Federal News Service September 22, 2004 Wednesday
HEADLINE: HEARING OF THE TECHNOLOGY, INFORMATION POLICY, INTERGOVERNMENTAL RELATIONS AND THE CENSUS SUBCOMMITTEE OF THE HOUSE GOVERNMENT REFORM COMMITTEE
SUBJECT: IDENTITY THEFT: THE CAUSES, COSTS, CONSEQUENCES, AND POTENTIAL SOLUTIONS?
CHAIRED BY: REPRESENTATIVE ADAM H. PUTNAM (R-FL)
WITNESSES PANEL ONE:
ORSON SWINDLE, COMMISSIONER, FEDERAL TRADE COMMISSION; STEVEN MARTINEZ, DEPUTY ASSISTANT DIRECTOR, CYBER DIVISION, FEDERAL BUREAU OF INVESTIGATION;
LARRY JOHNSON, SPECIAL AGENT IN CHARGE, CRIMINAL INVESTIGATIVE DIVISION, UNITED STATES SECRET SERVICE;
PATRICK O'CARROLL, ACTING INSPECTOR GENERAL, SOCIAL SECURITY ADMINISTRATION;
PANEL TWO: HOWARD SCHMIDT, FORMER WHITE HOUSE CYBER SECURITY ADVISER, AND VICE PRESIDENT, CHIEF INFORMATION SECURITY OFFICER, EBAY INC.; DR. BILL HANCOCK, VICE PRESIDENT, SECURITY PRACTICE & STRATEGY, CHIEF SECURITY OFFICER, SAVVIS COMMUNICATIONS CORPORATION; BILL CONNER, CHAIRMAN AND CHIEF EXECUTIVE OFFICER, ENTRUST, INC.;
JODY WESTBY, MANAGING DIRECTOR, PRICEWATERHOUSECOOPERS
REP. ADAM H. PUTNAM (R-FL): A quorum being present, this hearing of the Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census will come to order. Good afternoon and welcome to the subcommittee's hearing entitled "Identity Theft: The Causes, Cost, Consequences and Potential Solutions." Today the subcommittee conducts its 11th hearing this Congress on cyber security issues, and this is the 39th hearing overall of this subcommittee in the 108th Congress and I certainly want to commend staff for the majority and the staff for the minority in the hard work that they have put into all of these hearings and the work of the membership as we have covered an awful lot of ground in this Congress.
Throughout the 108th Congress, the subcommittee has focused a great deal of attention and oversight on the topic of computer information security and the growing cyber threat to this nation. This hearing will examine the cyber security threat from a somewhat different perspective and delve into an issue that has already adversely impacted millions of Americans and has the potential to become even worse as more and more information is gathered, stored and shared through the Internet in an all too often unprotected environment. The issue is computer identity theft.
I'm concerned about the threat that identity theft poses to the United States' national and economic security. Identity theft is one of the fastest growing crimes in the United States and it appears that the battle ground is expanding from one populated primarily by those seeking notoriety to those seeking profit and disruptive impact. Federal statistics show that nearly 10 million identities were stolen in the United States last year alone and that the total cost of this crime in the United States is approximately $50 billion per year. Some predict that the worldwide cost of identity theft in all of its forms will exceed $2 trillion in financial losses by the end of 2005. These numbers are staggering and they highlight why this hearing is so important.
As use of the Internet continues to expand every day, more personal information is converted into electronic data. Both the federal government and the private sector maintain large databases of personal information about their employees and customers. The efficiencies realized through the increased availability of electronic data storage and transmission are tremendous, but the wealth of available personal information in digital form also provides a target-rich environment for criminals and terrorists. By hacking into databases, paying off insiders, loading spyware onto users' machines or using fraudulent e-mails to trick users into revealing Social Security and other account numbers, criminals and terrorists are utilizing the Internet to profit illegally. It seems as if not a day goes by without a new report of some worm, virus, phishing scheme or other cyber crime threatening users of the Internet.
This week we have also learned that there is a dramatic increase in the number of zombie PCs, also called bots. These are computers infected by worms or Trojans and taken over surreptitiously by hackers and used to send spam, more viruses, harvest financial and personal information or launch denial of service attacks. It is estimated that the number of computers being taken over by remote control is now averaging 30,000 per day, peaking at 75,000 in a single day. We need to quarantine and vaccinate infected computers, close the back doors, shut down the tunnels and cut off bad guy access to our computers and networks.
A recent crackdown on cyber crime by the Department of Justice, known as Operation Web Snare, demonstrates just how large a problem cyber crime has become. The department, through its U.S. Attorneys Office, its criminal division and the FBI, coordinated with the Secret Service, the FTC and a variety of other federal, state, local and foreign law enforcement agencies, conducted this operation. Investigators identified more than 150,000 victims with estimated losses of more than $200 million.
This operation to date has resulted in more than 150 arrests and convictions for electronic crimes, including identity theft, fraud, counterfeiting software, computer intrusions and other intellectual property crimes. We have representatives from the FBI, the FTC and the Secret Service with us here today. I applaud your efforts and the efforts of all those involved in this operation and I thank you for your service to this nation.
In addition to highlighting the threat of organized crime on the Internet, Operation Web Snare touched on another growing problem: the potential nexus between cyber crime and terrorism. The report on the operation noted that terrorists and their support groups are hiding behind the cloak of the Internet to conceal their true locations and to communicate, generate funds and develop resources in support of terrorism. Furthermore, the report noted an increase in online complaints in which illegally obtained funds are flowing to parts of the world where terrorist groups are known to operate. Operation Web Snare makes it clear that this is a global problem and not only are criminals and terrorists aware of the vulnerabilities in cyberspace, but they are exploiting them for monetary profit as well.
Make no mistake about it, our nation's information systems are under attack 24 hours a day, seven days a week from around the world. We cannot stick our heads in the sand and ignore these problems or continue to make excuses for why we are not taking more affirmative action. We have to address them head on and make sure that our cyber defenses are prepared to repel these intruders.
Unfortunately, through the work of this subcommittee through our extensive research and oversight, I am not convinced that we are prepared either in the public or the private sector to adequately deal with these problems. I fear that cyber crime may get worse before it gets better and I do not wish to wait for some large scale failure of our Internet infrastructure or the launch of a combined physical and cyber attack against our citizens and our economy before we as a nation get serious about protecting our information systems.
About a year ago, after several oversight hearings on the subject and an information gathering visit to Silicon Valley, I began to realize just how vulnerable this nation had become to a growing and dangerous threat of cyber attack. Not only were federal agencies failing to comply with the requirements of the law as outlined by FISMA, but the private sector was also seriously delinquent in its attention to these matters. After examining alternatives, we drafted the Corporate Information Security Accountability Act which would have set forth certain computer information security plan reporting requirements for publicly traded companies in an effort to elevate the profile of this matter to the C level of management in respect of boards of directors.
I did not introduce the legislation at the time, preferring a private sector driven, market based solution to this growing threat to the American people and the economy, and hearing from the private sector that they could address this issue without the assistance or intervention by Congress. Well, here we are a year later and, quite frankly, not only has the problem not gotten much better, there is compelling evidence, some of which we will hear today, that the problem is getting worse and perhaps a lot worse. Thankfully, there are some key stakeholders such as Microsoft, RSA and AOL who are taking visible steps to proactively address this challenge.
But the world has grown to be a very dangerous place. Most of us make sure that we lock our doors and windows in our homes and businesses before we end the day. Some even pay extra to have an alarm system installed in their home or business to provide protection against unwanted intruders who wish to do us harm or steal our assets. In today's digital world we must also protect our cyber assets and our personal information from intruders, both internal and external from those who would do us harm and steal our information. We have not focused sufficiently on the challenge and as a result, our personal and national security and our personal and national economic stability are subject to a growing risk from enemies who may attack at any time of day or night from anywhere in the world, 365 days a year.
So today I call on this nation, everyone in this nation to take immediate actions to increase their protection and to dramatically improve the cyber security profile of this country. We are all stakeholders and we all have a responsibility to be a part of the solution and not a continuing part of the problem. I call on major corporations to schedule on the agenda of their next senior management meeting and their next board of directors meeting a discussion about your company's computer information security plan. This is a management, governance and business process issue and must be treated accordingly.
Have you invested in the implementation of fundamental information security best practices and benchmarks, and is your IT security risk assessment and risk management plan up to date? The National Cyber Security Partnership with the tremendous help and leadership of the Business Software Alliance and others, has produced a guide to corporate governance that provides tools and strategies that corporations can affordably implement immediately. I'm tired of hearing that lawyers are advising against the adoption and implementation of cyber security best practices or online privacy policies, because they're afraid that they may be creating liability.
Friends, in my estimation, a failure to aggressively address these issues may in and of itself be creating the liability. While I'm not a lawyer, I'm a businessman, I'm a citrus grower, a taxpayer, an involved citizen, this issue is about national security and economic stability along with sound business practices and deserves immediate attention. How about training for employees and information about how to protect their computers from unwanted intruders and thieves? What a great and inexpensive corporate benefit that would be and for those who are already doing that, thank you and keep up the great work.
We call on the larger businesses of Corporate America to work with your entire supply chain to demand that all the businesses that connect to your network understand their responsibility to make sure their systems are secure. We speak to the financial services sector, credit card companies, healthcare providers and others to reexamine their own information security protection profiles. Many Americans trust you with their most personal information and have an expectation that the information will remain confidential and protected. Why are we experiencing such a proliferation of identity theft? Is the day of the PIN and password behind us and we need to move immediately to a two part authentication process that may include biometrics? Are we making the necessary investments to protect the information, or do some view the cost of identity theft as merely the cost of doing business?
I call on software and hardware manufacturers and the national associations that represent you, take the lead from a number of major CEOs who have already publicly committed to improving the quality and security of their products by issuing a public statement that makes that commitment in a manner that the public can have the confidence to know that you too view the proliferation of worms, viruses and other challenges resulting from vulnerabilities in your software and hardware products as a matter deserving of a greater investment of common resources to provide sturdier and more secure products for the marketplace.
I further call on those same software and hardware manufacturers to expand your commitment to providing the consuming public with secure, out of the box computing products with user friendly instructions, pre-set default security controls and alerts about creating and maintaining a secure computing environment. I call on the manufacturers of these essential products to work more closely with critical infrastructure sectors to provide security and configuration requirements in advance and build those requirements into the life cycle development process to deliver more compatible, secure and higher quality products to the marketplace. Companies like Oracle, Microsoft, Sun, Verizon and Entrust are examples of those who are taking this matter seriously.
I call on Internet service providers and operating systems manufacturers to work more aggressively with other public and private stakeholders to provide consumers of all levels of sophistication with information about affordable, user friendly tools that are available to help them protect themselves and immediately improve their cyber security hygiene. We urge small businesses to take the time and learn about steps that you can take that are affordable and user friendly to make your system more secure from the growing threats of cyber space. There are fundamental steps in cyber security hygiene that will improve your protection profile overnight. You're an important stakeholder in this matter and you have a responsibility to be a part of the solution.
Home users are not exempt. Home users can become more aware of the tools that are available to improve the protection of their home computer. Make sure that you know about the anti-virus software and personal firewalls and how to update your applications, including your operating system, in a timely manner. The National Cyber Security Alliance is sponsoring National Cyber Security Awareness Month during October and you may get a lot of the necessary information about fundamental steps that you can take to protect yourselves by visiting their website at www.staysafeonline.info.
Today we call on the states and local governments to examine their own information security plans, along with their education, awareness and training programs. And, again, we speak to the agencies of the federal government, large and small, to step up and provide the example for the rest of the nation. Receiving Ds and Fs on scorecards about compliance with the requirements of the law is unacceptable.
We absolutely must experience a recommitment by every cabinet secretary, department, agency and bureau head to address the issue of securing the federal computer networks and protecting the information assets they contain. Federal CIOs and CISOs must be empowered to develop and implement effective strategies and to examine opportunities for enterprise solutions. And we call on Congress to work with all stakeholders, including military, intelligence and law enforcement agencies, domestic and international, to ensure an adequate level of preparedness to meet this growing cyber challenge and recognize this battle in an overall threat domain.
There is much that each of us can do today. The magnitude of this threat demands that we pay increased attention to the issue. If each of us take the steps today to ensure that we have implemented the basic fundamental elements of cyber security hygiene, the cyber security protection profile of this nation will improve overnight. We will send an enormous message to all the bad guys that we take this challenge seriously and we will make the necessary steps to protect our national security and economic stability.
As e-government, e-commerce, e-banking and e-health continue to take hold, we must be sure that we have a comprehensive national strategy that provides flexibility while encouraging innovation and creativity in developing the tools and strategies necessary to secure the computer networks of this nation and protect the information that they contain. Today's hearing provides the subcommittee the opportunity to examine this challenge in the context of the impact that unprotected computers and networks have had on the rise of computer related identity theft, and the adverse impact that these data thefts are having on the national security and economic profile of this nation.
We will hear from experts about potential solutions to these problems such as vulnerability management, credentialing and authentication tools which may help reduce the impact of viruses, worms, spyware, spam and phishing and in turn reduce identity related cyber theft. I eagerly look forward to the expert testimony that our panel of leaders in information security will provide today, as well as the opportunity to discuss the challenges ahead. Today's hearing can be viewed live via webcast by going to reform.house.gov and clicking on the multimedia link.
At this time I would like to welcome the distinguished ranking member of the subcommittee, the gentleman from Missouri, Mr. Clay, for his opening statement.
BREAK IN TRANSCRIPT
REP. PUTNAM: I thank the gentleman. And we'll move right to testimony. I would ask the first panel of witnesses and anyone accompanying you who will be providing support to your answers to please rise and raise your right hand for the administration of the oath.
REP. PUTNAM: Note for the record that all the witnesses responded in the affirmative. I'd like to introduce our first witness for his opening statement. We would ask-all of your written testimony will be included for the record. We would ask you to summarize those statements to a five minute opening and we will begin with Mr. Swindle.
Commissioner Orson Swindle was sworn in as a commissioner on the Federal Trade Commission in December of 1997. Commissioner Swindle was appointed in December of 2001 as head of the United States delegation to the Organization for Economic Cooperation and Development Experts Group to review the 1992 OECD guidelines for the security of information systems. Commissioner Swindle has had a distinguished military career in serving the Reagan administration from 1981 to 1989, directing financial assistance programs to economically distressed rural and municipal areas of the country.
We welcome you back to the subcommittee, sir, and you're recognized for five minutes.
BREAK IN TRANSCRIPT
REP. PUTNAM: Thank you very much, Commissioner. Our next witness is Steven Martinez. Mr. Martinez began work for the FBI in 1987. He's held a variety of supervisory and investigative positions within the FBI throughout the United States. In February of 2003, Mr. Martinez was assigned as the FBI's first on scene commander at CENTCOM, or Central Command, in Doha, Qatar, and in Baghdad, Iraq, during the staging and commencement of Operation Iraqi Freedom. While there, he was in charge of all deployed FBI personnel and managed the FBI's counterterrorism and counterintelligence efforts spanning the initial combat phase of the war. Mr. Martinez was promoted to this current position as deputy assistant director for the Cyber Division in August 2004.
Welcome to the subcommittee, sir, you're recognized. Welcome home.
MR. STEVEN MARTINEZ: (Off mike) --
REP. PUTNAM: Sir, could you make sure your mike is on and pull it in close? There we go.
BREAK IN TRANSCRIPT
REP. PUTNAM: Thank you very much, Mr. Martinez.
Our next witness is Larry Johnson. Mr. Johnson has been a part of the Secret Service for 22 years and has held supervisory positions in both its protective and investigative divisions. He currently holds the title of special agent in charge of the Criminal Investigative Division, and is responsible for the oversight of the Secret Service's criminal investigations, both domestic and abroad. The Criminal Investigative Division also manages the Secret Service's electronic crime programs and initiatives, including the specialized training of agents in computer forensics and the development and implementation of the Secret Service's electronic crimes task forces.
Welcome to the subcommittee, sir, you're recognized for five minutes.
BREAK IN TRANSCRIPT
REP. PUTNAM: Thank you very much, Mr. Johnson.
Our next witness is Patrick O'Carroll. A nice French name. Mr. O'Carroll currently serves as the acting inspector general for the office of the inspector general for the Social Security Administration. In Fiscal Year 2003, the office's investigators reported over $356 million in investigative accomplishments. Prior to coming to the Social Security Administration, Mr. O'Carroll had 24 years of experience in the U.S. Secret Service, so we have two Secret Service representatives with us today. Throughout his government career, Mr. O'Carroll has received numerous awards for his meritorious service.
Welcome to the subcommittee, sir, you're recognized for five minutes.
BREAK IN TRANSCRIPT
REP. PUTNAM: Thank you very much.
And I want to thank all of our first panel of witnesses, and we'll go straight to questions.
Commissioner Swindle, in the current threat environment in which we live, where systems based ongoing attacks, probes or constant vulnerabilities, the bots, the zombies and everything else, some companies, it is becoming clear, are purposely avoiding conducting IT risk assessments because of the fear that those assessments themselves will establish knowledge of vulnerabilities that can be used against them in litigation. What are your thoughts on the position that a lot of these companies have taken?
MR. SWINDLE: Mr. Chairman, I would compare their conduct to that conduct you spoke of earlier about lawyers recommending they don't have privacy policies so as to avoid liability. I think it's a road to suicide, quite frankly, because it'll catch up with them eventually. And I think consumers, as they become more aware of the whole privacy issue and certainly the information security issue are going to look to companies that are responsible, and they're going to turn away from those that aren't.
And soon there'll be more of those that are responsible than not, and the losers are going to be those that chose this course of action. I think it's incredibly dumb. And I have encountered this in several fora that I've attended over the years, and I just look at them with somewhat astonishment that they would take that approach, because I don't think it's realistic, it's certainly not responsible.
REP. PUTNAM: Is there a need for some form of safe harbor that would encourage companies to conduct thorough examinations and then come forward with whatever deficiencies they find?
MR. SWINDLE: Safe harbor, I would say, is perhaps a good vehicle to protect those who do the right thing, and inadvertently, as I said, no security package is going to be complete. They've taken responsible action, they've done as much as they can see to do, and a breach occurs, I don't think they should be held overly responsible for something they couldn't really avoid.
But I have a hard time giving people an easy way out, if you will. But we may have to come to that position, because as both Mr. Clay and yourself have mentioned, these problems are growing. We're making progress, but yet the problems are growing faster often times than the progress. And it may be that we've got to seek some kind of means to encourage people to get in and start doing the right thing.
But I would still prefer to see a private sector led, for their own self-interest, movement to do the right thing. And I'm still not convinced that we aren't capable of doing that. I have hopefully not unfounded confidence that we will do the right thing.
REP. PUTNAM: Thank you.
Mr. Martinez, Mr. Johnson, a recent survey was conducted by Carnegie Mellon and Information Week of 100 small and medium sized businesses that found that 17 percent of the participating companies had been the targets of some form of cyber extortion.
Could you tell us more about the cyber extortion problem and the trends that you're seeing out there, and what advice would you have for companies who are faced with that threat? We'll begin with the FBI.
MR. MARTINEZ: In simplified terms, the cyber extortion is not just the mere use of the facility of the internet to make an extortionate demand, but instead a sophisticated hacker might find a vulnerability in a system, steal proprietary information, customer lists, personnel information from a company, and then pitch them that they can fix it. And if they aren't allowed to come in as a, quote-unquote, "consultant," that they'll release that information in a way that will be harmful to that company. That's one manner in which it can occur.
Trends, the level of sophistication absolutely is going up. The ease with which tools can be obtained to make the initial intrusion are becoming far, far more available and simpler to use. It doesn't take a rocket scientist to drive some of these tools at this point. It was mentioned previously about the playing field changing from hacking for fun to now hacking for profit.
As far as advice goes, of course good computer security, engaging in private industry partnerships, partnerships with law enforcement organizations such as InfraGard where information can be shared so that we can have a prophylactic effect, you know, share information about how we can protect systems. And also, as was mentioned previously, have a response plan. Companies have to have a response plan, they need to know what to do when they've been attacked.
By all means, contact law enforcement. There's a lot we can do, a lot of resources we can bring to bear to solve the problem. Not all these problems can be solved from the desktop of a systems administrator. Again, you need to know how to respond, how to freeze evidence, how to establish logs so that we can go in and determine what the methodology was, see if it's common with some other case we've been working in the past and apply what resources we can bring to bear to the problem.
REP. PUTNAM: I understand that the Secret Service recently released a report on insider cyber crime activities in the banking and finance sector as part of its ongoing insider threats study.
Could you elaborate on the results of that study, the difficulties of dealing with an insider threat, and the implications that that report has for combating identity theft?
MR. JOHNSON: Yes, Mr. Chairman. I echo the sentiments and statements of the FBI, in that we recently had a case involving AOL that involved an insider threat, the selling of personal identifiers to spammers for monetary gain. With the insider threat, the last two years the Secret Service in conjunction with Carnegie Mellon's CERT Coordination Center collaborated on this insider threat study.
The threat to critical systems includes individuals who have manipulated vulnerabilities within the systems for personal gain, as the case I mentioned with AOL. Some of the relevant findings of the study were that-were similar to a lot of things that we've talked about today, and that is updating firewalls when employees leave, taking them out of the access to networks, changing passwords, the simplest type things are being overlooked by businesses and IT people.
Most incidents were not sophisticated or complex, a majority of the incidents were thought out and planned in advance, and in most cases others had knowledge of the insider's intentions, plans and activities. Like the locks on your doors, changing access to networks and changing passwords and updating firewalls is a smart business practice.
REP. PUTNAM: And, Mr. Martinez, you mentioned a series of ongoing investigations that involve in some the theft of 30 million credit card numbers and potential losses of $15 billion. Can you elaborate on how thefts like this grow to such epic proportions? And are the penalties for cyber crime under the current code commensurate with the damage that is being done?
MR. MARTINEZ: Of course, a case can be taken to this scope by consolidating like cases, and that's one of the things we try to do in developing studies, both for proactive efforts and then also once we have complaints that have commonalities. And in order to do that, we have to employ analytical tools and analysts in a form like IC3 in order to determine if we have a problem that goes beyond the scope of a single complaint.
In this case a rather large list of credit information was obtained. Again, it involved many different credit card companies, and so again I think we put the number at 100 that were affected, different financial services and institutions. And the idea here is to identify the scope and then work with these institutions, work with victims in order to track back. Let's see where this threat came from, see if we can't put our resources together in order to address the problem, and to be proactive about the next attack.
REP. PUTNAM: Mr. Johnson, do you wish to add anything to that? Very good.
My time has expired, I will recognize the distinguished ranking member, Mr. Clay, for his questions.
BREAK IN TRANSCRIPT
REP. PUTNAM: You're very welcome.
Mr. O'Carroll, you mentioned that in your work on behalf of the President's Council on Integrity and Efficiency on controls over Social Security numbers that nine of 15 inspectors reported that their agencies had inadequate controls over the protection of Social Security numbers in their databases. Given the extensive information security requirements for federal agencies under FISMA and GISRA, how can this be?
MR. O'CARROLL: Well, Mr. Chairman, historically the use of the SSN was the federal identifier of employees. And much as we found with universities where it was on your identification card, in many federal agencies it was on the identification card for the agency, it was posted on walls. It was more in terms of instead of system security flaws on it, it was mostly just posting in easily observable SSNs.
And what we were feeling-we did the study with the other inspectors general on this thing, as much as you said there, our feeling is that the first place to start correcting the use of the publication of SSNs is within the federal government. One of the ways that we just changed it recently, as probably many of the people in the room are aware, is when any check was going out from the federal government, in the window of it it had the Social Security number of the individual receiving the check.
These are all baby steps that we're taking, we finally have got that taken off of the check, we've been stopping the publication of it. We're doing studies now in terms of the uses of non-federal agencies' use of SSNs, for example colleges and universities, and we're trying to do an education program to get the SSN taken out of the daily usage. And we figure that will be a good way to prevent its misuse in government, and misuse period.
REP. PUTNAM: Many companies avoid reporting security breaches due to the effect that the news would have on their reputation. Is that sound policy? I mean, it's certainly to a degree understandable, or does it merely make the problem worse and encourage those cyber criminals by having them to believe that they won't get caught?
Beginning with Mr. Martinez.
MR. MARTINEZ: This issue's addressed across the board in some of the cyber crime matters that we address. I know when I was an assistant special agent in charge in Los Angeles we worked with the entertainment community on IPR issues, intellectual property rights. And there was a bit of a dance that we had to do with the industry because they don't like to admit that they've got a problem. It's bad business sometimes, it gives their competitors possibly an edge. And the same thing applies to e-commerce businesses, et cetera.
So our approach to that is to try to engage to the fullest extent we can with those businesses, give them a comfort level with us, let them know what to expect through training. Again, our InfraGard program is in part to let them know what to expect if they do report and the FBI shows up, what we're going to be looking for, what we would hope to find when we get there as far as the procedures they've put in place to maintain evidence.
REP. PUTNAM: Does anyone else want to answer that? Commissioner Swindle?
MR. SWINDLE: I believe I addressed it in part in my last response, but there's almost a Washington, D.C. ostrich syndrome that I think permeates the whole society, that when we do something wrong we fear addressing it upfront more than I think is necessary. I think if we deal with things direct, upfront, get it out, find a solution, we're far better off. I think it speaks well to the reputation of legitimate companies that they will do that.
And I just think it's just ignoring a problem that will never go away. It will come back, it will be found out, and then you've got to deal with why you covered it up.
REP. PUTNAM: It's not just Washington, it might be a network problem too. Anyone else want to add to that? The president has transmitted to the Senate the Council of Europe's convention on cybercrime. Given the international nature of this, and certainly have law enforcement represented-has to operate across borders, how important is the ratification of this treaty to improving our ability to apprehend cyber criminals?
MR. MARTINEZ: Well, absolutely it's important. The FBI has made a significant investment in international training and trying to work jointly with law enforcement agencies in other countries where we know we have problems and issues, where attacks are generated, where phishing schemes are located. And again, we're very proactive about that, offering through the international law enforcement academy several different blocks of cyber training, ad hoc training really anywhere in the world where it's required. We have 47 legal attaché offices, about to add three more, and a big part of their job is to put us in contact with law enforcement agencies that need that kind of help. So having those kinds of devices to allow us to solidify those relationships, standardize the law in response in areas across the world, is critical to our being able to address the problem here in the United States.
REP. PUTNAM: Mr. Johnson do you wish to add anything?
MR. JOHNSON: Yes, Mr. Chairman, I would agree and the Secret Service would agree that the victimization of Americans and of businesses overseas is growing at a rapid pace. The world is borderless. The Internet provides the foreign criminals easy access to the United States and their citizens by quickly getting online. Many countries have Internet access. They have TV access.
But the young and educated foreign public can only buy Western products online, that's their only capability. The growing number of significant investigations overseas, virtually all terrorist investigations have a foreign nexus. The field offices that we've established have provided rapid response overseas and provided that capability, and it's also extending the reach of American law enforcement in general.
REP. PUTNAM: Commissioner, this is my final question and then I'll yield back to Mr. Clay. California has a law that took effect in 2003 that requires businesses or state agencies that maintain computerized data that includes specified personal information to disclose any breach of security to any California resident whose unencrypted information was or is reasonably believed to have been acquired by an unauthorized person. What effect do you think that law will have on improving information security, and what are your thoughts on taking it national?
MR. SWINDLE: Mr. Chairman, as I mentioned in my testimony there certainly are circumstances where a person ought to be notified that there's been a breach. However, I don't for a minute believe that in every circumstance they should be notified. And I think taken to the extreme that could be an enormous burden on businesses because it would solve no problems. I don't think it necessarily would prevent it from happening again, possibly, and there may very well not be any damage done at all.
A lot of the information that's personally identifying is publicly known, in phone books, for an obvious example. So I think you'd have to deal with those circumstances on a case by case basis and to my knowledge I think California is the only state, at least to date, that has that kind of legislation. That's not to say it's probably not being considered by many other states, but I think I would move in that direction extremely cautiously because I think it could be an overkill.
REP. PUTNAM: Mr. Clay, you're recognized.
BREAK IN TRANSCRIPT