of Mr. James A. Savage, Jr.
Special Agent in Charge-Financial Crimes Division
House Committee on the Judiciary
House of Representatives
Mr. Chairman, members of the subcommittee, thank
you for the opportunity to address the subcommittee regarding
federal law enforcement efforts in combating cyber crime, and
particularly the efforts of the Secret Service in this regard.
The Secret Service fights cyber crime as part
of our core mission to protect the integrity of this nation’s
financial payment systems. This role has evolved from our initial
mandate to suppress the counterfeiting of currency upon our creation
in 1865. Since this time, modes and methods of payment have evolved
and so has our mission. Computers and other "chip" devices
are now the facilitators of criminal activity or the target of
such. The perpetrators involved in the exploitation of such technology
range from traditional fraud artists to violent criminals - all
of whom recognize new opportunities and anonymous methods to expand
and diversify their criminal portfolio.
In this era of change, one constant that remains
is our close working relationship with the banking and finance
sector. Our history of cooperation with the industry is a result
of our unique responsibilities and status as an agency of the
Department of the Treasury. We believe that protection of the
banking and financial infrastructure is our "core competency"
area. As an agency, we seek to manage and apply our investigative
resources in the most efficient manner possible for the benefit
of our banking and finance customers.
Mr. Chairman, there is no shortage of information,
testimony, or anecdotal evidence regarding the nature and variety
of cyber-based threats to our banking and financial infrastructures
and the need to create effective solutions. There is, however,
a scarcity of information regarding successful models to combat
such crime in today’s high tech environment. That is where the
Secret Service can make a significant contribution to today’s
and future discussions of successful law enforcement efforts to
combat cyber crime.
The Secret Service has found a highly-effective
formula for combating high tech crime - a formula that has been
successfully developed by our New York Electronic Crimes Task
Force. While the Secret Service leads this innovative effort,
we do not control or dominate the participants and the investigative
agenda of the task force. Rather, the task force provides a productive
framework and collaborative crime-fighting environment in which
the resources of its participants can be combined to effectively
and efficiently make a significant impact on electronic crimes.
Other law enforcement agencies bring additional criminal enforcement
jurisdiction and resources to the task force while representatives
from private industry, such as telecommunications providers, for
instance, bring a wealth of technical expertise.
Within this New York model, established in 1995,
there are 50 different federal, state and local law enforcement
agencies represented as well as prosecutors, academic leaders
and over 100 different private sector corporations. The wealth
of expertise and resources that reside in this task force coupled
with unprecedented information sharing yields a highly mobile
and responsive machine. In task force investigations, local law
enforcement officers hold supervisory positions and representatives
from other agencies regularly assume the lead investigator status.
These investigations encompass a wide range of computer-based
criminal activity, involving e-commerce frauds, intellectual property
violations, telecommunications fraud, and a wide variety of computer
Since 1995, the task force has charged over 800
individuals with electronic crimes valued at more than $425 million.
It has trained over 10,000 law enforcement personnel, prosecutors,
and private industry representatives in the criminal abuses of
technology and how to prevent them. We view the New York Electronic
Crimes Task Force as the model for the partnership approach that
we hope to employ in additional venues around the country in the
very near future.
An important component in our investigative response to
cyber crime is the Electronic Crimes Special Agent Program
(ECSAP). This program is comprised of approximately 175 special
agents who have received extensive training in the forensic identification,
preservation, and retrieval of electronically stored evidence.
Special Agents entering the program receive specialized training
in all areas of electronic crimes, with particular emphasis on
computer intrusions and forensics. ECSAP agents are computer
investigative specialists, qualified to conduct examinations on
all types of electronic evidence, including computers, personal
data assistants, telecommunications devices, electronic organizers,
scanners and other electronic paraphernalia.
The Secret Service ECSAP program relies on the
4 year-old, Treasury-wide Computer Investigative Specialist (CIS)
initiative. All four Treasury law enforcement bureaus - the Internal
Revenue Service, Bureau of Alcohol, Tobacco and Firearms, U.S.
Customs Service and the U.S. Secret Service -- participate and
receive training and equipment under this program.
All four Treasury bureaus also jointly participate
in curriculum development and review, equipment design and distribution
of training assets. As a result, financial savings by all Treasury
bureaus are realized due to economies of scale. Additionally,
agents from different bureaus can work together in the field in
an operational capacity due to the compatibility of the equipment
and training. In the end, the criminal element suffers and the
Because of the recognized expertise of those
in ECSAP, other law enforcement agencies regularly request training
from the Secret Service or advice concerning their own computer
forensics programs. These requests have come from agencies all
across the country, as well as foreign countries such as Italy
and Thailand. The Secret Service recognizes the need to promote
international cooperation and remains proactive in the dissemination
of information to law enforcement agencies, both domestically
and internationally, regarding program initiatives and current
financial and electronic crimes trends.
Mr. Chairman, we are committed to working closely
with our law enforcement counterparts worldwide in response to
cyber crime threats to commerce and financial payment systems.
This commitment is demonstrated by the Secret Service’s effort
to expand our overseas presence. We currently have 18 offices
in foreign countries and a permanent assignment at Interpol, as
well as several overseas initiatives. Recently, new offices have
been opened in Frankfurt, Lagos, and Mexico City. The Secret
Service is also considering opening new offices in Bucharest and
New Dehli. Our expanded foreign presence increases our ability
to become involved in foreign investigations that are of significant
In addition to providing law enforcement with
the necessary technical training and resources, a great deal more
can be accomplished in fighting cyber crime if we are able to
harness additional resources that exist outside government in
the private sector and academia. The Secret Service believes there
is value in sharing information during the course of our investigations
with both those in the private sector and academia who are devoting
substantial resources to protecting their networks and researching
new solutions. On occasion the Secret Service has shared case-specific
information derived from our criminal investigations after taking
appropriate steps to protect privacy concerns and ensure that
there are no conflicts with prosecutorial issues. I would further
add that there are many opportunities for the law enforcement
community to share information with our private sector counterparts
without fear of compromise. The Secret Service recognizes the
need for a "paradigm shift" with respect to this type
of information sharing between law enforcement and our private
sector and academic counterparts.
Finally, law enforcement in general is not sufficiently
equipped to train the masses nor can it compete with academic
institutions of higher learning in the area of research and development.
However, our partnerships with industry and academia have demonstrated
that this should be an integral part of the solution.
Partnerships are a very popular term in both
government and the private industry these days and everyone agrees
that there is great benefit in such an approach. Unfortunately,
however, partnerships cannot be legislated, regulated, or stipulated.
Nor can partnerships be purchased, traded or incorporated. Partnerships
are built between people and organizations who recognize the value
in joint collaboration toward a common end. They are fragile
entities which need to be established and maintained by all participants
and built upon a foundation of trust.
The Secret Service, by virtue of the protective
mission for which we are so well known, has always emphasized
discretion and trust in executing our protective duties. We learned
long ago that our agency needed the full support and confidence
of local law enforcement and certain key elements of the private
sector to create and maintain a successful and comprehensive security
plan. Furthermore, we are also keenly aware that we need to maintain
a trusted relationship with our protectees so that we can work
with them and their staffs to maintain the delicate balance between
security and personal privacy.
This predisposition towards discretion and trust
naturally permeates our investigative mission where we enjoy quiet
successes with our private sector partners. We have successfully
investigated many significant cases with the help of our private
sector partners such as network intrusions and compromises of
critical information or operating systems. In such cases, even
though we have technical expertise that is second to none, we
still rely on our private sector counterparts to collaborate with
us in identifying and preserving critical evidence to solve the
case and bring the perpetrator to justice. Equally important
in such cases is conducting the investigation in a manner that
avoids unnecessary disruption or adverse consequences to the victim
or business. With the variety of operating platforms and proprietary
operating systems in the private sector, we could not accomplish
these objectives without the direct support of our private sector
In fact, in one recently completed complex investigation
involving the compromise of a wireless communications carrier’s
network, our case agent actually specified in the affidavit of
the federal search warrant that representatives of the victim
business be allowed to accompany federal agents in the search
of the target residence to provide technical assistance. This
is unprecedented in the law enforcement arena and underscores
the level of trust we enjoy with those we have built relationships
with in the private sector. It is also indicative of the complexity
of many of these investigations and serves to highlight the fact
that we in law enforcement must work with private industry
to be an effective crime fighting force. In approving this search
warrant, the court recognized that in certain cases involving
extraordinarily complex systems and networks, such additional
technical expertise can be a critical, and sometimes imperative,
component of our investigative efforts.
I must point out, however, that such cases are
usually not publicized without the express consent of the U.S.
Attorney and the corporate victim because it would breach our
confidential relationship and discourage the victims of electronic
crimes from reporting such incidents.
Four recently-concluded investigations demonstrate
the breadth of cases the Secret Service is working, and provide
concrete evidence of the continuing success of ECSAP. The cases
include the malicious shutdown of a medical service provider’s
communications system, an intrusion into a telecommunication provider’s
network, an attack on a private investment company’s trading network,
and the disruption of a financial institution’s complete operating
system and communications network.
The first case was initiated on March 5, 2001,
when a local Secret Service field office received information
that a medical diagnostic service provider had suffered a catastrophic
shutdown of its computer network and communications system. The
company reported that they were unable to access doctor schedules,
diagnostic images, patient information, and essential hospital
records, which adversely affected their ability to provide care
to patients and assist dependent medical facilities.
Within a matter of hours, a Secret Service ECSAP
agent was able to regain control of the network by coordinating
with the facility’s system administrator to temporarily shutdown
and reconfigure the computer system. The ECSAP agent also essentially
"hacked" into the compromised system, and modified compromised
password files to "lock out" the attacker. This was
accomplished while maintaining control of the computer system
log files containing evidence of how the intrusion had occurred.
Using this evidence, a federal search warrant
was obtained for the residence of a former employee of the hospital,
who had recently been terminated from his position as system administrator.
Computer equipment was seized pursuant to the warrant, the suspect
admitted to his involvement, and federal computer fraud charges
A case with obvious critical infrastructure implications
was initiated on February 20, 2001, when two major wireless telecommunications
service providers notified the New York Electronic Crimes Task
Force that they had identified two hackers in different remote
sites who were attacking their systems. These hackers were manipulating
the systems to obtain free long distance service, re-route numbers,
add calling features, forward telephone numbers, and install software
that would ensure their continued unauthorized access.
The level of access obtained by the hackers was
virtually unlimited, and had they chosen to do so, they could
have shut down telephone service over a large geographic area,
including "911" systems, as well as service to government
installations and other critical infrastructure components.
On March 20, 2001, the Secret Service simultaneously
executed search warrants in New York City and Phoenix and computer
equipment was seized at both locations. One suspect was arrested
on federal computer fraud charges, while the other suspect was
questioned and released pending a decision by the Department of
Justice as to whether or not to pursue federal charges.
The third case occurred from March 9, 2000, through
March 14, 2000, when a company located in New York, NY, received
several Internet-based "denial of service" attacks on
its servers. A "denial of service" attack occurs when
a perpetrator launches malicious programs, information, codes,
or commands to a target or victim computer which causes a degradation
of service or shutdown, thereby denying access by legitimate customers
to those computers. In this instance, the company was a prominent
provider of electronic trading services on Wall Street.
While the attacks were still occurring, the company’s
CEO contacted the Secret Service’s New York Electronic Crimes
Task Force. The CEO identified a former employee as a suspect,
based upon the fact that the attacks preyed on vulnerabilities
which would only be known to the former employee. These attacks
continued through March 13, 2000, when ECSAP agents and task force
members identified the attacking computer and arrested the former
employee for violating Title 18, USC, Section 1030 (Computer Fraud).
In a post-arrest statement, the suspect admitted that he was responsible
for the denial of service attacks. As a result of the attacks,
the company and its customers lost access to trading systems.
Approximately $3.5 million was identified in lost trading fees,
commissions, and liability as a result of the customers’ inability
to conduct any trading.
The last case began just two weeks ago when
a financial institution notified local police who in turn notified
the local office of the Secret Service, that its entire banking
and communications network had been shut down. The institution
reported that it was severely crippled, as it had no access to
electronic data used in support of its ATMs, banking transactions,
employee payroll and all other critical functions. Working with
the local police and the bank’s technical staff, a former employee
emerged as a suspect and electronic evidence was developed that
strongly indicated his involvement. The suspect was promptly
interviewed by agents and police in which he admitted to disabling
the bank’s system and "hacking" an unrelated database
in his attempts to exact revenge upon the bank CEO. Federal charges
Let me relate the Secret Service’s mission in
fighting cyber crime to the bigger picture of critical infrastructure
protection. As previously stated, we target cyber crime as it
may affect the integrity of our nation’s financial payment and
banking systems. As we all know, the banking and finance sector
comprises a very critical infrastructure sector and one which
we have historically protected and will continue to protect.
In this context, our efforts to combat cyber assaults which target
information and communication systems which support the financial
sector are part of the larger and more comprehensive critical
infrastructure protection scheme. The whole notion of infrastructure
protection embodies an assurance and confidence in the delivery
of critical functions and services that in today’s world are increasingly
interdependent and interconnected. To put this all in perspective,
the public’s confidence is lost if such delivery systems and services
are unreliable or unpredictable regardless of the cause of the
also recognize that our unique protective responsibilities, including
our duties as the lead federal agency for coordinating security
at National Special Security Events, demand heightened electronic
security awareness and preparation. A well-placed cyber attack
against a weak technology or support infrastructure system can
render an otherwise sound physical security plan vulnerable and
Mr. Chairman, it should also be noted that all
deliberate infrastructure attacks, before they rise to such a
threshold, are also cyber crimes and are likely to be dealt with
initially by law enforcement personnel, both federal and local,
in the course of routine business. In fact, I don’t believe there
is universal agreement as to when a "hack" or network
intrusion rises to the threshold of an infrastructure attack and
corresponding national security event but we would all probably
recognize one when it reached catastrophic proportions.
Given this continuum and interplay between computer-based
crimes and national security issues, the Secret Service recognizes
that its role in investigating computer-based attacks against
the financial sector can be significant in the larger plan for
the protection of our nation’s critical infrastructures. When
we arrest a criminal who has breached and disrupted a sensitive
communications network and are able to restore the normal operation
of the host --be it a bank, telecommunications carrier, or medical
service provider -- we believe we have made a significant contribution
towards assuring the reliability of the critical systems that
the public relies upon on a daily basis.
As a footnote, the Secret Service met recently
with representatives of the Financial Services Information Sharing
and Analysis Center (FS/ISAC) that was created pursuant to Presidential
Decision Directive (PDD) 63. The directive mandated the Department
of the Treasury to work with members of the banking and finance
sector to enhance the security of the sector’s information systems
and other infrastructures, a responsibility managed by Treasury’s
Assistant Secretary of Financial Institutions. The role of the
FS/ISAC is to devise a way to share information within the financial
services industry relating to cyber threats and vulnerabilities.
The Secret Service feels that it can make a significant contribution
to the work of the FS/ISAC and is exploring common areas of interest
with the FS/ISAC, to include information sharing.
The Secret Service is also continuing to receive
requests from local law enforcement agencies and others for assistance,
and we welcome those requests. On an alarmingly increasing basis,
our local field offices and the Financial Crimes Division of the
Secret Service receive desperate pleas from local police departments
for physical assistance, training and equipment in the area of
computer forensics and electronic crimes so that they can continue
to provide a professional level of service and protection for
their citizens. In short, the Secret Service has become another
option for local law enforcement, the private sector and others
to turn to when confronted with network intrusions and other sophisticated
Over the past 3 years, Secret Service ECSAP agents
completed 2,122 examinations on computer and telecommunications
equipment. Although the Secret Service did not track the number
of exams done for other law enforcement agencies during this period,
it is estimated that some 10 to 15 percent of these examinations
fell in this category. Many of the examinations were conducted
in support of other agencies’ investigations such as those involving
child pornography or homicide cases simply because the requesting
agency did not have the resources to complete the examination
In spite of our limited resources, we do provide
physical assistance on a regular basis to other departments, often
sending ECSAP agents overnight to the requesting venue to perform
computer related analyses or technical consultation. In fact,
so critical was the need for even basic training in this regard
that the Secret Service joined forces with the International Association
of Chiefs of Police and the National Institute for Justice to
create the "Best Practices Guide to Searching and Seizing
Electronic Evidence" which is designed for the line officer
and detective alike. Mr. Chairman, with your permission, I would
like to submit a copy of this guide for the record.
We have also worked with this group to produce
the interactive, computer-based training program known as "Forward
Edge" which takes the next step in training officers to conduct
electronic crime investigations. Forward Edge incorporates virtual
reality features as it presents three different investigative
scenarios to the trainee. It also provides investigative options
and technical support to develop the case. Copies of state computer
crime laws for each of the fifty states as well as corresponding
sample affidavits are also part of the two-CD training program
and are immediately accessible for instant implementation.
Thus far we have dispensed over 220,000 "Best
Practices Guides" to local and federal law enforcement officers
and it is expected that later this summer we will distribute,
free of charge, over 20,000 Forward Edge training CDs.
In an additional effort to further enhance information
sharing between the law enforcement community and the financial
industry, the Secret Service recently created the "E Library"
Internet website which serves as a mechanism for all members to
post specific information, images and alerts relating to fictitious
financial instruments, counterfeit checks, and credit card skimming
devices. This website is accessible free of charge to all members
of the law enforcement and banking communities and is the only
such tool of its kind.
In today’s high tech criminal environment, the
challenge to federal law enforcement and government is to identify
existing repositories of expertise and provide a framework for
inclusion and productive collaboration amongst the many government
agencies and their respective industry and academic counterparts.
The Secret Service is convinced that building trusted partnerships
with the private sector and local law enforcement is the model
for combating electronic crimes in the Information Age.
that concludes my prepared statement, and I would be happy to
answer any questions that you or other members of the subcommittee