U. S. Department of Justice
Criminal Division
Washington, D.C. 20530
Mr. Chairman and members of the Subcommittee: Thank you for
this opportunity to help increase public awareness of the potential
hazards that accompany the many benefits of the Internet. I hope
that increased appreciation of these pitfalls will help people to
be careful in management of this powerful technology.
The Internet, which allows people to interact electronically
for both personal and commercial reasons, has generated justifiable
excitement over the past few years. But as with other innovations,
crime has quickly followed, and it has already begun to affect the
public. I would like to describe for you some aspects of Internet
crime that the Department of Justice is starting to see, and some
of the steps we are taking to deal with it.
Although it is difficult to quantify the scope of the computer
crime problem, public reports have estimated that computer crime
costs us between five hundred million and ten billion dollars per
year. The Computer Security Institute has surveyed 428 information
security specialists in Fortune 500 companies; 42% of the
respondents indicated that there was an unauthorized use of their
computer systems in the last year.
Computers can play three different roles in criminal activity:
o First, computers can be targets of an offense, for example if a hacker tries to steal information from, or to damage, a computer or computer network. We're all familiar with examples of this, such as vandalism of Web sites or the introduction of viruses into computers.
o Second, computers can be tools in the commission of a traditional offense. They can replace the telephone as a tool in an illegal telemarketing operation; they can be and are used to create and transmit child pornography. Or, to give you a specific example, Russian computer hackers in St. Petersburg broke into a Citibank electronic money transfer system and tried to steal more than $10 million by multiple wire transfers to accounts in at least seven different countries. Members of the gang have been arrested in several countries, but according to Citibank $400,000 has still not been recovered.
o Finally, computers can be incidental to the offense, but still
significant for law enforcement purposes. For example, many
drug dealers now store their records on computers, which
raises difficult forensic and evidentiary issues that we don't
face with old-fashioned paper records.
Of course, a single computer could be used in all three ways. For
example, a "hacker" might use his computer to gain unauthorized
access to an Internet Service Provider such as America On-Line --
known as an "ISP" -- and then use that access to illegally
distribute copyrighted software stored on his computer's hard
drive.
But it is not only ISPs or large financial institutions who
should be concerned about computer crime. Others have testified in
other forums about the important issues of protection of our
infrastructure and of the impact computers have on our ability to
protect our intellectual property, and I won't dwell on them today.
But hackers can also affect individual citizens directly. For
example, they can compromise the confidentiality and integrity of
personal and financial information. In one case, hackers from
Germany gained complete control of an ISP in Miami and captured all
the credit card information maintained on the service's
subscribers. The hackers then threatened to destroy the system and
distribute all the credit card numbers unless the ISP paid ransom.
German authorities arrested the hacker when he tried to pick up the
money -- but had he not sought ransom he could have used the stolen
credit card numbers to defraud thousands of consumers.
Government records, like any other records, can be susceptible
to a network attack if they are stored on a networked computer
system or without proper protections. In Seattle, two hackers
pleaded guilty to penetrating the U.S. District Court System, an
intrusion which gave them access to confidential or perhaps even
sealed information.(1) In carrying out their attack, they used
supercomputers at the Boeing Computer Center, also in Seattle, to
crack the courthouse system's password file. If Boeing had not
reported the intrusion to law enforcement, the District Court
system administrator would never have known the system was
compromised.
Just as significantly, the computer can be a powerful tool for
consumer fraud. The Internet can provide a con artist with the
unprecedented ability to reach millions of potential victims. As
far back as December 1994 -- and two and a half years is a long
time in this field -- the Justice Department indicted two people
for fraud on the Internet. Among other things, they had placed
advertisements on the Internet which promised victims valuable
goods upon payment of money. But the defendants never had access
to the goods, and never intended to deliver them to their victims.
Both pleaded guilty to wire fraud.(2)
Moreover, people can use computers to engage in new kinds of consumer fraud that would have never been possible before. In one interesting case, two hackers in Los Angeles pleaded guilty to computer crimes committed to ensure they would win prizes given away by local radio stations. When the stations announced that they would award prizes to a particular caller, for example the ninth caller, the hackers manipulated the local telephone switch to ensure that the winning call was their own. Their prizes included two Porsche automobiles and $30,000 in cash. Both of them received substantial jail terms.(3)
Just this year, in another interesting case that raises novel
issues, a federal court in New York granted the Federal Trade
Commission's request for a temporary restraining order to shut down
an alleged scam on the World Wide Web. According to the FTC's
complaint, people who visited pornographic Web sites were told they
had to download a special computer program to view the sites.
Unknown to them, the program secretly rerouted their phone calls
from their own local Internet provider to a phone number in
Moldova, a former Soviet republic, for which a charge of more than
two dollars a minute could be billed. According to the FTC, more
than 800,000 minutes of calling time were billed to U.S. customers.
Like other kinds of crimes, Internet crimes can be addressed
proactively and reactively. For example, fraudulent activity over
the Internet, like other fraudulent activity, can be prevented to
some extent by increased consumer education. People must bring the
same common sense to bear on their decisions in cyberspace as they
do in the physical world. They should realize that a World Wide
Web site can be created at relatively low cost and can look
completely reputable even if it is not. They should invest time
and energy to investigate the legitimacy of parties with whom they
interact over the Web. Just as with other consumer transactions,
they should be careful about where and to whom they provide their
credit card numbers. The ancient maxim "caveat emptor" continues
to apply with full force in the computer age.
The public can also be protected by vigorous law enforcement
efforts. Many consumer-oriented Internet crimes, such as fraud or
harassment, can be prosecuted using traditional statutory tools,
such as wire fraud. Moreover, last year the Congress, at our
request, substantially strengthened the laws against computer crime
in the National Information Infrastructure Protection Act of 1996.
As now drafted, the law contains eleven separate provisions
designed to protect the confidentiality, integrity and availability
of data and systems.
Nevertheless, the Internet presents novel challenges for law
enforcement. Two particularly difficult issues for law enforcement
are jurisdiction and identification.
One of the benefits of the global Internet is its ability to
bring people together, regardless of where in the world they are
located. But this can sometimes have a subtle impact for law
enforcement. For example, to buy a book you used to walk down to
your local bookstore and have a face to face transaction; if the
bookseller cheated you, you went to the local police. But the
Internet can make it easier and cheaper for a consumer to make
purchases, without even leaving his or her home, from a distributor
based in a different state or even a different country. And if the
consumer pays by credit card or, in the future, electronic cash,
and then the book never arrives, this simple transaction may become
a matter for the federal or even international law enforcement
community, rather than a local matter.
Moreover, the Internet makes interstate and international
crime significantly easier in a number of respects. For example,
a fraudulent telemarketing scheme might be extremely difficult to
execute on a global basis because of the cost of international
telephone calls, the difficulty of identifying suitable
international victims, and the more mundane problem of planning
calls across numerous time zones. But the Internet enables scam
artists to victimize consumers all over the world in simple and
inexpensive ways. An offshore World Wide Web site offering the
sale of fictitious goods may attract U.S. consumers who can "shop"
at the site without incurring international phone charges, who can
be contacted through e-mail messages -- and who may not even know
that the supposed merchant is offshore. The Moldova phone scam I
mentioned earlier provides an example of the relative ease with
which more complex international crimes may be perpetrated. In
such a global environment, not only is international crime more
likely, but some consumer fraud cases traditionally handled by
state and local authorities may require federal action.
Another fundamental issue facing law enforcement involves
proving a criminal's identity in a networked environment. In all
crimes -- including cybercrimes -- we must prove the defendant's
guilt beyond a reasonable doubt, but global networks lack effective
identification mechanisms. Indeed, individuals on the Internet can
be anonymous, and even those individuals who identify themselves
can adopt false identities by providing inaccurate biographical
information and misleading screen names. Even if a criminal does
not intentionally use anonymity as a shield, it is easy to see how
difficult it could be for law enforcement to prove who was actually
sitting at the keyboard and committing the illegal act. This is
particularly true because identifiable physical attributes such as
fingerprints, voices or faces are absent from cyberspace, and there
are few mechanisms for proving identity in an electronic
environment.
A related problem arises with the identity of the victim.
With increasing frequency, policy-makers are appropriately seeking
to protect certain classes of citizens, most notably minors, from
unsuitable materials. But if individuals requesting information
can remain anonymous or identify themselves as adults, how can the
flow of materials be restricted? Similarly, if adults can
self-identify as children and lure real children into dangerous
situations, how can these victims be protected? Congress last year
made an important attempt to protect minors who use the Internet in
the Communications Decency Act. As you know the Government
defended the constitutionality of that statute before the Supreme
Court in March and we are awaiting the Court's decision.
One area that raises both jurisdictional and identification
issues is Internet gambling. The Internet offers several
advantages for gambling businesses. First, electronic
communications, such as electronic mail, allow for simple record
keeping. Second, the Internet is far cheaper than long distance
and international telephone service. Third, many software packages
make it easy to operate consumer businesses over the Internet. Use
of the Internet for gambling -- as well as for other illegal
activities such as money laundering -- could increase substantially
as the use of "electronic cash" becomes more commonplace.
Gambling on the Internet is governed by existing federal law.
Interstate gambling by the use of any wire communication facility,
including the Internet, is illegal unless the gambling activity is
legal in both states. Even where gambling is legal, it is legal
only for adults. Therefore, the legality of gambling depends
critically on both the location and the age of the participants,
neither of which can be verified reliably through current network
mechanisms, at least when the participants are not willing to
cooperate honestly. Congress has already established the national
Gambling Impact Study Commission to study a variety of issues,
including "the interstate and international effects of gambling by
electronic means, including the use of interactive technologies and
the Internet."(4) We expect to provide assistance to the Commission,
and hope they will address the difficult issues we have raised
here.
In other contexts as well, we have long taken steps to ensure
that the Justice Department can respond effectively to Internet
crime. For example, as far back as 1991 both the Federal Bureau of
Investigation and the Justice Department created dedicated computer
crime units. Since that time, the FBI has established two
additional high-tech squads, and the Department has created, within
the Criminal Division, a new Computer Crime and Intellectual
Property Section. Additionally, in early 1995, the Department of
Justice initiated the Computer/Telecommunications Coordinator
program, under which each of the 93 United States Attorney's Office
has designated at least one Assistant United States Attorney to
serve as an in-house high-tech expert. We provide special training
to these prosecutors to help them keep abreast of the rapidly
changing technological and legal issues. In addressing privacy
concerns, the Department has participated in a number of working
groups and forums that have included representatives from both the
public and the private sector, including the Privacy Working Group
of the Information Infrastructure Task Force.
The Department of Justice is also taking the lead in providing
training in computer and telecommunications technologies and legal
issues to others in law enforcement. The Computer Crime and
Intellectual Property Section has established an "Infotech Training
Working Group," which includes representatives from every relevant
federal agency, the National Association of Attorneys General, the
National District Attorneys Association, and others, to guide,
assist and coordinate federal, state and local high-tech training.
As significant as these efforts are, however, the problems of
the global Internet cannot be solved without extensive
international cooperation. Although international awareness
concerning computer crime is growing, considerable work remains, as
countries attempt to harmonize their computer crime laws and
eliminate the procedural obstacles which prevent the timely
acquisition of evidence that is located in cyberspace. Several
separate efforts are underway to tackle these difficult issues,
including multilateral efforts at the Organization for Economic
Cooperation and Development, the P-8, and the Council of Europe.
Mr. Chairman, I thank you for the opportunity to present testimony today. The Attorney General and the Department of Justice look forward to working with the Congress to meet the law enforcement and privacy protection challenges associated with the Internet.
1. To our knowledge, no investigations were compromised. On February 22, 1993, the two defendants were sentenced to 5 years' probation, $30,000 restitution (joint and several), and 250 hours community service. As a condition of probation, both hackers are restricted from owning or using a computer without permission from the probation officer.
2. One of the two was sentenced to incarceration of 15 months, and 36 months probation, while the other was sentenced to 60 months probation. Restitution was ordered jointly in the amount of $32,000.
3. One of them received a sentence of 51 months of incarceration and three years supervised release for these crimes alone. The other received a sentence of 41 months, three years of supervised release, and restitution of $40,000, for commission of these and other crimes. See United States v. Peterson, 98 F.3d 502, 504 (9th Cir. 1996) (upholding two-level enhancement under Sentencing Guidelines for use of special skill to facilitate crimes, including crime described in text).
4. National Gambling Impact Study Commission Act § 4(a)(2)(F), 18 U.S.C.A. § 1954 note (West Supp. 1997).