Please adjust the frame on the left to read the following story to avoid using the stroll bars at the bottom.
Speech by
Louis J. Freeh, Director of the FBI
_________________________________________________________________
1997 International Computer Crime Conference
New York, New York
March 4, 1997
Thank you Jim. Good morning, ladies and gentleman. It's really a
pleasure to be up here and to welcome you to the conference, and also
to tell you what a historic and great opportunity this is for all of
the varying interests represented here.
It's appropriate that this conference be held in New York City, which
is a global city in a global economy. It's appropriate, and we thank
you, Mr. Moran, on behalf of Chase, for involving private industry,
both nationally and internationally, in the principles and objectives
of the conference, as well as our law enforcement friends and
colleagues from around the United States and around the world.
I just returned from a very brief trip to the Mideast where I visited
three countries and spent time with the leaders of all the countries
involved in the current peace process. We met with Yasser Arafat, the
Prime Minister of Israel, King Hussein, President Mubarak, and, over
the course of several days, all of my counterparts, both in law
enforcement services and security services. And part of our agenda,
although not the priority part, did in fact deal with some of the
issues that this conference is going to address--issues like
technology crimes; law enforcement in the information age; threats to
infrastructure; threats to national security; the new ways that
criminals and terrorists have found to achieve their objectives;
taking advantage of all of the technological changes; the transparency
of borders; the ability to travel and send information
instantaneously.
These are matters that are relatively mid-way on law enforcement
security agendas--and appropriately so given the enormous security
problems and the current crises with which those countries and
authorities deal.
It's an obvious point, but one which I think we need to make: in the
United States also, these critical issues will continue to occupy
industry and law enforcement, but they are not at this time on the
front burners for law enforcement or for national security people.
This should not be surprising. We are not imminently threatened with
the collapse of infrastructures. We are not seeing intrusions at a
frequent enough index that people are alarmed about them. Our
experience in 1993, when we addressed the digital telephony issue of
how to maintain and continue court-authorized wiretaps in a new
technological environment, is a good illustration.
At that time, we could not go to the administration or go to Congress
and say we're in a crisis--we can't do any more wiretaps. We could
only tell them with a lot of confidence and good information that if
we did not solve that problem in 1993, we were certain that in 2003 we
would not be able to perform court-authorized wiretaps--neither in the
criminal enforcement area, nor in the national security area.
Today, this kind of debate continues in Washington and around the
world on encryption. Again, at this point we can't point to a
proliferation of examples where encryption, unbreakable encryption,
has caused the loss of lives or shut down major investigations. But we
know, with great certainly, that if that problem is not dealt with
very quickly, the time will come that, as robust encryption
proliferates without any recovery systems, law enforcement and
national security will clearly be at risk.
In a sense, this process really describes the history and the saga of
law enforcement. In 1933, unarmed FBI agents transporting a prisoner
were gunned down in a crossfire that became known as the Kansas City
Massacre. Only then was Congress spurred to enact, within a week after
that attack, the authority for FBI agents to carry firearms and make
arrests.
It took the chance discovery of the Apalachin meeting up in New York
and subsequent investigations in the mid 60's to demonstrate the
existence of La Cosa Nostra in the United States--and that spurred
Congress to authorize court-authorized wiretapping in 1968.
So we see, over the course of time, how law enforcement strives to
catch up with technology. And I think that's where we are right now
with computer crime, with the encryption issues, with the
telecommunication issues, and with the wireless communication
issues--all of which need to be addressed and solved.
So I really salute all of you--and of the different countries and
corporations that you represent--for putting together a conference
which, for the first time, focuses internationally on this problem.
Your lead is one that law enforcement must follow.
Today when new FBI agents graduate from our training academy in
Virginia, they leave with their firearms and their badges, but they
also leave with a lap top computer. It's an excellent symbol of the
changing environment in which these young men and women will function
over the next 20 years. It is also imperative for the way they must
conduct investigations. When they serve law enforcement search
warrants, they seize hard drives and disks instead of the boxes and
boxes of records and books and ledgers that their predecessors, myself
included, used to seize to support our cases.
Today, also, they chase fugitives over cyberspace as well as over
fences. You may remember when we arrested Mr. Mitnik a year or so ago.
He was found by the FBI, but he was found because we hired a
23-year-old computer specialist to locate exactly where he was and
where he was transmitting from. That was the basis of effecting that
arrest.
I thought also I would mention, very briefly, some of the cases where
the technology of computers and cyber crime is evidencing itself, and
then talk generally and briefly about recent initiatives undertaken
between the FBI and other government organizations, in partnership
with the private sector, to deal with some of these problems.
Clearly these problems and issues cannot be solved unilaterally by law
enforcement, no more than they could be solved unilaterally by the
private sector. If we are to identify and respond to these various
problems, we've got to unite the efforts of industry and law
enforcement on an international scale.
Let me mention very quickly a couple of cases; these are all public
cases so I can comment on them. The Citibank case, which you've heard
Mary Jo White refer to, was a case where someone with a lap top
computer, sitting in an apartment in St. Petersburg, Russia, intrudes
into a bank and attempts to move millions of dollars out of accounts
to a place where they can be exploited.
We had a similar case recently with a so-called "phone phreaker" in
Sweden--and because of the assistance we received from Swedish
authorities, we were able to solve that case. There a young man,
sitting in his own apartment, hacked his way across the Atlantic Ocean
into U.S. telephone switching systems and worked his way down to
Northern Florida, where over the course of several weeks, he
interfered with 911 systems and had the capability to disable the
system. It could have been disastrous, because 911 systems not only
affect the police but also affect fire and emergency services.
Now extrapolate that to imagine if he'd hit to larger systems--banking
systems, stock exchanges, or power grids in the northeast or northwest
in the middle of winter.
We had another recent and continuing case in Baltimore, which we call
the Innocent Images case. Several speakers today have already referred
to it. It goes back to 1993 when we began investigating a kidnapping
case. When we began to focus on several subjects, it became clear that
they were using computers--computer telecommunications networks--to
contact, identify and, in some cases, arrange for meetings with
children. In a sense, they were entering the homes of the children,
not on the telephone or by a knock on the door, but through computer
modems. That case, which has become a national initiative by the FBI,
has resulted, so far, in approximately 88 arrests and 78 convictions.
And the only people targeted in those cases are the individuals who
are involved in large-scale distributions of pornography, and that's
just, in our view, the tip of the iceberg.
We had a recent terrorism case where an individual maintained plans in
his lap top computer to attack airliners and other targets. Part of
the files contained in that lap top is still encrypted and is still in
need of being deciphered by the law enforcement authorities.
Those are just several cases on the menu--again, not representative of
thousands of others, but all of a very serious nature and with grave
implications.
If you take the context of those cases and translate them to large
scale industries, to infrastructure, and to informational systems then
you can see that the potential is catastrophic.
Consider for example, a recent exercise by a government agency that is
responsible for maintaining and transmitting secure information. This
agency ran some computer attacks against its own very well defended
systems, using people inside and outside the agency to perform them.
The results of the test were that 88 percent of the attacks were
successful. Again, the implications of that exercise, translated to
all our informational systems, are sobering.
We have been trying to respond to the prospective issues involved in
this issue in a number of different ways. In June last year the
President signed an Executive Order that asked all government
agencies, coordinated by the FBI, to do a critical infrastructure
study over a 1-year period that would focus on the vulnerabilities of
the systems--both physical and informational security--and that would
compose and design protocols of plans and systems to protect key areas
of government, as well as private industry infrastructure.
That process has been ongoing now for several months. We have enlisted
the assistance of many agencies, particularly Department of Defense
agencies, which have great expertise in this area. We have also
heavily relied upon private industry and private consultants to supply
some of the necessary expertise for analysis and planning.
In addition, pursuant to Executive Order and to a Presidential
Directive on terrorism, we established an FBI Computer Investigations
and Threat Assessment Center in our Headquarters, which we call CITAC.
The purpose of that center is two-fold. One, to develop and provide
expertise in computer investigations. Secondly, to do threat
assessments with respect to computer crime infrastructure defenses.
This ties in as best it can with the infrastructure analysis program
which is ongoing at the same time.
We've established three FBI computer crime squads in the field now:
one is here in New York; two, in other cities around the country.
These are very different animals in terms of our FBI structure. Most
FBI squads are programmatic squads, dealing with bank robbery or with
theft from interstate shipment. These new computer crime squads,
however, are disciplinary squads--nonprogrammatic and specifically
designed and ordered to gather up, within a particular division, all
of the computer investigative expertise that we have both from an
analytic and an operational point of view. We then use them as a
resource for all other programs in the field divisions, whether they
be counterterrorism programs, criminal programs, or national security
matters. We also use them to assist our partners in other law
enforcement agencies.
Part of our CITAC program also requires the SACs in all our 56 field
divisions to form working groups with local industry--banking,
utilities, energy, whatever the framework may be for that particular
location--and put together working groups that will serve both to
advise and respond to a crisis that threatens infrastructure, whether
it be a criminal or a national security matter. To date, those
advisory working groups are working very well around the country.
Again, the real key to success here--and I don't think it can be
repeated too much--is the critical partnership of government with the
private sector and private industry. Beyond our best expertise, we
need additional expertise based on system-design and
system-engineering infrastructure protection. It is critical that,
prior to an emergency, we develop the contacts, the associations, and
the working groups to deal with some of those problems.
We have worked very hard, as you know, in the legislation area to
obtain the authorities that not only enable us to continue our
investigative programs and techniques, but also help us anticipate
some of the emerging problems. Last year, for instance, the FBI worked
very hard with private industry and with many distinguished academics,
to propose and ultimately to see pass the economic espionage statute,
which is really a trade secrets act.
The interesting thing behind that initiative, however, was the fact
that it was computer crime--particularly computer intrusions into
major companies to valuable trade secrets--that focused our efforts to
protect commerce and industry here in the United States. We found, for
instance, that the traditional theft statutes, like the transportation
of stolen property, just didn't apply to the situations where an
intruder into or an employee of a corporation quickly downloads an
important trade secret and transports that information on a disk
either locally or globally.
The courts had said in many cases that intellectual property or
knowledge of a trade secret was not really a "good" or "ware" as
intended by the Congress in the interstate transportation of stolen
property act. So we found we had a large area of criminal activity
legally exempted from the FBI's program.
A major impetus for this trade secrets act was thus the ability of
computer criminals to steal valuable intellectual property that
doesn't quite fit the 1930's definition of "goods, wares, and
merchandise." This is just one example of our legislative initiatives
directed towards those technology problems.
Encryption is another important one. We realize that the need for
robust encryption is critical for the health of our national economy
and for American competitiveness, here and overseas. As a law
enforcement agency that wears a national security hat, however, we
also realize that we need encryption with some exempted or
court-authorized recovery mechanism for those very rare instances when
encrypted channels are used to either transmit or store information,
relative to a crime, an act of terror, or a national security matter.
Of course such a mechanism would to be available to us only under
court orders and very stringent requirements, as with the 1968
court-authorized wiretapping statute.
So there is a friction, as there always is, between technology issues
and law enforcement, with respect to balancing public safety issues
with first amendment issues regarding free trade. We have worked very
hard to try to achieve that critical balance. We are not out of the
woods yet. We cannot do, nor would we advocate doing, what some
countries have done; Russia, Israel, and France, for example, have
outlawed encryption. That's a solution that doesn't really deal with
the problem in all of its dynamics and all of its dimensions. We are
rather looking for a solution that balances the protection of robust
encryption with the protection of national security and public
safety--one that affords both sides the protections and restrictions
that will keep our intrusiveness limited and will not affect
competition or the economy.
Another FBI initiative that deals with cyber crime and global crime
issues is the expansion of our Legal Attache program. As many of our
international friends here know, the FBI has had, for many, many
years, a "Legat" program, as we call it, where FBI agents are assigned
to various embassies to engage in liaison functions with the host law
enforcement authorities. They deal exclusively in law
enforcement-related activities. They don't engage in any other
non-criminal activities except as liaison.
We have Legats now in 30 countries. On my last trip, in fact, I
dedicated an office in Tel Aviv, which will also serve as liaison with
Jordan, with the Palestinian authority, and with the office in Cairo.
Over the next two years, pursuant to a plan approved by the Congress,
we'll open another 16 Legats which will take us to the places like
Beijing, South Africa, and Buenos Aires--places where law enforcement
needs cop-to-cop bridges and the police-to-police contacts that are
necessary to deal with crimes like computer crime and others that have
no boundaries and that are committed in the twinkling of a eye. These
crimes absolutely require us to work with our partners in order to
identify and solve them.
We are behind the eight ball, I think, in our efforts to deal both
with cyber crime and global crime. But the initiatives I've
mentioned--including infrastructure initiatives, training initiatives,
the Legat programs--are all certainly moving in the right direction.
My concern is that we are moving too slowly and that the pace of
change is so rapid that, despite our best efforts and our resources,
we will still remain a little bit behind the curve. If you think about
what's happening now with respect to cyber crime and global crime,
it's not unfair to compare it to the advent of the automobile back in
the early part of the century. Easy automobile use then changed
everything. It didn't just changed the economy, it also had an immense
impact on law enforcement, which had been dealing with crime on a
localized basis.
Today the change is from national to international borders. I remember
when I was a new FBI agent here in New York in 1975. It was an anomaly
to have a lead in your case which went overseas to a foreign bank
account, or to need to speak to a witness who was outside our
jurisdiction, or to need records from an off-shore location where we
had no jurisdiction.
Now in 1997, that's all changed. It's probably rare when we don't have
an international connection in a drug case or an economic crime case,
or a fugitive case or a national security matter. Just like the
automobile back in the 1920s and the 1930s, the computer is impacting
the economy and the science of law enforcement today, except,
probably, with a ten-fold greater impact.
It is affecting everything we do in law enforcement. It is changing
the rules of the game with respect to how we prepare for and deal with
national security issues. And it will continue to do that at an even
more alarming rate.
Remember the old gangster movies where somebody robbed a bank, got in
an old Model T, and raced away from the police to a state line--where
the police had to stop because they didn't have jurisdiction to take
the bank robbers over the state line? Congress intervened when that
happened. It established interstate banking authority for the FBI with
respect to the bank robbery jurisdiction. And everybody thought we had
solved the problem. In today's world, though, we're dealing with
global borders and economic borders that have ceased to exist. We now
need to have authorities from Congress, and we also need technological
means to deal with a problem that is getting increasingly more complex
and global. We need to draw on your expertise and advice and partner
our efforts.
So, let me just close by again thanking you all of your attendance and
participation here. We certainly appreciate your interest. We thank
your Chiefs and Director Generals for approving this. And we ask that
you help us to combat these new crime phenomena. A critical part, of
our success will come from industry and from you. Thank you very much.
__________________________________________
Link to FBI website