|
Speech by Louis J. Freeh, Director of the FBI |
|---|
Thank you Jim. Good morning, ladies and gentleman. It's really a pleasure to be up here and to welcome you to the conference, and also to tell you what a historic and great opportunity this is for all of the varying interests represented here.
It's appropriate that this conference be held in New York City, which is a global city in a global economy. It's appropriate, and we thank you, Mr. Moran, on behalf of Chase, for involving private industry, both nationally and internationally, in the principles and objectives of the conference, as well as our law enforcement friends and colleagues from around the United States and around the world.
I just returned from a very brief trip to the Mideast where I visited three countries and spent time with the leaders of all the countries involved in the current peace process. We met with Yasser Arafat, the Prime Minister of Israel, King Hussein, President Mubarak, and, over the course of several days, all of my counterparts, both in law enforcement services and security services. And part of our agenda, although not the priority part, did in fact deal with some of the issues that this conference is going to address--issues like technology crimes; law enforcement in the information age; threats to infrastructure; threats to national security; the new ways that criminals and terrorists have found to achieve their objectives; taking advantage of all of the technological changes; the transparency of borders; the ability to travel and send information instantaneously.
These are matters that are relatively mid-way on law enforcement security agendas--and appropriately so given the enormous security problems and the current crises with which those countries and authorities deal.
It's an obvious point, but one which I think we need to make: in the United States also, these critical issues will continue to occupy industry and law enforcement, but they are not at this time on the front burners for law enforcement or for national security people.
This should not be surprising. We are not imminently threatened with the collapse of infrastructures. We are not seeing intrusions at a frequent enough index that people are alarmed about them. Our experience in 1993, when we addressed the digital telephony issue of how to maintain and continue court-authorized wiretaps in a new technological environment, is a good illustration.
At that time, we could not go to the administration or go to Congress and say we're in a crisis--we can't do any more wiretaps. We could only tell them with a lot of confidence and good information that if we did not solve that problem in 1993, we were certain that in 2003 we would not be able to perform court-authorized wiretaps--neither in the criminal enforcement area, nor in the national security area.
Today, this kind of debate continues in Washington and around the world on encryption. Again, at this point we can't point to a proliferation of examples where encryption, unbreakable encryption, has caused the loss of lives or shut down major investigations. But we know, with great certainly, that if that problem is not dealt with very quickly, the time will come that, as robust encryption proliferates without any recovery systems, law enforcement and national security will clearly be at risk.
In a sense, this process really describes the history and the saga of law enforcement. In 1933, unarmed FBI agents transporting a prisoner were gunned down in a crossfire that became known as the Kansas City Massacre. Only then was Congress spurred to enact, within a week after that attack, the authority for FBI agents to carry firearms and make arrests.
It took the chance discovery of the Apalachin meeting up in New York and subsequent investigations in the mid 60's to demonstrate the existence of La Cosa Nostra in the United States--and that spurred Congress to authorize court-authorized wiretapping in 1968.
So we see, over the course of time, how law enforcement strives to catch up with technology. And I think that's where we are right now with computer crime, with the encryption issues, with the telecommunication issues, and with the wireless communication issues--all of which need to be addressed and solved.
So I really salute all of you--and of the different countries and corporations that you represent--for putting together a conference which, for the first time, focuses internationally on this problem. Your lead is one that law enforcement must follow.
Today when new FBI agents graduate from our training academy in Virginia, they leave with their firearms and their badges, but they also leave with a lap top computer. It's an excellent symbol of the changing environment in which these young men and women will function over the next 20 years. It is also imperative for the way they must conduct investigations. When they serve law enforcement search warrants, they seize hard drives and disks instead of the boxes and boxes of records and books and ledgers that their predecessors, myself included, used to seize to support our cases.
Today, also, they chase fugitives over cyberspace as well as over fences. You may remember when we arrested Mr. Mitnik a year or so ago. He was found by the FBI, but he was found because we hired a 23-year-old computer specialist to locate exactly where he was and where he was transmitting from. That was the basis of effecting that arrest.
I thought also I would mention, very briefly, some of the cases where the technology of computers and cyber crime is evidencing itself, and then talk generally and briefly about recent initiatives undertaken between the FBI and other government organizations, in partnership with the private sector, to deal with some of these problems.
Clearly these problems and issues cannot be solved unilaterally by law enforcement, no more than they could be solved unilaterally by the private sector. If we are to identify and respond to these various problems, we've got to unite the efforts of industry and law enforcement on an international scale.
Let me mention very quickly a couple of cases; these are all public cases so I can comment on them. The Citibank case, which you've heard Mary Jo White refer to, was a case where someone with a lap top computer, sitting in an apartment in St. Petersburg, Russia, intrudes into a bank and attempts to move millions of dollars out of accounts to a place where they can be exploited.
We had a similar case recently with a so-called "phone phreaker" in Sweden--and because of the assistance we received from Swedish authorities, we were able to solve that case. There a young man, sitting in his own apartment, hacked his way across the Atlantic Ocean into U.S. telephone switching systems and worked his way down to Northern Florida, where over the course of several weeks, he interfered with 911 systems and had the capability to disable the system. It could have been disastrous, because 911 systems not only affect the police but also affect fire and emergency services.
Now extrapolate that to imagine if he'd hit to larger systems--banking systems, stock exchanges, or power grids in the northeast or northwest in the middle of winter.
We had another recent and continuing case in Baltimore, which we call the Innocent Images case. Several speakers today have already referred to it. It goes back to 1993 when we began investigating a kidnapping case. When we began to focus on several subjects, it became clear that they were using computers--computer telecommunications networks--to contact, identify and, in some cases, arrange for meetings with children. In a sense, they were entering the homes of the children, not on the telephone or by a knock on the door, but through computer modems. That case, which has become a national initiative by the FBI, has resulted, so far, in approximately 88 arrests and 78 convictions. And the only people targeted in those cases are the individuals who are involved in large-scale distributions of pornography, and that's just, in our view, the tip of the iceberg.
We had a recent terrorism case where an individual maintained plans in his lap top computer to attack airliners and other targets. Part of the files contained in that lap top is still encrypted and is still in need of being deciphered by the law enforcement authorities.
Those are just several cases on the menu--again, not representative of thousands of others, but all of a very serious nature and with grave implications.
If you take the context of those cases and translate them to large scale industries, to infrastructure, and to informational systems then you can see that the potential is catastrophic.
Consider for example, a recent exercise by a government agency that is responsible for maintaining and transmitting secure information. This agency ran some computer attacks against its own very well defended systems, using people inside and outside the agency to perform them. The results of the test were that 88 percent of the attacks were successful. Again, the implications of that exercise, translated to all our informational systems, are sobering.
We have been trying to respond to the prospective issues involved in this issue in a number of different ways. In June last year the President signed an Executive Order that asked all government agencies, coordinated by the FBI, to do a critical infrastructure study over a 1-year period that would focus on the vulnerabilities of the systems--both physical and informational security--and that would compose and design protocols of plans and systems to protect key areas of government, as well as private industry infrastructure.
That process has been ongoing now for several months. We have enlisted the assistance of many agencies, particularly Department of Defense agencies, which have great expertise in this area. We have also heavily relied upon private industry and private consultants to supply some of the necessary expertise for analysis and planning.
In addition, pursuant to Executive Order and to a Presidential Directive on terrorism, we established an FBI Computer Investigations and Threat Assessment Center in our Headquarters, which we call CITAC. The purpose of that center is two-fold. One, to develop and provide expertise in computer investigations. Secondly, to do threat assessments with respect to computer crime infrastructure defenses. This ties in as best it can with the infrastructure analysis program which is ongoing at the same time.
We've established three FBI computer crime squads in the field now: one is here in New York; two, in other cities around the country. These are very different animals in terms of our FBI structure. Most FBI squads are programmatic squads, dealing with bank robbery or with theft from interstate shipment. These new computer crime squads, however, are disciplinary squads--nonprogrammatic and specifically designed and ordered to gather up, within a particular division, all of the computer investigative expertise that we have both from an analytic and an operational point of view. We then use them as a resource for all other programs in the field divisions, whether they be counterterrorism programs, criminal programs, or national security matters. We also use them to assist our partners in other law enforcement agencies.
Part of our CITAC program also requires the SACs in all our 56 field divisions to form working groups with local industry--banking, utilities, energy, whatever the framework may be for that particular location--and put together working groups that will serve both to advise and respond to a crisis that threatens infrastructure, whether it be a criminal or a national security matter. To date, those advisory working groups are working very well around the country.
Again, the real key to success here--and I don't think it can be repeated too much--is the critical partnership of government with the private sector and private industry. Beyond our best expertise, we need additional expertise based on system-design and system-engineering infrastructure protection. It is critical that, prior to an emergency, we develop the contacts, the associations, and the working groups to deal with some of those problems.
We have worked very hard, as you know, in the legislation area to obtain the authorities that not only enable us to continue our investigative programs and techniques, but also help us anticipate some of the emerging problems. Last year, for instance, the FBI worked very hard with private industry and with many distinguished academics, to propose and ultimately to see pass the economic espionage statute, which is really a trade secrets act.
The interesting thing behind that initiative, however, was the fact that it was computer crime--particularly computer intrusions into major companies to valuable trade secrets--that focused our efforts to protect commerce and industry here in the United States. We found, for instance, that the traditional theft statutes, like the transportation of stolen property, just didn't apply to the situations where an intruder into or an employee of a corporation quickly downloads an important trade secret and transports that information on a disk either locally or globally.
The courts had said in many cases that intellectual property or knowledge of a trade secret was not really a "good" or "ware" as intended by the Congress in the interstate transportation of stolen property act. So we found we had a large area of criminal activity legally exempted from the FBI's program.
A major impetus for this trade secrets act was thus the ability of computer criminals to steal valuable intellectual property that doesn't quite fit the 1930's definition of "goods, wares, and merchandise." This is just one example of our legislative initiatives directed towards those technology problems.
Encryption is another important one. We realize that the need for robust encryption is critical for the health of our national economy and for American competitiveness, here and overseas. As a law enforcement agency that wears a national security hat, however, we also realize that we need encryption with some exempted or court-authorized recovery mechanism for those very rare instances when encrypted channels are used to either transmit or store information, relative to a crime, an act of terror, or a national security matter. Of course such a mechanism would to be available to us only under court orders and very stringent requirements, as with the 1968 court-authorized wiretapping statute.
So there is a friction, as there always is, between technology issues and law enforcement, with respect to balancing public safety issues with first amendment issues regarding free trade. We have worked very hard to try to achieve that critical balance. We are not out of the woods yet. We cannot do, nor would we advocate doing, what some countries have done; Russia, Israel, and France, for example, have outlawed encryption. That's a solution that doesn't really deal with the problem in all of its dynamics and all of its dimensions. We are rather looking for a solution that balances the protection of robust encryption with the protection of national security and public safety--one that affords both sides the protections and restrictions that will keep our intrusiveness limited and will not affect competition or the economy.
Another FBI initiative that deals with cyber crime and global crime issues is the expansion of our Legal Attache program. As many of our international friends here know, the FBI has had, for many, many years, a "Legat" program, as we call it, where FBI agents are assigned to various embassies to engage in liaison functions with the host law enforcement authorities. They deal exclusively in law enforcement-related activities. They don't engage in any other non-criminal activities except as liaison.
We have Legats now in 30 countries. On my last trip, in fact, I dedicated an office in Tel Aviv, which will also serve as liaison with Jordan, with the Palestinian authority, and with the office in Cairo. Over the next two years, pursuant to a plan approved by the Congress, we'll open another 16 Legats which will take us to the places like Beijing, South Africa, and Buenos Aires--places where law enforcement needs cop-to-cop bridges and the police-to-police contacts that are necessary to deal with crimes like computer crime and others that have no boundaries and that are committed in the twinkling of a eye. These crimes absolutely require us to work with our partners in order to identify and solve them.
We are behind the eight ball, I think, in our efforts to deal both with cyber crime and global crime. But the initiatives I've mentioned--including infrastructure initiatives, training initiatives, the Legat programs--are all certainly moving in the right direction. My concern is that we are moving too slowly and that the pace of change is so rapid that, despite our best efforts and our resources, we will still remain a little bit behind the curve. If you think about what's happening now with respect to cyber crime and global crime, it's not unfair to compare it to the advent of the automobile back in the early part of the century. Easy automobile use then changed everything. It didn't just changed the economy, it also had an immense impact on law enforcement, which had been dealing with crime on a localized basis.
Today the change is from national to international borders. I remember when I was a new FBI agent here in New York in 1975. It was an anomaly to have a lead in your case which went overseas to a foreign bank account, or to need to speak to a witness who was outside our jurisdiction, or to need records from an off-shore location where we had no jurisdiction.
Now in 1997, that's all changed. It's probably rare when we don't have an international connection in a drug case or an economic crime case, or a fugitive case or a national security matter. Just like the automobile back in the 1920s and the 1930s, the computer is impacting the economy and the science of law enforcement today, except, probably, with a ten-fold greater impact.
It is affecting everything we do in law enforcement. It is changing the rules of the game with respect to how we prepare for and deal with national security issues. And it will continue to do that at an even more alarming rate.
Remember the old gangster movies where somebody robbed a bank, got in an old Model T, and raced away from the police to a state line--where the police had to stop because they didn't have jurisdiction to take the bank robbers over the state line? Congress intervened when that happened. It established interstate banking authority for the FBI with respect to the bank robbery jurisdiction. And everybody thought we had solved the problem. In today's world, though, we're dealing with global borders and economic borders that have ceased to exist. We now need to have authorities from Congress, and we also need technological means to deal with a problem that is getting increasingly more complex and global. We need to draw on your expertise and advice and partner our efforts.
So, let me just close by again thanking you all of your attendance and participation here. We certainly appreciate your interest. We thank your Chiefs and Director Generals for approving this. And we ask that you help us to combat these new crime phenomena. A critical part, of our success will come from industry and from you. Thank you very much.