tv Key Capitol Hill Hearings CSPAN July 16, 2014 1:00am-3:01am EDT
1:00 am
constraints across all the different programs. in the six states, they are working to integrate across the data systems, first starting with those discharge papers, then if it is an unemployed veteran receiving unemployment insurance, to be able to get those systems to talk to each other, and then you have the educational institutions that have their own record-keeping process. that's probably the number one challenge that these states have identified. it is hard to identify who the unemployed veterans are in the states. iowa and nevada, where you are doing work in this area over the past few years, that barrier still exists. if there is a way to bring together those systems and
1:01 am
better integrate those data systems, that will be a major step towards improving the services. the second barrier is getting postsecondary institutions to set up bridge programs that will allow the military experience to be recognized -- and any training and education that was received in the military can be recognized so this -- these programs can be shortened for veterans. there is an effort by community colleges, the main educational institutions that are working in this area -- part of the problem is they are concerned there won't be enough demand for the program once it is put up. the other is there is a lot of complexity.
1:02 am
another one is raising awareness among licensing boards. this is of particular concern in the health area because of concerns about making sure the quality standards are met, loosening requirements may lower the quality standards and, in the medical area, that is a major concern. it is also looking at options for training programs. partnership is one. in iowa, you are trying to increase the apprenticeship programs across different and raising awareness with the licensing boards. the fourth one is measuring costs. because of the data comparison issues, it is difficult to track costs and to be able to identify where there can be cost savings
1:03 am
or where there are duplicate of costs in the systems. those are four major challenges that these six states have identified. i'm going to stop there because the governors have already talked about some of the innovations in their states. i will turn it over to you. be very brief. this was a great session. pleased to serve on the advisory committee. we are able to take a lot of the states' innovations directly into the administration. this is not about legislation. it is about working together. the department of defense, the department of education -- at the federal level, they are working hard to break down their silos, just as the states have done. from the state standpoint, it is about telling the story you are telling here and making sure it translates.
1:04 am
the most important thing over the next six months is that nga, through both the center for best practice and the office of federal relations, will do a survey of all the states, the benefits being provided to veterans, and try to get an inventory of all these programs, put them in one place, so our federal and state partners have them, our business partners have them. everybody is interested. this is a win, win, win. information is king. our federal advocacy will be about putting that information together so we can act. >> thank you very much. we appreciate everybody's efforts. we should also note that we are getting done early. unless you want ash are you ok? understand of all -- governor sandoval, on behalf of nga, we represent -- we thank the states for being here.
1:05 am
we want to successfully compete. this is one of the areas where the demand is high and the challenge is real but our successes are also measurable and very real for the families involved and our country. thank you for your involvement today. [applause] [captions copyright national cable satellite corp. 2014] [captioning performed by national captioning institute]
1:57 am
1:58 am
director for cyber crime testified about the agency's efforts to dismantle and disrupt cyber criminal networks. this hearing of the senate judiciary subcommittee on crime and terrorism is an hour and 35 minutes. >> i call this hearing of the judiciary subcommittee on crime and terrorism to order and thank everyone for being here. i have the permission of my ranking member to get under way. he will be joining us shortly, but allowing for opening statements and so forth. i think it's probably the best way to do this to simply proceed and get under way. today's hearing is entitled
1:59 am
taking down botnets, public and private efforts to disrupt and dismantle cyber criminal networks. we are going to be hearing testimony about these botnets and about the threat that they pose to our economy, to our personal privacy, and to our national security. a botnet is a simple thing. it's a network of computers connected over the internet that can be instructed to carry out specific tasks. the problem with botnets is typically the owners of those computers don't know that they are carrying out those tasks. botnets have existed in various forms for well over a decade, and they are now recognized as a weapon of choice for cyber criminals, and it is easy to see why. a botnet can increase the computing resources at a hacker's disposal exponentially
2:00 am
all while helping conceal the hacker's identity. a cyber criminal with access to a large botnet can command a virtual army of millions, most of whom have no idea that they have been conscripted. botnets enable criminals to steal individuals' personal and financial information, to plunder bank accounts, to commit identity theft on a massive scale. for years botnets have sent most of the spam that we all receive. the largest botnets are capable of sending billions of spam messages every day. botnets are also used to launch distributed denial of service or ddos attacks which can shut down websites by overwhelming them with incoming traffic. this is a constant danger for businesses in every sector of
2:01 am
our economy, but we have seen this strategy used against everything from businesses to sovereign nations. the only limit to the malicious purposes for which botnets can be used is the imagination of the criminal who controls them. and when a hacker runs out of uses for a botnet, he can simply sell it to another criminal organization to use for an entirely new purpose. it presents a virtual infrastructure of crime. let's be clear, the threat from botnets is not just a threat to our wallets. botnets are effective weapons not merely for those who want to steal from us, but also for those who wish to do us far more serious harm. experts have long feared that the next 9/11 may be a cyber attack. if that's the case, it is likely that a botnet will be involved.
2:02 am
simply put, botnets threaten the integrity of our computer networks, our personal privacy, and our national security. in recent years the government and the private sector have launched aggressive enforcement actions to disrupt and to disable individual botnets. the techniques used to go after these botnets have been as varied as the botnets themselves. many of these enforcement actions use the court system to obtain injunctions and restraining orders utilizing innovative legal theories, combining modern statutory claims under statutes such as the computer fraud and abuse act with such ancient common law claims as trespass to chattels.
2:03 am
in 2011 the government obtained for the first time a court order that allowed it to seize control of a botnet using a substitute command and control server. as a result, the fbi launched a successful takedown of the core flood botnet freeing 90% of the computers core flood had infected in the united states. microsoft, working with law enforcement, has obtained several civil restraining orders to disrupt and in some cases take down individual botnets, including the citadel botnet which was responsible for stealing hundreds of millions of dollars. and earlier this year the justice department and the fbi working with the private sector and law enforcement agencies around the world obtained a restraining order allowing them to take over the game over zeus botnet.
2:04 am
this action was particularly challenging because the botnet relied on a decentralized command structure that was designed to thwart efforts to stop it. each of our witnesses today has played a role in efforts to stop botnets. i look forward to learning more about these and other enforcement actions and the lessons that we should take away from them. we must recognize that enforcement actions are just one part of the answer, so i'm interested in hearing also about how we can better inform computer users of the dangers of botnets and what other hygiene steps we can take to address this threat. my hope is that this hearing starts a conversation among those dealing day to day with the botnet threat and those of us in congress who are deeply concerned about that threat. congress, of course, cannot and should not dictate tactics for fighting botnets. that must be driven by the expertise of those on the front lines of the fight, but congress
2:05 am
does have an important role to make sure there is a solid legal foundation for enforcement actions against botnets and clear standards governing when they can occur. we must also ensure that botnet takedowns and other actions are carried out in a way that protects consumers' privacy. all while recognizing that botnets themselves represent one of the greatest privacy threats that computer users face today. they can actually hack into your computer and look at you through your web cam. and we must make sure that our laws respond to a threat that is constantly evolving and encourage, rather than stifle, innovation to disrupt cyber criminal networks. i look forward to starting this conversation today and to continuing it in the months ahead. i thank my distinguished ranking member for being such a terrific
2:06 am
colleague on these cyber issues. we hope that a good piece of cyber botnet legislation can emerge from our work together. i thank you all for participating in this hearing and for your efforts to protect americans from this dangerous threat, and before we hear from our witnesses, i'll yield to my distinguished ranking member, senator lindsey graham. >> thank you, mr. chairman. i just want to acknowledge your work on this issue and everything related to cyber threats. there is no stronger, clearer voice in the senate than sheldon whitehouse in terms of the threats we face on the criminal front and the terrorist front that come from cyber misdeeds, and congress is having a difficult time organizing ourselves to combat both threats, but to make sure this is not an academic exercise, i guess it was last year, it might have even been a bit longer, but the department of revenue in south carolina was hacked into by -- we don't know all the details, but a criminal enterprise that stole
2:07 am
thousands -- millions of social security numbers and information regarding companies' charters, revenue, and that's required the state of south carolina to purchase protection. i think it was a $35 million per year allocation to protect those who had their social security numbers stolen we believe by a criminal enterprise. it happened in south carolina. it can happen to any company, any business, any organization in america, and our laws are not where they should be so the purpose of this hearing is to gather information and hopefully come out and be a friend of law enforcement. so senator whitehouse, you deserve a lot of credit in my view about leading the effort in the united states senate if not the congress as a whole in this issue. thank you. >> i'm delighted to welcome our administration witnesses. before we do, his timing is perfect, senator chris coons has joined us. and yields on making an opening statement.
2:08 am
let's go ahead to the witnesses. the first witness is leslie caldwell, the head of the criminal division at the department of justice and was confirmed on may 15th, 2014. she oversees nearly 600 attorneys who prosecute federal criminal cases across the country. she has dedicated most of her professional career to handling criminal cases having served as the director of the enron task force and as a federal prosecutor in new york and california. after her testimony, we'll hear from joseph demarest who is the assistant director for the fbi's cyber division. he joined the fbi as a special agent in 1988 and has held several leadership positions within the bureau serving as, for instance, head and assistant director of the international operations division and as the assistant director in charge of the new york division.
2:09 am
he was appointed to his current position in 2012, and i have to say that i have had the chance to work very closely with mr. demarest and i appreciate very much the energy and determination he has brought to this particular arena of combat against the criminal networks of the world and look forward to his testimony. let me begin with assistant attorney general caldwell. >> ranking member graham, and senator coons, thank you for the opportunity to discuss today the justice department's fight against botnets, and i particularly want to thank the chair for holding this hearing and for his continued leadership on these important issues. the threat from botnets defined in simple terms as networks of hijacked computers surreptitiously infected with malicious software or malware which are controlled by an individual or an organized group for criminal purposes has increased dramatically over the past several years. criminals are using state of the
2:10 am
art techniques, seemingly drawn from science fiction movies to take control of thousands or even hundreds of thousands of victim computers or bots. they can then command these bots to do various things as senator whitehouse indicated. they can flood an internet site with junk data, they can knock it offline by doing that, they can steal banking credentials, credit card numbers, other personal information, other financial information, send fraudulent spam e-mail, or even spy on unsuspecting computer users through their web cams. botnet attacks are to undermine americans' security and to steal from unsuspecting victims. if left unchecked, they will succeed in doing so. as cyber criminals have become more sophisticated over recent years, the department of justice working through highly trained prosecutors at the computer crime and intellectual property section of the criminal division, the national security division of the justice
2:11 am
department, u.s. attorneys offices across the country and the fbi and other law enforcement agencies, we have likewise adapted and advanced our tactics. as one example, in may of this year the u.s. attorney for the western district of pennsylvania and the fbi in partnership with other federal and private sector organizations disrupted the game over zeus botnet and indicted a key member of that group that operated that botnet. until its disruption, game over zeus was widely regarded as the most sophisticated criminal botnet in existence worldwide. from 2011 to 2014, game over zeus infected between 500,000 and 1 million computers. and it caused more than $100 million in financial loss. put simply, the bot master stole personal information from victim computers and with the click of a mouse used that stolen information to empty the bank accounts and rob small businesses, hospitals, and other
2:12 am
victims by transferring funds from the victims' accounts to the criminal's own accounts. they used it to install cryptolocker, a type of malware known as ransomware installed on infected computers and it enabled these computers to encrypt key files and charge them a ransom for the release of their own files. in the short period between their emergence and their action, it infected more than 260,000 computers worldwide. the department's operation began with a complex investigation. it continued through the department's use of a combination of court authorized criminal and civil legal process to stop infected computers from communicating with one another and with other servers around the world. the investigation and operation ultimately permitted the team not only to identify and charge one of the leading perpetrators but also to cripple the botnet and to stop the ransomware from functioning.
2:13 am
moreover, the fbi was able to identify victims and working with the department of homeland security, foreign governments, and private sector partners was able to facilitate the removal of malware from many victim computers. as we informed the court last week, at present the game over zeus botnet remains inoperable and out of the criminals' hands. game over zeus infections are down 30% and cryptolocker remains nonoperational. as the successful operation demonstrates, we are employing investigative tools that congress has given us to protect our citizens and businesses. we've leveraged our strengths by partnering with agencies all over the world and in the private sector. if we want to remain effective in protecting our citizens and businesses, however, our laws and resources must keep pace with the increasingly sophisticated tactics and growing numbers of our adversaries. our adversaries are always adapting, so must we. in my written statement i describe several legislative proposals and resource increases that will assist the department
2:14 am
in its efforts to counter this threat. these proposals include an amendment to the computer fraud and abuse act and several other proposals. we look very much forward to working with the committee to address these issues. we also need additional resources at the department to continue to disrupt botnets including hiring new attorneys as indicated in my statement. thank you again for the opportunity to discuss our work in this area and i look forward to answering any questions you might have. >> thank you, assistant attorney general caldwell and now mr. demarest. director demarest. >> good afternoon, chairman whitehouse, ranking chair member, senator graham, and senator coons. thank you for holding this hearing, chairman whitehouse, and i look forward to discussing the progress the fbi has made on campaigns to disrupt and disable our significant botnets that you know that we target. cyber criminal threats pose a very real risk to the economic security and privacy of the
2:15 am
united states and its citizens. the use of botnets is on the rise. industry experts estimate botnet attacks have resulted in the overall loss of millions of dollars from financial institutions and other major businesses. they also affect universities, hospitals, defense contractors, government, and even private citizens. the weapons of a cyber criminal are tools, like botnets, which are created with malicious software that is readily available for purchase on the internet. criminals distribute this malicious software also known as malware that can turn a computer into a bot. when this occurs, a computer can perform automated tasks over the internet without any direction from its rightful user. a network of these infected computers is called a botnet, as you pointed out. botnets can be used for organized criminal activity, covert intelligence collection, or even attacks on critical infrastructure. the impact of this global cyber threat has been significant. according to industry estimates, botnets have caused over $9 billion in losses to u.s.
2:16 am
victims and over $110 billion in losses globally. approximately 500 million computers are infected each year translating into 18 victims per second. the fbi with its law enforcement partners and private sector partners to include the panel of distinguished presenters today from microsoft, symantec, farsight, has had success in taking down a number of large botnets, but our work is never done and by combining the resources of government and the private sector and with the support of the public we will continue to improve cyber security by identifying and catching those who threaten it. due to the complicated nature of today's cyber threat, the fbi has developed a strategy to systematically identify enterprises and individuals involved in the development and support of schemes impacting the u.s. systems. the complete strategy involves a holistic look at the entire cyber underground ecosystem and all facilitators.
2:17 am
the fbi initiated an aggressive approach to dismantle threatening the u.s. economy and our national security. the initiative coined "operation clean slate" is spearheaded by the fbi. our national cyber investigative joint task force with a host of u.s. partners with dhs and private sector. it is a comprehensive public/private network. targeting the bot infrastructure at the same time that coders or those responsible for creating them. this initiative incorporates all facets of the usg, international partners, u.s. financial sector and other stakeholders. again, point out dell secureworks is one of the main and we talked about game over zeus.
2:18 am
operation clean slate has three objectives. to degrade the information of victims, to increase the cost of doing business and causing concern of action against them. just a brief description of the successes of late. december 2012, the fbi disrupted an organized crime ring related to butterfly botnet which stole credit card information, bank account and other personally identifiable information. the butterfly botnet comprised of more than 11 million computer systems and resulted in over $850 million in losses. the fbi along with international law enforcement partners, executed numerous search warrants, conducted interviews and arrested ten individuals from bosnia and croatia, new zealand, peru, united kingdom and the united states. all of this not possible without doj's ccips in particular. in june 2013, again, the formal debut of "operation clean slate" the team with microsoft and
2:19 am
financial service industry leaders disrupted the citadel botnet and facilitated unauthorized access to computers of individuals and financial institutions to steal online banking credentials, credit card information, other pii. citadel was responsible for the loss of half a billion dollars over a thousand citadel domains seized accounting for more than 11 million victim computers worldwide. building on that success of the disruption of citadel, in december 2013, the fbi and europol with microsoft and again the operation clean slate team and other partners disrupted zeroaccess botnet responsible for more than 2 million computers infected and targeting search results on google, bing and yahoo! and estimated to cost online advertisers $2.7 million each month. again, in april 2014, the team investigative efforts resulted in the indictments of nine
2:20 am
members of the enterprise and conspiracy that infected computers known as zeus or jabber zeus a malware that captured passwords, account numbers and other information necessary to log on to online banking accounts. the conspirators allegedly used the information captured to steal millions of dollars of account holding victims of bank accounts. later, june, 2014, yet another operation by the clean slate team announced a multinational effort to disrupt the game over zeus botnet, the most sophisticated ever used. this effort to disrupt it involved an impressive cooperation with the private sector, namely dell secureworks and international law enforcement. game over zeus is extremely sophisticated type of malware designed to steal banking and other credentials from
2:21 am
computers it infects. in the case of game over zeus, primary purpose is to capture banking credentials and initiate or redirect wire accounts to overseas controlled by the criminals. losses attributed estimated to more than $100 million. much like the fbi's other investigative priorities and programs, our focus impacting the leaders of the criminal enterprises and terrorist organizations we pursue. we are focusing the same effort on the major cyber actors behind the botnets. we remain focused on defending the united states against the threats and welcome the opportunity like the one today to discuss our efforts. we are grateful for the committee's support and yours in particular, senator whitehouse, and we look forward to working closely with you as we continue the aggressive campaigns against our botnets. >> thank you very much. assistant director demarest, has
2:22 am
to be millions of botnets throughout? >> yes. >> one could say so many botnets, no little time. so given that, what are your factors for prioritizing which ones to go after through the clean slate program or just generally? >> so by operation of clean slate for private sector and government and then prioritize the most egregious botnets in the wild we know about so working with not only government, dhs being principal and friends in the intelligence community, but also, i'll say in the private sector, microsoft being chief, and looking across, you know, the world and those botnets that are seemingly causing the most damage, economic damage or other means or potentially physical damage and then prioritizing those and then developing a campaign about going after not only the infrastructure but the actors behind that botnet or those botnets. >> assistant attorney general caldwell, one of the -- this predates you, but i've had some
2:23 am
concerns based on my time in the department of justice as a u.s. attorney about the way in which the department has responded to the botnet threat. i think you're doing a, you know, a good job, but there's cultural divide sometimes between the criminal prosecutors and the civil attorneys for the government. these cases to take down the botnet tend to be civil cases in nature so i've worried a bit about the extent to which it's instinctive on the part of criminal prosecutors to think that that's a lesser task and a lesser pursuit than what they are doing and whether that gets in the way of adequately pursuing the civil remedies that shut these botnets down. the second is that when the core flood take down took place, it
2:24 am
appeared to me that that was kind of an ad hoc group of very talented group of people brought together to address themselves to core flood and succeed at taking it down but once the operation was complete they went back to their individual slots around the country and the effort was dispersed. i think that the botnet problem is a continuing one. i think as soon as you strip out as mr. demarest said, some of the worst offenders, others pop up into the next most wanted botnet slot and i'm interested first in how you're making sure that this is prioritized despite the civil nature of the legal proceeding that cures the botnet problem, that strips it out of the system and what you've done to try to establish a permanent, lasting institutional presence for taking down botnets without
2:25 am
having to reassemble teams each time a botnet rears its head as a target. >> thank you, senator. i think that the game over zeus operation is a perfect example of how we see this going forward. although i wouldn't dispute that there are some criminal assistant u.s. attorneys who may think that the civil attorney has a less exciting job. we don't see it that way. the civil component as you indicate is a very critical part of this. but there are different ways to approach botnets. they're all different as you indicated earlier. in game over zeus we used a combination of civil and criminal authorities and i think that's, again it isn't one size fits all but i think that's likely what we'll continue to see in the future. as you know the leading perpetrator of that particular botnet was indicted criminally
2:26 am
and the civil injunctions were obtained at the same time. it was very carefully coordinated. there's a lot of communication between the civil prosecutors who are handling the injunction paper work and the criminal prosecutors who were -- it was really all one team, so i think the civil tool's a very important tool and we expect to continue to use it. there are some holes in that tool. right now, we are permitted to get a civil injunction against fraud and civil injunction against wiretapping but as you indicated in your opening remarks, botnets are not always engaged in wiretapping and fraud and we'd like to see an amendment to the statute to permit injunctions in other circumstances in which we see botnets operating. then on the issue of the institutional knowledge, the computer crime intellectual property section is really -- it really is the receptacle, that's a bad word but where the knowledge is based. the computer and intellectual
2:27 am
division had a headquarters component, field components and institutional knowledge of botnets. so if one prosecutor leaves, the knowledge isn't going to leave. we coordinate regularly with the fbi and there's a lot of coordination, there's a lot of coordination with the computer hacking intellectual property network in the u.s. attorney's offices and there is an institutional base of knowledge about botnets so -- >> in a nutshell you feel right now that that task has been adequately institutionalized in the department that there will be continuity and persistence rather than ad hoc efforts? >> yes. and i think that although they weren't as prominent, there were at least a half dozen other botnet takedowns in the last couple of years between core flood and game over zeus so there's definitely -- it's definitely a priority and a focus and there's a lot of knowledge among the prosecutors and their counterparts at the fbi about the botnets, and they will keep coming and we will keep attacking them. >> yeah. i yield to my ranking member but
2:28 am
my impression was that some of those were sort of sporadic and ad hoc takedowns that appeared in individual u.s. attorney's offices and not necessarily consistent with a continuing, lasting, persistent presence stripping down one botnet after another and i'm glad you've gotten to where you have gotten so thank you. senator graham? >> are you the eliot ness of botnets? >> i think he's the eliot ness of botnets. >> okay. you try to deter the behavior, make people think if i do this i'm going to get caught. and if i get caught, bad things are going to happen. what do you think the deterrence is like right now, mr. demarest? >> i think it's significant now and maybe in years past maybe not so much and traveled and felt they can take some actions with impunity and we're finding today with the actions, enforcement acts, successful, we're causing impact and see
2:29 am
that in other collection, them talking amongst each other and concern about traveling now which is a way of containing some of the threats that we see, individuals today. >> what nation states do we need to worry about in terms of being involved in this activity? >> i would say nation states of eurasia principally. the criminal actors come from that part of the world. >> are they reliable partners, the nations, the governments? >> we're opening dialogue i will say on that front. i think you would find with some of our russian counterparts in law enforcement are a bit more agreeable but as, you know, any new relationship, i think in especially in this space, we're working toward improving them. >> if it's possible, maybe by the end of the year could you provide the committee with a list of the countries you think are good partners? and the list of countries you think have been resistant? >> yeah. easily done.
2:30 am
based on our activities and working with the countries we do work with. >> once we identify them, maybe we can change their behavior. there's all kinds of ways of getting people's attention. was this a problem five years ago? how long has this been a problem? >> this has existed for years. and probably we're just now, you know, this is the tip of the iceberg and i think as we get more sophisticated, internal u.s. government, seeing and being able to identify -- >> what made us aware of it today more than say, five years ago? consequences? >> consequences, victim reporting. major losses occurring to private industry. >> is there any end to this? how far can these people go? >> they'll keep on going. as you can see, each bot will evolve. we take actors off. malware will change. we see a complete evolution. but again, we're actually placing at least there's a price to pay for actually engaging in
2:31 am
this activity now. >> are terrorist organizations involved this? >> we track them very closely. i would say there's an interest but much further than that, senator graham, probably a different setting we could give you a further briefing. >> ms. caldwell, on the civil-criminal aspect of this, what are the couple things that you would like congress to do to enhance your ability to protect our nation? i mean, i'm sure you have this written down somewhere but just for the average person out there listening to this hearing, what are the couple of things you would like to see us do? >> well, one is one i already mentioned which is -- >> my phone off? >> changing the civil injunction ability to have the capability to enjoin botnets other than those engaged in fraud and wiretapping because there are, for example, direct denial of service attacks. we can't get an injunction against that. we would like to do this. >> we need to increase penalties? >> that's an interesting question, senator. and i think that we've been
2:32 am
seeing increased penalties being imposed by courts. so -- >> i mean statutorily, do we need to change any statutes to make this bite more? >> i'll defer to ms. caldwell, but -- i'll defer to you. >> yeah. i think that the maximum sentences under most of the statutes are adequate. i don't think we need any kind of mandatory minimums because we have been seeing judges imposing sentences around the seven, eight, nine-year range which i think is a substantial sentence. there are a couple other things we would like to see that right now there's no law that covers the sale or transfer of a botnet that's already in existence. and we've seen evidence that a lot of folks sell botnets. they rent them out. and we'd like to see a law that addresses that. one other thing which is a little bit off point but i think is still relevant to botnets is we -- right now there's no law
2:33 am
that prohibits the overseas sale of u.s. credit cards unless there's an action taken in the united states or unless money's being transferred from overseas to the united states and we see credit card -- situations where people have millions of credit cards from u.s. financial institutions and never set foot in the united states. that's currently not covered by the existing law. >> you could steal my credit card information from overseas and basically be immune. >> correct. unless you transferred proceeds of the scheme back to the united states. >> okay. one last question here. when it -- when they basically seize your computer, hijack your computer and the information contained therein, they actually hold -- i mean, they ask -- they make a ransom demand? how does that work? >> under crypto locker, what happened and i'm certainly not a technical expert so jump in. you would be on the computer and see something on the screen that told you the files were
2:34 am
encrypted and would be unless you paid a ransom and within "x" hours and if you didn't the files would be deleted. >> and a payment made but bitcoin or whatever established venue is they expect the payment within a given amount of time and if not it's encrypted. >> do people pay? >> they do. >> what's the biggest payout you have seen? >> well, all things involved, crypto locker and crypto wall now and a major concern of paying in excess of probably $10,000 but they're focused now more on major concerns, businesses. and entities as opposed to single victims. >> is that extortion under our law? >> yes. >> so you don't need to change that statute? >> no. the problem is, though, that as with a lot of these cyber crimes, most of the people engaged are overseas. >> thank you. >> let me recognize senator
2:35 am
coons who's been interested and dedicated to this topic and home state is energized on the topic because the delaware national guard actually has a cyber wing that's active and one of the best cyber national guard detachments in the country. i say one of the best because rhode island has one, too. senator coons? >> thank you very much. thank you chairman and senator graham. you're great and effective leaders on this issue. to the point raised by the chairman, given the persistency of this threat, given the trajectory, its scope, its scale and the resources that you're having to deploy in order to take down these botnets and in order to break up the criminal gangs, is it acceptable, is it possible for us to deal with this threat with a federal law enforcement response alone? do we need a partnership from state and local law enforcement? i assume the answer is yes. how are we doing it? delivering an integrated capability, federal, state and local, first, second? what kind of capabilities do
2:36 am
businesses and individuals, does the private sector and citizens have and what are we doing to help scale up that? because the resiliency of our country, the ability to respond to the threats as we all know much as it is with natural disasters or with terrorism threats, requires a sort of everybody engaged response that engages our private sector, engages entrepreneurs and engages state and local and federal law enforcement. >> sure. thank you, senator coons. we have cyber task forces throughout the offices, 56 out there. each office is engaging at the local level to bring state and local authorities aboard. net defenders from the organization they represent. very difficult with resources constrained at the state and local level and appreciating what the threat is.
2:37 am
ing operation well spinning is defrauding the elderly and bringing an investigator or officer on board or analyst. we work closely with them to foster or develop the skill in this area working cyber crime. it's worked well in the initial offices in salt lake city, with the utah department of public safety. and down in dallas with some of the local department of dallas police department. we have a long way to go in that space and for them to fully appreciate the threats today facing the public or the citizens they're responsible for. on the private sector, we have worked far and wide and somewhat limited in force and now focused on those priority sectors if you will most threatened. but we have found time and time again the most threatened and most vulnerable are small to medium-sized business owners with one single person that's responsible for internet security or cyber security and insurance and the like and how to target the band and bring them aboard?
2:38 am
we had health care, representatives from the health care industry in the headquarters working through what that relationship would look like with health care and we focused on energy, telecommunications and the like over the past two years and now how do we broaden that effort out? >> implicitly from the reference to health care, as we go to electronic medical records, we have data for cyber criminals to go after. ms. caldwell? >> yes. i think -- i'm sorry. i think any online database is vulnerable. some obviously have more security protections than others. and as you indicated, senator coons, the health care databases have a lot of sensitive personal information so we've seen i know in some of the botnets that we have seen over the years including if i'm not mistaken game over zeus some of the victims were hospitals so that's a very serious area of concern we're concerned about. >> one other question.
2:39 am
as senator whitehouse referenced, we have squadrons of the national guard. they've stood up and grown and developed this national guard capability which takes advantage of the fact that we have a fairly sophisticated financial services community. we have credit card processing and as a result there's a lot of fairly capable and sophisticated online security and financial services security professionals who can then also serve in a law enforcement and national security first responder context through the national guard. what lessons do you think we could learn from that partnership, that collaboration in our two home states and lead us to a better scale-up of the needed federal workforce to respond to and deal with the law enforcement challenges? >> there's a treasure trove of skill in the guard and reserve forces. we participated, actually hosted
2:40 am
at the fbi academy the cyber guard exercise for 2014. a lot of -- we brought personnel in from around the field, at least 50 from the local cyber task forces and local guard units in. great capability there. our director along with deputy director had a meeting with the cyber command, osd and joint staff to better correlate or corroborate in the space. tomorrow we have another meeting with the commanders at my level to put it in place with reserve and guard units. admiral rogers held a meeting up at nsa recently to talk through what that looks like and working with cyber command, the guard forces and reserve forces. and what skills they bring, how that may assist the fbi in our operations and also training opportunity that we can leverage with one another. >> terrific. thank you for your testimony. i look forward to hearing more of the development of the partnership and thank you for your leadership in this area, senator whitehouse.
2:41 am
>> well, i'll let you two go. i'm sure we could ask you questions all afternoon. this is such a fascinating and emerging area of criminal law enforcement. i appreciate very, very much the work that you do and i want you to pass on to attorney general holder my congratulations for the dedication that he's brought to this pursuit, particularly as exemplified by the game over zeus take down and indictment of the chinese pla officials, those were both very welcomed steps and i'm looking forward to seeing more criminal prosecution of foreign cyber hackers. i think the opening gambit with the indictment was terrific. congratulations to you both. thank you for your good work, and we'll release you and call the next panel forward.
2:42 am
all right. thank you all so much for being here. this is a really terrific private sector panel on this issue and i'm grateful that you have all joined. i'll make the formal introductions right now of everyone and then go right across with your statements. our first witness is going to be richard boscovich who is the assistant attorney general counsel on microsoft's digital crimes unit. a position where he developed the legal strategies used in the
2:43 am
take downs and disruptions of several botnets including the citadel, zeus and zeus access botnets. he previously served for over 17 years at the department of justice as an assistant u.s. attorney in florida's southern district with the property unit. hearing from cheri mcguire from symantec corporation, one of the cyber security providers in this country. she is responsible for the global public policy agenda and government engagement strategy including cyber security data integrity, critical infrastructure protection and privacy. before she joined symantec in 2010, she was director of critical infrastructure and cyber security in microsoft's trustworthy computing group and before that at department of homeland security including as acting director and deputy director of the national cyber security division and the u.s.
2:44 am
cert. then we'll hear from dr. paul vixie, chief executive officer of farsight security which is a commercial internet security company. he previously served as the chief technology officer for above net, an internet service provider, and the founder and ceo of maps, the first anti-spam company and as the operator of the fdns root name server. he is an author and was the maintainer of bind, a popular open source system for 11 years. and he was recently inducted into the internet hall of fame. finally, i will hear from craig spiezle, executive director, founder and president of the online trust alliance. he -- online trust alliance encourages best practices to help protect consumer trust and he works to protect the vitality and innovation of the internet. prior to founding the online
2:45 am
trust alliance, he worked at microsoft again, the fraternity, where he drove development of anti-spam, anti-phishing, anti-malware and privacy enabling technologies, on the board of the identity theft council and appointed to the fcc's communication security reliability and interoperability council and a member of the partnership between fbi and the private sector and experienced and knowledgeable witnesses and let me begin with richard boscovich. we're so glad you're here. thank you. >> chairman whitehouse, ranking member graham and members of the committee, i'm richard boscovich, assistant general counsel. thank you for the opportunity to discuss microsoft's approach to fighting and detecting botnets. we also thank you for your leadership in focusing attention to this complicated and important topic. botnets are groups of computers remotely controlled by hackers without knowledge or consent
2:46 am
of the owners, enabling criminals to steal information and identity, disrupt networks and distribute software and spam. i'll describe how microsoft fights botnets, disrupting the tools and carefully designs these operations to protect consumers. to understand the devastating impact of botnets, we can look at how they affect one victim. consider in use power. a chef in the united kingdom found a warning she could not access the files unless she paid a ransom within 72 hours. when she failed to meet the deadline, all of her photos, financial accounting information and other data were permanently deleted. all this was caused by a botnet. she later told the reporter, if someone had robbed my house, it would have been easier. indeed, botnets conduct the digital equivalent of home invasions but on a massive scale. botnet operators quietly hijack
2:47 am
web cams to spy on people in their homes and then sell photos of the victims on the black market. they use malicious software to log every key stroke including credit card numbers, social security numbers, work documents and personal e-mails. they send messages designed to appear as though they were sent by banks. microsoft has long partnered with other companies and agencies to battle malicious cyber criminals such as those who operate botnets. we do not and cannot fight them alone. as the title of the series suggests, fighting botnets requires efforts from the public and private sector. we will work with companies to work with agencies to dismantling them that have cost billions in worldwide economic damage. i join efforts democratic that
2:48 am
partnerships are highly effective at combatting cyber crime. problems as complex as botnets -- microsoft is simple. we aim for your wallets. we disrupt them by underlying their ability to profit from their attacks. microsoft draws on our deep technical and legal expertise to conduct operations pursuant to court approved procedures. in general term, microsoft asked to serve the command and control structure of the most destructive botnets. this breaks the connection between the botnets. traffic generated is either disabled and rerouted to control. now, privacy is a fundamental value. when we execute an operation, we
2:49 am
are required to work within the bounds of the court order. we never have access to e-mail or other content of victim communications from other infected computers. instead, microsoft receives the ip addresses to identify the victims. we give domestic addresses to internet providers in the united states so they can alert their customers. we give the rest of the computer response teams referred to as certs. the owners are then notified of the infection and offered assistance in cleaning their computers. microsoft is working to protect millions of people and their computers against malicious cyber criminals. this has led to the disruption of some of the most menacing threats. cyber criminals continue to evolve their tactics. they keep developing new sophisticated tools to profit
2:50 am
from the online chaos they create. we remain committed to working with other companies and law enforcement to disrupt them and make the internet a more trusted and secure environment for everyone. thank you for your time, senator and i am happy to answer any questions you may have. >> chairman, thank you for the opportunity to testify today. i'm especially pleased to be here with you again to focus attention on botnets and cyber crime. as the largest security software company in the world, symantec products much makes, but botnets -- and the uses for them are only limited by the imagination of the bot masters. these are range to bitcoin
2:51 am
mining. bot masters rent out their botnets as well as using them for stealing passwords or other confidential information, which is then sold to other criminals. until now, they have all been networks of infected laptops and desktop computers. however in the past few years, we have seen botnets made up of mobile devices and we expect that the coming of things will bring thing bots, ranging from appliances to home routers to video recorders and who knows what else. taking down a botnet is complex and requires a high level of expertise, but despite this, law enforcement and the private sector working together have made significant progress in the past several years. symantec worked to bring down the zero access botnet at 1.9 million. is a good example of how
2:52 am
coordination can yield results. zero access was designed for bit fraud. with an estimated impact of tens of millions of dollars lost per year and the electricity alone to run that cost as much as $560,000 per day. one year ago today, symantec began to sinkhole zero access infections, which resulted in the detachment of more than half a million bots, which meant that he could no longer receive commands. another win came last night. as part of this effort, symantec works in a coalition to provide insights. as a result, authorities were able to seize a large portion of the criminal's infrastructure.
2:53 am
in our view, the approach used was the most successful to date and should serve as a model for the future. a group of more than 30 international organizations from law enforcement, the security industry, academia, researchers and isps all cooperated to collectively disrupt this botnet. this successful model should be repeated in the future. while zero access and game over zeus were successes, there were more criminal rings operating today. unfortunately, just not enough resources. as you said, so many botnets, so little time. as criminals migrate online, law enforcement needs more personnel dedicated to fighting cyber crime. we take numerous steps to assist the victims and to aid law enforcement around the world. in the interest of time, i will
2:54 am
mention victimvoice.com. a new program we unveiled in april. this site helps victims file complaints and understand the investigation process and in particular, i'd like to thank you again for your support and participation in that launch. it's helped many victims of cyber crime. in combatting victims, cooperation is key and the private sector we need to know that we can work with government and industry partners to disrupt them without undue legal barriers. privacy preks, we need to share cyber threat information and coordinate our efforts quickly. information sharing legislation will go a long way to do this. but it must address the consider privacy concerns and must include a civilian agency lead and minimization requirements.
2:55 am
last, the law governing cyber crime should be modernized. in the u.s., we need to amend laws such as the electronic communications privacy act and cfa and others that were written before our modern internet was envisioned. in addition, mutual legal treaties and their process that allows governments to cooperate take too long and should be streamlined. as this subcommittee knows so well, we still face challenges in our efforts to take down botnets and dismantle cyber crime networks. but while there remains much work to be done, we have made progress. we are committed to committing online security across the globe and we will continue to work with our customer, industries to do to. thank you for the opportunity so. >> thank you.
2:56 am
thank you for your leadership in this area. i'm going to briefly recess the hearing and then return. we have a vote on the senate floor that started 15 minutes ago and i have 15 minutes to get there and vote, so i have zero time, so i can get over there and vote, then come back and we'll proceed in uninterrupted fashion. relax in place. probably is going to be five to ten minutes and we'll resume. thank you.
2:57 am
fines paid which are important. >> all right. the hearing will come back to order. i appreciate everybody's courtesy while i got those two votes done. and now dr. vixie we welcome your testimony. we welcome you here. please proceed. >> thank you, mr. chairman. thank you for inviting me to testify on the subject of botnets. i am speaking today in my personal capacity based on a long history of securing infrastructure, most here at the messaging malware and anti-abuse working group
2:58 am
whose international membership is working to improve the security condition worldwide. we start by reviewing some successful botnet takedowns in recent years. they may prove instructive as they are successes. in 2008, the conficker worm was discovered. i had -- competing commercials security companies. members cooperated with each other to mitigate this global threat. then in 2011, the u.s. department of justice led operation ghost click, in which a criminal gang in estonia was arrested, charged with wire fraud and conspiracy.
2:59 am
while shutting off the criminal infrastructure the victims depended on. my employer was the court-appointed receiver for the criminals internet connectivity and resources. i personally prepared, installed and operated the replacement servers necessary for that takedown. in each of these examples, we see an ad hoc public/private partnership in which trust was established and sensitive information, including strategic planning was shared without any contractual framework. these takedowns were so-called handshake deals. where personal not government heft was the glue that made it work. in each case the trust relationships we had performed were key enablers in which intent, competent and merit were the guiding lights. the important cannot be
3:00 am
overemphasized. we have found that when a single company or agency or a nation goes it alone in a takedown action, the result has usually been catastrophe. the ad hoc nature of these public/private partnerships may seem like cause for concern, but i hope you'll consider the following. first, this is how the internet was built and how the internet works.