Senate Judiciary Subcommittee on Crime and Terrorism Hearing
Federal Information & News Dispatch, Inc.
Good afternoon, Chairman Whitehouse, Ranking Member Graham, and Members of the Subcommittee. Thank you for the opportunity to appear before the Subcommittee today to discuss the
The threat from botnets--networks of victim computers surreptitiously infected with malicious software, or "malware," that are controlled by an individual criminal or an organized criminal group--has increased dramatically over the past several years. The computers of American citizens and businesses are, as we speak, under attack by individual hackers and organized criminal groups using state-of-the-art techniques seemingly drawn straight from a science fiction movie. Unfortunately, this cybercrime wave is all too real. Botnet attacks are intended to undermine Americans' privacy and steal from unsuspecting victims. If left unchecked, they will succeed.
The
Our successful effort to suppress the Gameover Zeus botnet should remind us that those who use botnets to cause harm are increasing in number and sophistication, and we cannot expect continued success if we merely rest on our laurels. The Department is armed with the laws and resources that we have been granted, but those tools must be updated and enhanced. If we want to remain effective in protecting our citizens and businesses, our laws and our resources must keep pace with the tactics and numbers of our adversaries. Our adversaries are always adapting. So must we. In my testimony, I will outline several legislative proposals that will assist the Department in its efforts to counter the threat posed by botnets. Finally, I will outline our resource needs--in particular the need for additional specialized criminal prosecutors.
Current DOJ Anti-Botnet Activities
Cybercrime overall has increased dramatically over the last decade, and caused enormous financial damage and innumerable invasions of Americans' privacy. The advances in computing technology that have powered our economy have also empowered those who seek to do us harm. Today, cyber criminals can steal personal and financial information from tens of millions of citizens in a single breach. To be sure, thefts of such information were committed long before the digital revolution. But stealing ten million credit card numbers previously would have required burglarizing thousands of stores, whereas now it can be done from a basement with a laptop. And some crimes have been uniquely adapted in the digital age. For example, in a new, disturbing twist on extortion, hackers have secretly activated the cameras on victims' laptop computers, taken compromising pictures or videos, and demanded payments not to expose those pictures or videos to the public. All the while, technological advances, including advances designed to protect privacy, such as anonymizing software and encryption, are being used to frustrate criminal or civil investigations and, perversely, protect the wrongdoers. Our cyber crimefighters must be equipped with the tools and expertise to compete with and overcome our adversaries.
Over the same time period, botnets have emerged as a major threat. Sometimes called "botmasters" or "botherders," cyber criminals who control botnets can use advances in communications technology to take control of thousands, or even hundreds of thousands, of victim computers, or "bots." They can then command the computers they control to, for example, deluge an internet site with junk data, overwhelming it and knocking it offline. They may conduct such distributed denial-of-service (DDOS) attacks out of malice, as ideological attacks on those with whom they disagree, or even as a paid service to other criminals. They can also use the infected bots to steal banking credentials, credit card numbers, and other financial information. They can use them to send spam--email messages that range from advertising for illegal and dangerous pharmaceutical products, to fraud schemes aimed at artificially inflating the price of stocks, to "phishing" messages that gather sensitive information. Moreover, cybercriminals can use botnets to engage in other online crime by using their networks of infected computers as "proxies." This activity allows such criminals to conceal their identity and location while they commit crimes that range from fraud and theft of data to drug dealing and the sexual exploitation of children.
Botnets pose a threat to
To counter this significant and complex threat, the
The Department's response to botnets takes two tracks, often at the same time. First, whenever possible, we seek to arrest, prosecute, and incarcerate the criminals who use botnets to victimize Americans. For example, in
Similarly, in federal court in
Arresting and convicting key players can disrupt criminal enterprises, but such actions are not always sufficient to counter the threat, particularly given the transnational nature of cybercrime. They also will not always remedy the harm caused by a botnet. Accordingly, the Department has pursued a second approach to botnets: the use of seizures, forfeitures, restraining orders, and other civil and criminal legal process to dismantle criminal infrastructure. In cases such as Gameover Zeus, Blackshades, and a 2011 case involving the Coreflood botnet, the Department used these legal authorities, with judicial authorization and oversight, to wrest domains and servers from cyber criminals' control, prevent infected computers from communicating with the criminals' command and control infrastructure, and liberate hundreds of thousands of computers.
In May of this year, CCIPS,
Gameover Zeus was also used to install Cryptolocker--a type of malware known as "ransomware"--on infected computers. Cryptolocker enabled cyber criminals to encrypt key files on the infected computers. Victims then saw a splash screen on their computer monitors, telling them that their files were encrypted and that they had three days to pay a ransom, usually between about
Disrupting and mitigating these threats requires determination, technical skill, and creativity. In response to previous efforts to disable botnets, the creators of the Gameover Zeus botnet designed a novel and resilient structure, including three distinct layers of command and control infrastructure that rendered the botnet particularly difficult to overcome. The Department's successful disruption began with a complex international investigation conducted in close partnership with the private sector. It continued through the Department's use of an inventive combination of criminal and civil legal process to obtain authorization to stop infected computers from communicating with each other and with other servers around the world. The operation simultaneously targeted all three command and control layers of Gameover Zeus, and stopped Cryptolocker from encrypting additional computers. The investigation and court-authorized operation ultimately permitted the team not only to identify and charge one of the leading perpetrators, but also to stop the botnet and ransomware from functioning. Moreover, the
I cannot emphasize enough the importance to our anti-botnet efforts of the cooperation of foreign governments and our U.S. government and private-sector partners. In every case I have mentioned, foreign law enforcement services took carefully coordinated steps worldwide to disrupt the scheme and investigate the offenders, by seizing servers, interviewing subjects, making arrests, and providing evidence to U.S. investigators. The Department has devoted substantial resources to building the relationships with foreign law enforcement partners that made these coordinated efforts possible. The
One factor has harmed our relationships with foreign law enforcement agencies, however: our inability to rapidly respond to foreign requests for electronic evidence located in
Like the value of our relationships with foreign law enforcement, the expertise, dedication, and cooperation of private-sector entities have been crucial to our success. For example, security researchers develop highly specialized expertise in particular botnets and help develop countermeasures that match the botnets in sophistication. Their technical contributions are truly astounding. Private-sector companies also serve a critical function when they notify victims that their computers have been compromised and supply the tools needed to clean up those computers. Because the vast majority of the internet is owned and operated by the private sector, we simply could not conduct anti-botnet operations without the firm commitment of network service providers to protecting their customers.
Proposals to Enhance Anti-Botnet and other Cyber Capabilities
The Department is dedicated to using innovative means to target increasingly complex botnet threats as they emerge. But there is a lot more work to be done, and we ask that
Department prosecutors rely on criminal statutes to bring cyber criminals to justice and to halt their criminal activity. One of the most important of these laws is the Computer Fraud and Abuse Act, also called the "CFAA." The CFAA is the primary Federal law against hacking. It protects the public against criminals who hack into computers to steal information, install malware, and delete files. The CFAA, in short, reflects our shared baseline expectation that people are entitled to have control over their own computers and are entitled to trust that the information they store in their computers remains safe.
The CFAA was first enacted in 1986, at a time when the problem of cybercrime was still in its infancy. Over the years, a series of measured, modest changes have been made to the CFAA to reflect new technologies and means of committing crimes and to equip law enforcement with tools to respond to changing threats. But the CFAA has not been amended since 2008, and the intervening years have again created the need for the enactment of modest, incremental changes. The Administration's
In addition, our investigations of those responsible for creating and using botnets and our efforts to disrupt botnets rely substantially on the availability of legal investigative process pursuant to the Electronic Communications Privacy Act ("ECPA"). ECPA governs the Department's access to much of the electronic evidence necessary to investigate botnets, hold perpetrators accountable, and develop methods to free unsuspecting victims. It is essential to the success of our anti-botnet initiatives, and to our efforts against cybercrime as a whole, that the government maintain the ability to obtain relevant electronic evidence in a responsible, timely and effective manner.
Selling Access to Botnets
In the years since 2011, experience has revealed additional shortcomings in the criminal law. For example, while botnets can be used for various nefarious purposes, including theft of personal or financial information, the dissemination of spam, and DDOS attacks, the creators and operators of botnets do not always commit those crimes themselves. Frequently they sell, or even rent, access to the infected computers to others. The CFAA does not clearly cover such trafficking in access to botnets, even though trafficking in infected computers is clearly illegitimate, and can be essential to furthering other criminal activity. We thus propose that section 1030(a)(6) of the CFAA be amended to cover trafficking in access to botnets.
In addition, section 1030(a)(6) presently requires proof of an intent to commit a financial fraud. Such intent is often difficult--if not impossible--to prove because the traffickers of unauthorized access to computers often have a wrongful purpose other than the commission of fraud. Indeed, sometimes they may not know or care why their customers are seeking unauthorized access to other people's computers. This reality has made it more challenging in many cases for our prosecutors to identify a provable offense, even when we can establish beyond a reasonable doubt that individuals are selling access to thousands of infected computers. We therefore recommend that
Enhancing Judicial Authority to Disrupt Botnets and other Malware
Under current law, two federal statutes, 18 U.S.C. §§ 1345 & 2521, give the Attorney General the authority to bring civil suits against defendants who are engaged in or "about to" engage in wiretapping or the violation of specified fraud crimes. n1 See 18 U.S.C. §§ 1345(a), 2521. The court is then empowered to enjoin the violation, "or take such other action, as is warranted to prevent a continuing and substantial injury to
These authorities played a prominent role in the Department's successful disruptions of the Coreflood botnet in 2011 and the Gameover Zeus botnet in 2014. These botnets collected online financial account information as it was transmitted from infected computers, thus violating the Wiretap Act, and the criminals used their access to steal from victims' bank accounts, which constitutes wire and bank fraud. Because these botnets violated statutes against fraud and wiretapping, courts were authorized to issue orders under sections 1345 and 2521 that permitted
No analogous statutory authority exists, however, for violations of the CFAA that do not involve fraud or the interception of communications. As a result, the law does not provide a clear statutory remedy for the government to use against botnets or other types of malware that criminals employ for other purposes, such as DDOS attacks. Similar to frauds and illegal wiretaps, these types of computer hacking--which are prohibited under section 1030--present serious threats that can cause severe and continuing damage as long as they persist. We would welcome the opportunity to work with the Committee to ensure that the law appropriately addresses this challenge.
Criminalizing the Overseas Sale of Stolen U.S. Financial Information
To ensure that we can take action when cyber criminals acting overseas steal data from U.S. financial institutions, we also recommend a modification to what is known as the access device fraud statute, 18 U.S.C. § 1029. One of the most common motivations for criminal hacking is to obtain financial information. The access device fraud statute proscribes the unlawful possession and use of "access devices," such as credit card numbers and devices such as credit card embossing machines. Not only do lone individuals commit this crime, but, more and more, organized criminal enterprises have formed to commit such intrusions and to exploit the stolen data through fraud.
The
Enhancing Resources to Combat Botnets and other Cyber Threats
This last May, the Department submitted to
- Ensure that all of DOJ's investigators and attorneys receive training on cybercrime and digital evidence.
- Increase the number of digital forensic experts and the capacity of available digital forensic hardware.
- Enhance DOJ's expertise in addressing complex cyber threats.
- Improve information sharing efforts with the private sector.
- Expand and strengthen relationships with international law enforcement and criminal justice partners on cybercrime to enhance the sharing of electronic evidence.
- Enhance capacity in the area of cyber policy development and associated legislative work.
The plan repeatedly highlighted the disruption of botnets as a key priority. In order to properly address the threat of botnets and other cybercrimes, components across the Department, such as CCIPS, NSD, and
The Department confronts an increasing demand for its anti-cybercrime expertise. CCIPS, for example, conducts its own prosecutions, receives requests for consultation of its attorneys or digital investigative analysts, provides advice to law enforcement agencies, engages with the private sector regarding the implementation of investigative authorities, and delivers domestic and international training. This escalation in activity is due in part to the ever-expanding nature of the cyber threat. Prosecutorial needs have also resulted from the expansion of investigative efforts, as the
The Department would like to thank the
Conclusion
I very much appreciate the opportunity to discuss with you the Department's efforts to combat botnets. We are committed to using all available tools to disrupt these networks and bring perpetrators to justice, as we seek to protect Americans' security, privacy, and property.
Thank you for the opportunity to discuss the Department's work in this area, and I look forward to answering any questions you might have.
n1 The specified fraud crimes include those listed in Title 18, Chapter 65 (mail fraud, wire fraud, bank fraud, and health care fraud), section 287 (fraudulent claims), section 1001 (false statements to government officers), and conspiracies to commit these offenses. See 18 U.S.C. § 1345(a)(1).
Read this original document at: http://www.judiciary.senate.gov/download/07-15-14-caldwell-testimony&download=1