tv Key Capitol Hill Hearings CSPAN July 16, 2014 8:00am-10:01am EDT
8:00 am
Microsoft, working with law enforcement, has obtained several civil restraining orders to disrupt, and in some cases take down, individual botnets, including the Citadel botnet, which was responsible for stealing hundreds of millions of dollars. And earlier this year the Justice Department and the FBI, working with the private sector and law enforcement agencies around the world, obtained a restraining order allowing them to take over the GameOver Zeus botnet. This action was particularly challenging because the botnet relied on a decentralized command structure that was designed to thwart efforts to stop it. Each of our witnesses today has played a role in efforts to stop botnets. I look forward to learning more about these and other
8:01 am
enforcement actions and the lessons that we should take away from them. We must recognize that enforcement actions are just one part of the answer, so I'm interested in hearing also about how we can better inform computer users of the dangers of botnets and what other hygiene steps we can take to address this threat. My hope is that this hearing starts a conversation among those dealing day to day with the botnet threat and those of us in Congress who are deeply concerned about that threat. Congress, of course, cannot and should not dictate tactics for fighting botnets. That must be driven by the expertise of those on the front lines of the fight, but Congress does have an important role to make sure there is a solid legal foundation for enforcement actions against botnets and clear standards governing when they can occur. We must also ensure that botnet takedowns and other actions are carried out in a way that protects consumers' privacy,
8:02 am
all while recognizing that botnets themselves represent one of the greatest privacy threats that computer users face today. They can actually hack into your computer and look at you through your web cam. And we must make sure that our laws respond to a threat that is constantly evolving and encourage, rather than stifle, innovation to disrupt cyber criminal networks. I look forward to starting this conversation today and to continuing it in the months ahead. I thank my distinguished ranking member for being such a terrific colleague on these cyber issues. We hope that a good piece of cyber botnet legislation can emerge from our work together. I thank you all for participating in this hearing and for your efforts to protect Americans from this dangerous threat, and before we hear from our witnesses, I'll yield to my distinguished ranking member,
8:03 am
Senator Lindsey Graham. >> Thank you, Mr. Chairman. I just want to acknowledge your work on this issue and everything related to cyber threats. There is no stronger, clearer voice in the Senate than Sheldon Whitehouse in terms of the threats we face on the criminal front and the terrorist front that come from cyber misdeeds, and Congress is having a difficult time organizing ourselves to combat both threats. But to make sure this is not an academic exercise, I guess it was last year, it might have even been a bit longer, but the Department of Revenue in South Carolina was hacked into by -- we don't know all the details, but a criminal enterprise that stole thousands -- millions of Social Security numbers and information regarding companies' charters, revenue, and that's required the State of South Carolina to purchase protection. I think it was a $35 million per year allocation to protect those who had their Social Security
8:04 am
numbers stolen, we believe by a criminal enterprise. It happened in South Carolina. It can happen to any company, any business, any organization in America, and our laws are not where they should be, so the purpose of this hearing is to gather information and hopefully come out and be a friend of law enforcement. So Senator Whitehouse, you deserve a lot of credit in my view for leading the effort in the United States Senate, if not the Congress as a whole, on this issue. Thank you. >> I'm delighted to welcome our administration witnesses. Before we do, his timing is perfect, Senator Chris Coons has joined us, and yields on making an opening statement. The first witness is Leslie Caldwell, the head of the Criminal Division at the Department of Justice, who was confirmed on May 15th, 2014. She oversees nearly 600 attorneys who prosecute federal criminal cases across the
8:05 am
country. She has dedicated most of her professional career to handling criminal cases, having served as the director of the Enron Task Force and as a federal prosecutor in New York and California. After her testimony, we'll hear from Joseph Demarest, who is the assistant director for the FBI's Cyber Division. He joined the FBI as a special agent in 1988 and has held several leadership positions within the bureau, serving as, for instance, head and assistant director of the International Operations Division and as the assistant director in charge of the New York Division. He was appointed to his current position in 2012, and I have to say that I have had the chance to work very closely with Mr. Demarest and I appreciate very much the energy and determination he has brought to this particular arena of combat against the criminal networks of the world, and look forward to
8:06 am
his testimony. Let me begin with Assistant Attorney General Caldwell. >> Ranking Member Graham, and Senator, thank you for the opportunity to discuss today the Justice Department's fight against botnets, and I particularly want to thank the chair for holding this hearing and for his continued leadership on these important issues. The threat from botnets, defined in simple terms as networks of hijacked computers surreptitiously infected with malicious software, or malware, which are controlled by an individual or an organized group for criminal purposes, has increased dramatically over the past several years. Criminals are using state of the art techniques, seemingly drawn from science fiction movies, to take control of thousands or even hundreds of thousands of victim computers, or bots. They can then command these bots to do various things, as Senator Whitehouse indicated. They can flood an internet site with junk data, they can knock
8:07 am
it offline by doing that, they can steal banking credentials, credit card numbers, other personal information, other financial information, send fraudulent spam e-mail, or even spy on unsuspecting computer users through their web cams. They are intended to undermine Americans' privacy and security and to steal from unsuspecting victims. If left unchecked, they will succeed in doing so. As cyber criminals have become more sophisticated over recent years, the Department of Justice, working through highly trained prosecutors at the Computer Crime and Intellectual Property Section of the Criminal Division, the National Security Division of the Justice Department, U.S. Attorneys' offices across the country, and the FBI and other law enforcement agencies, has likewise adapted and advanced its tactics. As one example, in May of this year the U.S. Attorney for the Western District of Pennsylvania and the FBI, in partnership with other federal and private sector
8:08 am
organizations, disrupted the GameOver Zeus botnet and indicted a key member of the group that operated that botnet. Until its disruption, GameOver Zeus was widely regarded as the most sophisticated criminal botnet in existence worldwide. From 2011 to 2014, GameOver Zeus infected between 500,000 and 1 million computers, and it caused more than $100 million in financial loss. Put simply, the botmaster stole personal information from victim computers and, with the click of a mouse, used that stolen information to empty bank accounts and rob small businesses, hospitals, and other victims by transferring funds from the victims' accounts to the criminals' own accounts. They also used it to install Cryptolocker, a type of malware known as ransomware, on infected computers, and it enabled them, on these computers, to
8:09 am
encrypt key files and charge the victims a ransom for the release of their own files. In the short period between its emergence and our action, it infected more than 260,000 computers worldwide. There was a complex international investigation. It continued through the department's use of a combination of court-authorized criminal and civil legal process to stop infected computers from communicating with one another and with other servers around the world. The investigation and operation ultimately permitted the team not only to identify and charge one of the leading perpetrators but also to cripple the botnet and to stop the ransomware from functioning. Moreover, the FBI was able to identify victims and, working with the Department of Homeland Security, foreign governments, and private sector partners, was able to facilitate the removal of malware from many victim computers. As we informed the court last week, at present the GameOver Zeus botnet remains inoperable and out of the criminals' hands.
8:10 am
GameOver Zeus infections are down 30% and Cryptolocker remains nonoperational. We are employing investigative tools that Congress has given us to protect our citizens and businesses. We've leveraged our strengths by partnering with agencies all over the world and in the private sector. If we want to remain effective in protecting our citizens and businesses, however, our laws and resources must keep pace with the increasingly sophisticated tactics and growing numbers of our adversaries. Our adversaries are always adapting; so must we. In my written statement I describe several legislative proposals and resource increases that will assist the department in its efforts to counter this threat. These proposals include an amendment to the Computer Fraud and Abuse Act and several other proposals. We look very much forward to working with the committee to address these issues. We also need additional resources at the department to continue to disrupt botnets,
8:11 am
including hiring new attorneys, as indicated in my statement. Thank you again for the opportunity to discuss our work in this area, and I look forward to answering any questions you might have. >> Thank you, Assistant Attorney General Caldwell, and now Mr. Demarest. Director Demarest. >> Good afternoon, Chairman Whitehouse, Ranking Member Senator Graham, and Senator Coons. Thank you for holding this hearing, Chairman Whitehouse, and I look forward to discussing the progress the FBI has made on campaigns to disrupt and disable the significant botnets that you know we target. Cyber criminal threats pose a very real risk to the economic security and privacy of the United States and its citizens. The use of botnets is on the rise. Industry experts estimate botnet attacks have resulted in the overall loss of millions of dollars from financial institutions and other major businesses. They also affect universities, hospitals, defense contractors, government, and even private citizens. The weapons of a cyber criminal
8:12 am
are tools, like botnets, which are created with malicious software that is readily available for purchase on the internet. Criminals distribute this malicious software, also known as malware, that can turn a computer into a bot. When this occurs, a computer can perform automated tasks over the internet without any direction from its rightful user. A network of these infected computers is called a botnet, as you pointed out. Botnets can be used for organized criminal activity, covert intelligence collection, or even attacks on critical infrastructure. The impact of this global cyber threat has been significant. According to industry estimates, botnets have caused over $9 billion in losses to U.S. victims and over $110 billion in losses globally. Approximately 500 million computers are infected each year, translating into 18 victims per second. The FBI, with its law enforcement partners and private sector partners, to include the panel of distinguished
8:13 am
presenters today from Microsoft, Symantec, and Farsight, has had success in taking down a number of large botnets, but our work is never done, and by combining the resources of government and the private sector, and with the support of the public, we will continue to improve cyber security by identifying and catching -- the complicated nature of today's cyber threat, the FBI has developed a strategy to systematically identify enterprises and individuals involved in the development and support of schemes impacting U.S. systems. The complete strategy involves a holistic look at the entire cyber underground ecosystem and all facilitators. The FBI initiated an aggressive approach to dismantle those threatening the U.S. economy and our national security. The initiative, coined "Operation Clean Slate," is spearheaded by the FBI, our National Cyber Investigative Joint Task Force, with a host of U.S. partners with DHS and
8:14 am
private sector. It is a comprehensive public/private network, targeting the bot infrastructure at the same time as the coders or those responsible for creating them. This initiative incorporates all facets of the USG, international partners, the U.S. financial sector and other stakeholders. Again, I point out Dell SecureWorks is one of the main -- and we talked about GameOver Zeus. Operation Clean Slate works to degrade -- the information of victims, to increase the cost of doing business and cause concern of action against them. Just a brief description of the successes of late. In December 2012, the FBI disrupted an organized crime ring related to the Butterfly botnet, which stole
8:15 am
credit card information, bank account and other personally identifiable information. The Butterfly botnet comprised more than 11 million computer systems and resulted in over $850 million in losses. The FBI, along with international law enforcement partners, executed numerous search warrants, conducted interviews, and arrested ten individuals from Bosnia and Herzegovina, New Zealand, Peru, the United Kingdom and the United States. All of this was not possible without DOJ's CCIPS in particular. In June 2013, again, the formal debut of "Operation Clean Slate," the team with Microsoft and financial service industry leaders disrupted the Citadel botnet, which facilitated unauthorized access to computers of individuals and financial institutions to steal online banking credentials, credit card information, and other PII. Citadel was responsible for the loss of half a billion dollars; over a thousand Citadel domains were
8:16 am
seized, accounting for more than 11 million victim computers worldwide. Building on that success of the disruption of Citadel, in December 2013, the FBI and Europol, with Microsoft and again the Operation Clean Slate team and other partners, disrupted the ZeroAccess botnet, responsible for more than 2 million computers infected and targeting search results on Google, Bing and Yahoo!, and estimated to cost online advertisers $2.7 million each month. Again, in April 2014, the team's investigative efforts resulted in the indictments of nine members of the enterprise and conspiracy that infected computers with malware known as Zeus or Jabber Zeus, a malware that captured passwords, account numbers and other information necessary to log on to online banking accounts. The conspirators allegedly used the information captured to
8:17 am
steal millions of dollars from the bank accounts of account-holding victims. Later, in June 2014, yet another operation by the Clean Slate team announced a multinational effort to disrupt the GameOver Zeus botnet, the most sophisticated in the U.S. and around the world. This effort to disrupt it involved impressive cooperation with the private sector, namely Dell SecureWorks, and international law enforcement. GameOver Zeus is an extremely sophisticated type of malware designed to steal banking and other credentials from the computers it infects. In the case of GameOver Zeus, the primary purpose is to capture banking credentials and initiate or redirect wire transfers to accounts overseas controlled by the criminals. Losses attributed are estimated at more than $100 million. Much like the FBI's other
8:18 am
investigative priorities and programs, our focus is impacting the leaders of the criminal enterprises and terrorist organizations we pursue. We are focusing the same effort on the major cyber actors behind the botnets. We remain focused on defending the United States against these threats and welcome the opportunity, like the one today, to discuss our efforts. We are grateful for the committee's support and yours in particular, Senator Whitehouse, and we look forward to working closely with you, continuing to forge aggressive campaigns against botnets. >> Thank you very much. Assistant Director Demarest, there have to be millions of botnets out there? >> Yes. >> One could say so many botnets, so little time. So given that, what are your factors for prioritizing which ones to go after, through the Clean Slate program or just generally? >> So by operation of Clean Slate for private sector and
8:19 am
government, and then prioritize the most egregious botnets in the wild we know about, so working with not only government, DHS being principal, and friends in the intelligence community, but also, I'll say in the private sector, Microsoft being chief, and looking across, you know, the world and those botnets that are seemingly causing the most damage, economic damage or other means or potentially physical damage, and then prioritizing those and then developing a campaign about going after not only the infrastructure but the actors behind that botnet or those botnets. >> Assistant Attorney General Caldwell, one of the -- this predates you, but I've had some concerns, based on my time in the Department of Justice as a U.S. Attorney, about the way in which the department has responded to the botnet threat. I think you're doing a, you know, a good job, but there's a
8:20 am
cultural divide sometimes between the criminal prosecutors and the civil attorneys for the government. These cases to take down the botnet tend to be civil cases in nature, so I've worried a bit about the extent to which it's instinctive on the part of criminal prosecutors to think that that's a lesser task and a lesser pursuit than what they are doing, and whether that gets in the way of adequately pursuing the civil remedies that shut these botnets down. The second is that when the Coreflood takedown took place, it appeared to me that that was kind of an ad hoc group of very talented people brought together to address themselves to Coreflood and succeed at taking it down, but once the operation was complete they went back to their individual slots
8:21 am
around the country and the effort was dispersed. I think that the botnet problem is a continuing one. I think as soon as you strip out, as Mr. Demarest said, some of -- I'm interested first in how you're making sure this is prioritized despite the civil nature of the legal proceeding that cures the botnet problem, that strips it out of the system, and what you've done to try to establish a permanent, lasting, institutional presence for taking down botnets without having to reassemble teams each time a botnet rears its head as a target? >> Thank you, Senator. I think that the GameOver Zeus operation is the perfect example of how we see this going forward. Although I wouldn't dispute that there are some criminal assistant U.S. attorneys who may think the civil attorneys have a less exciting job, we don't see it that way. The civil component, as you
8:22 am
indicated, is a very critical part of this, but there are different ways to approach botnets. They're all different, as you indicated earlier. In GameOver Zeus we used a combination of civil and criminal authorities and I think that's, again, it isn't one size fits all, but I think that is likely what we'll continue to see in the future. As you know, the leading perpetrator of that particular botnet was indicted criminally and the civil injunctions were obtained at the same time. It was very carefully coordinated. There was a lot of communication between the civil prosecutors who were handling the injunction paperwork and the criminal prosecutors; it was really all one team. So I think the civil tool is a very important tool and we expect to continue to use it. There are some holes in that tool. Right now we're permitted to get a civil injunction against fraud and a civil injunction against wiretapping, but as you indicated in your opening remarks, botnets are not always engaged in fraud and wiretapping.
8:23 am
They're engaged in other things too. One thing we would like to see happen is an amendment to the statute to permit injunctions in other circumstances in which we see botnets operating. Then on the issue of the institutional knowledge, the Computer Crime and Intellectual Property Section is really the, really is the receptacle, that is a bad word, but where all that knowledge is based. The Computer Crime and Intellectual Property Section has headquarters components, has field components, has a lot of institutional knowledge about botnets, so if one prosecutor leaves, the knowledge isn't going to leave. We coordinate regularly with the FBI. There is a lot of coordination. There is a lot of coordination with the -- and U.S. Attorney's offices; there is institutional knowledge about botnets, so even -- >> In a nutshell, you feel right now that, of course, it has been
8:24 am
adequately institutionalized in the department? There will be continuity and persistence rather than ad hoc efforts? >> Yes. And I think that although they weren't as prominent, there were at least a half dozen other botnet takedowns in the last couple of years between Coreflood and GameOver Zeus. So there is definitely, it is definitely a priority and there is definitely a focus, and there is a lot of knowledge among the CCIPS prosecutors and their counterparts at the FBI about these botnets. They will keep coming and we will keep attacking them. >> I yield to my ranking member, but my impression is some of those were sort of sporadic and ad hoc takedowns that appeared in U.S. Attorneys' offices and not necessarily consistent with a continuing, lasting, persistent presence stripping down one botnet after another. I'm glad that you've gotten to where you've gotten, so thank you. Senator Graham. >> Are you the Eliot Ness
8:25 am
of botnets? Do we have an Eliot Ness of botnets? >> I think he is the Eliot Ness of botnets. >> No matter what behavior, to deter it: if I do this I will get caught. If I get caught, bad things are going to happen. What do you think the deterrence is like right now, Mr. Demarest? >> I think it is significant now. I think in years past not very much so, where they did travel and they felt they could take actions with impunity. We're finding today on some of the actions, enforcement actions, successful, we're causing impact. We see that in other collection, them talking amongst each other and concern about traveling now. The question is a way of containing some of the threats that we see from individuals today. >> What nation states do we need to worry about in terms of being involved in this activity? >> I would say nation states of Eurasia, principally. We have seen a lot of criminal
8:26 am
actors coming from that area of the world. >> Are they reliable partners, the nations, the governments? >> We're opening dialogue, I will say on that front. I think you will find that some of our Russian counterparts in law enforcement are a bit more agreeable. But any new relationship, I'd say especially in this space, we're working toward improving them. >> If it is possible, maybe by the end of the year, could you provide the committee with a list of countries you think have been good partners? And the list of countries that you think have been resistant. >> Yeah. Easily done. >> Thank you. >> Based on our activities working with the countries we do work with. >> Once we identify, maybe we change their behavior. There are all kinds of ways of getting people's attention. Was this a problem five years ago? How long ago has this been a problem? >> This has existed for years. Probably we're just now, you know, this is the tip of the iceberg. I think as we get more sophisticated internally in the U.S. government, seeing, being
8:27 am
able to identify. >> What made us aware of it today, more than say five years ago? Just the consequences? >> I think consequences. I think victim reporting. I think major losses occurring to private industry. >> Is there any end to this? How far can these people go? >> They will keep on going. As you can see, each bot will evolve. We take actors off. Malware will change. We see complete evolution. But again we're actually placing at least, there's a price to pay for actually engaging in this activity now. >> Are terrorist organizations involved in this? >> We track them very closely. I would say there's an interest, but much further than that, Senator Graham, probably in a different setting we could give you a further briefing. >> Ms. Caldwell, on the civil-criminal aspect of this, what are the couple of things you would like Congress to do to enhance your ability to protect our nation?
8:28 am
I'm sure you've got this written down somewhere, but just for the average person out there listening to this hearing, what are the couple of things you would like to see us do? >> Well, one is the one that I already mentioned, which is -- >> My phone off. >> Changing civil injunction abilities so that we will have the capability to enjoin botnets other than those that are engaged in fraud and wiretapping, because there are, for example, distributed denial of service attacks right now. We can't get an injunction against that; we would like to be able to do that. >> Do we need increased penalties? >> That is an interesting question, Senator, and I think that we have been seeing increased penalties being imposed by courts. So -- >> Statutorily, Mr. Demarest, do we need to change any statutes to make this bite more? >> I will defer to Ms. Caldwell but, I will defer to you. >> I think that the maximum sentences under most of the statutes are adequate. I don't think we need any kind of mandatory minimums because
8:29 am
we've been seeing judges impose sentences around the seven, eight, nine-year range, which I think is a very substantial sentence. There are a couple of other things we would like to see. Right now there is no law that explicitly covers the sale or transfer of a botnet that is already in existence. We've seen evidence that a lot of folks sell botnets. They rent them out, and we would like to see a law that addresses that. One of the things which is a little bit off point but I think is still relevant to botnets is, right now there is no law that prohibits the overseas sale of U.S. credit cards unless there has been some action taken in the United States or unless money is being transferred from overseas to the United States. So, we see credit card situations where people have millions of credit cards from U.S. financial institutions but they never set foot in the United States. That's currently not covered by our existing law. >> So you could steal my credit card information from overseas and basically be immune?
8:30 am
>> Correct. Unless you transferred proceeds of your scheme back to the United States. >> Okay. One last question here. When it, when they basically seize your computer or hijack your computer, the information contained therein, they actually hold, I mean they ask for, they make a ransom demand? >> So -- >> How does that work? >> Under Cryptolocker what happens, I'm certainly not a technical expert so jump in, you would see on your computer, you would see something flash up on the screen that basically told you all your files were encrypted and would remain encrypted until you paid a ransom within X hours. If you didn't pay, all your files would be deleted. >> And a payment made by Bitcoin or whatever established venue it is; they expect the payment within a given amount of time and if not it's
8:31 am
encrypted. >> Do people pay? >> They do. >> What's the biggest payout you have seen? >> Well, all things involved, Cryptolocker and CryptoWall now, and a major concern of paying in excess of probably $10,000, but they're focused now more on major concerns, businesses and entities as opposed to single victims. >> Is that extortion under our law? >> Yes. >> So you don't need to change that statute? >> No. The problem is, though, that as with a lot of these cyber crimes, most of the people engaged are overseas. >> Thank you. >> Let me recognize Senator Coons, who's been interested in and dedicated to this topic and whose home state is energized on the topic because the Delaware National Guard actually has a cyber wing that's active and one of the best cyber National Guard detachments in the country. I say one of the best because Rhode Island has one, too. Senator Coons? >> Thank you very much. Thank you, Chairman and Senator
8:32 am
Graham. You're great and effective leaders on this issue. To the point raised by the chairman, given the persistency of this threat, given its trajectory, its scope, its scale and the resources that you're having to deploy in order to take down these botnets and in order to break up the criminal gangs, is it acceptable, is it possible for us to deal with this threat with a federal law enforcement response alone? Do we need a partnership from state and local law enforcement? I assume the answer is yes. How are we doing at delivering an integrated capability, federal, state and local, first, second? What kind of capabilities do businesses and individuals, does the private sector and citizens have, and what are we doing to help scale that up? Because the resiliency of our country, the ability to respond to the threats, as we all know, much as it is with natural disasters or with terrorism threats, requires a sort of everybody-engaged response that
8:33 am
engages our private sector, engages entrepreneurs and engages state and local and federal law enforcement. >> Sure. Thank you, Senator Coons. We have cyber task forces throughout the offices, 56 out there. Each office is engaging at the local level to bring state and local authorities aboard, net defenders from the organizations they represent. Very difficult with resources constrained at the state and local level, and appreciating that. We kicked off Wellspring, defrauding the elderly and real estate, and bring an investigator or officer aboard or analyst; we work closely with them to foster or develop the skill in this area working cyber crime. It's worked well in the initial offices, in Salt Lake City with the Utah Department of Public
8:34 am
Safety, and down in Dallas with some of the local Dallas Police Department. We have a long way to go in that space, and for them to fully appreciate the threats today facing the public or the citizens they're responsible for. On the private sector, we have worked far and wide, with a somewhat limited force, and focused on those priority sectors, if you will, most threatened. But we have found time and time again the most threatened and most vulnerable are small to medium-sized business owners with one single person that's responsible for internet security or cyber security and insurance and the like, and how to target the band and bring them aboard? We had health care, representatives from the health care industry, in the headquarters working through what that relationship would look like with health care, and we focused on energy, telecommunications and the like over the past two years, and now how do we broaden that effort out? >> Implicitly from the reference
8:35 am
to health care, as we go to electronic medical records, we have data for cyber criminals to go after. Ms. Caldwell? >> Yes. I think -- I'm sorry. I think any online database is vulnerable. Some obviously have more security protections than others. And as you indicated, Senator Coons, the health care databases have a lot of sensitive personal information, so we've seen, I know in some of the botnets that we have seen over the years, including if I'm not mistaken GameOver Zeus, some of the victims were hospitals, so that's a very serious area of concern we're concerned about. >> One other question. As Senator Whitehouse referenced, we have a warfare squadron of the National Guard. They've stood up and grown and developed this National Guard capability which takes advantage of the fact that we have a fairly sophisticated financial
8:36 am
services community. we have credit card processing, and as a result there's a lot of fairly capable and sophisticated online security and financial services security professionals who can then also serve in a law enforcement and national security first responder context through the national guard. what lessons do you think we could learn from that partnership, that collaboration in our two home states, that would lead us to a better scale-up of the needed federal workforce to respond to and deal with the law enforcement challenges? >> there's a treasure trove of skill in the guard and reserve forces. we participated in, actually hosted at the fbi academy, the cyber guard exercise for 2014. a lot of -- we brought personnel in from around the field, at least 50 from the local cyber task forces and local guard units. great capability there. our director along with the deputy director had a meeting with cyber command, osd and the joint
8:37 am
staff to better correlate or collaborate in the space. tomorrow we have another meeting with the commanders at my level to put it in place with reserve and guard units. admiral rogers held a meeting up at nsa recently to talk through what that looks like, working with cyber command, the guard forces and reserve forces, and what skills they bring, how that may assist the fbi in our operations, and also training opportunities that we can leverage with one another. >> terrific. thank you for your testimony. i look forward to hearing more of the development of the partnership, and thank you for your leadership in this area, senator whitehouse. >> well, i'll let you two go. i'm sure we could ask you questions all afternoon. this is such a fascinating and emerging area of criminal law enforcement. i appreciate very, very much the work that you do, and i want you to pass on to attorney general holder my congratulations for the dedication that he's brought to this pursuit, particularly as
8:38 am
exemplified by the gameover zeus takedown and the indictment of the china pla officials. those were both very welcome steps, and i'm looking forward to seeing more criminal prosecution of foreign cyber hackers. i think the opening gambit with the indictment was terrific. congratulations to you both. thank you for your good work, and we'll release you and call the next panel forward. [inaudible conversations]
8:39 am
all right. thank you all so much for being here. this is a really terrific private sector panel on this issue and i'm grateful to you. i'll make the formal introductions right now rather than going into them before each statement; then we can just go right across with your statements. our first witness is going to be richard boscovich, who is the assistant general counsel in the microsoft digital crimes unit, a position where he developed legal strategies used in the takedowns and disruptions of several botnets including the citadel, zeus and zeroaccess botnets. he previously served for over 17 years at the department of justice as an assistant u.s. attorney in the southern district of florida, where he directed the district's computer hacking and intellectual property unit.
8:40 am
hearing from cheri mcguire from symantec corporation, one of the cyber security providers in this country. she is responsible for the global public policy agenda and government engagement strategy, including cyber security, data integrity, critical infrastructure protection and privacy. before she joined symantec in 2010, she was director of critical infrastructure and cyber security in microsoft's trustworthy computing group, and before that at the department of homeland security, including as acting director and deputy director of the national cyber security division and the u.s. cert. then we'll hear from dr. paul vixie, chief executive officer of farsight security, which is a commercial internet security company. he previously served as the chief technology officer for abovenet, an internet service provider, and as the founder and ceo of maps, the first anti-spam
8:41 am
company, and as the operator of the f dns root name server and the author and maintainer of bind, a popular open source system, for 11 years. and he was recently inducted into the internet hall of fame. finally, i will hear from craig spiezle, executive director, founder and president of the online trust alliance. the online trust alliance encourages best practices to help protect consumer trust, and he works to protect the vitality and innovation of the internet. prior to founding the online trust alliance, he worked at microsoft again, the fraternity, where he drove development of anti-spam, anti-phishing, anti-malware and privacy enabling technologies. he is on the board of the identity theft council and was appointed to the fcc's communication security reliability and
8:42 am
interoperability council, and a member of the partnership between fbi and the private sector. experienced and knowledgeable witnesses. let me begin with richard boscovich. we're so glad you're here. thank you. >> chairman whitehouse, ranking member graham and members of the committee, i'm richard boscovich, assistant general counsel. thank you for the opportunity to discuss microsoft's approach to fighting and detecting botnets. we also thank you for your leadership in focusing attention on this complicated and important topic. botnets are groups of computers controlled remotely by hackers without knowledge or consent, enabling criminals to steal information and identities, disrupt networks and distribute software and spam. i'll describe how microsoft fights botnets, disrupting the tools, and how we carefully design these operations to protect
8:43 am
consumers. to understand the devastating impact of botnets, we can look at how they affect one victim. consider in use power, a chef in the united kingdom, who found a warning that she could not access her files unless she paid a ransom within 72 hours. all of her photos, financial accounting information and other data were permanently deleted. all this was caused by a botnet. she later told a reporter, if someone had robbed my house, it would have been easier. indeed, botnets conduct the digital equivalent of home invasions but on a massive scale. botnet operators quietly hijack webcams to spy on people in their homes and then sell photos of the victims on the black market. they use malicious software to log every keystroke that they enter on their computers, including credit card numbers, social security numbers, work documents and personal e-mails.
8:44 am
they send deceptive messages to appear as though they're sent by banks to convince people to disclose their account information. microsoft has long partnered with other companies and global law enforcement agencies to battle malicious cyber criminals such as those who operate botnets. we do not and cannot fight botnets alone. as the title of the hearing suggests, it requires efforts of both the private and the public sector. we routinely work with other companies and domestic and international law enforcement agencies to dismantle botnets. our joint efforts demonstrate that partnerships are highly effective at combatting cyber crime. problems as complicated as botnets cannot be addressed without partnerships. microsoft's philosophy is simple. we aim for their wallets. cyber criminals operate botnets to make money. we disrupt botnets by undermining the profit of the attacks.
8:45 am
microsoft draws on our deep technical and legal expertise to develop carefully planned and executed operations that disrupt botnets pursuant to court approved proceedings. in general terms, microsoft asks for permission to destroy the botnet, breaking the connection between the botnet and the computers. traffic generated by infected computers is either disabled or routed to domains controlled by microsoft, where the ip addresses of the victims are identified. privacy is a fundamental value. when we execute an operation we are required to work within the bounds of the court order. we never have access to e-mail or other content of victim communications from infected computers. microsoft receives the ip addresses used by the infected computers to identify the victims. we give domestic ip addresses to providers in the united states to alert customers directly.
8:46 am
we give the rest to computer emergency response teams; commonly, the owners are then notified and offered assistance in cleaning their computers. in summary, through the course of an anti-botnet operation microsoft works with partners to protect millions of people and their computers against malicious cybercriminals. this has led to the disruption and shutdown of some of the most menacing threats to public trust and security on the internet. cybercriminals continue to evolve their tactics. they keep developing more sophisticated tools to profit from the online chaos that they create. we remain firmly committed to working with other companies and law enforcement to disrupt botnets and make the internet a more trusted and secure environment for everyone. thank you for your time, senator, and i am happy to answer any questions you may have. >> ms. mcguire. >> chairman whitehouse, thank you for the opportunity to testify today. i am especially pleased to be
8:47 am
with you again to focus attention on botnets and cybercrime and how industry and government are working together to address these serious issues. as the largest security software company in the world, symantec protects much of the world's information. but botnets today are the foundation of the cyber criminal ecosystem. and as was discussed earlier, the uses for malicious botnets are only limited by the imagination of the criminal bot masters. these can range, as you mentioned, from distributed denial of service attacks to bitcoin mining to distribution of malware and spam. bot masters also rent out their botnets as well as use them for stealing passwords, credit card data, intellectual property or other confidential information which is then sold to other criminals. until now virtually all botnets have been networks of infected laptops and desktop computers. however, in the past few years we have seen botnets made up of mobile devices, and we fully
8:48 am
expect that the coming internet of things will bring with it a future of thingbots, ranging from appliances to home routers to video recorders. and who knows what else? taking down a botnet is technically complex and requires a high level of expertise. but despite these obstacles, law enforcement and the private sector, working together, have made significant progress in the past several years. symantec's work to bring down the zeroaccess botnet, one of the largest botnets in history at 1.9 million infected devices, is a good example of how coordination can yield results. zeroaccess was designed for click fraud and bitcoin mining, with an estimated economic impact of tens of millions of dollars lost per year. the electricity alone to run that botnet cost as much as $560,000 per day. one year ago today symantec began to sinkhole zeroaccess infections, which quickly resulted
8:49 am
in the detachment of more than half a million bots. this meant these bots could no longer receive any commands and were effectively unavailable to the bot master for updating or installing new revenue generating malware. another significant win came last month with the major operation against the financial fraud botnet gameover zeus, as several witnesses have testified to. as part of this effort symantec worked in a broader coalition to provide technical insights into the operation and impacts of this botnet. as a result, authorities were able to seize a large portion of the criminals' infrastructure. in our view the approach used in the gameover zeus operation was the most successful to date, and should serve as a model for the future. a group of more than 30 international organizations, from law enforcement to the security industry, academic researchers and isps, all cooperated to collectively disrupt this botnet. this successful model of public and private cooperation should
8:50 am
be repeated in the future. while zeroaccess and gameover zeus were successful, there are undoubtedly more criminal rings operating today, but, unfortunately, there are just not enough resources. as you said, so many botnets, so little time. as criminals migrate online, law enforcement needs more skilled personnel dedicated to fighting cyber crime. at symantec we take new steps to assist victims of botnets and cybercrime, and to aid law enforcement around the world. in the interest of time i will mention they can foist.org, a new online assistance program that we unveiled in april. this site helps cybercrime victims file complaints and understand the investigation process. and in particular i'd like to thank again, senator whitehouse, for your participation in the launch. it's helped many victims of cybercrime. in combating botnets and
8:51 am
cybercrime, cooperation is key, and in the private sector we need to know that we can work with the government and industry partners to disrupt botnets without undue legal barriers. to be clear, i'm not talking about a blank check, but consistent with privacy protections and legal parameters we need to be able to share cyberthreat information and coordinate our efforts quickly. information sharing legislation will go a long way to do this. but it also must address the considerable privacy concerns and must include a civilian agency lead and data minimization requirements for both government and industry. last, the laws governing cybercrime should be modernized. in the u.s. we need to amend laws such as the electronic communications privacy act, cfaa, and others that were written before our modern internet and e-commerce were envisioned. in addition, mutual legal assistance treaties and the process that allows governments to cooperate take far too long to address the real-time nature
8:52 am
of international cybercrime and should be streamlined. as the subcommittee knows so well, we still face significant challenges in our effort to take on botnets and dismantle cybercrime networks. but while there remains much work to be done, we have made progress. at symantec we're committed to improving online security across the globe, and we will continue to work collaboratively with our customers, industry and governments on ways to do so. thank you again for the opportunity to testify today, and i'll be happy to answer any questions you may have. >> thank you for your leadership in this area. i'm going to briefly recess the hearing and then return. we have a vote on the senate floor that started 15 minutes ago, and i have 15 minutes to get there and vote. so i have zero time, but with any luck that means i can get over there, vote, vote on the next vote and then come right back, and then we will be able to proceed in uninterrupted fashion. so please, just relax in place.
8:53 am
8:54 am
and now dr. vixie, we welcome your testimony. please proceed. >> thank you, mr. chairman. thank you for inviting me to testify on the subject of botnets. i am speaking today in my personal capacity based on a long history of building and securing internet infrastructure, including domain name system infrastructure. i'm also here at the behest of the messaging malware and mobile anti-abuse working group, a nonprofit internet security association whose international membership is actively working to improve internet security conditions worldwide. we start by reviewing some successful botnet takedowns in recent years, since they may prove instructive; they are successes, after all. in 2008 the conficker worm was discovered, and by 2009 there were over 10,000 infected computers in this botnet, the largest to that
8:55 am
time. i had a hands-on-keyboard role in operating the data connection and management infrastructure for the takedown team, in which competing commercial security companies and internet service providers, most of which were members of m3aawg, cooperated with each other and with the academic research and law enforcement communities to mitigate this global threat. then in 2011 the u.s. department of justice led operation ghost click, in which a criminal gang headquartered in estonia was arrested and charged with wire fraud, computer intrusion and conspiracy. that botnet included at that time at least 600,000 infected computers, and the mitigation task was made complicated by the need to keep all of these victims online while shutting off the criminal infrastructure the victims depended on. my employer was the court-appointed receiver for the criminals' internet connectivity and resources, and i personally operated the
8:56 am
replacement servers necessary for the takedown. in each of these examples, we see an ad hoc public-private partnership in which trust was established and sensitive information, including strategic planning, was shared without any contractual framework. these takedowns were so-called handshake deals where personal credibility, not corporate governance, was the glue that held it together and made it work. and in each case the trust relationships we formed as members of m3aawg were key enablers for rapid and coherent reaction. each of these takedowns is also an example of modern multilateralism, in which intent, competence and merit were the guiding lights. the importance of multilateralism cannot be overemphasized. we found that when a single company or a single agency or a nation goes it alone in a takedown action, the result has usually been catastrophe, because the internet is richly
8:57 am
interdependent and many of the rules governing its operations are unwritten. the ad hoc nature of these public-private partnerships may seem like cause for concern, but i hope you'll consider the following. first, this is how the internet was built and how the internet works. second, this is how criminals work with other criminals. we would not get far by trying to solve these fast evolving global problems with top down control or through government directives and rules. let me explain what makes this possible. as you yourself pointed out in your opening remarks, a botnet is literally a network of robots, where by robots we mean a computer that has been captured and made to run software neither provided by the computer's maker nor authorized or installed by its owner. every internet connected device has some very complex software. the only hard and fast requirement for any of this software is interoperability,
8:58 am
meaning that it merely has to work. the cost of the internet's spectacular growth -- yeah, sorry. the cost of the internet's spectacular growth is that most of the software we run was not tested. today there's perhaps more assurance that a ul listed toaster oven will not burn down our house than there is that some of our vastly more expensive and powerful internet connected devices are insulated from becoming a tool of online criminals. these are consumer devices in a competitive and fast-moving market, so time to market is often the difference between success and bankruptcy. this is a very brief overview. i'd like to leave you with the following thoughts. number one, the internet is the greatest invention in recorded history, in my opinion, in terms of its positive impact on human health, education, freedom, and on every national economy. number two, the internet is also the greatest invention in
8:59 am
recorded history in terms of its negative impact on human privacy and freedom, as evidenced by the massive and continuing intrusions that have been described here today. number three, our democratic commitment to the rule of law has very little traction on the internet compared to how it works in the real world. the internet is borderless and yet it carries more of the world's commerce every year. number four, takedown of criminal infrastructure including botnets must be approached not just as reactions after the fact but also as prevention by attacking underlying causes. number five, the u.s. department of justice is the envy of the world in its approach to takedowns and its awareness of the technical and social subtleties involved, and i want to give a special nod to a public-private partnership with some strong fbi guys located in pittsburgh. number six and finally, no legislative or regulatory relief is sought in these remarks.
9:00 am
the manner in which government and industry have coordinated and cooperated on botnet takedown efforts has underscored the effectiveness of public-private partnerships as currently practiced in this field. mr. chairman, this concludes my oral statement. thank you for this opportunity to speak before you, and i will be happy to answer your questions. >> thank you very much. finally, dr. spiezle. but before i let you begin your statement, my apology for the mispronunciation earlier. and let me also say that without objection from everybody, complete statements will be made a part of the record, and i appreciate the abbreviated version that allows testimony to proceed expeditiously in the hearing. >> thank you very much. >> i would also thank you for your leadership and focus and
9:01 am
attention to this important topic. my name is craig spiezle. i'm with the online trust alliance. ota is a global nonprofit enhancing online trust and promoting the vitality of the internet. botnets pose a significant risk to governments and businesses. increasingly bots are -- ransomware, driving identity theft, takeovers and holding users and their data hostage. it's important to recognize that fighting bots is not a domestic issue. criminals are leveraging the jurisdictional limitations of law enforcement and often operate with impunity. left unabated they are a significant threat to our infrastructure and our economy. in my brief testimony, i will touch on five key areas -- status of industry efforts, a
9:02 am
holistic anti-bot strategy, the role and issues of a range of public and private efforts. an example is the fcc's communications security reliability and interoperability council, which last year developed an anti-botnet code of conduct for isps. this is the first step, an example of industry's ability to self-regulate. in parallel, the ota multistakeholder efforts brought in leaders throughout the world. as a result we published specific remediation and notification best practices and anti-bot guidelines for hosters and cloud service providers. the initial adoption of these practices is now paying dividends, helping to protect user data and their privacy. fighting botnets requires a global strategy. as outlined here in exhibit a, ota advocates a five-pronged framework: prevention, detection, notification, remediation and
9:03 am
recovery. and within each one of these we've outlined a partial list of tactics which underscores the increased need for collaboration, research and data sharing between both the public and private sectors. at the bottom of this it also points out the role of consumers and education. we need to help them update their devices and also look to how we can educate them on the risks of botnets. as outlined, law enforcement is an important part here as well, and it serves three major functions: disrupting cyber criminals, gathering intelligence and bringing criminals to justice. but law enforcement cannot act on this alone. a trusted partnership is required, and progress has been made with industry leaders including microsoft, symantec and others, but takedowns need to be taken with respect to three major considerations: one, risk of collateral damage; two, errors in identifying targets for mitigation; and three, the importance of respecting users'
9:04 am
privacy. for example, when taking down a web hoster because they have a handful of bad customers there is risk of collateral damage. at the same time service providers cannot hide behind bad actors, and they must take steps to prevent harboring of such criminals. it is important to note anti-abuse and security tactics all run similar risks. the anti-spam community often blocks legitimate senders. web browsers can misidentify phishing sites, and av solutions can mistakenly block downloads. recognizing these possibilities, risk assessment procedures must be preestablished with processes in place to remediate any unintended impact. data sharing has the promise of being one of the most impactful tools in our arsenal, but it must be reciprocal. collaboration is required in all sectors, including retail, financial services and advertising. in this void criminals move from one industry to another, sending malicious spam one day and perpetrating click fraud and malware the
9:05 am
next. the landscape is rapidly evolving, containing perceived obstacles to data sharing. privacy must be the foundation of all fraud prevention and data sharing practices. i believe these can be easily addressed. when data is used and collected for threat detection it should be afforded safe harbor. conversely, industry needs assurances that law enforcement will not use data for any other purposes. as the exhibit outlines, every stakeholder has responsibility, and progress is made, but renewed commitment is required by all stakeholders. as internet of things, mobile, smart grid and wearable technologies become prevalent we need to look beyond the desktop. in summary, it is important to recognize there is no absolute defense. both public and private sectors need to increase investments in data sharing and adopting privacy enhancing practices while providing new approaches to work with law enforcement and expanding international cooperation.
9:06 am
working together we can make the internet more trustworthy, secure and resilient. thank you, and i look forward to your questions. >> thank you very much, mr. spiezle. thank you all. let me start with a question that i will ask each of you for the record, which means if you could provide a written response, and that is, that as you've heard, senator graham and i are working on legislation in this area. as you heard from the first panel, the department of justice and the federal bureau of investigation have a number of suggestions. i'd like to ask you to provide your comments, if any, to the suggestions that have been made so far and add any suggestions you have of your own for this legislation so that we can build a good legislative record to support our proposal going forward. i'm also interested in your thoughts as a layperson. it strikes me that botnets are more dangerous,
9:07 am
that their capabilities are growing. my first exposure to botnets was when they were spam propagators, and then they became distributed denial of service vectors to swamp individual websites. but now they seem to have many additional capabilities, as have been listed in this hearing, right up to and including having people spy on you through your webcam on your computer while going about your business and tracking your keystrokes individually so that they can know your passwords and have access to your accounts. is my lay reading, that botnets are becoming more dangerous or the criminals behind them are learning more dangerous capabilities, a correct one, and what do you think the rate is of that change, if i'm correct? let me start with mr. boscovich. >> yes, senator.
9:08 am
i think the observation is correct. i think we're seeing an ever-changing sophistication on the part of cyber criminals. i would like to point to one particular case which really demonstrates how creative cyber criminals are. in this particular case, which was the bamital case, if my memory serves me correctly one of our industry partners on the case was symantec. the bot herders developed code which took a step backwards. one reason why they did that: technical countermeasures put in place by bing, google and other companies to detect click fraud identified a certain algorithm. they knew that and reduced a certain element of the code. in essence what they did, they changed their code and took one step back to take two steps forward, in such a way that now the user would be using his mouse or her mouse. while he or she thought she was actually clicking or looking for
9:09 am
something, the reality was that they were in fact clicking on ads that the user was not even seeing, that were appearing behind the screen that they were looking at, introducing a certain variation that was consistent with human behavior. so the observation that criminals are in fact always learning, always changing, is an accurate one. i think this example really underscores how sophisticated these cyber criminals are. >> in both dimensions, i mean, in terms of, if you view the botnet as an infrastructure for criminal activity, it is one that has to be maintained and groomed, and they're getting more sophisticated at that. they are also getting more sophisticated at the type of criminal payload, if you will, that they deliver through that botnet as well. is that correct, ms. mcguire? >> that's correct. i think your summary is quite accurate, that these have begun to progress and become much more sophisticated over the last five
9:10 am
years. for example, the type of technology or infrastructure that they are using now, moving from central command-and-control, simple command-and-control servers, to peer-to-peer networks, which are more difficult to take down because of their complexity, is a type of morphing that we're seeing by the cyber criminals to use all avenues at their availability. >> dr. vixie, you mentioned that in the face of this threat prevention was something that we should be looking at, and you used the phrase in your testimony, underlying causes. we should be prepared to address underlying causes that allowed this to occur even before the harm of a particular botnet is made manifest. what did you mean by underlying causes, and what would you recommend, if anything, we do to get ahead of this more by going after those underlying causes as you have defined them? >> i think that the reason
9:11 am
that botnets have gotten stronger is because our computers have gotten stronger. better cpus, more memory, more storage, et cetera. our network has also gotten stronger. so it is possible to get a lot more work done with each computer you steal now compared to five years ago or five years before that. if we wanted to start kicking the dependencies out from under botnets, we would need to somehow address the lack of testing. i mentioned in my written remarks that this last week there was an internet of things device, i think a wireless light bulb, that has a terrible security flaw in it, and i understand how that can happen. i've tried to get things, software products, out the door myself, and it is difficult to say, yeah, let's hold it back another couple weeks while we try to attack it every which
9:12 am
way. what you want to do is get it out there, put it in customers' hands and so forth. that is not going to work. we have got to find a way to test the software the way the bad guys do, do the so-called red team test where you try to break in, and if you can you get some sort of internal prize. we have got to find a way to encourage that. >> electricity was a new technology, and people were trying to get stuff out the door that caught fire if you left it on too long, as you pointed out with respect to the toaster. underwriters laboratories was established to make sure that appliances met basic standards, and as a result toaster fires and things like that have not been a very prominent concern for americans for quite some time. do you think that an equivalent to an underwriters laboratories for the internet is possible, and how would you see it as being overseen? >> i don't think a direct
9:13 am
equivalent is possible. when you're doing this kind of testing you're looking for combinations and permutations of sort of how you set the knobs, what you put in the toaster, other conditions, and, you know, every one of those conditions is a state variable, and the problem is that my laptop has more complexity of that kind than all the computers on the planet had 30 years ago. and so coming up with a direct analog of the way ul tests our electric devices i think is misleading. i think standards in software development, standards in testing, possibly getting away from some of the older programming languages that almost encourage the type of defects that we see in our monthly updates, are going to be better approaches, but i do want to say -- >> can those approaches be administered? >> excuse me? >> how would those proposals be best administered?
9:14 am
through government, through the internet governance system? through a rating that gets, you can advertise you have on your product if you have been through it voluntarily? what is your -- >> in that sense the underwriters laboratory system is perfect because it is voluntary. if you want to sell a device that is not listed, that is up to you. if people would not buy as many, if fewer people want to buy it because it doesn't have that stamp that's up to them. so i think there is room for someone to step into that role but it is not a government role. >> gotcha. and, mr. spiezle, you said that you felt that there were steps that consumers, individuals could take to better acquaint themselves with this threat and to better protect themselves from this threat. what would your recommendations be? it seems like such a giant and complex and very high-tech type of crime and if you're an
9:15 am
innocent user of your own computer going about your own business and doing what you're good at, which may not be anything to do with computers, how can you, what sensible steps should people be thinking about who aren't computer whizzes to defend themselves and their computers? >> i will clarify my point. we all have shared responsibility. not unlike driving a car we need to drive safely. we need to make sure the car is updated and have new tires on it. that was the point there. i think realistically it has limited effect here. these attacks are social engineered. they're drive-bys. by their very nature going to a trusted website that someone types in a url, there can be malicious ads served on them. so it's a shared responsibility but i don't put the faith that that is going to be the solution but it should be one part.
9:16 am
i do want to address one point on your original question about the sophistication and clearly in the technical aspect, clearly the bot masters are more and more sophisticated but also they're more sophisticated now in leveraging big data, data mining capability and analytics. so that adds to the profitability. their ability to use that data, append data from other sources and then in the underground economy makes it very profitable. they have become very nimble. they have become good marketers in a sense and they are learning from business. those are some of the challenges that we must address. >> two final questions. the first is that many of the perpetrators in this area are foreigners and, we're obviously going to work with the department of justice and the federal bureau of investigation to make sure that they have the capabilities that they need to be as strong as they can be in terms of pursuing foreign
9:17 am
criminals. but none of you are involved as law enforcement officials. you're involved representing private companies and organizations and in that sense when you bring a civil action to close down a botnet, you may have civil remedies against individuals overseas that are different than what a prosecutor would be looking at. are there recommendations that you would have as to how we could strengthen overseas enforcement against the individuals and organizations that are running the botnets, that would supplement just technical capabilities to take down the botnets? let me start with you mr. boscovich. >> well, senator, i think obviously as a private company, as you mentioned our main sphere of influence is only using the civil process. even in the civil process once you get default judgments there is actually a procedure where we
9:18 am
could seek to, for example, localize a u.s. judgment overseas. it's a complex and lengthy process. in all of the actions we take with our partners we then go ahead and always refer cases and evidence that are the basis of the information that we arrive at through the civil process to law enforcement. the process that law enforcement uses has been around for quite some time. i believe some of the representatives of doj and fbi were here earlier today and made reference to the process and things of that sort. these are procedures that have been around for a very long time and in terms of how quickly these things could turn around there's always been a question. i could only talk about my experiences when i was at justice, that it does take time to turn these, this information request around. but from the civil perspective, i think -- >> the coordinating country is of two minds as to how much they want to take down this industry? >> that's why the partnership on the private and public partnership is important because what we try to focus on of
9:19 am
course is the immediate cessation of the harm to people on the internet. and to sever that communication, to stop the harm and notify the victims and try to do something to remediate and clean their computers, working through isps and country certs. that is a job we believe we can do well with industry partners and with the government as well. in terms of the criminal side i would have to defer to my former colleagues at the justice department. >> i was thinking more of the civil side and pursuing personal liability and accountability of foreigners who have done harm to your companies. ms. ma geyer, any thoughts on that? >> just this -- mcguire. we have seen reports that gameover zeus, modifications to that particular malware by a new criminal gang or perhaps the original perpetrator who fled to eastern europe, to launch new criminal activity.
9:20 am
this is a kind of thing where if we had a faster, speedier process that we could potentially address these kinds of issues at the speed of the internet as opposed to what i have been told by law enforcement partners can take anywhere from six months to never. and so, those are the kinds of enhancements, modernizations to these international treaties that we really need in order to go after them. >> again you're comfortable relying on the law enforcement process for that and at this point don't have any interest in pursuing civil liability on the part of your private sector companies against foreign individuals to, as a deterrent to recover for the damages that they have caused you? >> most of the activity is on the sharing of information and notification to our international both law enforcement and cert partners so they can take the action they
9:21 am
need within their jurisdictions. >> and, what have each of you seen in terms of the coordination that has been your experience between the private sector and between law enforcement? it has emerged and it seems to me from what i hear to be in a pretty good place right now. there are a number of mechanisms through which the fbi in particular but other federal law enforcement agencies cooperate with the private sector and exchange information and deconflict activities. i think there's been a lot of improvement there but i would like to hear from each of you how close you think we are to what we should be doing and whether there's any specific recommendations you would have. start from this side, dr. spiezle. >> i think we have had great success but i think there is a whole other layer of information-sharing we're not getting today and we need to bring other data sources together so more data should
9:22 am
have sharing between the financial services and certainly we're seeing progress with the fs-isac. we're seeing more breaches in the retail sector. we get data from them. the reason it is important is it is connecting the dots. it is not always from the isps and other sectors. we need to get that and open a dialogue but also that to remove the burden of whether it is antitrust, concerns of privacy or concerns of regulatory authorities coming after them. so how do we open up that dialogue even domestically so we can get a higher level of granularity and telemetry from other data sources. >> dr. vixie? >> so i mentioned in my remarks that the internet is borderless and you mentioned in this question that the criminals are borderless. i think that firmly points to the fact that our solutions have to be borderless. so, i will say, again, ncfta in pittsburgh has a huge
9:23 am
international outreach program. i go in and do some training there of the international law enforcement community every summer but they do it year-round and it's a huge thing because a lot of the other countries where cybercrime is originating right now don't have the capability to train their people locally. they don't necessarily have the budget for tools needed and so forth. so i think, i really want to encourage more outreach of that kind, possibly not just by ncfta but by other u.s. agencies who are leading in the world. i don't have an answer for civil lawsuits. i know that, it can be used if you're trying to get at somebody and you don't know who they are, you can often get a court order using a john doe but it is messy and it hasn't really produced consistent results.
9:24 am
>> ms. mcguire. >> i also echo the ncfta, a terrific organization particularly on the internal front working with industry and law enforcement partners and government agencies but in particular to your question on information sharing and has it gotten better with the fbi and the department of justice we've seen significant improvements frankly over the last two years in our ability to work with them, their responsiveness to the information that we are sharing with them about indicators of compromise. about just the process they are using. as i think i mentioned earlier, gameover zeus we think is the best example so far where they reached out to more than 30 international organizations including industry, government, researchers, isps, brought all of them together so that collectively we could be ready and work the takedown once the
9:25 am
injunctions and appropriate actions were taken. so that's, i think -- >> borderless response to dr. vixie's point. >> borderless response, exactly and i think that's the model we need to work toward the future and we have one now as a proof point for the future. >> mr. boscovich, last thoughts? >> i think deconfliction is one of the key components of a successful private public partnership. in cases such as citadel, gameover zeus and recently the shylock capture operation that went down in europe is a perfect example of public/private partnerships, civil process complementing criminal process, all while stopping the harm immediately, working to help the victims, yet at the same time allowing the criminal side to do what they do best. deterrent effect, going out and arresting individuals. and i think we've come a long way in getting at that sweet spot where we now have an
9:26 am
appropriate mechanism by which we share information, where we deconflict with law enforcement both domestically and internationally to achieve the greatest impact possible in the takedowns. >> thank you very much. a final good word to microsoft, just lawyer to lawyer, you are among the earliest companies, probably all three of you were involved, over the years, a lot of people who were connected to microsoft here, in the first civil takedowns and just as lawyer to read those early complaints, and see the statutory grounds based on very modern, complicated electronic privacy statutes and at the same time, doctrines of english common law that were transplanted to america when we formed our country and that are part of the common law history dating back to the 1400s side by side as a separate count, it was, must
9:27 am
have been a lot of fun. it was terrific legal work and had a wonderful effect so i compliment you on it and i assume you would want, you know, we're legislators. so we think about legislating. like the story about the hammer. every solution that a hammer sees requires a nail and so we tend to think in terms of new and amended statutes but i gather you would want to make sure that we left room for traditional common law remedies to maintain themselves as a part of the repertoire here and to allow the natural development that the common law permits. is that fair to say? >> absolutely, senator. one of the beauties behind the common law system, its ability to adapt constantly to new facts and what we're looking at here is a threat which is constantly adapting. something that is always moving, always morphing and the beauty
9:28 am
behind common law and trespass, chattels, tortious interference of contractual relationship these are theories we can use over and over again and a part of a system that at its core is able to adapt quickly. so yes, i think that, i would love to see the standard common law principles remain intact as we tackle these. having said that, it doesn't mean there is not always room for improvement in both present statutes and potentially even new statutes. we would gladly take a look at any type of amendment or proposed legislation, congress and yourself would have to give our comments so you could have the best insight possible from us at least. >> certainly when they came upon trespass upon chattels, it was well before anybody had an inkling there could be an internet. that certainly has been a lag doctrine. let me thank all of the witnesses for this hearing. i appreciate very much your input. i look forward to responses to the questions for the record.
9:29 am
i think that we have a very strong bipartisan group of senators who are very interested in this, interested in coming up with legislation that can pass and help you all in your pursuits to protect our economy and your clients and your companies from the kind of attack we are seeing largely from overseas. so, godspeed to you all in your work. thank you very much for what you've done and for your testimony today. and we will keep the record open for, one week? one week for anybody who cares to add anything to the record and for those questions for the record, and with that we are adjourned. >> live now to the floor of the u.s. senate where members open the day with a debate on a judicial nomination for the
9:30 am
eastern district of missouri. later this afternoon, work on a bill related to birth control and health care. a procedural vote to move forward on the legislation is scheduled for 2:10 p.m. eastern. live now to the u.s. senate here on c-span2. the presiding officer: the senate will come to order. the chaplain, dr. barry black, will lead the senate in prayer. the chaplain: let us pray. eternal god, we worship you for your loving kindness, truth and faithfulness sustain us. though you are high, you respect the lowly.
9:31 am
so today infuse our senators with the spirit of lowliness and humility. give them the wisdom to know that you give grace to the humble, but oppose the proud. may their humility bring them that reverential awe that leads to honor and life. lord, help them to remember that america's greatness comes not from the swagger of might, but from the lowliness of that righteousness which exalts any nation. guide our lawmakers with your
9:32 am
wisdom and uphold them with your might. we pray in your sacred name. amen. the presiding officer: please join me in reciting the pledge of allegiance to the flag. i pledge allegiance to the flag of the united states of america and to the republic for which it stands, one nation under god, indivisible, with liberty and justice for all. the presiding officer: the clerk will read a communication to the senate. the clerk: washington d.c, july 16,2014. to the senate: under the provisions of rule 1, paragraph 3, of the standing rules of the senate, i hereby appoint the honorable edward markey, a senator from the commonwealth of massachusetts,
9:33 am
to perform the duties of the chair. signed: patrick j. leahy, president pro tempore. mr. reid: mr. president? the presiding officer: the majority leader. mr. reid: i move to proceed to calendar number 459, s. 2578, protect women's health from corporate interference. the presiding officer: the clerk will report. the clerk: motion to proceed to calendar number 459, s. 2578, a bill to ensure that employers cannot interfere in their employees' birth control and other health care decisions. mr. reid: there are two bills at the desk due for second reading, mr. president. the presiding officer: the clerk will read the titles of the bills for the second time. the clerk: s. 2609, a bill to restore states' sovereign rights to enforce state and local sales and use tax laws, and for other purposes. h.r. 5021, an act to provide an extension of federal aid highway, and so forth and for other purposes. mr. reid: i would object to any further proceedings regarding these bills at this
9:34 am
time. the presiding officer: objection having been heard, the bill will be placed upon the calendar. mr. reid: mr. president, following my remarks and those of the republican leader the senate will proceed to executive session to resume consideration of the nomination of ronnie white to be united states district judge. the debate will be until 10:15. senators grassley, cornyn and shaheen will control ten minutes of that time. senator mccaskill will control any remaining time. at 10:15 -- we moved the time up and i appreciate very much the cooperation of the republicans, because this is so, so one of our senators can attend the funeral of one of his best friends. we're not going to extend the time past 10:15. in light of that, mr. president, i'm not going to give any statement today. if cloture is invoked we'll have a 12:20 vote. upon disposition of the white nomination the senate will proceed to 2578, protect women's health from corporate
9:35 am
interference with the time until 2:10 p.m. to be controlled by the leaders or their designees. at 2:10 the senate will proceed to invoke cloture on the motion to proceed to 2578, i ask unanimous consent the time between 3:30 and 4:30 be under republican control and the time between 4:30 and 5:30 p.m. be controlled by the majority. the presiding officer: without objection. mr. reid: there will be an all senators briefing this afternoon to address the child and adult migration from central america to the southwest border.
9:36 am
mr. mcconnell: mr. president? the presiding officer: the republican leader. mr. mcconnell: members of congress don't always see eye to eye on everything. that's fairly obvious. there are often strong and principled disagreements about taxes, the size and scope of government, obamacare, foreign policy; you name it. but let's be clear, when it comes to decisions about contraception, both parties believe a woman should be able to make her own decisions. now, some on the other side would like to pretend otherwise. they think they can score political points and create divisions where there aren't any by distorting the facts. and that's why there are
9:37 am
increasingly outlandish claims, claims a fact checker describes as -- quote -- "simply wrong" just keep getting debunked. even worse, our friends on the other side are now on record as saying that we should pretend the freedoms -- we should protect the freedoms of some while stripping away the freedoms of others. well, republicans continue to insist that we can and should be in the business of protecting everyone's rights. we think that instead of restricting america's religious freedoms, congress should instead work to preserve a woman's ability to make contraception decisions for herself. and the legislation senators ayotte, fischer and i filed yesterday would do that. the preserving a woman's religious freedom will verify an
9:38 am
employer cannot block an employee from legal access to her f.d.a.-approved contraceptives. it is a commonsense proposal. it reaffirms that we can both preserve america's long tradition of tolerance and respect for people of faith while at the same time preserving a woman's ability to make her own decisions about contraception. our bill would also ask the f.d.a. to study whether contraceptives could be made available to adults safely without a prescription. and it would allow women to set aside more money in their flexible spending accounts so they can cover out-of-pocket medical expenses, many of which are skyrocketing under obamacare. so if democrats are serious about doing right by women, if they're not just interested in stoking divisions in an election year, then they should get on board with our legislation. that's a start. and then they can work with us to undo the damage that their policies like obamacare have
9:39 am
already caused to millions, millions of middle-class women. research shows that american women make about 80% of the health care decisions for their families. yet, thanks to obamacare, millions of women lost the health insurance plans they had and they liked, causing enormous disruptions in their lives and in the lives of their families. when women first spoke out about the betrayal they felt when they lost their plans, washington democrats said their plans were junk, or worse, that they were lying because democratic politicians thought they knew better than all of these people we were hearing from. it was insulting to many, including one constituent who wrote me from woodford county. she described herself as a lifelong professional who shopped hard for a policy that she liked and wanted to keep. here's what she said after
9:40 am
washington's democratic policies overruled her own personal choice of a plan. "the president has referred to my type of policy as substandard. in fact, it's a good product for people in my situation. it appears that the president does not understand personal finance and does not trust americans to choose products that are good for them. he also does not appreciate people like me who are willing to accept personal responsibility for a large part of my own routine medical expenses." she's not the only one who feels this way and she's not the only one who's been hurt by obamacare. as a result of obamacare, too many women now have fewer choices of doctors and hospitals. as a result of obamacare, millions of americans -- nearly two-thirds of them women -- are now at risk of having their hours and their wages reduced. as a result of obamacare, married women can face penalty taxes just for working.
9:41 am
as a result of obamacare and other changes by the obama administration, a woman on medicare advantage could see her benefits reduced by more than $1,500 a year. and thanks to obamacare, millions of women have had their flexible spending accounts limited and can no longer use tax-preferred medical savings to purchase all the medications they use. a wrongheaded policy that the bill we introduced yesterday seeks to address. but that's just a start. washington democrats need to work with us to pass real health reform, actual patient-centered reform that won't hurt women the way obamacare does. because we've seen the letters from our constituents, letters like the one i received from a woman in mount sterling who says obamacare did more than just cause her premiums to nearly double. it might make her medications unaffordable as well. i'm on three medications, and
9:42 am
two years ago the co-pay was $60 for each, she said. "now my medications are costing me a little over $700 a month." that's not fair. it's not right. and this is just the kind of challenge both parties should be working together to address. so let's do away with the false choices. let's focus on actually helping women instead. let's work together to boost jobs, wages and opportunity at a time when women are experiencing so much hardship as a result of this administration's policies. republicans have been asking washington democrats to do all of this for years now. it's about time they started showing they really care. a senator: mr. president? the presiding officer: under the previous order, the leadership time is reserved. under the previous order, the senate will proceed to executive session to consider the following nomination, which the clerk will report.
9:43 am
the clerk: nomination, the judiciary, ronnie l. white of missouri, to be united states district judge for the eastern district of missouri. the presiding officer: under the previous order, the time until 10:15 a.m. will be controlled as follows: ten minutes for the senator from iowa mr. grassley, ten minutes for the senator from texas mr. cornyn, ten minutes for the senator from new hampshire mrs. shaheen, and any remaining time under the control of the senator from missouri, mrs. mccaskill. mrs. shaheen: mr. president? the presiding officer: the senator from new hampshire. mrs. shaheen: mr. president, i ask unanimous consent that fellows in my office annie dreesen and lamenta tafara be granted floor privileges for the remainder of the 113th congress. the presiding officer: without objection. mrs. shaheen: thank you. mr. president, i ask to speak as if in morning business. the presiding officer: without objection. mrs. shaheen: thank you. i am here today to express my
9:44 am
concerns with the supreme court's recent decision in the hobby lobby case and the steps that we're taking hopefully this week to protect a woman's right to make her own health care decisions. and i want to thank senators murray and udall for their leadership on this issue and for introducing the not my boss's business act. i appreciate hearing from the republican leader about their interest in supporting women's access to contraceptive care, and i hope that's something that we can all agree on. but the issue here is not direct -- it's not just access to that care. it's the cost of that care. and when you charge women more for contraceptive coverage, then you are denying them access to that care. the legislation that's been introduced by senators murray and udall that i'm a cosponsor of will prevent employers from being involved in an employees'
9:45 am
health care decisions and it will reverse the supreme court's decision. throughout my career in office, i have fought to ensure that women have access to important contraceptive services and that women are able to make their own decisions about their health care with their doctors and with their families. in 1999 when i was governor of new hampshire, i signed into law a bipartisan bill that required insurance companies to cover prescription contraceptives, the issue that we are debating right now. i signed that law with strong bipartisan support because both republicans and democrats knew that it was the right thing to do, and in fact that legislation passed in the new hampshire house with 121 democratic votes and 120 republican votes and two independents. and that law passed in 1999 has now provided thousands of new hampshire women with the ability to access the medications that
9:46 am
they and their doctors decide are right for them because they have that insurance coverage to pay for those medications. the affordable care act also established that women would have access to prescription contraceptive services with no co-pays, just like new hampshire did in 1999. and you know, it's interesting we're having this debate about religious objections. back in 1999, the legislature appointed a committee to look at whether there were any religious concerns about what we had done, and they came back and reported that this was not an issue. a recent analysis by the department of health and human services reports that because of the affordable care act, more than 30 million women are now eligible to receive preventative health services, including contraception with no co-pays. in fact, since 2013, women have
9:47 am
saved nearly $500 million in out-of-pocket costs because of the a.c.a.'s requirement to cover contraceptive care. the supreme court's decision has a real financial bearing on women and their families throughout the country, because this ruling will have a profound impact on the health and economic security of women throughout this nation. as noted by justice ginsburg in her dissent in the hobby lobby case, when high cost is a factor, women are more likely to decide not to pursue certain forms of health care treatments that involve contraceptive care. and there are many reasons why a doctor may decide to prescribe contraceptives for a woman's health needs. contraceptives can be used to treat a broad range of medical issues. hair loss, endometriosis, acne, irregular menstrual cycles.
9:48 am
contraceptives have also been shown to reduce the risk of certain cancers. but just a few weeks ago, the supreme court jeopardized that access to affordable preventative health care for too many women. as a result of the hobby lobby case, some employers now have the ability to claim religious objections as a justification for not providing contraceptive health care with no co-pays. i understand the host of issues that employers face on a daily basis, and i appreciate the complexities that they face when they decide to offer health insurance coverage to their employees. for example, take jane ballier who owns hermanos mexican restaurant in concord, new hampshire. i recently had the opportunity to sit down with jane and to discuss the hobby lobby case. jane made it clear that while she has many choices and decisions to make on a daily
9:49 am
basis to keep her business running, she never expected to be put in a position where she could be responsible for making a health care decision for her employees at the restaurant. and like jane, i don't think it makes sense for employers to make those personal, private health care decisions for their employees. critical health decisions are simply not an employer's business. where a woman works should not determine whether she gets insurance coverage that has been guaranteed to her under federal law. and while we don't yet know the full extent of the impact from this ruling, we do know that the supreme court's decision turns back progress that women across the country have fought for years to achieve. we must ensure that women have access to the health care services and medications they need, and that means making them affordable. that they are able to make their own decisions about their care with their doctors and their
9:50 am
families. thankfully, we have an opportunity this week to correct the supreme court's shortsighted decision. this week, the senate can stand up for women and pass the not my boss' business act. a woman's health care decisions should be made with her doctor, with her family, with her faith, not by her employer with her employer's faith. i urge my colleagues to support this bill, and i yield the floor. thank you, mr. president. mr. grassley: mr. president? the presiding officer: the senator from iowa. mr. grassley: later on, we're voting on a judge for the eastern district of missouri, and i come to the senate floor today to explain why,
9:51 am
regrettably, i'm unable to support the nominee. as my colleagues know, justice white was originally nominated by president clinton during the 105th congress, and this body voted on and rejected his nomination in 1999. after careful consideration of his record, i voted against justice white's nomination at that time. since 1999, justice white completed a term as chief justice of the missouri supreme court and has returned to private practice, so today i'd like to revisit a few aspects of justice white's legal and judicial career that first led me to vote against his nomination, and i will also discuss developments since 1999.
9:52 am
unfortunately, his record since that time has only reinforced my concerns. first, i begin with some troubling aspects of justice white's record during his days on the missouri supreme court in the 1990's. i only need to point to a few cases to illustrate concerns. in 1998, johnson case, justice white -- in the 1998 johnson case, justice white was the sole dissenter on the state high court, and it was a capital appeal case involving a claim of ineffective assistance of counsel. the case was heartbreaking. the defendant shot four people to death, three missouri sheriffs and one of the sheriff's wives. the facts were stark and very clear cut.
9:53 am
this was not a close case. the defendant was convicted based upon overwhelming evidence of his guilt. now, justice white conceded that there was more than sufficient evidence to sustain the conviction on appeal, but he went out of his way to create a standard that wasn't based on missouri law when he evaluated the conduct of the defense attorney. unsurprisingly, not a single member of the state court agreed with justice white's dissenting opinion. that's because it was obvious there was no reasonable probability that anything the defense attorney did would have changed the outcome of the trial. that's the applicable legal standard.
9:54 am
it's straightforward, very straightforward, and in that case, every member of the state supreme court applied it correctly except justice white. unfortunately, justice white's dissent in that case was not an isolated example. on a number of other occasions throughout his judicial career, justice white misapplied standards of review or considered issues that were not germane to the law when he was deciding cases. justice white has even admitted as much. discussing his judicial philosophy, he said in 2005 that he thinks it's appropriate for judges to let their opinions be -- quote -- shaped by their own life experiences, end of quote. i think the personal characteristics of any judge,
9:55 am
what this nominee calls his --quote, unquote -- own life experiences, should play absolutely no role whatsoever in the process of judicial decisionmaking. i know that my colleagues on our judiciary committee share that view as well. and let me get back to the nominee's judicial track record. justice white was a sole dissenter in another case that the missouri supreme court decided in 1997. that case raised the question of whether the defendant was entitled to additional evidentiary hearing. in his dissent joined by none of his colleagues, justice white again ignored a straightforward standard of review and wrote that the defendant should have the hearing because justice
9:56 am
white thought it would cause --quote, unquote -- little harm. here again, we see justice white's personal preferences creeping into what should be objective, law-based decisionmaking. something pretty elementary to being a judge at any level, federal or state in our system of jurisprudence. so those are just two examples of what led me after consideration of the nominee's record as a whole to vote against his nomination in 1999. unfortunately, my concerns about justice white's first nomination have only been reaffirmed by his subsequent record. for instance, i'm troubled by justice white's concurrence in the eighth amendment case of roper versus simmons.
9:57 am
that case was first heard by the missouri supreme court, was appealed to the supreme court and was eventually affirmed. but the affirmative is not what my colleagues should focus on. we should -- what should concern my colleagues is the opinion that justice white concurred in, which ignored binding supreme court precedent, and that precedent was the stanford versus kentucky case, so i will explain. in 2003, when justice white's court decided roper, binding supreme court precedent at that time permitted applying the death penalty to individuals if they committed their crimes when they were under 18. nonetheless, justice white concurred in the state court's opinion that simply ignored that precedent.
9:58 am
justice white concurred -- concurred even though the supreme court had reaffirmed the stanford principle twice in 2002, the year before justice white's state court's decision. moreover, in 2003, the supreme court rejected an appeal raising legal arguments that were identical to the ones that justice white endorsed. that's the very same year that justice white's court ruled in roper and ignored stanford outright. now, my colleagues on our judiciary committee often ask nominees about their commitment to supreme court precedent and the faithfulness to the doctrine of stare decisis. nominees who appear before us
9:59 am
repeat the mantra that they will unfailingly apply precedent and nothing else. in other words, leave personal views out. justice white did as much at his hearing as well, but -- and this is what i find so troubling -- when i asked him about the stanford case, he admitted that stanford was, in fact, binding on his state court at the time he concurred in roper. what he didn't explain and what he couldn't explain was why he ignored that binding precedent as a state supreme court justice. he couldn't explain why he thought it was appropriate for him to concur in a state court opinion that in effect overruled u.s. supreme court precedent. i don't doubt that justice white has always done what he thought was right and that he ruled the way he thought best to achieve justice for the litigants before him, but in my view, that's not
10:00 am
an appropriate role for a federal district judge. judicial decisionmaking requires a disinterested and objective approach that never takes into account the judge's life experiences or policy preferences. and from the careful look that i've taken at justice white's 13-year track record as a judge, i just have too many questions about his ability to keep his personal considerations separate from his judicial opinions. finally, it's worth noting that there continues to be opposition to this nominee from law enforcement. specifically, both the national sheriffs association and the missouri sheriffs association oppose this nominee. i always try to give judicial nominees theen