Interview: Michael Vatis


At the time of this interview, Vatis was the Deputy Assistant Director within the FBI National Security Division. He served as the Chief of the National Infrastructure Protection Center. He resigned from this position in February 2001. Prior to his work at the FBI, he was Associate Deputy Attorney General, Executive Office for National Security (1994-1998). In this capacity, he advised the Attorney General and the Deputy Attorney General on national security matters, and coordinated the Department of Justice's national security activities.

What sort of resources are you bringing to bear on the problem of protecting the national infrastructure?

The National Infrastructure Protection Center (NIPC) has approximately 90 special agents. There are also analysts . . . from the FBI and then approximately 20 other people from other government agencies--the Department of Defense, the CIA, the National Security Agency and other departments, as well. In addition to that, we have approximately 193 agents located in FBI field offices around the country who are the on-the-ground investigators for computer crime cases. In addition, we have equipment of all sorts to help us with the technical side of an investigation.

What's the budget for NIPC?

The budget for personnel, headquarters and equipment is approximately $14 million.

And are you able to keep up?

The crime problem is growing considerably, and it's growing very quickly. I think it's very important that we get additional resources and that we devote more manpower to this issue, because the crime problem is growing so fast. We've seen a doubling of our caseload in the last couple of years, yet our resources have stayed static.

What sort of cases are you dealing with?

Well, I can't talk about any pending investigations. But we have cases that really run across a very broad spectrum. We have cases involving insiders, who are basically out for revenge against their employer or former employer, and they make off with proprietary information or try to damage the system as an act of revenge. We've got individual hackers, often juveniles, who deface web sites or break into systems just for the sake of acquiring bragging rights in the hacker community. We're also seeing a big spike in the number of cases involving organized criminal groups who are in it for illicit financial gain. They steal credit card numbers so that they can re-sell those numbers or steal money, like transferring bank account funds from bank accounts into their own accounts, and steal proprietary information.

We're also concerned about the prospect of cyberterrorism--not the often over-used term to refer to any sort of hacking--but violent activity carried out through cyber means. We're concerned about the shutting down of critical national systems, such as electrical power or banking systems or telecommunications by a terrorist group that's seeking to intimidate the US government into doing something or to refrain from doing something that they don't like.

And of course we're also worried about the prospect of information warfare, which is the foreign military using cyber techniques to shut down critical systems much like a cyberterrorist would, but as an element of warfare.

What evidence is there that organized crime has moved into this area?

Well, we have a number of cases now pending in which groups of people, some in the US and some abroad, are engaged in hacking to get into systems. They want to steal information or to steal money or to carry on an extortion attempt. They contact the owner of the system and basically say, "If you don't pay me a certain amount of money, I will make public the vulnerabilities in your system," or, "I'll make public certain proprietary information or credit card numbers and damage your reputation." We have many cases now that fall into that category.

And what is your success rate compared to the amount of crime that you think is out there?

Our success rate has really increased a lot over the last few years. We've had a great success in tracking back people who have written very damaging viruses, such as the "Melissa" virus or the "I Love You" virus, or the juvenile who launched most of the . . . denial of service attacks in February of this year. We were able to trace him back with the very capable assistance of the Royal Canadian Mounted Police, who investigated within the borders of Canada.

Are you seeing evidence of terrorists?

We've seen terrorist groups begin to use information technology in a very robust way. They use it for secure communications. They use it for propagandizing. They use it for fundraising. We've also seen a focus by terrorists in the last few years on infrastructures as targets, seeking to disrupt civilian-owned systems that are crucial for a nation's economy. We have not yet seen a sophisticated cyberterrorist attack that combines those two things--the use of information technology to focus on the computers that run an infrastructure system. But I think it's something that really is a matter of time before we see it, because the trends are taking us in that direction.

Is there a profile of the [computer-related] organized crime?

. . . We are seeing organized groups engaged in criminal activity around the world. . . . We had one group called the Phonemasters, investigated by the FBI's Dallas division, which was a group of hackers who stole telephone calling card information and then re-sold those calling card numbers through a chain of international intermediaries. Some of those numbers ended up in the hands of what we would traditionally consider organized crime in Europe, in Italy in particular. . . .

Given the vulnerabilities on the Net, I'm slightly surprised that the organized criminals didn't go there earlier.

I think a lot of the focus in the popular imagination in the media has often been on individual hackers. There's been a romanticization of hackers in the past as people who weren't really engaging in crime somehow, but who were just testing their skills at pointing out vulnerabilities. But as e-commerce has taken off in the last few years, I think people are realizing that hacking damages systems, or that exposing vulnerabilities can cause real economic harm. . . .

It's generally believed that the juveniles and hackers are getting caught because they're bragging, because they're boasting about it, whereas the more serious criminal is not, and hence is much more difficult to catch. Is that still the case?

I think we have seen a number of instances where hackers have been caught in part because they bragged about their exploits in chat rooms. But we are also seeing a growing degree of sophistication, and certainly someone who is in it to try to steal money or to steal sensitive information is not going to be bragging about his exploits. And clearly, the more sophisticated one's skills are, the more difficult that person is to catch.

In addition, the international aspects of this problem, the fact that a bad guy can loop his attack through many different countries and many different systems, makes catching cyber criminals much more difficult than analogous investigations in the physical world. We have to rely on the actions of international law enforcement agencies. We have to rely on their having the right laws in place and the right investigative skills. And it becomes a very time-consuming process to work through the international legal assistance regimes. . . .

Are you still investigating the so-called "Mafia Boy" distributed denial of service attacks in Canada?

That is still a pending investigation, and since the prosecution has not taken place yet, I'm limited in what I can say. But obviously the individual known as Mafia Boy has been charged in Canada with many of the distributed denial of service attacks that we saw in February, and the related intrusions that allowed him to carry out those attacks. He intruded into universities and other systems in the US and other countries, and implanted malicious code on those systems. He then used those to attack his ultimate targets, such as CNN, eBay, Amazon.com and Yahoo. There are some other attacks, and the prosecution is still pending. So in that sense, the investigation is still pending. But we are satisfied that the Canadian authorities have a very strong case against Mafia Boy.

Is he the only one who conducted those attacks? He did them all?

There were other attacks, and we have other people under investigation for some attacks. So we have not said that he is responsible for all of the attacks.

In the spectrum of crimes that you've been dealing with, how serious was Mafia Boy?

It was a serious incident. He knocked e-commerce sites offline that depend on customers and potential customers' ability to get into a web site for their business activities. It knocked several news sites offline, such as CNN.com, which depends on advertising revenue, and that depends on how many eyeballs their system gets in a given day or hour. So knocking those sorts of sites offline for even a couple of hours can have a very severe financial impact on a company.

It also has a broader impact in undermining people's confidence in e-commerce. As we're beginning to see this huge growth in commercial activity online, people's confidence in the security of those transactions is very important. On an even broader note, I should say that the possibility of similar sorts of attacks is still a present concern. The vulnerabilities that were taken advantage of in February are still present. People can still get into systems and use evolving denial of service tools to carry out those same sorts of attacks. That's why, in the last 10 days, we've issued two additional advisories about some new trends in the distributed denial of service area. . . .

Given the whole problem of the vulnerabilities of the internet, can you rate the software in most people's computers in terms of security?

There are a couple of different levels of the problem. There is the state of the security that's built into the software that's used. And then there's also the issue of how that security is implemented. The most common and simple example is that people often have password access to certain files or to their email system, and yet they use a password that's easy to figure out. They don't use letters and symbols and numbers all mixed together. They use their favorite word or a name or something that's easy for someone to guess . . . . So we have to make sure that the security that is available is implemented properly. But we also need to improve the security software that's integrated now into the off-the-shelf packages that people buy.

Hackers are always complaining that the problem is the software companies, Microsoft and others, have not really taken security seriously enough in the past. Would you generally agree with that?

I think it's true that security has been, at best, an afterthought. But I think we've seen change in recent years because of the incidents that we've seen over the last two years, and the fact that security is so important to e-commerce. . . . Now that people are trying to engage in commerce online, security is a very big concern. . . . I think now that the market is beginning to demand better security, we'll see a response from the manufacturers, and that will inevitably lead to a stronger foundation for security across the board.

How important was Curador in the great scheme of things?

. . . Curador, or Raphael Gray, was someone who was able to hack into systems and steal in the vicinity of 26,000 credit card numbers. That's a significant crime, obviously, and he did it in many different countries. But the skills that it takes to engage in that sort of crime are not that great. And I think it's indicative of the level of security that a lot of web sites had at the time--and still have--that enable people to break into them. So we have other cases that are very similar to that in nature.

It's sort of an image of our times, isn't it--a 16-year-old geek in his bedroom hacking away and inviting the wrath of the state on him. It doesn't necessarily look well upon the FBI, ultimately, that you're running around knocking on the doors of teenagers all over the world.

We investigate crimes that are reported to us. And when we follow the trail back, we will act appropriately, regardless of the age or the location of the perpetrator. And so I think the image has been somewhat misleading to people, because it suggests that this problem is really one of individual young hackers. In fact, we are focused on a much more worrisome part of this problem. We are really much more concerned about some of the organized threats: from foreign countries engaged in intelligence gathering or preparation for information warfare; from terrorist organizations, who will use these tools to commit violent acts against critical infrastructure systems; and from organized crime groups, who really want to steal money or valuable information.

. . . But I guess the problem the public is still having is that there hasn't been a terrorist incident as far as we know. Other than Phonemasters, there hasn't really been a successful organized crime bust in cyberspace.

I think we just recently had a very good example that disproves that notion. We've had two subjects from Kazakhstan who were engaged in an intrusion and extortion plot against Bloomberg LP. And that case was successfully investigated because of close cooperation between the FBI and authorities in both the United Kingdom and Kazakhstan. That case involves a number of subjects who are engaged in a traditional organized crime activity--extortion--but carried out through cyber means. So I differ strongly with the notion that we haven't had successful organized crime investigations. We've had quite a few.

What is your greatest fear? When you look at the internet and at the interconnectivity of the world, what is your greatest fear?

My greatest fear is that the level of vulnerability is still so high that we are really open to a devastating attack on a broad scale against the computer networks that run vital systems, such as our electrical power systems, government operations, the banking and finance system. . . . And another significant challenge for us is dealing with espionage. The "Cuckoo's Egg" case, which involved the KGB hiring hackers to break into U.S. Defense Department systems, is now a 14-year-old case. I think if hostile intelligence services were engaged in that sort of activity 14 years ago, it doesn't take a great leap of the imagination to imagine what some of those sorts of intelligence services might be doing or planning to do today. . . .

What does the future hold? Can we fix this problem?

I think we can fix the problem. I think that, in the near term, we might see the problem get worse before it gets better. There's a power curve, and right now security is behind the power curve, because it takes some time for good security products to be put out there and integrated into networks and operating systems. And I think we need to make sure that the government has the resources in place to investigate crimes and, more importantly, to get information and get warnings out to try to prevent crime before it happens. That's really our number one consideration. But I think we will see an increase in the number of crimes being committed on the internet before good security is ubiquitous.

That raises the process of private police or Pinkertons of cyberspace. There's a huge growth in private security companies. There must be a temptation among them to just go and take action, whatever action, themselves. Does that concern you?

. . . What's most important is that, as people get into the security business, that they realize that this is not an area where the private sector can go it alone. If we're going to deter people from engaging in computer crime, we have to have an effective law enforcement response. That means that victims really need to report to law enforcement so that we can catch the bad guys, punish them appropriately, and deter other would-be bad guys from engaging in the same sort of activity.

Some critics say that government just can't move fast enough, that it's a big bureaucracy, that it's a huge infrastructure in and of itself. They say that it just isn't going to be able to keep up with the crime.

Well, there are certainly challenges to bringing the government around to deal with this sort of fast-evolving environment. But look at the track record that we've established in the two and a half years since the NIPC was founded. We have created a program in the FBI and for the federal government as a whole that is now capable of investigating some very complex international investigations. And I think the speed with which we are able to investigate things such as the "Melissa" virus, the "I Love You" virus, the distributed denial of service attacks, the Bloomberg extortion, the Curador case and on and on and on shows that we've made a tremendous amount of progress in a very short time.

But we can't sit on our hands or rest on our laurels, because the problem continues to grow. And it's imperative that the executive branch of government and the Congress realize that we need to keep making progress, that we need to put more resources into this area to make sure that we can stay at the cutting edge.

