U. S. Department of Justice
Criminal Division
Washington, D.C. 20530

Mr. Chairman and members of the Subcommittee: Thank you for this opportunity to help increase public awareness of the potential hazards that accompany the many benefits of the Internet. I hope that increased appreciation of these pitfalls will help people to be careful in management of this powerful technology.

The Internet, which allows people to interact electronically for both personal and commercial reasons, has generated justifiable excitement over the past few years. But as with other innovations, crime has quickly followed, and it has already begun to affect the public. I would like to describe for you some aspects of Internet crime that the Department of Justice is starting to see, and some of the steps we are taking to deal with it.

Although it is difficult to quantify the scope of the computer crime problem, public reports have estimated that computer crime costs us between five hundred million and ten billion dollars per year. The Computer Security Institute has surveyed 428 information security specialists in Fortune 500 companies; 42% of the respondents indicated that there was an unauthorized use of their computer systems in the last year.

Computers can play three different roles in criminal activity:

o First, computers can be targets of an offense, for example if a hacker tries to steal information from, or to damage, a computer or computer network. We're all familiar with examples of this, such as vandalism of Web sites or the introduction of viruses into computers.

o Second, computers can be tools in the commission of a traditional offense. They can replace the telephone as a tool in an illegal telemarketing operation; they can be and are used to create and transmit child pornography. Or, to give you a specific example, Russian computer hackers in St. Petersburg broke into a Citibank electronic money transfer system and tried to steal more than $10 million by multiple wire transfers to accounts in at least seven different countries. Members of the gang have been arrested in several countries, but according to Citibank $400,000 has still not been recovered.

o Finally, computers can be incidental to the offense, but still significant for law enforcement purposes. For example, many drug dealers now store their records on computers, which raises difficult forensic and evidentiary issues that we don't face with old-fashioned paper records.

Of course, a single computer could be used in all three ways. For example, a "hacker" might use his computer to gain unauthorized access to an Internet Service Provider such as America On-Line -- known as an "ISP" -- and then use that access to illegally distribute copyrighted software stored on his computer's hard drive.

But it is not only ISPs or large financial institutions who should be concerned about computer crime. Others have testified in other forums about the important issues of protection of our infrastructure and of the impact computers have on our ability to protect our intellectual property, and I won't dwell on them today. But hackers can also affect individual citizens directly. For example, they can compromise the confidentiality and integrity of personal and financial information. In one case, hackers from Germany gained complete control of an ISP in Miami and captured all the credit card information maintained on the service's subscribers. The hackers then threatened to destroy the system and distribute all the credit card numbers unless the ISP paid ransom. German authorities arrested the hacker when he tried to pick up the money -- but had he not sought ransom he could have used the stolen credit card numbers to defraud thousands of consumers.

Government records, like any other records, can be susceptible to a network attack if they are stored on a networked computer system or without proper protections. In Seattle, two hackers pleaded guilty to penetrating the U.S. District Court System, an intrusion which gave them access to confidential or perhaps even sealed information.⁽¹⁾ In carrying out their attack, they used supercomputers at the Boeing Computer Center, also in Seattle, to crack the courthouse system's password file. If Boeing had not reported the intrusion to law enforcement, the District Court system administrator would never have known the system was compromised.

Just as significantly, the computer can be a powerful tool for consumer fraud. The Internet can provide a con artist with the unprecedented ability to reach millions of potential victims. As far back as December 1994 -- and two and a half years is a long time in this field -- the Justice Department indicted two people for fraud on the Internet. Among other things, they had placed advertisements on the Internet which promised victims valuable goods upon payment of money. But the defendants never had access to the goods, and never intended to deliver them to their victims. Both pleaded guilty to wire fraud.⁽²⁾

Moreover, people can use computers to engage in new kinds of consumer fraud that would have never been possible before. In one interesting case, two hackers in Los Angeles pleaded guilty to computer crimes committed to ensure they would win prizes given away by local radio stations. When the stations announced that they would award prizes to a particular caller, for example the ninth caller, the hackers manipulated the local telephone switch to ensure that the winning call was their own. Their prizes included two Porsche automobiles and $30,000 in cash. Both of them received substantial jail terms.⁽³⁾

Just this year, in another interesting case that raises novel issues, a federal court in New York granted the Federal Trade Commission's request for a temporary restraining order to shut down an alleged scam on the World Wide Web. According to the FTC's complaint, people who visited pornographic Web sites were told they had to download a special computer program to view the sites. Unknown to them, the program secretly rerouted their phone calls from their own local Internet provider to a phone number in Moldova, a former Soviet republic, for which a charge of more than two dollars a minute could be billed. According to the FTC, more than 800,000 minutes of calling time were billed to U.S. customers.

Like other kinds of crimes, Internet crimes can be addressed proactively and reactively. For example, fraudulent activity over the Internet, like other fraudulent activity, can be prevented to some extent by increased consumer education. People must bring the same common sense to bear on their decisions in cyberspace as they do in the physical world. They should realize that a World Wide Web site can be created at relatively low cost and can look completely reputable even if it is not. They should invest time and energy to investigate the legitimacy of parties with whom they interact over the Web. Just as with other consumer transactions, they should be careful about where and to whom they provide their credit card numbers. The ancient maxim "caveat emptor" continues to apply with full force in the computer age.

The public can also be protected by vigorous law enforcement efforts. Many consumer-oriented Internet crimes, such as fraud or harassment, can be prosecuted using traditional statutory tools, such as wire fraud. Moreover, last year the Congress, at our request, substantially strengthened the laws against computer crime in the National Information Infrastructure Protection Act of 1996. As now drafted, the law contains eleven separate provisions designed to protect the confidentiality, integrity and availability of data and systems.

Nevertheless, the Internet presents novel challenges for law enforcement. Two particularly difficult issues for law enforcement are jurisdiction and identification.

One of the benefits of the global Internet is its ability to bring people together, regardless of where in the world they are located. But this can sometimes have a subtle impact for law enforcement. For example, to buy a book you used to walk down to your local bookstore and have a face to face transaction; if the bookseller cheated you, you went to the local police. But the Internet can make it easier and cheaper for a consumer to make purchases, without even leaving his or her home, from a distributor based in a different state or even a different country. And if the consumer pays by credit card or, in the future, electronic cash, and then the book never arrives, this simple transaction may become a matter for the federal or even international law enforcement community, rather than a local matter.

Moreover, the Internet makes interstate and international crime significantly easier in a number of respects. For example, a fraudulent telemarketing scheme might be extremely difficult to execute on a global basis because of the cost of international telephone calls, the difficulty of identifying suitable international victims, and the more mundane problem of planning calls across numerous time zones. But the Internet enables scam artists to victimize consumers all over the world in simple and inexpensive ways. An offshore World Wide Web site offering the sale of fictitious goods may attract U.S. consumers who can "shop" at the site without incurring international phone charges, who can be contacted through e-mail messages -- and who may not even know that the supposed merchant is offshore. The Moldova phone scam I mentioned earlier provides an example of the relative ease with which more complex international crimes may be perpetrated. In such a global environment, not only is international crime more likely, but some consumer fraud cases traditionally handled by state and local authorities may require federal action.

Another fundamental issue facing law enforcement involves proving a criminal's identity in a networked environment. In all crimes -- including cybercrimes -- we must prove the defendant's guilt beyond a reasonable doubt, but global networks lack effective identification mechanisms. Indeed, individuals on the Internet can be anonymous, and even those individuals who identify themselves can adopt false identities by providing inaccurate biographical information and misleading screen names. Even if a criminal does not intentionally use anonymity as a shield, it is easy to see how difficult it could be for law enforcement to prove who was actually sitting at the keyboard and committing the illegal act. This is particularly true because identifiable physical attributes such as fingerprints, voices or faces are absent from cyberspace, and there are few mechanisms for proving identity in an electronic environment.

A related problem arises with the identity of the victim. With increasing frequency, policy-makers are appropriately seeking to protect certain classes of citizens, most notably minors, from unsuitable materials. But if individuals requesting information can remain anonymous or identify themselves as adults, how can the flow of materials be restricted? Similarly, if adults can self-identify as children and lure real children into dangerous situations, how can these victims be protected? Congress last year made an important attempt to protect minors who use the Internet in the Communications Decency Act. As you know the Government defended the constitutionality of that statute before the Supreme Court in March and we are awaiting the Court's decision.

One area that raises both jurisdictional and identification issues is Internet gambling. The Internet offers several advantages for gambling businesses. First, electronic communications, such as electronic mail, allow for simple record keeping. Second, the Internet is far cheaper than long distance and international telephone service. Third, many software packages make it easy to operate consumer businesses over the Internet. Use of the Internet for gambling -- as well as for other illegal activities such as money laundering -- could increase substantially as the use of "electronic cash" becomes more commonplace.

Gambling on the Internet is governed by existing federal law. Interstate gambling by the use of any wire communication facility, including the Internet, is illegal unless the gambling activity is legal in both states. Even where gambling is legal, it is legal only for adults. Therefore, the legality of gambling depends critically on both the location and the age of the participants, neither of which can be verified reliably through current network mechanisms, at least when the participants are not willing to cooperate honestly. Congress has already established the national Gambling Impact Study Commission to study a variety of issues, including "the interstate and international effects of gambling by electronic means, including the use of interactive technologies and the Internet."⁽⁴⁾ We expect to provide assistance to the Commission, and hope they will address the difficult issues we have raised here.

In other contexts as well, we have long taken steps to ensure that the Justice Department can respond effectively to Internet crime. For example, as far back as 1991 both the Federal Bureau of Investigation and the Justice Department created dedicated computer crime units. Since that time, the FBI has established two additional high-tech squads, and the Department has created, within the Criminal Division, a new Computer Crime and Intellectual Property Section. Additionally, in early 1995, the Department of Justice initiated the Computer/Telecommunications Coordinator program, under which each of the 93 United States Attorney's Office has designated at least one Assistant United States Attorney to serve as an in-house high-tech expert. We provide special training to these prosecutors to help them keep abreast of the rapidly changing technological and legal issues. In addressing privacy concerns, the Department has participated in a number of working groups and forums that have included representatives from both the public and the private sector, including the Privacy Working Group of the Information Infrastructure Task Force.

The Department of Justice is also taking the lead in providing training in computer and telecommunications technologies and legal issues to others in law enforcement. The Computer Crime and Intellectual Property Section has established an "Infotech Training Working Group," which includes representatives from every relevant federal agency, the National Association of Attorneys General, the National District Attorneys Association, and others, to guide, assist and coordinate federal, state and local high-tech training.

As significant as these efforts are, however, the problems of the global Internet cannot be solved without extensive international cooperation. Although international awareness concerning computer crime is growing, considerable work remains, as countries attempt to harmonize their computer crime laws and eliminate the procedural obstacles which prevent the timely acquisition of evidence that is located in cyberspace. Several separate efforts are underway to tackle these difficult issues, including multilateral efforts at the Organization for Economic Cooperation and Development, the P-8, and the Council of Europe.

Mr. Chairman, I thank you for the opportunity to present testimony today. The Attorney General and the Department of Justice look forward to working with the Congress to meet the law enforcement and privacy protection challenges associated with the Internet.

1. To our knowledge, no investigations were compromised. On February 22, 1993, the two defendants were sentenced to 5 years' probation, $30,000 restitution (joint and several), and 250 hours community service. As a condition of probation, both hackers are restricted from owning or using a computer without permission from the probation officer.

2. One of the two was sentenced to incarceration of 15 months, and 36 months probation, while the other was sentenced to 60 months probation. Restitution was ordered jointly in the amount of $32,000.

3. One of them received a sentence of 51 months of incarceration and three years supervised release for these crimes alone. The other received a sentence of 41 months, three years of supervised release, and restitution of $40,000, for commission of these and other crimes. See United States v. Peterson, 98 F.3d 502, 504 (9th Cir. 1996) (upholding two-level enhancement under Sentencing Guidelines for use of special skill to facilitate crimes, including crime described in text).

4. National Gambling Impact Study Commission Act § 4(a)(2)(F), 18 U.S.C.A. § 1954 note (West Supp. 1997).