I come today, if I could find an olive branch I'd bring the olive branch, I come today to ask you, as I asked those around the conference room or the cabinet table in the Cabinet Room at the White House, what can law enforcement do to be a better partner, how can we build the trust, the understanding, the network that will permit law enforcement to do its job the right way and yet effect the wonderful opportunities that this medium provides.
We have gathered a very impressive array of representatives from businesses from around the world and from varied law enforcement agencies in the United States. I am here today to invite industry to join my colleagues in law enforcement in a very frank, very open and, I hope, productive dialogue about internet computer crime and what each of us should do to combat its growing threat.
It seems to me that we all have a common goal: To keep the nation's computer network secure, safe and reliable for America's citizens, for America's business. But we must do this in a way that respects the Constitutional rights, the privacy and other rights of all Americans. And we must do it in a way that causes the least disruptive impact of the criminal justice system's processes.
Only by understanding each other views and areas of expertise and control can we band together to effectively fight this battle.
We have talked about the growth of the internet over the last decade, the new promise it brings. It is so exciting to see young people communicating and learning in ways that they never learned before. It is wonderful to see people communicating as they haven't before. It already allows us to participate in government and in opportunities that we never dreamed possible.
It can serve as a tool to teach and to give us an opportunity in a forum to debate issues, great and minute. It allows Americans the very, very real option of working at home and shopping at home. And think of what that may mean to this nation in terms of giving both parents quality time with their children.
The internet has also spurred a new and thriving economy. Many e-commerce businesses, some of which are represented here, have prospered by providing their products and services through the internet. Other businesses have assisted in building and maintaining the internet itself. The net has given people jobs, supported families and communities and created new opportunities for commerce for all America.
Perhaps less visible, but no less critical, is the use of computer networks to provide essential services to the people of our nation.
Telecommunications and banking systems, water and electric power supplies and emergency and national defense examples, for example, rely on these networks. The internet has touched all our working life, all our family life, and it has the potential to be one of the most wonderful things that has ever happened to humankind.
But there are those who would use the tools of the internet to hurt and harm others. Even in the internet's relatively short lifespan we have seen a wide array of criminal conduct. We have seen the net used to commit traditional crimes against an ever- increasing pool of victims.
Although the internet provides an unparalleled opportunity for Americans to exercise their First Amendment rights and to freely express ideas, it also provides a forum for ill-motivated persons to promote hatred and racism, to advocate violence and to teach acts of destruction and vandalism as if an art form or honorable trade in its own right.
Then there are those criminals intent on attacking and disrupting computers, computer networks and the internet itself. Though it is often difficult to identify the motivation of these digital outlaws, the result of this conduct is to threaten the promise that the internet offers by reducing public confidence in the whole system. And that is what we are about today.
We have an incredible moment of opportunity, an opportunity to come together, to define our roles, to determine what each of us can do best, to give the public confidence that that system will not be used to invade their privacy, that that system will not be used to extort them, or to stalk them, or to undermine the quality of life that they know, but that instead it will be used to give them the opportunity that they never dreamed they could have, to work, to shop, to communicate, to learn, to bring peace in this world.
Earlier this year we witnessed the senseless denial-of-service attacks launched against many prominent commercial internet sites. Not only did these attacks maliciously disrupt legitimate commerce and interfere with the use by customers of information services, they also violated the security of a substantial number of other computers from which the denial-of-service attacks were launched. The number of victims in these types of cases can be substantial and the collective loss and cost to respond to these attacks can run into the tens of millions of dollars or more.
We have also seen rogue intruders violate the privacy of Americans, stealing personal information and boldly threatening to extort them. We have suffered from hackers who break into computer networks and steal, among other information, credit card numbers, Social Security numbers, passwords and proprietary business information that is oftentimes the lifeblood of American business.
We have got to check this. We have got to make sure that we use this window to establish understandings about what government will do in conjunction with the private sector in a partnership, not as adversaries, to make this marvelous, new phenomenon a reality of opportunity.
We will realize the spectacular potential if we can prevail, but how we do it is critical.
The imperative of finding perpetrators of computer crimes is often a daunting task, as a result of the anonymity afforded by the internet combined with its necessarily open nature.
If law enforcement cannot track down and punish the criminals, public safety and confidence is undermined. But we cannot and will not win if we in any way undermine our Constitutional rights.
This morning I had an opportunity to talk with law students. They asked me if the Constitution and the laws had changed enough to adapt to new technology. I think the law of this country, the Constitution that our forefathers developed long ago, without ever imagining cybertools, is strong enough, fine enough to last through all sorts of technological revolutions if we work together to make sure that it happens.
We should not pay a hollow victory through the sacrifice of privacy. I invite the thoughts of industry on where the appropriate lines should be drawn and what respective roles industry and government can play. I invite industry, state and local law enforcement, my federal colleagues, to talk about how we can work together to recognize that borders will become meaningless.
As people can sit in a kitchen in St. Petersburg, Russia and steal from a bank in Chicago, as people can stalk halfway around the world, as people can extort people halfway around the world, how will we build a partnership with our colleagues around the world to track these people, to bring them to justice and to make again the opportunities of the internet real for the world? The solutions will not be found in any single sector, in government, in law enforcement, in the private sector, amongst citizens.
We can only address the problems we face through the individual efforts of and cooperation among the many members of our online society. The interconnectivity that is the internet demands that we all work together. This includes not just law enforcement and industry but also the system administrators who oversee the security and information logging of public and private computer networks, educational institutions that can secure the computer networks and teach our children about the ethical use of computers.
It includes our nation's parents and our citizens who may find themselves victims of online crime. It is a long road. It can be a hard road, but it is a road well worth traveling.
And today we take another step on that road. We have gathered skilled business persons, system security experts and other prominent industry leaders and talented and devoted members of law enforcement, including federal, state and local prosecutors and investigators. Each of us has a role to play in ensuring that the cyberrevolution is not put down or diminished in any way by people who would prey on or hurt others.
We must talk openly and frankly. I came here today to listen, to learn and to go back to Washington with your unvarnished opinion clearly in my mind about what we can do to define our roles and do it the right way.
Law enforcement, like industry, has its duties, its tools and its constraints. As a prosecutor for almost 15 years in Miami, I can tell you that I know how intrusive a criminal investigation can be. I have heard from bankers long before they talked in terms of cybertools about why they didn't report an embezzlement, why they didn't want to put up with a criminal investigation.
I want your opinions, your suggestions about what we can do in law enforcement to design investigations that achieve the truth, that do it according to principles of the Constitution and do it with the least disruption to your undertakings.
We ask industry to recognize that law enforcement has much to offer to make the internet a secure place for their businesses and customers. But I also recognize that it is hard for government to attract a sufficient number of people who have both the technical and the legal expertise to deal with the critical issues that we face.
I have been so proud of those in the Department of Justice who have done so much with limited resources, limited equipment. And we want to work with you to understand better how we can attract people, what we can do to retain them, how we can work with you in public-private partnerships to achieve new goals.
Senior officials from the Department's Computer Crime Section meet regularly with representatives from internet service providers, telecommunications carriers and others through information industry group. The FBI's National Infrastructure Protection Center and its Computer Crime Squads have worked to develop the Infragard Program in communities around the country, to build relationships. And I think relationships is what it is all about.
Until that FBI agent sits down with your security officer or deals one on one in terms of an investigation, people do not know each other. But when they have that experience, when you have a good working relationship, when you can build on a good experience, you learn so much about how we can work together.
I would like to use this opportunity to make sure that we do that in the most effective way possible.
We have also begun regular meetings with the Law Enforcement and Security Council of the Internet Alliance, an industry group that includes many of the largest ISPs. Industry and law enforcement have made sincere efforts to cooperate and have made real gains. Today's conference is another step in the right direction.
We are not interested in a top-down approach. We do not know best. We know that people in the field, state and local law enforcement, industry can tell us what needs to be done. And we can provide a vantage point that can be helpful, as well.
We do not want invasive government regulation or monitoring of the internet. We must recognize that with overlapping areas of responsibility and control we can do so much if we define the particular function of each.
The private sector in that regard should take the lead, I think, in protecting the security of private-sector computer systems. We must take the lead in protecting government systems. And we must share information about vulnerabilities so that we can each take steps to protect our systems against attack.
Once the systems have been victimized, law enforcement must take the lead on investigating network and other computer crimes. We need to ensure that we have the technical and legal tools necessary to do it. We also want to ensure that we have the information and continued cooperation necessary to effectively investigate these cases.
Always mindful that the victim is concerned about confidentiality, that the victim is concerned about the intrusion of the law enforcement process in their business, we need to design an approach that can be effective.
These are the issues that we jointly face. This is an opportunity to speak directly, but even then we have another challenge. What happens when you learn information about a particular issue that if linked with ten other people or ten other businesses' information indicates a real threat to national security or a real threat to the internet or a real threat to business? How can we develop the trust that will permit us to share information?
If we share information how can we develop a process that will provide us a procedure for giving early warning to all concerned to avoid further injury to all concerned without interrupting or interfering with your business processes?
These are the issues we have to face.
We recognize that a sophisticated intrusion may go undetected and be nearly undetectable by the victim. A hacker may be able to erase all traces of the hack, modifying logs to cover the digital footprints. This is a very real problem that we must address through means, such as eliminating system vulnerabilities that can be exploited and enhancing and implementing intrusion detection software.
Law enforcement must understand that while there may be reluctance to report, we must identify what we can do to encourage victims to come forward.
I would like any suggestions you have today in practical details with practical examples of where you have had problems in the past about what we can do to address these issues.
I hope that today law enforcement and industry can identify the barriers and take serious steps to build a mutual trust. I hope today that we can also recognize that there are business risks. We are all victims if computer crime goes unresolved. If the crime is not reported, people are going to try again and again and again.
And I put it in the same terms as I talked to bankers twenty years ago in Miami: If you let this embezzler get away with it and this embezzler get away with it and this embezzler get away with it, people are just going to take advantage of you.
Where do we draw the line, ladies and gentlemen? That is the challenge that we face today.
Today you will also address the proper manner in which businesses involved in an intrusion and law enforcement should work together when we discover the vulnerability.
Perhaps the greatest challenge and the one where we can make the most progress is by discussing openly the investigation of intrusions by law enforcement. By sharing perspectives on the steps that both industry and law enforcement can take to enhance the prospect of a successful investigation, we can arrive at a way to conduct these investigations with a minimal disruption to all concerned.
And it is important that law enforcement share with you what we need to obtain in terms of court orders, in terms of search warrants, in terms of process, that we do not go willy-nilly into people's computers, that there is a process and a Constitutional protection that governs us each step of the way.
There are so many challenges. The one I'm fond of pointing out: What happens if law enforcement in Atlanta, Georgia has traced an intrusion to somebody in Denver, Colorado? What process can the local law enforcement official use in Atlanta to obtain records of data stored in Colorado? What happens to search warrants, to court orders, to Title 3s? There are so many issues that we have got to confront.
And then we complicate it even more: What happens if the French government is investigating a French businessman who has never stepped foot out of France, gets a court order for his computer. His computer, he happens to be a customer of America Online and the data is stored near Dulles in Virginia? What processes? How does the law adapt? How do we adapt to achieve our common goal, to protect the Constitutional rights of all concerned, to protect the privacy of all concerned, to protect and ensure the safety and the security of one of the greatest undertakings, one of the greatest inventions, one of the greatest ideas, one of the greatest example of collective human brilliance and endeavor we have ever seen in the history of the world?
We have a moment in time, ladies and gentlemen, where we can set the tone for the internet for all of our history to come. It is a time where we can give it the foundation, where we can give the public confidence in it, where we can make it a tool for opportunity that even we probably can't dream of where it is going to because it is so phenomenal.
I need the answer to the question: What can law enforcement do to improve? How can we be a better partner? How can we achieve our common goals? And how can we make this wonderful, wonderful opportunity a reality for all Americans?
Thank you so much for being here and for giving this time today. It will be critical for us.
(Applause.)
FACILITATOR MILLER: Attorney General Reno, a first question for you, if you would, please.
Please comment on the insider threat and how relevant do you think it is to today's discussion. And do you have some sense of the importance of the insider threat as opposed to the hacker threat in terms of its significance?
ATTORNEY GENERAL RENO: I think it is one of the many threats that we face, and how do we do it? I think if we put it in terms of if conduct before the internet was criminal and a threat, with the internet it can still be the same type of threat. And I think this is one of the issues that we have got to consider.
We have got to consider, in terms of national security, what we do when we contract with people who are in the inside and we do not know who they are and where they come from around the world. There are just a whole range of issues. And I think Mr. Watkins has set the tone. We are not going to get all the answers, but if we can get a process by which we consider these.
Harris had the opportunity to testify, I think, before Senator Kyl's committee, and he ended his testimony by saying, "The federal government can do better." And I think we can.
FACILITATOR MILLER: This is an interesting question. I don't know if I have come across this before.
And, Attorney General, you may not be able to answer it, but I think it is a thought-provoking question.
Many laws, such as the Digital Millennium Copyright Act, provide a limitation on liability for a website or an ISP only if the service provider has no knowledge if information that's been posted on the website. So it is a way to limit liability on the service provider. If you do not know that someone posted something that is in violation of the law, then you cannot be liable.
But in some sense that is an inhibitor to companies actively going out and looking for things on their website and going through an investigative process because, if they go through the investigative process and if they are regularly scanning the websites that they happen to be maintaining, then conceivably someone could go back and argue that they are, in fact, liable for things that were posted on their website that should not have been there.
So are we in a situation where, in essence, we have inadvertently created a disincentive for certain people in the internet business to try to be good corporate citizens?
ATTORNEY GENERAL RENO: I think this is one of the great challenges that we face on or off the internet. If we ask people to be vigilant, do we hold them accountable for the problem exposed by their vigilance?
I would be grateful for people's thoughts as to how we can address this issue. I do not have any immediate answer.
FACILITATOR MILLER: Next question, again for the Attorney General. You mentioned the global nature of the internet and the global nature of these issues. Can you share with the audience what the Justice Department is doing or what the Administration is doing to help deal with these issues on a global basis?
ATTORNEY GENERAL RENO: We have begun in a number of forums to address the issue. One of the principal forums that we have focused on is the G8. Originally the G8, the big eight industrial nations, were not so focused on justice and public safety issues.
In the last three years we have gotten their attention, and we have now had a number of conferences. Interestingly enough, our first conference was in Washington, I think approximately three years ago. We meet once a year.
The next was a meeting through video conferencing. I had to be there at 6:30 in the morning. The Japanese had to stay until 11:30 at night. It was a four-hour conference and it was excellent, again focused in substantial part on the issue of internet crime.
We met this past fall in Moscow and had an excellent conference amongst the eight ministers. And we are dedicated and are making progress with respect to setting up a twenty-four-hour, seven-day-a-week ability to detect and to cooperate with each other in detecting intrusions in the eight countries. And we are beginning to share with others.
We are hopeful that as the EU focuses more on public safety and justice issues, and we expect some more formal comments to follow up with the action taken this past fall in Finland, that we will be able to work with the EU in terms of these initiatives.
Again, there are many issues. As somebody pointed out to me, there are some countries who do not want to retain information and data that would permit the tracing of the intrusion because they have been part of a government that historically retained data on more people than any other government in history.
There are many issues that we have got to face there, but the issue of data retention sufficient to trace intrusions becomes one of the issues that we focus on.
I have been trying to get the Organization of American States to focus on this issue, and I think we are making real progress. We met this past March in Costa Rica, again the ministers of justice, focusing on what we can do through the OAS to develop common laws, common understanding, common process.
And one of the things that we need to do is to develop a whole new approach to trying people. If you have a relatively small case but an important case, it may be too small to bring witnesses halfway around the world to try them here. Where do we try them?
And one of the issues that I think we have got to undertake is to focus on how we develop court systems through video conferencing. We have had three cases in Florida, not involving cyberissues, but giving us hope as to what we might do when we have situations like this where witnesses have testified in the court proceeding in Florida through video conferencing from halfway around the world.
These are some of the undertakings that we are involved in. But, again, my colleagues share with me the strong feeling, and particularly my colleague, the Home Secretary for the U.K., Jack Straw, is so concerned with the necessity for developing a partnership with industry to make this worldwide effort effective.
FACILITATOR MILLER: I think we have to get you out of here. Let me ask one last question which is sort of a combination of several questions, and it is something Peter referred to, which is the seriousness with which the whole law enforcement community views these types of crimes and particularly an issue which I think came up at the White House meeting also.
Obviously you take this very seriously, otherwise you wouldn't be here today.
The question is: Do judges, the people who have to schedule these cases, the U.S. Attorneys and local law enforcement officials, do they take them just as seriously? Because it is obviously one thing for an investigation to be conducted, it is another thing to actually get this into a court and then see actual punishment, or do we have to do more to get these issues to a higher level of prominence in the judicial system?
ATTORNEY GENERAL RENO: I think we have got to do more to raise the level of focus and prominence, not so much because of indifference or lack of interest or lack of appreciation, but we must educate as to the nature, the extent and the seriousness of the threat.
The U.S. Attorneys are taking it very seriously, and each has an expert in their office focused on the issue.
It is important for us to work with Congress to make sure that Congress understands how important it is to have this fully staffed. Congress will at the same time tell us, 'Well, come up with a cyberplan.' And we have suggested to them that we provide a five-year plan for how we can effect the issue.
State and local law enforcement is doing a wonderful job with totally inadequate resources. Sometimes it depends on there's a sergeant who just got interested, his son was fussing with the computer, the sergeant got interested in the computer. He discovered an aptitude with it and ran with it and has developed a whole squad for his department. Other departments do not have much of an expertise.
But one of the most exciting points I can bring to you is that the President of the International Association of Chiefs of Police, Colonel Mike Robinson, the head of the Michigan State Police, is very, very concerned about this issue and articulate as to the need to develop a real undertaking.
What I think is important for us in this regard is that law enforcement, amongst itself, must develop a sharing, a two-way street that is vital, both with industry but within law enforcement.
We are not going to have the money to keep up with the exciting development and equipment. About the time we procure something and get it installed, we are beginning to find that it is obsolete.
And government cannot afford to keep current unless it does so through using networking and sharing with state and locals so that we do not have to constantly purchase for everybody a costly piece of equipment and we can put into our investments one piece of equipment that can serve the federal government and all fifty states. It is a new era in law enforcement in that regard.
(Applause.)
(Recess taken at 10:22. Break-out sessions held.)
Go to . . . CCIPS Home Page || Justice
Department Home Page