IWS - The Information Warfare Site
News Watch Make a  donation to IWS - The Information Warfare Site Use it for navigation in case java scripts are disabled

U.S. Secret Service


Testimony of Mr. James A. Savage, Jr.

Deputy Special Agent in Charge-Financial Crimes Division




The House Committee on the Judiciary

Subcommittee on Crime

U.S. House of Representatives


June 12, 2001



Mr. Chairman, members of the subcommittee, thank you for the opportunity to address the subcommittee regarding federal law enforcement efforts in combating cyber crime, and particularly the efforts of the Secret Service in this regard.


The Secret Service fights cyber crime as part of our core mission to protect the integrity of this nation’s financial payment systems.  This role has evolved from our initial mandate to suppress the counterfeiting of currency upon our creation in 1865.  Since this time, modes and methods of payment have evolved and so has our mission. Computers and other "chip" devices are now the facilitators of criminal activity or the target of such.  The perpetrators involved in the exploitation of such technology range from traditional fraud artists to violent criminals - all of whom recognize new opportunities and anonymous methods to expand and diversify their criminal portfolio. 


In this era of change, one constant that remains is our close working relationship with the banking and finance sector.  Our history of cooperation with the industry is a result of our unique responsibilities and status as an agency of the Department of the Treasury.  We believe that protection of the banking and financial infrastructure is our "core competency" area.  As an agency, we seek to manage and apply our investigative resources in the most efficient manner possible for the benefit of our banking and finance customers.


Mr. Chairman, there is no shortage of information, testimony, or anecdotal evidence regarding the nature and variety of cyber-based threats to our banking and financial infrastructures and the need to create effective solutions.  There is, however, a scarcity of information regarding successful models to combat such crime in today’s high tech environment.  That is where the Secret Service can make a significant contribution to today’s and future discussions of successful law enforcement efforts to combat cyber crime.


The Secret Service has found a highly-effective formula for combating high tech crime - a formula that has been successfully developed by our New York Electronic Crimes Task Force.  While the Secret Service leads this innovative effort, we do not control or dominate the participants and the investigative agenda of the task force.  Rather, the task force provides a productive framework and collaborative crime-fighting environment in which the resources of its participants can be combined to effectively and efficiently make a significant impact on electronic crimes.  Other law enforcement agencies bring additional criminal enforcement jurisdiction and resources to the task force while representatives from private industry, such as telecommunications providers, for instance, bring a wealth of technical expertise.


Within this New York model, established in 1995, there are 50 different federal, state and local law enforcement agencies represented as well as prosecutors, academic leaders and over 100 different private sector corporations.  The wealth of expertise and resources that reside in this task force coupled with unprecedented information sharing yields a highly mobile and responsive machine.  In task force investigations, local law enforcement officers hold supervisory positions and representatives from other agencies regularly assume the lead investigator status.  These investigations encompass a wide range of computer-based criminal activity, involving e-commerce frauds, intellectual property violations, telecommunications fraud, and a wide variety of computer intrusion crimes.


Since 1995, the task force has charged over 800 individuals with electronic crimes valued at more than $425 million.  It has trained over 10,000 law enforcement personnel, prosecutors, and private industry representatives in the criminal abuses of technology and how to prevent them.  We view the New York Electronic Crimes Task Force as the model for the partnership approach that we hope to employ in additional venues around the country in the very near future.


An important component in our investigative response to cyber crime is the Electronic Crimes Special Agent Program (ECSAP).  This program is comprised of approximately 175 special agents who have received extensive training in the forensic identification, preservation, and retrieval of electronically stored evidence.  Special Agents entering the program receive specialized training in all areas of electronic crimes, with particular emphasis on computer intrusions and forensics.  ECSAP agents are computer investigative specialists, qualified to conduct examinations on all types of electronic evidence, including computers, personal data assistants, telecommunications devices, electronic organizers, scanners and other electronic paraphernalia.


The Secret Service ECSAP program relies on the 4 year-old, Treasury-wide Computer Investigative Specialist (CIS) initiative.  All four Treasury law enforcement bureaus - the Internal Revenue Service, Bureau of Alcohol, Tobacco and Firearms, U.S. Customs Service and the U.S. Secret Service -- participate and receive training and equipment under this program.


All four Treasury bureaus also jointly participate in curriculum development and review, equipment design and distribution of training assets.  As a result, financial savings by all Treasury bureaus are realized due to economies of scale.  Additionally, agents from different bureaus can work together in the field in an operational capacity due to the compatibility of the equipment and training.  In the end, the criminal element suffers and the taxpayer benefits.


Because of the recognized expertise of those in ECSAP, other law enforcement agencies regularly request training from the Secret Service or advice concerning their own computer forensics programs.  These requests have come from agencies all across the country, as well as foreign countries such as Italy and Thailand.  The Secret Service recognizes the need to promote international cooperation and remains proactive in the dissemination of information to law enforcement agencies, both domestically and internationally, regarding program initiatives and current financial and electronic crimes trends.


Mr. Chairman, we are committed to working closely with our law enforcement counterparts worldwide in response to cyber crime threats to commerce and financial payment systems.  This commitment is demonstrated by the Secret Service’s effort to expand our overseas presence.  We currently have 18 offices in foreign countries and a permanent assignment at Interpol, as well as several overseas initiatives.  Recently, new offices have been opened in Frankfurt, Lagos, and Mexico City.  The Secret Service is also considering opening new offices in Bucharest and New Dehli.  Our expanded foreign presence increases our ability to become involved in foreign investigations that are of significant strategic interest.


In addition to providing law enforcement with the necessary technical training and resources, a great deal more can be accomplished in fighting cyber crime if we are able to harness additional resources that exist outside government in the private sector and academia. The Secret Service believes there is value in sharing information during the course of our investigations with both those in the private sector and academia who are devoting substantial resources to protecting their networks and researching new solutions.  On occasion the Secret Service has shared case-specific information derived from our criminal investigations after taking appropriate steps to protect privacy concerns and ensure that there are no conflicts with prosecutorial issues.  I would further add that there are many opportunities for the law enforcement community to share information with our private sector counterparts without fear of compromise.  The Secret Service recognizes the need for a "paradigm shift" with respect to this type of information sharing between law enforcement and our private sector and academic counterparts.


Finally, law enforcement in general is not sufficiently equipped to train the masses nor can it compete with academic institutions of higher learning in the area of research and development.  However, our partnerships with industry and academia have demonstrated that this should be an integral part of the solution.


Partnerships are a very popular term in both government and the private industry these days and everyone agrees that there is great benefit in such an approach.  Unfortunately, however, partnerships cannot be legislated, regulated, or stipulated.  Nor can partnerships be purchased, traded or incorporated.  Partnerships are built between people and organizations who recognize the value in joint collaboration toward a common end.  They are fragile entities which need to be established and maintained by all participants and built upon a foundation of trust.


The Secret Service, by virtue of the protective mission for which we are so well known, has always emphasized discretion and trust in executing our protective duties.  We learned long ago that our agency needed the full support and confidence of local law enforcement and certain key elements of the private sector to create and maintain a successful and comprehensive security plan.  Furthermore, we are also keenly aware that we need to maintain a trusted relationship with our protectees so that we can work with them and their staffs to maintain the delicate balance between security and personal privacy.


This predisposition towards discretion and trust naturally permeates our investigative mission where we enjoy quiet successes with our private sector partners.  We have successfully investigated many significant cases with the help of our private sector partners such as network intrusions and compromises of critical information or operating systems.  In such cases, even though we have technical expertise that is second to none, we still rely on our private sector counterparts to collaborate with us in identifying and preserving critical evidence to solve the case and bring the perpetrator to justice.  Equally important in such cases is conducting the investigation in a manner that avoids unnecessary disruption or adverse consequences to the victim or business.  With the variety of operating platforms and proprietary operating systems in the private sector, we could not accomplish these objectives without the direct support of our private sector counterparts.


In fact, in one recently completed complex investigation involving the compromise of a wireless communications carrier’s network, our case agent actually specified in the affidavit of the federal search warrant that representatives of the victim business be allowed to accompany federal agents in the search of the target residence to provide technical assistance.  This is unprecedented in the law enforcement arena and underscores the level of trust we enjoy with those we have built relationships with in the private sector.  It is also indicative of the complexity of many of these investigations and serves to highlight the fact that we in law enforcement must work with private industry to be an effective crime fighting force.  In approving this search warrant, the court recognized that in certain cases involving extraordinarily complex systems and networks, such additional technical expertise can be a critical, and sometimes imperative, component of our investigative efforts.


I must point out, however, that such cases are usually not publicized without the express consent of the U.S. Attorney and the corporate victim because it would breach our confidential relationship and discourage the victims of electronic crimes from reporting such incidents.


Four recently-concluded investigations demonstrate the breadth of cases the Secret Service is working, and provide concrete evidence of the continuing success of ECSAP.  The cases include the malicious shutdown of a medical service provider’s communications system, an intrusion into a telecommunication provider’s network, an attack on a private investment company’s trading network, and the disruption of a financial institution’s complete operating system and communications network.


The first case was initiated on March 5, 2001, when a local Secret Service field office received information that a medical diagnostic service provider had suffered a catastrophic shutdown of its computer network and communications system.  The company reported that they were unable to access doctor schedules, diagnostic images, patient information, and essential hospital records, which adversely affected their ability to provide care to patients and assist dependent medical facilities.


Within a matter of hours, a Secret Service ECSAP agent was able to regain control of the network by coordinating with the facility’s system administrator to temporarily shutdown and reconfigure the computer system.  The ECSAP agent also essentially "hacked" into the compromised system, and modified compromised password files to "lock out" the attacker.  This was accomplished while maintaining control of the computer system log files containing evidence of how the intrusion had occurred. 


Using this evidence, a federal search warrant was obtained for the residence of a former employee of the hospital, who had recently been terminated from his position as system administrator.  Computer equipment was seized pursuant to the warrant, the suspect admitted to his involvement, and federal computer fraud charges are pending.


A case with obvious critical infrastructure implications was initiated on February 20, 2001, when two major wireless telecommunications service providers notified the New York Electronic Crimes Task Force that they had identified two hackers in different remote sites who were attacking their systems.  These hackers were manipulating the systems to obtain free long distance service, re-route numbers, add calling features, forward telephone numbers, and install software that would ensure their continued unauthorized access. 


The level of access obtained by the hackers was virtually unlimited, and had they chosen to do so, they could have shut down telephone service over a large geographic area, including "911" systems, as well as service to government installations and other critical infrastructure components. 


On March 20, 2001, the Secret Service simultaneously executed search warrants in New York City and Phoenix and computer equipment was seized at both locations.  One suspect was arrested on federal computer fraud charges, while the other suspect was questioned and released pending a decision by the Department of Justice as to whether or not to pursue federal charges.


The third case occurred from March 9, 2000, through March 14, 2000, when a company located in New York, NY, received several Internet-based "denial of service" attacks on its servers.  A "denial of service" attack occurs when a perpetrator launches malicious programs, information, codes, or commands to a target or victim computer which causes a degradation of service or shutdown, thereby denying access by legitimate customers to those computers.  In this instance, the company was a prominent provider of electronic trading services on Wall Street. 


While the attacks were still occurring, the company’s CEO contacted the Secret Service’s New York Electronic Crimes Task Force.  The CEO identified a former employee as a suspect, based upon the fact that the attacks preyed on vulnerabilities which would only be known to the former employee.  These attacks continued through March 13, 2000, when ECSAP agents and task force members identified the attacking computer and arrested the former employee for violating Title 18, USC, Section 1030 (Computer Fraud).  In a post-arrest statement, the suspect admitted that he was responsible for the denial of service attacks.  As a result of the attacks, the company and its customers lost access to trading systems.  Approximately $3.5 million was identified in lost trading fees, commissions, and liability as a result of  the customers’ inability to conduct any trading.


The last case began just two weeks ago when a financial institution notified local police who in turn notified the local office of the Secret Service, that its entire banking and communications network had been shut down.  The institution reported that it was severely crippled, as it had no access to electronic data used in support of its ATMs, banking transactions, employee payroll and all other critical functions.  Working with the local police and the bank’s technical staff, a former employee emerged as a suspect and electronic evidence was developed that strongly indicated his involvement.  The suspect was promptly interviewed by agents and police in which he admitted to disabling the bank’s system and "hacking" an unrelated database in his attempts to exact revenge upon the bank CEO.  Federal charges are pending.


Let me relate the Secret Service’s mission in fighting cyber crime to the bigger picture of critical infrastructure protection.  As previously stated, we target cyber crime as it may affect the integrity of our nation’s financial payment and banking systems.  As we all know, the banking and finance sector comprises a very critical infrastructure sector and one which we have historically protected and will continue to protect.  In this context, our efforts to combat cyber assaults which target information and communication systems which support the financial sector are part of the larger and more comprehensive critical infrastructure protection scheme.  The whole notion of infrastructure protection embodies an assurance and confidence in the delivery of critical functions and services that in today’s world are increasingly interdependent and interconnected.  To put this all in perspective, the public’s confidence is lost if such delivery systems and services are unreliable or unpredictable regardless of the cause of the problem. 


We also recognize that our unique protective responsibilities, including our duties as the lead federal agency for coordinating security at National Special Security Events, demand heightened electronic security awareness and preparation.  A well-placed cyber attack against a weak technology or support infrastructure system can render an otherwise sound physical security plan vulnerable and inadequate.


Mr. Chairman, it should also be noted that all deliberate infrastructure attacks, before they rise to such a threshold, are also cyber crimes and are likely to be dealt with initially by law enforcement personnel, both federal and local, in the course of routine business.  In fact, I don’t believe there is universal agreement as to when a "hack" or network intrusion rises to the threshold of an infrastructure attack and corresponding national security event but we would all probably recognize one when it reached catastrophic proportions.


Given this continuum and interplay between computer-based crimes and national security issues, the Secret Service recognizes that its role in investigating computer-based attacks against the financial sector can be significant in the larger plan for the protection of our nation’s critical infrastructures.  When we arrest a criminal who has breached and disrupted a sensitive communications network and are able to restore the normal operation of the host --be it a bank, telecommunications carrier, or medical service provider -- we believe we have made a significant contribution towards assuring the reliability of the critical systems that the public relies upon on a daily basis.


As a footnote, the Secret Service met recently with representatives of the Financial Services Information Sharing and Analysis Center (FS/ISAC) that was created pursuant to Presidential Decision Directive (PDD) 63.  The directive mandated the Department of the Treasury to work with members of the banking and finance sector to enhance the security of the sector’s information systems and other infrastructures, a responsibility managed by Treasury’s Assistant Secretary of Financial Institutions.  The role of the FS/ISAC is to devise a way to share information within the financial services industry relating to cyber threats and vulnerabilities.  The Secret Service feels that it can make a significant contribution to the work of the FS/ISAC and is exploring common areas of interest with the FS/ISAC, to include information sharing.   


The Secret Service is also continuing to receive requests from local law enforcement agencies and others for assistance, and we welcome those requests.  On an alarmingly increasing basis, our local field offices and the Financial Crimes Division of the Secret Service receive desperate pleas from local police departments for physical assistance, training and equipment in the area of computer forensics and electronic crimes so that they can continue to provide a professional level of service and protection for their citizens.  In short, the Secret Service has become another option for local law enforcement, the private sector and others to turn to when confronted with network intrusions and other sophisticated electronic crimes.


Over the past 3 years, Secret Service ECSAP agents completed 2,122 examinations on computer and telecommunications equipment.  Although the Secret Service did not track the number of exams done for other law enforcement agencies during this period, it is estimated that some 10 to 15 percent of these examinations fell in this category.  Many of the examinations were conducted in support of other agencies’ investigations such as those involving child pornography or homicide cases simply because the requesting agency did not have the resources to complete the examination itself. 


In spite of our limited resources, we do provide physical assistance on a regular basis to other departments, often sending ECSAP agents overnight to the requesting venue to perform computer related analyses or technical consultation.  In fact, so critical was the need for even basic training in this regard that the Secret Service joined forces with the International Association of Chiefs of Police and the National Institute for Justice to create the "Best Practices Guide to Searching and Seizing Electronic Evidence" which is designed for the line officer and detective alike.   Mr. Chairman, with your permission, I would like to submit a copy of this guide for the record.


We have also worked with this group to produce the interactive, computer-based training program known as "Forward Edge" which takes the next step in training officers to conduct electronic crime investigations.  Forward Edge incorporates virtual reality features as it presents three different investigative scenarios to the trainee.  It also provides investigative options and technical support to develop the case.  Copies of state computer crime laws for each of the fifty states as well as corresponding sample affidavits are also part of the two-CD training program and are immediately accessible for instant implementation.


Thus far we have dispensed over 220,000 "Best Practices Guides" to local and federal law enforcement officers and it is expected that later this summer we will distribute, free of charge, over 20,000 Forward Edge training CDs.


In an additional effort to further enhance information sharing between the law enforcement community and the financial industry, the Secret Service recently created the "E Library" Internet website which serves as a mechanism for all members to post specific information, images and alerts relating to fictitious financial instruments, counterfeit checks, and credit card skimming devices. This website is accessible free of charge to all members of the law enforcement and banking communities and is the only such tool of its kind.


In today’s high tech criminal environment, the challenge to federal law enforcement and government is to identify existing repositories of expertise and provide a framework for inclusion and productive collaboration amongst the many government agencies and their respective industry and academic counterparts.  The Secret Service is convinced that building trusted partnerships with the private sector and local law enforcement is the model for combating electronic crimes in the Information Age.


Mr. Chairman, that concludes my prepared statement, and I would be happy to answer any questions that you or other members of the subcommittee may have.