme Court and Judge Leonard Garth of the U.S. Court of
Appeals for the 3rd Circuit. In the summer of 2009 and '10, he
served as special counsel for the Supreme Court nominations to
Senator John Cornyn and the Senate Judiciary Committee. He has
also been a visiting professor at the University of Chicago Law
School and the University of Pennsylvania Law School.
He received his bachelor of science degree in engineering
from Princeton, master of science from Stanford, and earned his
juris doctor from Harvard Law School.
Now, each of the witnesses' written testimony will be
entered into the record in its entirety, and I ask that each
witness summarize his or her testimony in 5 minutes or less.
And I am going to be kind of like the chief justice given the
time constraints that we have with the President coming. So
when the little red light appears before you, time is up.
So we will start with you, Ms. Durkan.
TESTIMONY OF JENNY S. DURKAN, UNITED STATES ATTORNEY, WESTERN
DISTRICT OF WASHINGTON, U.S. DEPARTMENT OF JUSTICE
Ms. Durkan. Thank you. Good afternoon, Chairman
Sensenbrenner, Ranking Member Scott, and Members of the
Subcommittee. Thank you for the opportunity to testify before
you this afternoon regarding the investigation and prosecution
of cyber threats to our Nation. I want to thank Congresswoman
DelBene for the introduction and for her service to our
district.
As United States attorney, I see the full range of threats
to our communities and to our Nation. Few things are as
sobering as the daily cyber threat briefing I receive.
Technology is changing our economy and our daily lives. We
have witnessed the rapid growth of wonderful companies,
lifesaving technologies, and the way we connect with others.
Unfortunately, the good guys are not the only innovators. We
have also seen growth in the number and the sophistication of
bad actors exploiting the new technology. Financially motivated
international rings have stolen large quantities of personal
data. Criminal groups develop tools and techniques to disrupt
and damage computer systems. State actors and organized
criminals have demonstrated the desire and the capability to
steal sensitive data, trade secrets, and intellectual property.
One particular area of concern is computer crime that
invades the privacy of individual Americans. Every day,
criminals hunt for our personal and financial data, which they
use to commit fraud or to sell to other criminals. Hackers
perpetrate large-scale data breaches that leave hundreds of
thousands, if not millions, susceptible to identity theft.
The national security landscape has evolved dramatically in
recent years. Although we have not yet experienced a
devastating cyberattack against our critical infrastructure, we
have been victim to a range of malicious cyber activities that
siphon off valuable economic assets and threaten our Nation's
security. There can be no doubt. Cyber threat actors pose
significant risks to our national security and our economic
interests.
Addressing those complex threats requires a unified
approach that incorporates criminal investigative and
prosecutorial tools, civil and national security authorities,
diplomatic tools, public-private partnerships, and
international cooperation. Criminal prosecution, whether here
in the United States or by a partner country, plays a central
and critical role in this collaborative effort. We need to
ensure that throughout the country members of the Department of
Justice who are actively working on these threats have the
investigative resources and forensic capabilities to deal with
these challenges, and we appreciate the support this Committee
has given in this regard.
To meet these challenges, the Department has organized
itself to ensure that we are in a position to aggressively
investigate and prosecute cybercrime wherever it occurs. The
criminal division's Computer Crime and Intellectual Property
Section works with a nationwide network of over 300 Assistant
United States Attorneys designated as our computer hacking and
intellectual property prosecutors. They lead our efforts in
this area.
Similarly, the Department's National Security Division is
organized to ensure that we are aggressively investigating
national security cyber threats through a variety of means.
These include counterespionage and counterterrorism
investigations and prosecutions.
Recognizing the diversity of the national security cyber
threats and the need for a coordinated approach, the Department
established last year a National Security Cyber Specialist
Network. It brings together the Department's full range of
expertise on national security-related cyber matters, drawing
on experts from the National Security Division, the Criminal
Division, U.S. attorney offices, and other department
components to make sure that we have a centralized resource for
prosecutors and agents around the country.
Our efforts have led to a number of enforcement successes,
two of which I will highlight later. But I will say that in our
district we have been able to bring these prosecutions very
successfully, and have made a difference for our citizens and
for our businesses.
Thank you.
[The prepared statement of Ms. Durkan follows:]
__________
Mr. Sensenbrenner. Thank you very much.
Mr. Boles.
TESTIMONY OF JOHN BOLES, DEPUTY ASSISTANT DIRECTOR, CYBER
DIVISION, FEDERAL BUREAU OF INVESTIGATION, U.S. DEPARTMENT OF
JUSTICE
Mr. Boles. Good morning, Chairman Sensenbrenner and
distinguished Members of the Subcommittee. I appreciate the
opportunity to be here today to talk to you about the cyber
threat and how we are going about it with our partners to
combat it.
As the Subcommittee is aware, the number and sophistication
of cyberattacks against our Nation's private sector and the
government networks has increased dramatically over the recent
years, and it is expected to continue.
We see four primary adversaries in the cyber world: spies
who seek to steal our secrets and our intellectual property,
organized criminals who want to steal our identities and our
money, terrorists who would like to attack our critical
infrastructure, and hacktivist groups who are trying to make a
political or a social statement through the use of the
Internet. The bottom line here is that we are losing data,
money, ideas, and innovation to a wide range of cyber
adversaries.
FBI Director Mueller has stated that he expects the cyber
threat to surpass the terrorism threat in our Nation in the
coming years. That is why we are strengthening our cyber
capabilities, much in the same way that we enhanced our
intelligence and our national security capabilities in the wake
of 9/11.
The FBI recognized the significance of the cyber threat
more than a decade ago, and in response the FBI developed a
number of techniques to go after a strategy for responding to
it. We created the Cyber Division. We elevated the cyber threat
to our number three national priority behind only
counterintelligence and counterterrorism. We significantly increased our
hiring of technically-trained agents, analysts, and forensic
specialists, and we have expanded our partnerships with law
enforcement, private industry, and academia.
We have made progress since the cyber division was first
created in 2002. Back then, we viewed it as a success when we
were able to recognize that networks were being attacked. Just
the fact that we saw it and recognized it was part of our
success. So the next 8 or 9 years, attribution, which is
knowing who is responsible for the attack on our computers and
our networks, was considered the level of success, and we got
very good at tracking the Internet protocol address or the IP
addresses back to their source to determine who was
responsible.
Now, we can often tell when the networks are being breached
and are able to determine who is doing it. So the question now
becomes as we move forward in this, is what are we going to do
about it, or, how are we going to take action on this
information that we have gathered.
The perpetrators of these attacks are often overseas, and
in the past tracking an IP back to a source in a foreign
country, it usually led to a dead end investigatively. Since
then we have embedded cyber agents with law enforcement in
several key countries, including Estonia, Ukraine, the
Netherlands, and Romania. And we have worked with some of these
countries to extradite subjects from their countries to stand
trial in the United States.
As I described in my written statement, the prime example
of international collaboration came in the 2011 take down of
Rove Digital, a company that was founded by a ring of Estonian
and Russian criminals to commit a massive Internet fraud
scheme. Seven of these have since been indicted in the Southern
District of New York, two of which have been extradited to the
United States now and are in U.S. custody, and one pled guilty
last month.
While we are proud of this and our other successes, we are
continuing to push ourselves so that we can respond more
rapidly and prevent attacks before they occur. Over the past
year, under our current legal authorities and with our
government partners, we successfully warned potential victims
before an attack has occurred. They were then able to use that
information to shore up their network defenses and combat the
attack.
As we go into now our next move here will be the next
generation of cyber, and these have all come apart as our
initiative to drive forward in the next gen. Next gen cyber
entails a wide range of measures, including focusing the cyber
division specifically on computer intrusion networks as opposed
to crimes committed with the computers being the modality,
hiring additional computer scientists to assist with the
technical investigations at FBI field offices, and expanding
our partnerships in collaboration with the National Cyber
Investigative Joint Task Force, or the NCIJTF.
Briefly, the NCIJTF is a compendium of 19 agencies who work
together in a collaborative and information sharing environment
so that we can almost in real time share information back and
forth across the cyber threat.
So the next step of that, of course, is our private sector
outreach. We consider that as an important and as our next step
for our whole of government team approach in combatting
cybercrime. Now, we have reached into the industry, developed
expertise with them, and are sharing as rapidly at unseen rates
than we have seen in the past. We now realize that the
information flow must go both ways, where in the past we have
taken information and not necessarily given them back
actionable intelligence. We have now actionable intelligence.
We have now rectified that, and in developing our partnership,
we are able to make that information flow go in both
directions.
So in conclusion, Mr. Chairman, to counter the threats that
we face, we are engaging in an unprecedented level of
collaboration within the U.S. government, with the private
sector, and with international law enforcement. We look forward
to continuing these partnerships and expanding them with the
Committee and with Congress.
And thank you very much. I look forward to your questions.
[The prepared statement of Mr. Boles follows:]
__________
Mr. Sensenbrenner. Thank you.
Mr. Holleyman.
TESTIMONY OF ROBERT HOLLEYMAN, PRESIDENT AND CEO, BSA, THE
SOFTWARE ALLIANCE
Mr. Holleyman. Mr. Chairman, Ranking Member Scott, Members
of the Subcommittee, there are more than 400 million strains of
malicious computer code in the world today, and their most
frequent targets are here in the United States. And this costs
American citizens and businesses well over $100 billion a year,
and the losses are mounting.
So I would like to recommend and outline a policy approach
that BSA believes can help us address the nature of the threats
that we face. It has three principal elements: first, promoting
real time information sharing; second, strengthening law
enforcement tools and resources; and third, supporting
cybersecurity research and development.
On the issue of promoting real time information sharing, we
know that to prevent cyberattacks, we need to be able to
identify threats in real time, and the best way to do that is
to let IT professionals share information. And when companies
and government agencies detect threats, they need to tell each
other.
Unfortunately there are legal barriers and commercial
disincentives that stand in the way when the private sector
tries to share information with the government. First, there are
liability concerns whenever you share commercial data, and,
second, there is a risk of exposing trade secrets. And BSA
believes that we need legislation that promotes information
sharing by addressing these issues, and we need to do that in a
way that carefully balances privacy and civil liberties
concerns.
Secondly, we believe that we need to strengthen law
enforcement tools and resources. Identifying emerging threats
is important, but it is not nearly enough. We also need to
enhance our ability to deter criminal behavior with effective
law enforcement. We should not be overzealous in prosecuting
people for innocent mistakes or minor infractions, but we in
the government need tools and resources that send a strong
message that there will be appropriate punishment for serious
cybercrimes.
Third, the last element we need to do is to create
something that is really fundamental that is elemental. We need
to recognize that technology innovation is the best tool to
combat long-term cyber threats, and BSA believes that we need a
robust national R&D plan that involves technology companies,
involves technologists within the governments, to develop the
resources to take our technologies and our practices and
improve our country's overall cybersecurity policy.
Now, the issue of data breach notification has come up as
well, and we appreciate Mr. Conyers' statement this morning. We
know that we will never be completely risk-free or eliminate
all the risks of cyberattacks. But as a separate, but related,
matter to cybersecurity legislation, we also believe we should
clarify how and when to notify people when a breach compromises
their personal information.
Today there are 47 States that have their own laws, and BSA
supports replacing that patchwork with a well-crafted Federal
law that simplifies compliance for businesses, but also ensures
the proper notices when there is a breach of sensitive personal
information.
And lastly, when Congress is working on cybersecurity
legislation, we also do that knowing that the Administration is
beginning to implement the President's recent executive order.
And we are encouraged by the emphasis that order places on
innovation, and we welcome the Administration's plan to improve
coordination of cybersecurity policy and increased information
sharing from the government to industry. And these measures
must embody principles that everyone can embrace.
But it will take congressional oversight to ensure that the
order is implemented effectively. And as the Administration
develops the framework it envisions for protecting critical
infrastructure, it will be especially important to forge a
close partnership with industry. We believe that NIST should
have a lead role in that, and done well, there is an
opportunity for the framework to serve as a model for best
practices that can be extended beyond just critical
infrastructure.
So I appreciate the opportunity to testify today. BSA looks
forward to working with this Committee and Congress to upgrade
America's cyber readiness. Thank you.
[The prepared statement of Mr. Holleyman follows:]
__________
Mr. Sensenbrenner. Thank you, Mr. Holleyman.
Professor Kerr.
TESTIMONY OF ORIN S. KERR, FRED C. STEVENSON RESEARCH
PROFESSOR, GEORGE WASHINGTON UNIVERSITY LAW SCHOOL
Mr. Kerr. Mr. Chairman, Ranking Member Scott, and Members
of the Subcommittee, thank you for the invitation to testify
this morning.
The Computer Fraud and Abuse Act is the primary Federal
computer crimes statute, and its main prohibition is on
unauthorized access to a computer. A year and a half ago, the
Subcommittee had a relatively similar hearing to that today,
and at that time I testified about some of the recent court
decisions which had adopted a very broad interpretation of the
Computer Fraud and Abuse Act, not only punishing what we would
think of as hacking, breaking into a system, but also violating
the terms of use on a computer, doing something contrary to an
employer's interest while using a computer, and the like.
And I warned about the implications of that broad
interpretation of the Computer Fraud and Abuse Act. Everyone
agrees that the law should punish serious computer crimes, but
I hope we would also agree that the law should not punish
completely innocent activity, the kind of innocent activity
that most Americans engage in every day might be violating
terms of use on a Web site. That is that little language that
nobody reads off to the corner that everybody blows by when
they go to use a Web site or an Internet service. It should not
be that violating those terms of service is a crime. Some
Federal circuits have, in fact, indicated that that is the
case.
And a lot has changed, though, in the last 18 months since
the last hearing. In the 9th Circuit, the en banc 9th Circuit
in United States v. Nosal, concluded that the Computer Fraud
and Abuse Act does not apply to breach of employer restrictions
on access to a computer, and is relegated only to sort of
classic breaking into a machine, what we might call hacking or
we think of as hacking, what the court called circumventing a
technological access barrier.
Also in 2012, the 4th Circuit decided a case, concluding
that an employee that acts in a way disloyal to an employer
while using the employer's network is not violating the
Computer Fraud and Abuse Act, creating a disagreement between
the decision of the 4th Circuit and another decision of the 7th
Circuit, which it indicated that that would be a Federal crime.
So right now, the state of the law in the lower courts
interpreting this critical phrase of this critical statute, the
Computer Fraud and Abuse Act, is essentially in disarray. There
are circuits that are all over the map in terms of just
figuring out what this prohibition means, what is this statute
that has been on the books for 25 years.
So I think this Committee basically has two choices. One is
to do nothing and let the Supreme Court figure it out. There is
a circuit split. That means usually the Supreme Court at some
point will step in and resolve the uncertainty and either pick
the narrow view of the statute, or the broad view of the
statute, or something in between, or Congress could act and
actually clarify which interpretation of the statute is the
right one.
I think this Congress should act. This is a question
ultimately of what Congress wants to prohibit, and I think the
best approach is for Congress to enact the narrow view of the
Computer Fraud and Abuse Act, essentially codifying the rule of
the 9th Circuit, United States v. Nosal, that what this statute
does is prohibit breaking into a computer.
We are not meeting here because we are worried about
individuals breaching terms of service. We are not worried
about employees of companies checking Facebook on company time.
We are worried about people hacking into critical
infrastructure, people accessing United States' secrets that
are stored on computers from abroad. Those are problems which
would be prosecuted and criminalized under any interpretation
of the Computer Fraud and Abuse Act. But I think it is
essential that Congress narrow the statute and expressly adopt
this narrow view rather than just wait for the Supreme Court to
try to figure it out.
We do not know what would happen if the Supreme Court took
this case, and in all likelihood, no matter what the Supreme
Court would do, we would probably be back here to try to figure
out what the law should look like because there are hard cases to
be dealt with on either side.
In particular, imagine the Supreme Court adopts the narrow
view of the statute and says that the Computer Fraud and Abuse
Act only prohibits classic hacking into a network. In that
case, there is the problem of insiders. They are given access
to the network, but they essentially steal secrets and then
send them to somebody else or use them in some nefarious way or
maybe give them to a foreign government. We of course need to
make sure that that is prohibited as well.
And there are statutory authorities that can do that, for
example, the Theft of Trade Secrets Statute is available in
those situations. But also we could amend the Interstate
Transportation of Stolen Property Act, which is used to deal
with the transferring of stolen property in the case of
physical property. The Justice Department has tried
unsuccessfully to use that statute to prosecute stolen
information. The 2nd Circuit has said that is not a fair
interpretation of the statute, and that could be amended to
make sure the insider threat is dealt with.
Thank you. I look forward to your questions.
[The prepared statement of Mr. Kerr follows:]
__________
Mr. Sensenbrenner. Thank you very much. Because of the time
constraints, the Chair will withhold his questions until the
end if there is time remaining.
And the Chair recognizes the gentleman from Arizona, Mr.
Franks, to start the questions.
Mr. Franks. Well, thank you, Mr. Chairman. And thank all of
you for being here today. I do not envy your jobs. It is
difficult when you are trying to marry highly esoteric
technological issues with very precise legal enforcement and
prosecution issues. So it is a difficult challenge.
And it so happens that I am new on this Committee, so my
primary familiarity with cybersecurity issues is on the
Strategic Forces Committee where there is a national security
component. And of course, it is an issue of the first
magnitude.
So my first question is to you, Mr. Boles. Given that some
type of commercial cyber intrusion carries with it one set of
concerns, and national security carries with it a whole
different set of concerns.
Are there different protocols or more latitude in existing
law when you are doing what is necessary to protect our
critical systems from national security threats or threats that
have a national security nexus as opposed to the commercial
intrusions?
Mr. Boles. Thank you, sir. That leads right into why I
spoke briefly about the next generation of cyber initiative.
And one of the things that we have seen, that we have
implemented in the change of that initiative is putting all
tools in the toolbox. We recognize that in the cyber world,
crimes are essentially without borders, as one of the gentlemen
said, that the world has gotten smaller, crimes without
borders. And it is often difficult to tell at the outset is it
criminal or is it national security oriented.
So one of the things that we, working with the DoJ partners
and with our other law enforcement partners, is how do we bring
all the tools to the toolbox to combat the threat? So, for
example, if it is a nation-state actor who is attempting
economic espionage and stealing trade secrets, that then may
enhance their national economy and/or structure. Is that
criminal? Is it national security? I would say that it is both,
and we have both sets of tools that we can bring to it.
So it gives us a wide latitude. It makes us a much more
nimble law enforcement community to go after and combat these
threats by being able to put the appropriate tool against the
appropriate threat.
Mr. Franks. But once you identify whether it is a national
security threat or it is simply a commercial threat, do you
have a different set of criteria in the law as it is now to
combat those, or are they treated essentially the same as far
as your tools to respond?
Mr. Boles. Again, I will tell you it sounds a little bit
like I am going to hedge on you, but I am not. The fact of the
matter is that by having both sides in the toolbox, we have
kind of melded the two protocols together.
So what that means is, let us say, for example, we
determine that it is, in fact, a straight national security, you
know, intrusion or theft, you know. How can we go about
disrupting that? Part of the next generation cyber initiative
is to identify the hands on the keyboard, you know, the skin
behind the screen, and how do we go after them and disrupt
that? So that is through criminal prosecution? Is that through
working with our intelligence partners and our foreign partners
overseas to disrupt in other manner or shutting off access?
It is a multitude of options that are open to us by doing
that. So I would tell you that the protocols, by going to the
all tools approach, actually gives us access to both protocols
through the entirety of the investigation.
Mr. Franks. What would you suggest to this Committee, if we
were to apportion our concern for each of those two things I
mentioned, commercial intrusion as opposed to those threats
that have a national security nexus.
When you identify these threats, what would you suggest
would be the proportion, I mean, how much under attack from
your point of view, and we are familiar with it in some of the
security committees. But from your point of view in the FBI,
what would you suggest is the state of the union here as far as
our protection from national security cyber threats? Do you
think that we are facing pretty significant challenges?
Mr. Boles. We are absolutely facing significant challenges.
Mr. Franks. That was a leading question.
Mr. Boles. Yes, it was. [Laughter.]
Mr. Franks. I am very familiar with just how serious they
are in some ways. And I guess I would like to put something on
your radar. It is not really in the form of a question, but I
am concerned, and we are concerned on some of the security
committees that intentional electromagnetic interference may
someday be or EMP may be our ultimate cybersecurity threat in
terms of a national security destructive to try to disrupt our
systems. And I would hope that we would have that on the radar.
I realize that is a little ways down the road, but perhaps not
as far as it should be.
And I appreciate all of you for what you are doing. You are
kind of the front line of freedom, even though people do not
see you and appreciate it.
Thank you, Mr. Chairman.
Mr. Sensenbrenner. The time of the gentleman has expired.
The gentleman from Virginia, Mr. Scott.
Mr. Scott. Thank you, Mr. Chairman. And I would like to
follow through on that same line of questioning, but I would
like Ms. Durkan to respond with the various levels of
seriousness. First, will the Administration have a
recommendation to address the concerns that Professor Kerr
pointed out that there is a split in the circuits on
interpretation. Do we have a recommendation on how to deal with
that split in the circuits?
Ms. Durkan. Thank you, Ranking Member Scott. As we have
said in other forums, we believe that there needs to be some
clarification to the law in terms of particularly what exceeds
authorized access is. But we think that what we need to make
sure is that there are a number of insiders who have access to
very valuable and confidential information, and we have to make
sure that we still have the law enforcement necessary to
protect against that threat.
Mr. Scott. Well, do you have a legislative recommendation?
Ms. Durkan. We do not have a specific legislation
recommendation, but we are willing to work with your staff and
provide technical assistance to reach those goals.
Mr. Scott. Are there any other elements of the crime that
need clarification?
Ms. Durkan. There are additional ones that need clarification.
I think that in our last year's proposal, we had how the
difference between felonies, and misdemeanors, and previous
offenses. And so, I think we can look at those issues.
But I think that you are right, and it has been said before
is the nature of the threat is evolving rapidly, and it ranges
everything from the consumers whose private data is threatened
by hackers to the national security threats. We at the
Department of Justice have to deal with that full range of
threats, and so the important thing for us right now is not to
create greater gaps in the law, but to ensure we have the tools
that we need.
Mr. Scott. In your statement, you mentioned that judges
would still, of course, make sentencing decisions on a case by
case basis. Should we infer from that that the Administration
will not have any mandatory minimums in its recommendations?
Ms. Durkan. We are not recommending mandatory minimums in
these recommendations. The judicial discretion, as you know, is
very important for the judge to be able to determine what level
of penalty is important.
I want to emphasize the Department does that at each stage
of prosecutions as well, whether an investigation is merited in
the first place, whether charges should be brought, and then
what plea or what sentence is appropriate.
Mr. Scott. Well, we do not have to scour the
recommendations for mandatory minimums, so we will assume that
they are not there. Is that a fair assumption?
Ms. Durkan. Yes, sir.
Mr. Scott. And a lot of these crimes, there are overseas
connections to some of these crimes. Does that create
jurisdictional problems that we need to address legislatively?
Ms. Durkan. There may be some legislative fix. We need to
do that. The Department has already taken some steps on the
international front. It is more and more important, more of
these cyber cases. For example, in my district we recently
prosecuted a case where a small business in
Seattle was hacked by someone who was in Maryland, who traded
the card information he got to a Dutch citizen living in
Romania, who then sold them to someone in Los Angeles.
We were able to bring the person in Maryland, who has been
prosecuted and convicted, as well as extradite the person from
Romania charges pending against Los Angeles.
So international cooperation is key, and we are working on
many fronts to make sure we have the most robust system
possible.
Mr. Scott. Are any legislative changes needed to help you
in that regard?
Ms. Durkan. There may be some. There was one proposal that
we had that was approved in the previous budget that gave us
additional resources abroad, what we call our iChip Center,
national cyber prosecutors, who can assist our foreign partners
to make sure that we gather the evidence we need to bring the
people and extradite them to America.
Mr. Scott. Well, that brings me to my next question. A lot
of this is resources and investigation. You have got these
things in a statute. It is just a matter of priorities. This
Committee has looked at things like ID theft where consumer ID
theft cases are not brought because you just do not have the
resources, organized retail theft for those cases are not
investigated because of resources or funding. And somebody
fails a background check on a gun purchase, nothing is done
because you do not have the resources.
I guess, Mr. Boles, if you focus more on cybercrime, do you
have enough resources to do the other things you need to do?
And as part of that, what effect will the sequester have on
your ability to continue doing your work?
Mr. Boles. I keep going back to the next gen cyber, and that
was one of our functions and one of our driving forces in that.
So the Cyber Division focuses entirely on intrusions and
pushing forward for the high tech solution, but part of that
was that we have also added impact and emphasis on the
traditional cyber--I am sorry.
Mr. Sensenbrenner. You can continue your sentence.
[Laughter.]
Mr. Boles. Okay. Under traditional cybercrime, much like on
the ID theft, sir.
Mr. Sensenbrenner. The time of the gentleman has expired.
The gentleman from Michigan, Mr. Conyers.
Mr. Conyers. Thank you very much. Members of the panel,
most of our serious computer hacking threats come from other
countries. Can any of you discuss with me and make a point
about how we can better identify, stop, and prosecute these
attacks?
Your recollection of what happened in another case is very
compelling because we want to improve the law protecting
against cybercrime. And the whole idea of this hearing is to
identify where we should be going.
I think I have about the only general law on cyber privacy,
which I introduced last year and will reintroduce today. And so
I would appreciate, and the comments that have been made and
any that may be added to this discussion.
Who would like to volunteer?
Ms. Durkan. I can address some of that, Congressman.
First, I want to be clear. While the international cyber
threat is growing and complex, we have a lot of homegrown cyber
actors as well. In my district, we regularly prosecute people
who are located right in our district who are able to do a
significant amount of damage to both individual consumers and
to businesses.
With regards to your privacy legislation, obviously we have
not had the opportunity to review it yet. We look forward to
doing so and working with the staff of the Committee. I will
say that it has always been the position of the Department of
Justice that all legislative proposals should carefully balance
both the need to deter and hold accountable the bad actors with
consumer privacy and civil rights, as well as making sure we
have the adequate public-private partnerships. And so we look
forward to working with you on that bill.
Mr. Conyers. Well, you have the kind of a Subcommittee here
that is going to take this seriously. There have been so many
things going on, especially in the Judiciary Committee, that it
is easy for this to slip through the cracks. And I think this
hearing is extremely important for focusing in on that.
Mr. Holleyman. Mr. Conyers, let me say I think it is going
to take a complement of laws and a mix like criminal statutes.
I think the corollary around data breach notification can be
very important, particularly if it also encourages the kind of
incentives for companies to build in security practices so that
if there is a breach of consumer data, that that data will be
essentially useless because it has been protected in the
first instance.
So I think as the Federal Government, we can do more to
protect our citizens. I think the private sector can do more.
And it is going to take a mix of civil and criminal statutes to
effectively deal with this.
Mr. Conyers. Professor Kerr?
Mr. Kerr. Yeah, just one brief comment. So the substantive
law, the Computer Fraud and Abuse Act, already jurisdictionally
covers the world. It covers everything. In fact, the Computer
Fraud and Abuse Act covers every computer that the United
States government can regulate around the world under the
Constitution, under the foreign commerce clause and under the
interstate commerce clause. So it will certainly apply to a
foreign hacker who hacks into U.S. computers, the U.S. hacker
that hacks into foreign computers, or even a foreign person
that hacks into other foreign computers through the U.S.
So the substantive criminal law is very broad. The
difficulty is always if somebody is outside the U.S., if the
foreign government is going to cooperate with the U.S., then
that is a way that the U.S. can have the person extradited and
brought to the United States for prosecution. But if they are
not a cooperative government, that is where the problem is
going to be.
Mr. Conyers. Well, you know, I think that we are going to
have to put increased emphasis on our diplomacy aspect. I think
the sooner, Chairman Sensenbrenner, that we begin to look at
this part of this problem, the better off we are going to be in
terms of getting as much cooperation as we can. Now, we know
that is going to vary from country to country, but it is still
very important.
Mr. Sensenbrenner. The time of the gentleman has expired,
and I agree with the last point that the gentleman from
Michigan has made since the Internet is completely
internationalized and knows no boundaries, either for doing
good or breaking the law.
The gentleman from Texas, Mr. Gohmert.
Mr. Gohmert. Thank you, Mr. Chairman, and thank you to all
the witnesses for your research, for your concerns, and for
your testimony here today.
It is my understanding that under 18 U.S.C. 1030, that it
is a violation, a criminal violation, of our law to do anything
that helps take control of another computer even for a moment.
Is that your understanding? Some general nods.
Mr. Kerr. It depends exactly what you mean by take control,
but certainly if taking control includes gaining access to the
computer in order to take--assuming a network, you are not
supposed to take control of, then, yes, that would clearly be
prohibited by the statute.
Mr. Gohmert. All right. For example, my understanding is
there was a recent example where someone had inserted malware
on their own computer such that when their computer was hacked
and the data downloaded, it took the malware into the hacker's
computer, such that when it was activated, it allowed the
person whose computer was hacked to get a picture of the person
looking at the screen. So they had the person that did the
hacking and actually did damage to all the data that was in the
computer.
Now some of us would think that is terrific. That helps you
get at the bad guys. But my understanding is that since that
allowed the hackee to momentarily take over the computer and
destroy information in that computer, and to see who was using
that computer, then actually that person would have been in
violation, in the United States would have been in violation of
18 U.S.C. 1030.
So I am wondering if perhaps one of the potential helps or
solutions for us would be to amend 18 U.S.C. 1030 to make an
exception such that if the malware or the software that allows
someone to take over a computer, is taking over a hacker's
computer, then it is not a violation. Perhaps it would be like
we do for, say, assaultive offenses, you have a self-defense.
If this is part of a self-defense protection system, then it
would be a defense that you violated 1030.
Anybody see any problem with helping people by amending our
criminal code to allow such exceptions or have any suggestions
along those lines?
Mr. Kerr. Mr. Gohmert, I think it is a great question and
one that is very much debated in computer security circles
because from what I hear, there is a lot of this sort of
hacking back, as they refer to it. But at least under current
law, it is mostly illegal to do that.
There is a limited necessity defense that some courts have
recognized to say basically if you are a victim of a crime, you
have a certain amount of ability to act to try to stop that
crime. But it is not really clear how the necessity defense, as
it is recognized in current Federal law, would apply in those
circumstances.
I think the idea of saying there is some ability to
counterhack back, however you want to describe it, is a sound
one. The real difficulty is in the details of how do you do it.
What circumstances do you allow somebody to counterhack how
broadly, how broadly are they allowed to counterhack, how far
can they go?
The difficulty, I think, is once you open that door as a
matter of law, it can be something that is difficult to cabin.
So I think if there is such an exception, it should be a quite
narrow one to avoid it from sort of becoming the exception that
swallows the rule.
Mr. Gohmert. Well, I am not sure that I would care if it
destroyed a hacker's computer completely, as long as it was
confined to that hacker. Are you saying we need to afford the
hacker protection so that we do not hurt him too bad?
Mr. Kerr. No. The difficulty is that you do not know who
the hacker is, so it might be that you think the hacker is one
person. Let us say you think you are being hacked from a French
company or even a company in the United States.
Mr. Gohmert. Oh, and it might be the United States
government, and we do not want to hurt them if they are
snooping on our people. I do not really understand why you are
wanting to be protective of the hacker.
Mr. Kerr. The difficulty is first identifying who is the
hacker. You do not know when somebody is intruding into your
network who is behind it. So all you will know is that there is
an IP address that seems to back to a specific computer, but
you will not know who it is that is behind the attack. That is
the difficulty.
Mr. Sensenbrenner. The time of the gentleman has expired.
The gentleman from Louisiana, Mr. Richmond.
Mr. Richmond. Thank you, Mr. Chairman. I guess my first
question, maybe first two questions, will go to Mr. Holleyman.
You talked about information sharing, you talked about
security, and you talked about oversight over critical
networks. And we had that bill last year in Homeland Security,
which was the PRECISE Act, which when it came up, the
interesting thing about it, it was a pretty decent bill at the
time that shared bipartisan support. But when it came up for
markup, it was gutted by the author, which was a strange thing,
but that is because he could not get leadership to move on the
issue and bring it up to a floor vote if that was that
comprehensive.
So I guess I am asking you your thoughts on the PRECISE
Act, and was that going in the right direction.
Mr. Holleyman. Thank you for that question. I know that in
the last Congress there were a number of pieces of legislation
that were considered, several of which were approved. We
believe it is important for Congress to supplement what the
President did in his executive order with not only oversight,
but with additional legislation.
I think the executive order has tried to do--yeah, I would
need to look back at the elements of the PRECISE Act to be able
to comment further. But I think the President's executive order
has tried to address many of the elements that would have been
outlined in the PRECISE Act. So whether or not that act would
be needed at this point in time, I cannot comment on. I would
be happy to look at that for the record.
Mr. Richmond. If anyone else wanted to comment on it, that
is fine.
My next question would be, you mentioned one of the
elements and one of the things we should be doing is continuing
or creating a robust R&D for cybersecurity. And I guess my
question would be, would that be in the term of maybe an R&D
tax credit, or are you thinking of something like NIH and
grants to people who want to do that type of research for
cybersecurity?
Mr. Holleyman. Well, I think there are really three
elements of it. One is that we do not have enough students who
are being trained as professionals to be able to work in
cybersecurity for the future, and that is a problem for the
private sector and for the government. So we need to have the
right education and the right training. Secondly, I think we
need the right cooperative agreements between private sector
and government to allow that research to happen, including with
university research. And certainly, finally there is research
that goes on at the Federal Government about the level and the
nature in evolving threats, and that research needs to be
properly funded, and there needs to be proper oversight. So I
think it takes all three of those.
Mr. Richmond. And I guess I have a third question for you
or Mr. Kerr. I think that Ms. Durkan and Mr. Demers will
probably know the answer to it. But part of it is from your
organization's standpoint and from your experience, the level
of cooperation, and information sharing, and assistance that
our security agencies provide now. And sometimes we get the
benefit of hearings that are not public. But I am interested in
knowing from your perspective the interaction between FBI, CIA,
Department of Justice, and those in terms of helping either
avert or on the back end, find the perpetrators. So how has
that been with you all?
Mr. Holleyman. Well, I will start by saying I think the
nature of that is critical, and they are certainly very good
relationships. What we need is to be able to share more real
time threat information, not simply after the fact, but real
time threat information. That is part of what the President has
tried to do in his executive order and part of what we think
Congress can supplement that would make it even easier and
better for industry to share information with the government,
too.
Mr. Richmond. And I understand the barriers for industry.
What is the biggest barrier, or if you want to do it
comprehensively, what are the biggest barriers to doing it? Is
it just permission and law for real time information sharing?
Mr. Holleyman. Yeah, I think some of it is sort of the
existing laws that private sector companies feel like they
must, and appropriately, adhere to, which in some cases makes
it difficult, if not impossible, to share real time threat
information. So you can only do something about it after the
fact. That is not in anyone's interest to do that, so we need
the appropriate way to be able to share that with the Federal
Government.
Mr. Richmond. Mr. Chairman, for the sake of time, I yield
back.
Mr. Sensenbrenner. The time of the gentleman had expired.
[Laughter.]
The gentlewoman from California, Ms. Chu.
Ms. Chu. Thank you, Mr. Chair.
I wanted to ask about economic espionage and the stealing
of intellectual property, of trade secrets, customer lists,
future plans and contracts. And, Mr. Holleyman, I wanted to ask
you, you said that Symantec estimated that it lost $110 billion
through economic espionage and the stealing of IP through these
means.
What do you think is the overall cost to the corporations
that you represent?
Mr. Holleyman. Well, the Symantec number came from their
Internet security threat report, and it really related to the
total amount of losses. It was not sort of referring to their
company losses. And so the figure of $110 billion of damages on
consumers is what they cited.
I think that all of the data shows, and certainly the
information that is being very public and that the Chairman
spoke of in his opening remarks, shows that the nature of the
threat is increasing and it is increasing substantially.
McAfee, one of our members, estimated that it used to be that a
new piece of malware was identified and put into action about
15 minutes, and now they estimate it is one per second.
So the pace at which this is occurring is huge. The
consequences of losses are growing. And this is exactly the kind
of hearing this Committee and other Committees should be
focused on because we are all in this together.
Ms. Chu. And what is the private sector doing to minimize
these intrusions and to protect intellectual property
throughout all these layers?
Mr. Holleyman. Well, I think the Attorney General, the IP
enforcement coordinator, the Homeland Security Secretary, about
three weeks ago had a major discussion about theft of trade
secrets. And I know Members of this Committee were a part of
that process.
One, I think it is sort of building awareness. Two, it is
building best practices. Three, is security companies. We are
working to create faster, more effective ways of preventing
these intrusions to share information about the threats when
they occur. And it is a race. I mean, it is a race, and we are
in the business of trying to help prepare us. But a lot of it
is going to take education on the part of businesses, and
consumers, and the Federal Government, who is the biggest
source of attacks, against the Federal Government. The Federal
Government has to be using the strongest security to try to limit
those attacks.
So, I mean, we are all in this together. Our companies want
to do more things, particularly in small or medium enterprises
and others, build in security procedures, so that if there are
breaches of their information, and there will be from time to
time, that that information is rendered useless so that the
hacker or the perpetrator cannot do anything with it because it
has been secured through encryption or other means. And
those additional incentives will be helpful to a long-term
solution.
Ms. Chu. I wanted to make sure law enforcement has the
tools that it needs to prosecute these cases and investigate
them. And Ms. Durkan and Mr. Boles, I want to know, Ms. Durkan,
I note that the DoJ leads vigorous prosecutions in cyber theft
and economic espionage. I am curious to know how frequently a
case regarding intellectual property appears in your case load
and if you feel like you have the appropriate tools, like
training and funding, to effectively prosecute these cases.
Ms. Durkan. Thank you. It is a very significant part of our
district's work. We have some small mom and pop corporations,
like Boeing, Amazon, Microsoft, and the like, where the
proprietary information, as the Chairman said, is their most
valuable commodity. So we consistently work with those
corporations to make sure that we are getting the appropriate
referrals.
We have specially trained prosecutors. We will say we
always take more resources because the threat is evolving, but
we appreciate the resources this Committee has given to us.
Ms. Chu. And, Mr. Boles, do you have the adequate training
and funding to carry on your investigations?
Mr. Boles. Like my partner, Ms. Durkan, said, we will
always take more. It is important. It is a high tech and
evolving thing.
And just to give you a feel for it, we currently have about
1,100 cases ongoing in the FBI that involve intellectual
property theft, and it cuts across all of our programs whether
it be cyber, counterintelligence, and in the traditional
criminal. So it is a wide-ranging need that we have. And part
of our drive is to make sure that all the investigators, and
the analysts, and the support folks have the training that they
need as we push that out and go forward in the computer world.
But, you know, that is a need that we constantly reassess
and try to address.
Mr. Sensenbrenner. The gentlewoman's time has expired.
The Chair will recognize himself for a couple of questions.
Ms. Durkan, in response to Mr. Scott's question, you said
in the Administration's proposal, there are no mandatory
minimum sentences. My understanding is the bill the
Administration sent us up in the last Congress had mandatory
minimums. What made them change their mind?
Ms. Durkan. We assess a variety of factors, and at this
time we are not supporting that. But we would be happy to work
with your staff to answer any further questions that the
Chairman may have.
Mr. Sensenbrenner. Well, what factors were those?
Ms. Durkan. We will look at the number of factors we have
to as to what our priorities are in addressing the statute. And
right now we see that as the threat is evolving, what we really
need are tools that can address some of the gaps we see in the
law to make sure that we disrupt, deter crimes in the first
instance and hold people accountable.
Mr. Sensenbrenner. Well, you know, there are two separate
things, you know. When we are talking about mandatory minimums,
we are talking about after a conviction when the judge
pronounces a sentence. There certainly is not a lot of effort
and a lot of money that is required to go into that,
particularly with a mandatory minimum giving the judge little
or no discretion. I think you are trying to confuse apples with
oranges and not get into the fact.
Does the Administration oppose mandatory minimums as a
matter of principle, or do they not think that the crimes that
we are talking about here deserve a mandatory minimum?
Ms. Durkan. I think what you are getting at, Chairman, is
what is the appropriate sanction for these activities, and we
agree that we must assess and make sure that these bad actors
are held accountable under the law. It is one reason why we
support increasing the statutory maximum in the fraud scenario
to bring that on par because there are some cases where that is
the only statute available, but yet a judge would not be able
to assess the nature of the crime that occurred and assess the
appropriate penalty.
And so the Department of Justice is always going to look at
the factors present in a case and make sure that we are
recommending to a judge what the appropriate sanction is. And
then, of course, the judge needs to have the discretion and the
ability to make sure that that sanction can be imposed so that
we both deter the crime in the first instance and hold the
people when it occurs.
Mr. Sensenbrenner. I think we are going to be talking about
this issue a lot more as legislation is developed. I disagree
with that conclusion.
I do want to spend some time asking two questions of
Professor Kerr.
I am a little bit concerned, Professor Kerr, about your
idea that there should be certain things that are currently
criminal that should not be criminal anymore. And let me pose a
hypothetical view. Say that there is a foreign agent that is
employed by a U.S. tech company, and he was ordered to check to
see that the company was not working on a certain project,
using process of elimination to see who is working on that
project. The spy exceeds the authorized access and determines
that the company really is not working on the project.
Now, in this example, nothing was taken or damaged, but
should the Justice Department not have a tool to be able to do
something about that, even though another crime was not
committed?
Mr. Kerr. In that situation, I would imagine there would be
another crime committed. I am thinking in terms of attempt
liability for attempted--I gather the goal was to ultimately
determine confidential information relating to the company as
to what the company was or was not doing. So it would be either
an attempted theft of that information. I am not sure of the
criminal statutes governing spying, for example.
I think the key idea is that it is not a computer-related
offense. It just so happens that that offense involves
computer-related conduct. But it should be treated under the
law just as it would be if the spy were going into a
locked closet instead of a locked computer. It does not make any
difference as to whether it is a physical or a computer crime.
So my approach would be just to resolve the circuit split
by adopting the 9th Circuit standard, which is treating hacking
like hacking and treating computer crime offenses like the
physical world analysis.
Mr. Sensenbrenner. Okay. Well, let me go into the trespass
issue that you talked about. Now, it is obvious if somebody got
into the mechanical room at Space Mountain at Disneyworld and
then pulled the pin on that, and all of a sudden the cars, you
know, stopped abruptly and nobody was injured. Maybe it was
lucky. But, you know, how about cyber trespass that would have
just as much damage, and that would be a violation of a term of
service. And should that not be criminalized as well?
Mr. Kerr. It should be criminalized, but not because of the
terms of service violation. It could be criminalized under a
number of different theories.
First, it would be access without authorization because I
am assuming that breaking into the computer that is controlling
this machine would itself be password protected. It is not like
anyone can walk up and pull something on the machine.
Also it would be a Section 1030(a)(5) violation, which is
intentionally causing damage to a protected computer without
authorization, and that is a separate criminal statute that
does not involve unauthorized access. It is sort of
intentionally causing damage without authorization.
So these are all situations that would already be
criminalized without the need to go to the unauthorized access
prohibition.
Mr. Sensenbrenner. Okay. Well, my time is up.
So I would like to thank all of the witnesses for appearing
today, for being brief in the answers to your questions so that
we Republicans can go listen to what the President has to say.
And I understand you Democrats will have that pleasure sometime
in the future, very soon.
So without objection, this hearing is adjourned.
[Whereupon, at 12:54 p.m., the Subcommittee was adjourned.]