Attorney General Holds News Conference on Computer Security
Aired February 9, 2000 - 2:31 p.m. ET
THIS IS A RUSH TRANSCRIPT. THIS COPY MAY NOT BE IN ITS FINAL FORM AND MAY BE UPDATED.
LOU WATERS, CNN ANCHOR: We are awaiting the start of a briefing by the FBI on the attacks that have temporarily shut down popular Internet sites over the past three days. Today, ZDNet and E*Trade were victimized. Some of the other sites that have been affected by so-called "denial of service attacks" are household names. They include eBay, Amazon.com and CNN, Buy.com, which just went public, and Yahoo!, the hugely popular Internet search engine which was the first apparent victim on Monday.
These kinds of attacks are not new, but this scale and the coordination of these attacks is unprecedented. Rather than hacking directly into a company's computer system, its Web site is flooded with unwanted messages, often called spam -- that's like cyber-junk. Like a traffic jam on a highway, prevents customers from accessing the site, disrupting normal commerce and potentially causing losses in revenue for the company.
So far, all of the targeted companies managed to stop the attacks and get their Web sites up again within a few hours, but, clearly, the scope of these cyber-attacks has caught the attention of the entire Internet community.
Joining us from Boston with a look at this, Internet security expert Frank Prince of Forrester Research.
Mr. Prince, we're awaiting this news briefing at FBI headquarters, and we know what these attacks are about, but we don't know who it is and we're getting indication maybe we may never know who it is. What's the -- who do you think it is that's responsible for this -- in a general sense?
FRANK PRINCE, FORRESTER RESEARCH, E-BUSINESS INFRASTRUCTURE RESEARCH: I understand.
At this juncture, because the attacks are going to a number of different companies, there doesn't necessarily seem to be a pattern by industry, and because it appears that they're automated attacks, there's a good chance that it's people trying out the new tool kits that are available for carrying out these sorts of attacks, and usually people do that for bragging rights.
As to whether you can go ahead and find out who, ultimately, is behind it, if you do something for bragging rights, one of the things that you have to do is brag and brag to somebody else. And what's more, if you keep doing this over and over and over again, sooner or later you'll be able to track it down. So I would expect that if people don't just take their rights and walk away, that there's a good chance that, ultimately, we'll find out who did this. If, on the other hand, they take a short shot at what they're doing, talk to just a few friends, don't get too widespread about it, we may never know, just as you said.
WATERS: That would be a concentrated effort you're referring to. But as I understand it, there are instructions on the Internet for how to do this, so it could -- anybody could do it, could they not?
PRINCE: Well, anybody is perhaps a little bit of a stretch, but it's true that people who want to do the research and have the focus and the time to do it could, in fact, do it. On the other hand, if you get some cachet with your friends from throwing eggs at a building, after 50 people throw eggs at the building, it doesn't do you any good to be the 51st.
WATERS: So, I guess, now, what we're talking about would be implications. We know that the Internet is vulnerable and we've heard many experts and Internet providers say this is likely to go on for some time. What and who could it hurt?
PRINCE: Well, there are a number of people that it could hurt, of course, but I'd like to make a note that this isn't particularly an Internet kind of crime. If you have a store who has its front door blocked, you go to another store. If you have a whole bunch of stores who have their stores blocked, then maybe there's concern. We haven't seen that on the Internet yet.
Now, relative to who it hurts, the companies lose business, for sure, during the period of the attack. They may incur some costs in order to keep themselves from having that attack as badly in the future, and there could be a PR damage associated with it. But if the attacks are, in fact, spread across a large number of companies, even the PR damage is minimized. You're just one of many victims in that case.
WATERS: Now, as we mentioned, the FBI's about to hold this news conference and usually the FBI will just say we're on the case and here's what progress we've made and here's what we can't comment on because we're in the middle of an investigation. But is not true that the FBI itself has been hacked? What can the FBI do about this, if anything?
PRINCE: Well, the FBI provides a rallying point for a number of activities that are already in place, and it also provides a legal framework in which this activity can take place. We see the computer emergency response team, a number of agencies that have been set up over time who have the technical expertise, given enough information, to trace these kinds of attacks down, and we have the FBI to follow through and to coordinate those activities from a legal point of view. So while the FBI itself, they only provide some of the resources to actually discover who's the problem, there are other organizations that, through that kind of coordination, can in fact make a difference in finding who did the bad things.
WATERS: Are there -- could there be economic motives here? You mentioned the bragging rights motive, but we heard from our financial unit that business-to-business operations could be crippled in an economic sense if this were to continue in the future. Is it -- could there be an economic motive here?
PRINCE: There actually could be an economic motive for perhaps some other attacks, but these don't appear, at this juncture, to have that kind of a motive behind them. And in point of fact, you don't attack a high-profile site like this for two hours and expect that it'll be more than a blip in the radar. If I remember correctly, the stock prices associated with many of the people who were attacked, in fact, went up.
WATERS: Are there -- what are the laws surrounding this type of activity? Say the FBI was to track someone down. Are the laws tough enough, or are there laws?
PRINCE: There are laws. They are tough enough in general. My general sense is, though, that the rule of law, the process of finding out who committed the crime, what the jurisdiction was in which the crime will actually be tried, and going through the process of gathering enough evidence which to a jury is sensible, is by far the most difficult aspects of those rather than the laws themselves.
WATERS: We've heard repeatedly today that future success for the dot.coms will be in being able to keep these hackers away from their sites. Is there technology in the works? Do you see anything on the cyber-horizon that might give the consumer confidence? We've been assuring consumers all day that their credit card numbers, for instance, have not been stolen in this latest wave of access denial.
PRINCE: Well, let's go back to that example of blocking the door. Just because you block the door to somebody's business doesn't mean that you've broken in and rifled through their files. So to that extent, this isn't hacking in the sense that many people think about it.
WATERS: All right, Mr. Prince, thank you.
The FBI has begun so we'll switch over to Washington, FBI headquarters now and listen to what's going on there.
(JOINED IN PROGRESS)
UNIDENTIFIED MALE: ... Internet crime, the attorney general of the United States, Janet Reno, for some remarks.
JANET RENO, ATTORNEY GENERAL: Good afternoon.
Over the past several days, Americans have experienced cyber-attacks on some of our nation's most popular commercial Web sites. These cyber-assaults have caused millions of Internet users to be denied services from such sites as Yahoo!, Buy.com and eBay, just to name a few. At this time, we are not aware of the motives behind these attacks, but they appear to be intended to interfere with and to disrupt legitimate electronic commerce. That is the reason the FBI has initiated a criminal investigation into these matters.
Specifically, personnel from the National Infrastructure Protection Center are working closely with FBI field offices around the country on investigative leads. They are also working with specially trained federal prosecutors, both in Washington and around the country, and with state and local law enforcement agencies. We are also working closely with the companies that are the victims.
As many of you already know, preventing cybercrime is one of our top priorities. At the Justice Department, we have been well-aware that the technology has changed not only the way people do business. It has changed the way criminals do business too.
To keep pace with cybercriminals of the new millennium, we have taken a number of steps. We have set up a system through the National Infrastructure Protection Center to better coordinate with private entities to ensure that cybercrime is promptly reported to law enforcement. We are developing the personnel and technical expertise to investigate and prosecute cybercrime, and providing local law enforcement with necessary tools as well.
We are working with industry and others to promote security measures that reduce our vulnerability to this new type of crime, and we are expanding our computer response teams, which are dispatched to investigate computer-related crimes.
Just this week, we announced a request of $37 million as an increase to fight cybercrime and to protect our nation's infrastructure. These measures will help address the cyberattacks of recent days, and they will help us deal with attacks in the future.
We are committed in every way possible to tracking down those who are responsible, to bringing them to justice, and to seeing that the law's enforced. And we're committed to taking steps to ensure that e-commerce remains a secure place to do business and that the Internet and cybertechnology can be the true benefit for the future that we all think it is in terms of learning, communication, commerce, and the opportunity to bring the world together rather than split it apart.
RON DICK, CHIEF OF COMPUTER INVESTIGATIONS AND OPERATIONS, NATIONAL INFRASTRUCTURE PROTECTION CENTER: My name is Ron Dick. I'm chief of the computer investigations and operations section at the National Infrastructure Protection Center here at FBI headquarters.
Let me first introduce the people behind me: Mark (ph) Zerwillinger, who is the deputy section chief for the computer crime and intellectual property section, criminal division of the Department of Justice; Jan Filpott (ph) with the Computer Emergency Response Team at Carnegie-Mellon University; David Jarrell (ph), who's the director of Federal Computer Incident Response Center; and Mr. Tom Burke (ph), who is the assistant commissioner, information security, General Services Administration.
I'd like to make just a couple of brief comments about what our current investigations are addressing. Basically, as you all in the media have reported, we are dealing with a distributed denial of service attack on various businesses here in the United States. Basically, what this is, as many of you know, is an attack on the network by multiple computers that generate network traffic that basically ceases or causes the servers and systems of these businesses to cease operations.
The length of these attacks can vary. They can vary from a few minutes to several days, depending on the capabilities of those that are conducting this attack. These kinds of attacks are very analogous to things that happened on our telephone systems in the past, where systems get overloaded by a number of people dialing in to a particular number. And because of the volume of traffic, you get a busy signal on there, and therefore, you're not able to contact the people that you want to have a conversation with.
In business environment, particularly with e-commerce, this is very critical, because this is how they're able to receive orders and be able to deliver goods and services to the people that they service. So this is very important to those, particularly those in e-commerce.
Likewise, a denial of service attack is planned action by an attacker and causes the network, as I said, to become dysfunctional.
We are working to try and solve these particular sequences of attacks that have occurred in the last couple of days. We are working very closely with our partners within the -- within Fed CERT, CERT CC (ph), the intelligence community partners as well as other partners in law enforcement and the United States Secret Service, as well as the military investigative components.
There's been a number of public announcements concerning this type of attack. The Computer Emergency Response Team at Carnegie-Mellon issued a white paper that's called "Distributed Systems Intruder Tools Workshop," which you can find on the Web site -- and I can give you that later -- which has some very, very good ideas as to how to prevent this type of activity.
Now, one thing that we have to keep in mind that I think is very, very important, particularly in the world that we live in today, security in the Internet is a community effort. It is not something that can be done by any one organization, any one federal agency, any one -- the government itself. It is a partnership between all of us, and most important partner is the private -- the private sector itself.
And your security or the security of systems within the private sector, or the lack thereof, can cause harm to others, as exemplified in the things that we've seen gone on in the last couple of days: because it's highly likely that the origin of these attacks on these business are not from witting or knowing individuals or businesses. They probably are unwitting people that their business or systems have been intruded into, tools by which to launch these attacks have been placed there without their knowledge, and someone at a remote location is controlling those tools to launch attacks against the victims that have been highlighted in the media here recently.
While it is difficult to prevent these attacks, there are certain things that can minimize the impact on e-commerce and businesses and government itself. Many of the distributed denial of service tools currently are readily available out there on the Internet, that can be simply gone to a Web site, you can download them, and it doesn't take any particular technical knowledge by which to utilize them.
So for those in the private sector and in government, the key to this is prevention. The key to this is implementing appropriate security measures such that you do not allow your system to be used in some of these attacks.
You need to keep up-to-date with your patches and workarounds for certain viruses that are out there so that you are able to put your business in a position so as not to be a contributing factor.
Intruders can use the source address by falsifying, or what they call spoofing, such that it makes it very difficult for us in law enforcement to identify exactly where the particular attack is coming from.
Basically, they can hide their identity. For example, when we read the address of where the communication is coming from, it might say it's from the FBI, and when in reality the FBI may not know anything about it, because they've given a false address on the information being provided to the victim site.
Because of your security is dependent on the overall security of the network, we urge sites, both in the government and in the private sector, to take appropriate means to secure them.
During the millennium change, one of the things we were concerned with were two tools that we saw out there that -- identified as TFN and TRINO (ph). We saw them being installed on numerous systems throughout the United States and the world, and we got very concerned that this could be utilized in a concerted attack on various systems.
Through the NIPC and our partners in the private sector, we were able to develop tools by -- which allows us to identify if those particular tools are on your systems.
That particular tool is available free of charge on www.nipc.gov, and there are other tools out there that do similar-type identification on your systems by Carnegie-Mellon and others.
As I've talked about before -- and I re-emphasize -- that it's very important that the community takes responsibility for the systems and implements appropriate security measures to minimize this kind of activity.
There are certain trends out there that we need to be mindful of in the environment that we live in today. The intruder community is actively developing tools by which to circumvent many of these security measures and take advantage of government systems as well as those involved in e-commerce.
There are multiple categories of different kinds of intrusions and exploits and vulnerabilities that are out there. It is only through your efforts, or the efforts of government and the private sector to implement appropriate security measures are we going to be able to thwart this -- these -- these kinds of criminal activity.
In a relatively short period of time, as I said, an unsophisticated intruder or unsophisticated computer user can take advantage of not only the U.S. government, but also e-commerce. We strongly urge that if you become victim of a denial of service attack, that you immediately report it to either your local FBI office or other local law enforcement agency, federal or -- or -- or federal law enforcement agency, or notify the National Infrastructure Protection Center: watch and warning unit at 202-323-3205.
We'll be happy to take any questions.
QUESTION: Are we talking about one strain of VD of all school (ph)? Are their various tools being used, various strings being used? And are the victim sites, which are launching these attacks, the innocent victim sites which are launching these attacks -- are they in the United States alone, or are they floated?
DICK: We are in a process of collecting all the logs from the victim's sites to try and discern all of the information that you just described, and we're in the process of analyzing them and getting them in here at this time. And at this point, I cannot really comment on the specific sites. But historically, this is not just a issue. We inevitably wind up overseas, where an unwitting ISP is used as a launch pad for these.
QUESTION: But have you identified what they apply to? What laws are there against this? What (UNINTELLIGIBLE)? And can you apply them to intruders who are operating from overseas?
DICK: The law that applies is title 18, United States Code, section 1030, A5A. And basically what that says, is anyone that knowingly causes the transmission of a program, information code or command, and as a result of such conduct intentionally causes damage without authorization to the protected computer. A protected computer includes any computer used in interstate or foreign commerce or communication. The maximum penalty for this violation is five years, and a fine for the first-time offender, a minimum six months. For repeat offenders, it's 10 years and a fine. Fines can range from up to $250,000 dollars per count, or if the damage is more than that, the court can set the fine at twice the gross loss to the victim.
In addition, the statute allows for civil penalties by the victim sites, who are suing the person that's been identified as doing this.
QUESTION: (OFF-MIKE) ... foreign hackers?
DICK: I'll defer to the Department of Justice, but I believe we do.
UNIDENTIFIED MALE: In situations where a foreign hacker is using United States computer system, the penalties about a computer fraud and abuse act would apply.
QUESTION: (OFF-MIKE) ... government computers have been used as host to the attack agents. And what efforts are being made to prevent government computers from being compromised and used as host?
DICK: I'll defer to Mr...
UNIDENTIFIED MALE: We have not identified any government computers at this point in time that are being used as a host to launch the attacks. Approximately, an hour and half ago, we sent out a revised advisory on these types of attacks, with special notes to the CIOs and the system administrators in the agencies, so that they could take any preventative action to identify the tools that Ron had mentioned earlier, and start the actions to ensure that the government sites are not the launching points for these attacks.
PIERRE THOMAS, CNN JUSTICE CORRESPONDENT: Mr. Dick, question for you: Walk us through, if you could, how do you track down the culprits? What types of steps do you go through?
DICK: Basically, not to get in a long, detailed technical explanation of this, but basically, it's not unlike any other crime where we do electronic surveillance, wherein we utilize the technology available to track our way back to the various ISPs until we get to the person that's behind the keyboard. I mean, that's a simplified version of that.
But in essence, that's it. It's not unlike when you do a bank robbery, and you identify where the subject is, and you follow them back to where they are.
QUESTION: Does it have to be done in real time? Or can you do it like, you know, in a bank robbery, after the crime has taken place, or do you have to actually track them while they're doing the crime?
DICK: We can do both. But it's likely that a lot of times, like in any other crime, we're working after the fact. That's why it's very important that the ISPs maintain logs, so that when we go to them and ask them for the evidence regarding the activity on their systems, which the law tracks, that we're able to see that kind of activity. Now the unfortunate part is a lot of times the logs, for a lot of different reasons, are not maintained by the ISPs.
QUESTION: ... one of the most important things here in the prevention of -- that some of the sites that had been attacked have highly sophisticated systems to try to prevent this sort of thing. The government doesn't seem to be offering them anything more sophisticated. So what should they really do? I mean, there doesn't seem to be -- the president himself said today he wasn't sure there was anything Washington could do about it. Could you comment on that as well?
DICK: OK, you got to keep in mind, in a distributed denial-of-service attack, the victim can do some filtering, which a lot of them have done, so as to prevent, you know, when the packets start hitting on their doors, if you will, and knocking on the door, to prevent them from entering.
However, the real solution to it isn't the victim site itself; it's like I talked about a moment ago, is the innocent third parties that are out there that haven't installed appropriate security measures to determine if those kinds of tools out there are present to launch those kinds of attacks through there.
So and that's what I was talking about a moment ago: It's a community effort. The victims that have been identified here recently may have done everything in the world that they could possibly do from a security standpoint. But if you have certain private-sector businesses out there that have not, that have loaded those tools out there by which to launch them, it doesn't do any good.
QUESTION: (OFF-MIKE) ... businesses that have not done what you're talking about?
DICK: Well, you're absolutely -- hopefully, there are not millions, but there are a lot.
QUESTION: There is tens of thousands.
DICK: And that's the point: This is a community effort. And for the Internet to be a safe place to do business and for -- out there, it is going to be incumbent upon the community to install appropriate security measures.
QUESTION: (OFF-MIKE) ... attack, or is this just software you can get off the Internet? Is this a 15-year-old kid, or is this a 30-year-old hacker?
DICK: There are tools out there, that as you described, that a 15-year-old kid could launch these attacks. This is not something that it takes a great deal of sophistication to do.
QUESTION: Could you give us an idea of the scope of this?
QUESTION: ... a group of people doing single attack, doing the same thing over and over again, or is it separate attacks I guess?
DICK: It's much too early in the investigation at this point to discern that. We're just following every lead that we can.
QUESTION: It doesn't sound like really you've got a very effective handle on who's doing this, who's going to be hit next, and how best we can defend ourselves from it, unless we go to the Internet, all of us, and download these tools and find out if these drones are attached to our computers somehow without our knowledge. It sounds like a wide-open door situation.
DICK: That is one of the issues with the Internet. It is a matter of the community policing itself in a lot of respects. And you're absolutely right in that regard. We're going to need the help of everyone in the community to solve this problem.
QUESTION: Has there been any indication why any communication from the hacker or hackers, why they did this?
DICK: Not at this point.
QUESTION: Do you think that you can determine the sites that were going to be hit for the denial of service, before they were actually hit, and contact those businesses?
DICK: Not in this particular instance. If we would have -- if we had known that information we would have, but not in this instance.
QUESTION: Does there seem to be any kind of strategic plan or profit motive, or does it appear, from what you know now, to be just vandalism?
DICK: No, not that we've been able to discern a motive at this point in time.
QUESTION: Can you tell how much is lost in commerce so far?
DICK: No, it's too early to tell that.
QUESTION: After every terrorist event, you have claims of responsibility. Has there been any credible claim of responsibility or any claim of responsibility from any purported group or individual to the FBI?
DICK: None that I'm aware of. We are obviously conducting or reviewing intelligence base, and a lot of these attacks, as in any crime, people like to talk, and we're following every lead we can to discern that.
QUESTION: Question for you: First of all, you'd expressed concern the NIPC had that the Y2K remediation could open the door to just this kind of attack. Is there any indication, first of all, that this may be tied to Y2K fixes that were done, and the opportunity taken to insert back doors or Trojan horses?
DICK: No to your first; we have no indication this is tied to the millennium efforts whatsoever. And no to the second; we have no indication this has anything to do with Trojan horses or back doors placed during Y2K remediation.
QUESTION: The second part of my question is....
WATERS: That is Ron Dick of the FBI National Infrastructure Protection Center. A lot of acronyms and cyber-words there, but essentially, what we have is a criminal investigation by the FBI, also including the intelligence community and the military, on this so-called denial-of-service attack within the past couple of days, denying access to several Internet Web sites because of the flood of data being put in there by someone or some group of someones. The FBI says its job is to track our way back, but it's too early for answers on who might be involved in this attack.
It comes under the heading of the Fraud and Abuse Act, which calls for five years in prison for a first-time offender and also allows for civil penalties. The attorney general of the United States also was involved in this news conference, telling us that the -- protecting e-commerce is one of the primary concerns of the Justice Department, and more money has been requested for that fight, up to $37 million.
More on all of this in the next hour here now. Bobbie Battista with more on this cyber-attack and the ramifications of it.
© 2001 Cable News Network. All Rights Reserved.