Louis J. Freeh

I just returned from a very brief trip to the Mideast where I visited three countries and spent time with the leaders of all the countries involved in the current peace process. We met with Yasser Arafat, the Prime Minister of Israel, King Hussein, President Mubarak, and, over the course of several days, all of my counterparts, both in law enforcement services and security services.

And part of our agenda . . . did in fact deal with some of the issues that this conference is going to address—issues like technology crimes; law enforcement in the information age; threats to infrastructure; threats to national security; the new ways that criminals and terrorists have found to achieve their objectives; taking advantage of all of the technological changes; the transparency of borders; the ability to travel and send information instantaneously. . . .

It's an obvious point, but one which I think we need to make: in the United States also, these critical issues will continue to occupy industry and law enforcement, but they are not at this time on the front burners for law enforcement or for national security people. This should not be surprising. We are not imminently threatened with the collapse of infrastructures. We are not seeing intrusions at a frequent enough index that people are alarmed about them. . . .

Today this kind of debate continues in Washington and around the world on encryption. Again, at this point we can't point to a proliferation of examples where encryption, unbreakable encryption, has caused the loss of lives or shut down major investigations. But we know, with great certainty, that if that problem is not dealt with very quickly, the time will come that, as robust encryption proliferates without any recovery systems, law enforcement and national security will clearly be at risk.

In a sense, this process really describes the history and the saga of law enforcement. In 1933, unarmed FBI agents transporting a prisoner were gunned down in a crossfire that became known as the Kansas City Massacre. Only then was Congress spurred to enact, within a week after that attack, the authority for FBI agents to carry firearms and make arrests.

It took the chance discovery of the Apalachin meeting up in New York and subsequent investigations in the mid-60's to demonstrate the existence of la Cosa Nostra in the United States—and that spurred Congress to authorize court-authorized wiretapping in 1968.

So we see, over the course of time, how law enforcement strives to catch up with technology. And I think that's where we are right now with computer crime, with the encryption issues, with the telecommunication issues, and with the wireless communication issues—all of which need to be addressed and solved.

So I really salute all of you—and the different countries and corporations that you represent—for putting together a conference which, for the first time, focuses internationally on this problem. Your lead is one that law enforcement must follow.

Today when new FBI agents graduate from our training academy in Virginia, they leave with their firearms and their badges, but they also leave with a laptop computer. It's an excellent symbol of the changing environment in which these young men and women will function over the next 20 years. It is also imperative for the way they must conduct investigations. When they serve law enforcement search warrants, they seize hard drives and disks instead of the boxes and boxes of records and books and ledgers that their predecessors, myself included, used to seize to support our cases.

Today, also, they chase fugitives over cyberspace as well as over fences. You may remember when we arrested Mr. Mitnik a year or so ago. He was found by the FBI, but he was found because we hired a 23-year-old computer specialist to locate exactly where he was and where he was transmitting from. That was the basis of effecting that arrest.

I though also I would mention, very briefly, some of the cases where the technology of computers and cyber crime is evidencing itself, and then talk generally and briefly about recent initiatives undertaken between the FBI and other government organizations, in partnership with the private sector, to deal with some of these problems.

Clearly these problems and issues cannot be solved unilaterally by law enforcement, no more than they could be solved unilaterally by the private sector. If we are to identify and respond to these various problems, we have got to unite the efforts of industry and law enforcement on an international scale.

Let me mention very quickly a couple of cases; these are all public cases so I can comment on them. The Citibank case . . . was a case where someone with a laptop computer, sitting in an apartment in St. Petersburg, Russia, intrudes into a bank and attempts to move millions of dollars out of accounts to a place where they can be exploited.

We had a similar case recently with a so-called "phone phreaker" in Sweden—and because of the assistance we received from Swedish authorities, we were able to solve that case. There a young man, sitting in his own apartment, hacked his way across the Atlantic Ocean into U.S. telephone switching systems and worked his way down to northern Florida, where over the course of several weeks, he interfered with 911 systems and had the capability to disable the system. It could have been disastrous, because 911 systems not only affect the police but also affect fire and emergency services.

FBI Director Louis Freeh testifies on Capitol Hill, April 27, 1995. With the rising possibility of cyber crimes and computer system terrorism affecting the entire nation in the 1990s, Freeh called for industry and law enforcement agencies across the world to work together—a new concept in law enforcement. (AP/Wide World Photos)

Now extrapolate that to imagine if he had hit larger systems—banking systems, stock exchanges, or power grids in the northeast or northwest in the middle of winter.

We had another recent and continuing case in Baltimore, which we call the Innocent Images case. . . . It goes back to 1993 when we began investigating a kidnapping case. When we began to focus on several subjects, it became clear that they were using computers—computer telecommunications networks—to contact, identify and, in some cases, arrange for meetings with children.

In a sense, they were entering the homes of the children, not on the telephone or by a knock on the door, but through computer modems. That case, which has become a national initiative by the FBI, has resulted so far in approximately 88 arrests and 78 convictions. And the only people targeted in those cases are the individuals who are involved in large-scale distributions of pornography, and that's just, in our view, the tip of the iceberg.

We had a recent terrorism case where an individual maintained plans in his laptop computer to attack airliners and other targets. Part of the files contained in that laptop is still encrypted and is still in need of being deciphered by the law enforcement authorities.

Those are just several cases on the menu—again, not representative of thousands of others, but all of a very serious nature and with grave implications. If you take the context of those cases and translate them to large scale industries, to infrastructure, and to informational systems, then you can see that the potential is catastrophic.

Consider for example, a recent exercise by a government agency that is responsible for maintaining and transmitting secure information. This agency ran some computer attacks against its own very well defended systems, using people inside and outside the agency to perform them. The results of the test were that 88 percent of the attacks were successful. Again, the implications of that exercise, translated to all our informational systems, are sobering.

We have been trying to respond to the prospective issues involved in this issue in a number of different ways. In June last year the President signed an Executive Order that asked all government agencies, coordinated by the FBI, to do a critical infrastructure study over a one-year period that would focus on the vulnerabilities of the systems—both physical and informational security—and that would compose and design protocols of plans and systems to protect key areas of government, as well as private industry infrastructure.

That process has been ongoing now for several months. We have enlisted the assistance of many agencies, particularly Department of Defense agencies, which have great expertise in this area. We have also heavily relied upon private industry and private consultants to supply some of the necessary expertise for analysis and planning.

In addition, pursuant to the Executive Order and to a Presidential Directive on terrorism, we established an FBI Computer Investigations and Threat Assessment Center in our headquarters, which we call CITAC. The purpose of that center is two-fold: one, to develop and provide expertise in computer investigations; secondly, to do threat assessments with respect to computer crime infrastructure defenses. This ties in as best it can with the infrastructure analysis program which is ongoing at the same time.

We have established three FBI computer crime squads in the field now, one is there in New York; two, in others cities around the country. These are very different animals in terms of our FBI structure. Most FBI squads are programmatic squads, dealing with bank robbery or with theft from interstate shipment. These new computer crime squads, however, are disciplinary squads—nonprogrammatic and specifically designed and ordered to gather up, within a particular division, all of the computer investigative expertise that we have both from an analytic and an operational point of view. We then use them as a resource for all other programs, criminal programs, or national security matters. We also use them to assist our partners in other law enforcement agencies.

Part of our CITAC program also requires the SACs in all our 56 field divisions to form working groups with local industry—banking, utilities, energy, whatever the framework may be for that particular location—and put together working groups that will serve both to advise and respond to a crisis that threatens infrastructure, whether it be a criminal or a national security matter. To date, those advisory working groups are working very well around the country.

Again, the real key to success here—and I don't think it can be repeated too much—is the critical partnership of government with the private sector and private industry. . . . It is critical that, prior to an emergency, we develop the contacts, the associations, and the working groups to deal with some of those problems.

We have worked very hard, as you know, in the legislation area to obtain the authorities that not only enable us to continue our investigative programs and techniques, but also help us anticipate some of the emerging problems. Last year, for instance, the FBI worked very hard with private industry and with many distinguished academics, to propose and ultimately to see pass the economic espionage statute, which is really a trade secrets act.

The interesting thing behind that initiative, however, was the fact that it was computer crime—particularly computer intrusions into major companies to valuable trade secrets—that focused our efforts to protect commerce and industry here in the United States. We found, for instance, that the traditional theft statutes, like the transportation of stolen property, just didn't apply to the situations where an intruder into or an employee of a corporation quickly downloads an important trade secret and transports that information on a disk either locally or globally.

The courts had said in many cases that intellectual property or knowledge of a trade secret was not really a "good" or "ware" as intended by the Congress in the interstate transportation of stolen property act. So we found we had a large area of criminal activity legally exempted from the FBI's program.

A major impetus for this trade secrets act was thus the ability of computer criminals to steal valuable intellectual property that doesn't quite fit the 1930s definition of "goods, wares, and merchandise." This is just one example of our legislative initiatives directed towards those technology problems.

Encryption is another important one. We realize that the need for robust encryption is critical for the health of our national economy and for American competitiveness, here and overseas. As a law enforcement agency that wears a national security hat, however, we also realize that we need encryption with some exempted or court-authorized recovery mechanism for those very rare instances when encrypted channels are used to either transmit or store information relative to a crime, an act of terror, or a national security matter. Of course such a mechanism would be available to us only under court orders and very stringent requirements, as with the 1968 court-authorized wiretapping statute. . . .

Another FBI initiative that deals with the cyber crime and global crime issue is the expansion of our Legal Attaché program. As many of our international friends here know, the FBI has had, for many, many years a "Legat" program, as well call it, where FBI agents are assigned to various embassies to engage in liaison functions with the host law enforcement authorities. They deal exclusively in law enforcement-related activities. They do not engage in any other non-criminal activities except as liaison.

We have Legats now in 30 countries. On my last trip, in fact, I dedicated an office in Tel Aviv, which will also serve as liaison with Jordan, with the Palestinian authority, and with the office in Cairo. Over the next two years, pursuant to a plan approved by the Congress, we will open another 16 Legats which will take us to the places like Beijing, South Africa, and Buenos Aires—places where law enforcement needs cop-to-cop bridges and the police-to-police contacts that are necessary to deal with crimes like computer crime and others that have no boundaries and that are committed in the twinkling of a eye. These crimes absolutely require us to work with our partners in order to identify and solve them.

We are behind the eight ball, I think, in our efforts to deal both with cyber crime and global crime. But the initiatives I have mentioned—including infrastructure initiatives, training initiatives, the Legat programs—are all certainly moving in the right direction. My concern is that we are moving too slowly and that the pace of change is so rapid that, despite our best efforts and our resources, we will still remain a little bit behind the curve.

If you think about what's happening now with respect to cyber crime and global crime, it's not unfair to compare it to the advent of the automobile back in the early part of the century. Easy automobile use then changed everything. It didn't just change the economy, it also had an immense impact on law enforcement, which had been dealing with crime on a localized basis.

U.S. Department of Homeland Security secretary Tom Ridge speaks at the National Cyber Security Summit in Santa Clara, California, December 3, 2003. (AP/Wide World Photos)

Today the change is from national to international borders. I remember when I was a new FBI agent here in New York in 1975. It was an anomaly to have a lead in your case which went overseas to a foreign bank account, or to need to speak to a witness who was outside our jurisdiction, or to need records from an offshore location where we had no jurisdiction.

Now in 1997, that's all changed. It is probably rare when we don't have an international connection in a drug case or an economic crime case, or a fugitive case or a national security matter. Just like the automobile back in the 1920s and the 1930s, the computer is impacting the economy and the science of law enforcement today, except, probably, with a tenfold greater impact.

It is affecting everything we do in law enforcement. It is changing the rules of the game with respect to how we prepare for and deal with national security issues. And it will continue to do that at an even more alarming rate.

Remember the old gangster movies where somebody robbed a bank, got in an old Model T, and raced away from the police to a state line—where the police had to stop because they didn't have jurisdiction to take the bank robbers over the state line? Congress intervened when that happened. It established interstate banking authority for the FBI with respect to the bank robbery jurisdiction. And everybody thought we had solved the problem. In today's world, though, we are dealing with global borders and economic borders that have ceased to exist. We now need to have authorities from Congress, and we also need technological means to deal with a problem that is getting increasingly more complex and global. We need to draw on your expertise and advice and partner our efforts.

So, let me just close by again thanking you all for your attendance and participation here. We certainly appreciate your interest. We thank your chiefs and director generals for approving this. And we ask that you help us to combat these new crime phenomena. A critical part of our success will come from industry and from you. Thank you very much.