Issue of Intrusions into Government Computer Networks
This is archived material from the Federal Bureau of Investigation (FBI) website. It may contain outdated information and links may no longer function.
  • Ronald L. Dick
  • Director, National Infrastructure Protection Center, FBI
  • Federal Bureau of Investigation
  • Before the House Energy and Commerce Committee, Oversight and Investigation Subcommittee
  • Washington, DC
  • April 05, 2001

Representative Greenwood, Members of the subcommittee, thank you for inviting me here today to speak to the important issue of intrusions into government computer networks. The problem is serious. The Department of Defense reports thousands of potential cyber attacks launched against DOD systems. GAO reports that "in 1999 and 2000, the Air Force, Army, and Navy recorded a combined total of 600 and 715 [serious] cyber attacks, respectively." This does not even consider attacks on civilian agencies. Two weeks ago National Security Advisor Condoleezza Rice stated that "The President himself is on record as stating that infrastructure protection is important to our economy and to our national security and therefore it will be a priority for this administration."

Dr. Rice also stated during that same speech that, "We have to maximize our resources and energies by making sure that they are focused, instead of allowing them to be dissipated through dispersal." The need for a coordinated interagency approach to address intrusions into government networks was one of the principal reasons for having established the National Infrastructure Protection Center (NIPC). When the NIPC was founded three years ago, it was during one of the largest intrusions ever into U.S. government systems. The lessons learned from that intrusion and from the response to it have helped shape the NIPC.

Let me provide you with a snapshot of our caseload on government intrusions. Currently we have 102 cases (of a current total of 1,219 pending cases) involving computer intrusions into government systems. This includes intrusions into federal, state and local systems, as well as the military. It should be noted that a single case can consist of hundreds of compromised systems that have experienced thousands of intrusions. In addition, many agencies conduct investigations concerning intrusions into their systems that are not reported to the FBI. In short, this case load represents a large number of incidents.

Several critical elements are required to deal with intrusions into government computer systems. There must be an interagency structure to deal with this problem. No agency should or should have to address these issues alone. Information must be shared with law enforcement and the NIPC. We must work to ensure that any intrusions are stemmed and the vulnerability that allowed the intrusion is patched.

Interagency cooperation is essential in dealing with intrusions into government systems. As I said at the outset, that is why the NIPC was created. Currently the NIPC has representatives from the following agencies at the Center: FBI, Army, Navy, Air Force Office of Special Investigations, Defense Criminal Investigative Service, National Security Agency, United States Postal Service, Department of Transportation/Federal Aviation Administration, Central Intelligence Agency, Department of Commerce/Critical Infrastructure Assurance Office, and the Department of Energy. This representation has given us the unprecedented ability to reach back into the parent organizations of our interagency detailees on intrusions and infrastructure protection matters. In addition, we have formed an interagency coordination cell at the Center which holds monthly meetings with U.S. Secret Service, U.S. Customs Service, representatives from DOD investigative agencies, the Offices of Inspector General of NASA, Social Security Administration, Departments of Energy, State, and Education, and the U.S. Postal Service, to discuss topics of mutual concern.

This representation is not enough, however. The PDD states that, "The NIPC will include FBI, USSS, and other investigators experienced in computer crimes and infrastructure protection, as well as representatives detailed from the Department of Defense, the Intelligence Community and Lead Agencies." The NIPC would like to see all lead agencies represented in the Center. The more broadly representative the NIPC is, the better job it can do in responding to intrusions into government systems.

The NIPC is pursuing three sets of activities that address computer intrusions into government systems: prevention, detection, and response.


Our role in preventing cyber intrusions into government systems is not to provide advice on what hardware or software to use or to act as a federal systems administrator. Rather our role is to provide information about threats, ongoing incidents, and exploited vulnerabilities so that government and private sector system administrators can take the appropriate protective measures. The NIPC has a variety of products to inform the private sector and other domestic and international government agencies of the threat, including: alerts, advisories, and assessments; biweekly CyberNotes; monthly Highlights; and topical electronic reports. These products are designed for tiered distribution to both government and private sector entities consistent with applicable law and the need to protect intelligence sources and methods, and law enforcement investigations. For example, Highlights is a monthly publication for sharing analysis and information on critical infrastructure issues. It provides analytical insights into major trends and events affecting the nation's critical infrastructures. It is usually published in an unclassified format and reaches national security and civilian government agency officials as well as infrastructure owners. CyberNotes is another NIPC publication designed to provide security and information system professionals with timely information on cyber vulnerabilities, hacker exploit scripts, hacker trends, virus information, and other critical infrastructure-related best practices. It is published twice a month on our website and disseminated in hardcopy to government and private sector audiences.

The NIPC has elements responsible for both analysis and warning. What makes the NIPC unique is that it has access to all-source intelligence from law enforcement, the intelligence community, private sector, international arena, and open sources. No other entity has this range of information. Complete and timely reporting of incidents from private industry and government agencies allows NIPC analysts to make the linkages between government intrusions and private sector activity. We are currently working on an integrated database to allow us to more quickly make the linkages among seemingly disparate intrusions. This database will leverage both the unique information available to the NIPC through FBI investigations and information available from the intelligence community and open sources. Having these analytic functions at the NIPC is a central element of its ability to carry out its preventive mission.

This initiative expands direct contacts with the private sector infrastructure owners and operators and shares information about cyber intrusions and exploited vulnerabilities through the formation of local InfraGard chapters within the jurisdiction of each of the 56 FBI field offices. This is critical to infrastructure protection, since private industry owns most of the infrastructures. Further, InfraGard's success belies the notion that private industry will not share information with NIPC or law enforcement. All 56 FBI field offices have InfraGard chapters. There are currently over 900 InfraGard members. The national InfraGard rollout was held on January 5, 2001.

The NIPC is also working with the Information Sharing and Analysis Centers established under the auspices of PDD-63. For example, the North American Electric Reliability Council (NERC) serves as the electric power ISAC. We have developed a program with the NERC to develop an Indications and Warning System for physical and cyber attacks. Under the program, electric utility companies and other power entities transmit incident reports to the NIPC. These reports are analyzed and assessed to determine whether an NIPC alert, advisory, or assessment is warranted to the electric utility community. Electric power participants in the pilot program have stated that the information and analysis provided by the NIPC back to the power companies make this program especially worthwhile. NERC has recently decided to expand this initiative nationwide. This initiative will serve as a good example of government and industry working together to share information and the Electrical Power Indications and Warning System will provide a model for the other critical infrastructures. Eventually the NIPC will need to be able to have a comprehensive nation-wide system for all the infrastructures.

The NIPC is the Sector Lead Agency for the Emergency Law Enforcement Services sector. As part of this mission, the Center has also been asked by the ELES Sector to have the NIPC Watch and Warning Unit act as the ISAC for the sector. The NIPC is working to implement this request.


Given the ubiquitous vulnerabilities in existing Commercial Off-the-Shelf (COTS) software, intrusions into critical systems are inevitable for the foreseeable future. Thus detection of these intrusions is critical if the U.S. Government and critical infrastructure owners and operators are going to be able to respond. To improve our detection capabilities, we first need to ensure that we are fully collecting, sharing, and analyzing all extant information from all relevant sources. It is often the case that intrusions can be discerned simply by collecting bits of information from various sources; conversely, if we don't collate these pieces of information for analysis, we might not detect the intrusions at all. Thus the NIPC's role in collecting information from all sources and performing analysis in itself serves the role of detection.

Agency system administrators need to work with FedCIRC and the NIPC. PDD-63 makes clear the importance of such reporting. It states, "All executive departments and agencies shall cooperate with the NIPC and provide such assistance, information and advice that the NIPC may request, to the extent permitted by law. All executive departments shall also share with the NIPC information about threats and warning of attacks and about actual attacks on critical government and private sector infrastructures, to the extent permitted by law." We are working with OMB, FedCIRC, and the agencies to improve agency reporting of security incidents.

In some cases, in response to victims' reports, the NIPC has sponsored the development of tools to detect malicious software code. For example, in December 1999, in anticipation of possible Y2K related malicious conduct, the NIPC posted a detection tool on its web site that allowed systems administrators to detect the presence of certain Distributed Denial of Service (DDoS) tools on their networks. In these cases, hackers plant tools such as Trinoo, Tribal Flood Net (TFN), TFN2K, or Stacheldraht (German for barbed wire) on a number of unwitting victim systems. Then when the hacker sends the command, the victim systems in turn begin sending messages against a target system. The target system is overwhelmed with the traffic and is unable to function. Users trying to access that system are denied its services. The NIPC's detection tools were downloaded thousands of times and have no doubt prevented many DDoS attacks.

The NIPC also led the FBI's multiagency Y2K command center. NIPC personnel were on alert during the rollover period watching for possible malicious activity under the guise of Y2K. NIPC coordinated a nationwide watch effort and distributed reports every four hours round the clock on the situation.

Regarding warning, if we determine that an intrusion is imminent or underway, the NIPC Watch is responsible for formulating assessments, advisories, and alerts, and quickly disseminating them. The substance of those products will come from analytical work done by NIPC analysts. If we determine an attack is underway, we can notify both private sector and government entities using an array of mechanisms so they can take protective steps. In some cases these warning products can prevent a wider attack; in other cases warnings can mitigate an attack already underway. Finally, these notices can prevent attacks from ever happening in the first place. For example, the NIPC released an advisory on March 30, 2001 regarding the "Lion Internet Worm," which is a DDoS tool targeting Unix-based systems. Based on all-source information and analysis, the NIPC alerted systems administrators how to look for this compromise of their system and what specific steps to take to remove the tools if they are found. This alert was issued after consultation with FedCIRC, JTF-CND, a private sector ISAC, and other infrastructure partners.


Despite our efforts, we know that government systems will continue to be attacked. Thus we need to determine the origin of these attacks in order to get to the person behind the keyboard for our government to formulate the appropriate response. In the cyber world, determining what is happening is difficult at the early stages. An event could be a system probe to find vulnerabilities or entry points, an intrusion to steal data or plant sniffers or malicious code, an act of teenage vandalism, an attack to disrupt or deny service, or even an act of war. The crime scene itself is totally different from the physical world in that it is dynamic -- it grows, contracts, and can change shape. Further, the tools used to perpetrate a major infrastructure attack can be the same ones used for other cyber intrusions (simple hacking, foreign intelligence gathering, organized crime activity to steal property, data, etc.), making identification more difficult. Determining that an event is even occurring thus can often be difficult in the cyber world, and usually a determination cannot be made without a thorough investigation. In the physical world one can see instantly if a building has been bombed or an airliner brought down. In the cyber world, an intrusion may go undetected for some time.

Identification of the perpetrators and their objectives during an event is critical especially in the initial stages. The perpetrators could be criminal hackers, teenagers, electronic protesters, terrorists, or foreign intelligence services. In order to attribute an attack, the NIPC coordinates an investigation that gathers information from within the United States using either criminal investigative or foreign counter-intelligence authorities, depending on the circumstances. We also rely on the assistance of other nations when appropriate. Obtaining reliable information is necessary not only to identify the perpetrator but also to determine the size and nature of the intrusion: how many systems are affected, what techniques are being used, and what is the purpose of the intrusions -- disruption, economic espionage, theft of money, etc.

Relevant information could come from existing criminal investigations or other contacts at the FBI Field Office level. It could come from the U.S. Intelligence Community, other U.S. Government agency information, through private sector contacts, the media, other open sources, or foreign law enforcement contacts. The NIPC's role is to coordinate, collect, analyze, and disseminate this information. Indeed this is one of the principal reasons the NIPC was created.

Because the Internet by its nature embodies a degree of anonymity, our government's proper response to an attack first requires significant investigative steps. Investigators typically need a full range of criminal and/or national security authorities to determine who launched the attack. Under our system the legal authorities for conducting investigations within the United States include: the Computer Fraud and Abuse Act, the Economic Espionage Statute, the Electronic Communications Privacy Act, the Foreign Intelligence Surveillance Act, as well as the relevant executive orders delineating the responsibilities of the intelligence community. Thus the FBI can apply for court orders to get subscriber information from Internet Service Providers, and monitor communications under the Electronic Communications Privacy Act or under the Foreign Intelligence Surveillance Act, depending on the facts of the case as they are known at the time the order is requested. The FBI has designated the NIPC to act as the program manager for all of its computer intrusion investigations, and the NIPC has made enormous strides in developing this critical nationwide program. In that connection, the NIPC works closely with the Criminal Division's Section on Computer Crime and Intellectual Property, the Department's Office of Intelligence Policy and Review, and the U.S. Attorney's Offices in coordinating legal responses.

In the event of a national-level set of intrusions into significant systems, the NIPC will form a Cyber Crisis Action Team (C-CAT) to coordinate response activities and use the facilities of the FBI's Strategic Information and Operations Center (SIOC). The team will have expert investigators, computer scientists, analysts, watch standers, and other U.S. government agency representatives. Part of the U.S. government team might be physically located at FBI Headquarters and part of the team may be just electronically connected. The C-CAT will immediately contact field offices responsible for the jurisdictions where the attacks are occurring and where the attacks may be originating. The C-CAT will continually assess the situation and support/coordinate investigative activities, issue updated warnings, as necessary, to all those affected by or responding to the crisis. The C-CAT will then coordinate the investigative effort to discern the scope of the attack, the technology being used, and the possible source and purpose of the attack.

While we have not seen an example of cyber terrorism directed against U.S. government systems, the NIPC's placement in the FBI's Counterterrorism division will allow for a seamless FBI response in the event of a terrorist action that encompasses both cyber and physical attacks. The NIPC and the other elements of the FBI's Counterterrorism Division have conducted joint operations and readiness exercises in the FBI's SIOC. We are prepared to respond if called upon.

Case Examples

Over the past several years we have seen a wide range of cyber threats ranging from defacement of websites by juveniles to sophisticated intrusions sponsored by foreign powers, and everything in between. Some of these are obviously more significant than others. The theft of national security information from a government agency or the interruption of electrical power to a major metropolitan area would have greater consequences for national security, public safety, and the economy than the defacement of a web-site. But even the less serious categories have real consequences and, ultimately, can undermine confidence in e-commerce and violate privacy or property rights. A web site hack that shuts down an e-commerce site can have disastrous consequences for a business. An intrusion that results in the theft of credit card numbers from an online vendor can result in significant financial loss and, more broadly, reduce consumers' willingness to engage in e-commerce. Because of these implications, it is critical that we have in place the programs and resources to investigate and, ultimately, to deter these sorts of crimes.

In addition, because it is often difficult to determine whether an intrusion or denial of service attack, for instance, is the work of an individual with criminal motives or a foreign nation state, we must treat each case as potentially serious until we gather sufficient information to determine the nature, purpose, scope, and perpetrator of the attack. While we cannot discuss ongoing investigations, we can discuss closed cases that involve FBI and other agency investigations in which the intruder's methods and motivation were similar to what we are currently seeing. A few illustrative cases are described below:

In hacker cases, the attacker's motivation is just to see how far he can intrude into a system. This seems to be the motivation for the California teens in the well-known Solar Sunrise case. In this case the intruders exploited a well-known vulnerability in computers that run on the Sun Solaris operating system. By exploiting this vulnerability, the intruder can gain root access (total control) of the system. As in the Solar Sunrise case, the intruders can then install their own accounts on the system and create backdoors into the system from which they can then install additional programs to find passwords. They also had the ability to alter, remove, or destroy data on those systems. This case demonstrated to the interagency community how difficult it is to identify an intruder until all of the facts are gathered through an investigation, and why assumptions cannot be made until sufficient facts are available. The incident also vividly demonstrated the vulnerabilities that exist in our networks; if these individuals were able to assume "root access" to certain unclassified DOD systems, it is not difficult to imagine what hostile adversaries with greater skills and resources would be able to do. Finally, Solar Sunrise demonstrated the need for interagency coordination to deal with such attacks. The perpetrators in this case were two 16-year-olds and an 18-year-old.

We have also seen cases of hacking and mischief for what might be termed personal reasons. For example, Eric Burns, a.k.a. Zyklon, hacked into the White House web site as well as other sites. This case was worked jointly by the U.S. Secret Service and the FBI. He was caught and pled guilty to one count of 18 U.S.C. 1030. In November 1999 he was sentenced to 15 months in prison, 3 years supervised release, and ordered to pay $36,240 in restitution and a $100 fine.

In another example, the Melissa Macro Virus was reportedly named after an exotic dancer from Florida; this virus wreaked havoc on government and private sector networks in March 1999. He pled guilty to one federal count of violating 18 U.S.C. 1030 and four state counts. He admitted to causing $80 million in damage as well. David Smith, the author of the virus, faces a maximum sentence of five years and $250,000 on the federal charge. He is currently awaiting sentencing. This is a good example of how federal and state governments are increasingly coordinating investigations and prosecutions in combating computer crime.

In another case, system penetration coupled with theft can be the motivation. A Florida youth admitted to breaking into 13 computers at the Marshall Space Flight Center in Huntsville, Alabama in June 1999 and downloading $1.7 million in NASA proprietary software that supports the International Space Station's environmental systems. NASA has estimated the cost to repair the damage at $41,000. The subject has also admitted to entering Defense Department systems of the Defense Threat Reduction Agency, intercepting 3,300 e-mail messages, and stealing passwords from Pentagon computers. This case was investigated by NASA. He was sentenced to six months in a juvenile detention center for hacking into NASA computers which support the International Space Station.

Virus writers have become a more prevalent threat in recent years. We have seen virus writers unleash havoc on the Internet for a variety of motivations. In May 2000 companies and individuals around the world were stricken by the "Love Bug", a virus (or, technically, a "worm") that traveled as an attachment to an e-mail message and propagated itself extremely rapidly through the address books of Microsoft Outlook users. The virus/worm also reportedly penetrated at least 14 federal agencies -- including the Department of Defense (DOD), the Social Security Administration, the Central Intelligence Agency, the Immigration and Naturalization Service, the Department of Energy, the Department of Agriculture, the Department of Education, the National Aeronautics and Space Administration (NASA), along with the House and Senate.

Investigative work by the FBI's New York Field Office, with assistance from the NIPC, traced the source of the virus to the Philippines within 24 hours. The FBI then worked, through the FBI Legal Attaché in Manila, with the Philippines' National Bureau of Investigation, to identify the perpetrator. The speed with which the virus was traced back to its source is unprecedented. The prosecution in the Philippines was hampered by the lack of a specific computer crime statute. Nevertheless, Onel de Guzman was charged on June 29, 2000 with fraud, theft, malicious mischief, and violation of the Devices Regulation Act. However, those charges were dropped in August by Philippine judicial authorities. As a postscript, it is important to note that the Philippines' government on June 14, 2000 reacted quickly and approved the E-Commerce Act, which now specifically criminalizes computer hacking and virus propagation. The Philippine government will not be hindered by insufficient charging authorities should an incident like this one ever occur again. Also, the NIPC continues to work with other nations to provide guidance on the need to update criminal law statutes.

In some cases, we have been able to prevent the release of disastrous viruses against public systems. On March 29, 2000, FBI Houston initiated an investigation when it was discovered that certain small businesses in the Houston area had been targeted by someone who was using their Internet accounts in an unauthorized manner and causing their hard drives to be erased. On March 30, 2000, FBI Houston conducted a search warrant on a residence of an individual who allegedly created a computer "worm" that seeks out computers on the Internet. This "worm" looks for computer networks that have certain sharing capabilities enabled, and uses them for the mass replication of the worm. The worm causes the hard drives of randomly selected computers to be erased. The computers whose hard drives are not erased actively scan the Internet for other computers to infect and force the infected computers to use their modems to dial 911. Because each infected computer can scan approximately 2,550 computers at a time, this worm could have the potential to create a denial of service attack against the E911 system. The NIPC issued a warning to the public through the NIPC webpage, SANS, NLETS, InfraGard, and teletypes to government agencies. On May 15, 2000 Franklin Wayne Adams of Houston was charged by a federal grand jury with knowingly causing the transmission of a program onto the Internet which caused damage to a protected computer system by threatening public health and safety and by causing loss aggregated to at least $5000. Adams was also charged with unauthorized access to electronic or wire communications while those communications were in electronic storage. He faces 5 years in prison and a $250,000 fine.

Revenge by disgruntled employees seems to be another strong motivation for attacks. Insiders do not need a great deal of knowledge about computer intrusions, because their knowledge of victim systems often allows them to gain unrestricted access to cause damage to the system or to steal system data. For example, in July 1997 Shakuntla Devi Singla used her insider knowledge and another employee's password and logon identification to delete data from a U.S. Coast Guard personnel database system. It took 115 agency employees over 1800 hours to recover and reenter the lost data. Ms. Singla was convicted and sentenced to five months in prison, five months home detention, and ordered to pay $35,000 in restitution.

Another case involved a National Library of Medicine (NLM) employee. In January and February 1999 the National Library of Medicine computer system, relied on by hundreds of thousands of doctors and medical professionals from around the world for the latest information on diseases, treatments, drugs, and dosage units, suffered a series of intrusions where system administrator passwords were obtained and hundreds of files downloaded, including sensitive medical "alert" files and programming files that kept the system running properly. The intrusions were a significant threat to public safety and resulted in a monetary loss in excess of $25,000. FBI investigation identified the intruder as Montgomery Johns Gray, III, a former computer programmer for NLM, whose access to the computer system had been revoked. Gray was able to access the system through a "backdoor" he had created in the programming code. Due to the threat to public safety, a search warrant was executed for Gray's computers and Gray was arrested by the FBI within a few days of the intrusions. Subsequent examination of the seized computers disclosed evidence of the intrusion as well as images of child pornography. Gray was convicted by a jury in December 1999 on three counts for violation of 18 U.S.C. 1030. Subsequently, Gray pleaded guilty to receiving obscene images through the Internet, in violation of 47 U.S.C. 223. Montgomery Johns Gray III was sentenced to 5 months prison, 5 months halfway house, 3 years probation and ordered to pay $10,000 in restitution and assessments.

We are also seeing the increased use of cyber intrusions by criminal groups who attack systems for purposes of monetary gain. In September, 1999, two members of a group dubbed the "Phonemasters" were sentenced after their conviction for theft and possession of unauthorized access devices (18 USC § 1029) and unauthorized access to a federal interest computer (18 USC § 1030). The "Phonemasters" were an international group of criminals who penetrated the computer systems of MCI, Sprint, AT&T, Equifax, and even the National Crime Information Center. The Phonemasters' methods included "dumpster diving" to gather old phone books and technical manuals for systems. They used this information to trick employees into giving up their logon and password information. The group then used this information to break into victim systems. One member of this group, Mr. Calvin Cantrell, downloaded thousands of Sprint calling card numbers, which he sold to a Canadian individual, who passed them on to someone in Ohio. These numbers made their way to an individual in Switzerland and eventually ended up in the hands of organized crime groups in Italy. Cantrell was sentenced to two years as a result of his guilty plea, while one of his associates, Cory Lindsay, was sentenced to 41 months.

Terrorist groups are increasingly using new information technology and the Internet to formulate plans, raise funds, spread propaganda, and to communicate securely. In his statement on the worldwide threat in 2000, Director of Central Intelligence George Tenet testified that terrorist groups, "including Hizbollah, HAMAS, the Abu Nidal organization, and Bin Laden's al Qa'ida organization are using computerized files, e-mail, and encryption to support their operations." In one example, convicted terrorist Ramzi Yousef, the mastermind of the World Trade Center bombing, stored detailed plans to destroy United States airliners on encrypted files on his laptop computer. While we have not yet seen these groups employ cyber tools as a weapon to use against critical infrastructures, their reliance on information technology and acquisition of computer expertise are clear warning signs. Moreover, we have seen other terrorist groups, such as the Internet Black Tigers (who are reportedly affiliated with the Tamil Tigers), engage in attacks on foreign government web-sites and email servers. During the riots on the West Bank in the fall of 2000, Israeli government sites were subjected to e-mail flooding and "ping" attacks. The attacks allegedly originated with Islamic elements trying to inundate the systems with email messages. As one can see from these examples overseas, "cyber terrorism" -- meaning the use of cyber tools to shut down critical national infrastructures (such as energy, transportation, or government operations) for the purpose of coercing or intimidating a government or civilian population -- is thus a very real threat.

We have worked closely with our international partners on computer intrusion cases, including cases in which hackers have illegally accessed U.S. government systems. In 1999 the FBI cooperated with New Scotland Yard in the United Kingdom on a case in which a UK citizen confessed to breaking into U.S. Navy systems. He was further suspected of intruding into other systems, including that of the U.S. Senate. He was sentenced to a term of 3 years on a probation-like status.

We believe that foreign intelligence services have adapted to using cyber tools as part of their information gathering tradecraft. While I cannot go into specific cases, there are overseas probes against U.S. government systems every day. It would be naive to ignore the possibility or even probability that foreign powers were behind some or all of these probes. The motivation of such intelligence gathering is obvious. By combining law enforcement and intelligence community assets and authorities under one Center, the NIPC can work with other agencies of the U.S. government to detect these foreign intrusion attempts.

The prospect of "information warfare" by foreign militaries against our critical infrastructures is perhaps the greatest potential cyber threat to our national security. We know that many foreign nations are developing information warfare doctrine, programs, and capabilities for use against the United States or other nations. Knowing that they cannot match our military might with conventional or "kinetic" weapons, nations see cyber attacks on our critical infrastructures or military operations as a way to hit what they perceive as America's Achilles heel -- our growing dependence on information technology in government and commercial operations. For example, two Chinese military officers recently published a book that called for the use of unconventional measures, including the propagation of computer viruses, to counterbalance the military power of the United States.


While the NIPC has accomplished much over the last three years in building the first national-level operational capability to respond to cyber intrusions, much work remains. We have learned from cases that successful network investigation is highly dependent on expert investigators and analysts, with state-of-the-art equipment and training. We have built that capability both in the FBI Field Offices and at NIPC Headquarters, but we have much work ahead if we are to build our resources and capability to keep pace with the changing technology and growing threat environment, while at the same time being able to respond to several major incidents at once.

We are building the international, agency to agency, government to private sector, and law enforcement partnerships that are vital to this effort. The NIPC is well suited to foster these partnerships since it has analysis, information sharing, outreach, and investigative missions. We are working with the executives in the infrastructure protection community with the goal of fostering the development of safe and secure networks for our critical infrastructures. While this is a daunting task, we are making progress.

Within the federal sector, we have seen how much can be accomplished when agencies work together, share information, and coordinate their activities as much as legally permissible. But on this score, too, more can be done to achieve the interagency and public-private partnerships called for by PDD-63. We need to ensure that all relevant agencies are sharing information about threats and incidents with the NIPC and devoting personnel and other resources to the Center so that we can continue to build a truly interagency, "national" center. Finally, we must work with Congress to make sure that policy makers understand the threats we face in the Information Age and what measures are necessary to secure our Nation against them. I look forward to working with the Members and Staff of this Committee to address these vitally important issues.

Thank you.
