
Burden of Proof

Web Sites Under Attack: FBI Opens Sweeping Cyber-Investigation

Aired February 10, 2000 - 12:30 p.m. ET



JANET RENO, ATTORNEY GENERAL: We are committed, in every way possible, to tracking down those who are responsible, to bringing them to justice, and to seeing that the law is enforced; and we are committed to taking steps to ensure that e-commerce remains a secure place to do business.

ERIC HOLDER, DEPUTY ATTORNEY GENERAL: The FBI is also working closely with the department's computer crime section and specially trained prosecutors around the country, who have authority and also who have expertise in obtaining court orders for electronic and other forms of evidence.

RONALD DICK, FBI NATIONAL INFRASTRUCTURE PROTECTION CENTER: Your security, or the security of systems within the private sector, or the lack thereof, can cause harm to others, as exemplified in the things that we've seen gone on in the last couple of days.


GRETA VAN SUSTEREN, CO-HOST: Today on BURDEN OF PROOF: an electronic assault. The FBI hunts for hackers in a nationwide cyberstrike, and e-commerce tries to clear the traffic jams on the information superhighway.

ANNOUNCER: This is BURDEN OF PROOF with Greta Van Susteren and Roger Cossack.

VAN SUSTEREN: Hello and welcome to BURDEN OF PROOF.

Across the nation this week, some of the largest Web sites on the Internet have been struck by hackers. Those affected include our own, and eBay.

ROGER COSSACK, CO-HOST: The technique is called the denial of service attack, designed to tie up the site with a flood of messages and overwhelm phone lines. This morning in Washington, Deputy Attorney General Eric Holder said the extent of the cyber-attacks are quite serious and that a substantial amount of computers were involved.

(BEGIN VIDEO CLIP)

HOLDER: The recent attacks are serious for a number of reasons. In addition to the malicious disruption of legitimate commerce, so-called "denial of service" attacks involve the unlawful intrusion into dozens or even hundreds of computers, which are used to launch attacks on the eventual target computer, in this case the computers of Yahoo!, eBay, and others. Thus, the number of victims in these types of cases can be substantial and the collective loss and cost to respond to these kinds of attacks can run into the tens of millions of dollars or more.


VAN SUSTEREN: Joining us today from Los Angeles is former hacker Kevin Mitnick. And in Boston, Alan Phillips, who is the vice president of Internet operations and technology at

COSSACK: And here in Washington, Laticia Carr (ph), cyber-law attorney Nicholas Allard, and Daron Ross (ph). And in the back, Brandon Heiner (ph) and Britney Bradshaw (ph). And also joining us here in Washington is CNN justice correspondent Pierre Thomas.

Well, Pierre, what is the response of the FBI and law enforcement to these attacks on the Internet?

PIERRE THOMAS, CNN JUSTICE CORRESPONDENT: Well, Roger, you have a very massive investigation just beginning to unfold: you have the FBI involved, the National Infrastructure Protection Center, as Deputy Attorney General Eric Holder talked about; you have prosecutors in a number of U.S. attorney's offices around the country. So this is a very sweeping investigation.

And the reason why the federal government is responding so quickly, the notion that hackers can disrupt this emerging new Internet economy is something that has them very, very concerned.

VAN SUSTEREN: Alan, did ZDNet get hit by these cyber-terrorists, as we call?

ALAN PHILLIPS, ZDNET: It did. Unfortunately, we were down for about 2 1/2 hours yesterday morning.

VAN SUSTEREN: And what does it mean? I mean, what did they do to you?

PHILLIPS: Well, denial of service is like rush hour on steroids. A variety of requests come in from a variety of computers that make accessing ZDNet all but impossible.

VAN SUSTEREN: Do you have any sort of way around it? I mean, do you not have enough access entries, so to speak, so that people can get into your business; is that the problem?

PHILLIPS: Clearly, we can put up filters that try to identify denial of service attacks. At the same time, technology is moving at a very fast pace, and technology moves both in the front of preventing it, also offering tools to attack sites. And so we do a lot, but we can't do everything.

COSSACK: Pierre, the attorney general also called upon the industry to set up ways to defend themselves from these kinds of things. What exactly do they want?

THOMAS: Well, what they want, they want more of these filters, they want detection devices, but most importantly, they want the industry, that any time there is the beginning of an attack to immediately contact federal authorities so that they can begin investigating. Because one of the things they want to try to do is to get a better handle on the attacks, as they unfold, so that they won't at the end of the attack have to sift through millions and millions of these messages to try to work their way back to the person who originally started the attack.

VAN SUSTEREN: All right, let's go to Kevin Mitnick in Los Angeles.

Kevin, you are what we have called a former hacker. How easy is it to hack?

KEVIN MITNICK, FORMER HACKER: It is quite simple. Well, to do a denial of service attack is quite simple because the software is readily available on the Internet. Anyone could download it. A 12-year-old can download it and run a program, which could, you know, do any type of service overloading or message flooding, anything like that to grind any system to a halt.

VAN SUSTEREN: Kevin, explain to me, there is hacking where you go into someone's system and do bad things, like steal files, copy files, or alter files. But when you talk about what has happened in the past couple of days, it's a little different, is it not?

MITNICK: Oh yes, it is completely different. It is where you are basically overloading a system or a network by sending numerous messages, or packets, if you will. And what it does is it uses all the available resources and so the system cannot perform its normal workload.

COSSACK: Kevin, how does the industry protect themselves from this?

MITNICK: Well, you know, there's a few things you can do. First of all, if you have the budget, you can install some type of network monitor so you can try to identify the source of the packets and what exactly the attacker is trying to do. You can try breaking your network or you can try putting your machines or breaking down into different sub-nets, partitioning it out, so if some attacker hits one of your networks, it won't affect your machines on your other sub-nets. And also you can try installing a filter at your router or firewall to try to reject any connection attempts from any known, unknown hosts or networks.

COSSACK: And Kevin, do I detect from you that you can do all these things, but perhaps you really are not going to be too successful if there is someone who is really determined to do this?

MITNICK: Well, I mean, if somebody is really determined to do it, you can -- you can try to -- it's -- there is nothing 100 percent foolproof. But if somebody wants to take down your network, and you partition your machines into different sub-nets, somebody could, you know, go to that different sub-net, and try to, you know, flood that network with messages. So, you know, if someone is a really determined -- if someone is really determined to try to do this, it is pretty simple, and it could easily be done, and it's hard to prevent.

VAN SUSTEREN: Nick, I can understand why Alan and ZDNet cares about this, but why do I care as a consumer? Why should the viewers care about this?

NICHOLAS W. ALLARD, CYBER LAW ATTORNEY: Well, first of all, our whole economy right now is based on information technology and this is not just a cyberprank, in a sense, it goes beyond that. And if the infrastructure is not secure, consumer prices go up, you lose speed on the Internet and so on. And so it's very serious.

VAN SUSTEREN: Could it affect like the airline industry, though, and safety? Or is it simply just products on the Internet?

ALLARD: Sure, it has a broad effect, but also, before we, you know, panic, there is reason, history teaches us we can take a deep breath and calm down because every single invention, every single communication technology that has been introduced has had similar problems. The telegraph had very, very similar problems with hackers. In fact, that's where the phrase popped up the first time.

And remember, those Old West movies about the bank robbers cutting down the exposed telegraph wire. The Olmstead case in the 1920s, the roaring '20s, that was all about rum runners using a telephone in that case, with the famous Brandeis dissent, the right to be left alone. That case recognized the right of the federal government, ultimately overturned, to eavesdrop on criminals or using the Internet.

So history shows us that criminals are often the first to take advantage of new technology, but law enforcement always catches up.

COSSACK: Pierre, speaking of law enforcement, is there a special unit that is being set up or has been set up to specifically -- consist of engineers and people like that who -- to go out and try and find these people?

THOMAS: Roger, two years ago, the FBI, along with a number of other agencies, set up what's called the National Infrastructure Protection Center. Now that particular unit deals not only with computer attacks, it also deals with attacks on -- potential attacks on electrical grids, water systems. So the whole goal of these units is to both detect and then deter these kinds of attacks.

So they have the center in place. Their operating budget at the Justice Department is roughly $100 million. In the coming budget they are expecting to ask for an additional $37 million, a more than third increase. So there is some sense in the federal government that they need to keep pace and try to keep up with this particular problem.

ALLARD: They need a sexier name.

COSSACK: Let's take a break.

Pierre Thomas, thank you for joining us today.

Up next, if the FBI can hunt down these terrorists, what types of cyber-laws will be used to prosecute them? Stay with us.


Convicted computer hacker Kevin Mitnick was the first hacker to have his face on an FBI "Most Wanted" poster.



VAN SUSTEREN: Good news for our Internet-savvy viewers: You can now watch BURDEN OF PROOF live on the Worldwide Web. Just log-on to We now provide a live video feed, Monday through Friday, at 12:30 p.m. Eastern Time. And if you miss that live show, the program is available on the site at any time via Video On-demand. You can also interact with our show and even join our chat room.


RENO: At this time, we are not aware of the motors -- of the motives behind these attacks, but they appear to be intended to interfere with and to disrupt legitimate electronic commerce. That is the reason the FBI has initiated a criminal investigation into these matters.


COSSACK: The Justice Department has launched a full-scale Internet investigation into this week's hacker attacks on many of the nation's most popular Web sites. Federal investigators and prosecutors will be attempting to build cases based on the relatively-new arena of cyber-law.

Well, Nick, what about the new arena of cyber-law? Do we need new laws or are the laws that are on the books good enough? What do we need?

ALLARD: A little bit of both. We need some new laws that realize the new technical realities, but by-and-large, the old laws work pretty well. And it's a general rule of thumb, because we've been talking about criminal activity today, that if something is a crime using 20th or 19th-century forms of communication it's probably a crime on the Internet: theft, trespassing, those kinds of things, and there's plenty of specific computer statutes on the books.

VAN SUSTEREN: Kevin, I want to talk later about your unusual sort of release, or what I characterize a release, but first I want to talk about your conviction. What were you actually convicted of that sent you to prison?

MITNICK: Actually, I ended up pleading guilty to several counts of wire fraud, computer fraud and interception of electronic communications and possession of access devices.

VAN SUSTEREN: What did you do?

MITNICK: Well, I basically trespassed into computer systems by circumventing computer security and accessed confidential information, either reading it online or copying it. And essentially what I ended up doing is I was forced into a position to settle the case even though I don't believe the -- I don't believe that I was guilty of wire fraud or computer fraud because there was no scheme to defraud. I never intended, nor did I ever deprive any of these companies of their property interests in their confidential information, because I never used or disclosed or intended to use or disclose that information. I did it pretty much as an intellectual curiosity, for the knowledge, and for the trophy of obtaining the actual source code.

COSSACK: Alan, if you had your way and could see new laws passed by Congress that would be better protective of, say, people in your industry, what would you look for?

PHILLIPS: Well, I think it's a combination of laws, but I also think it's a combination of all the major Web -- the Web companies working together with law enforcement to put the laws in place necessary to minimize a likelihood of this happening in the future.

VAN SUSTEREN: Nick, how hard is it to prove these cases from a prosecution standpoint?

ALLARD: Well, the technology's becoming a big tool. In the cyber-stalking case we talked about a few weeks ago, for instance, the evidence that in that case was provided by computer technology, so there's digital forensic evidence, there's profiling that can be done, and like any other crime, often it's just loose lips, people talking, developing that kind of evidence. So, there's plenty that could be used to make a criminal case.

One statutory provision I think might be interesting would be if there was a whistle-blowing provision that was created to create incentives for the hacker community to turn in other folks. You know, use the best in the field, fight fire with fire.

VAN SUSTEREN: Kevin, is it possible, and this is to bring Roger and me into the loop, that someone could accidentally hack, or do you really have to have the wherewithal and the intention to go in there?

MITNICK: Oh, I think you'd have to have the intent to do it. I don't think you could really accidentally do it. But I think the media is, you know, is stereotyping this as possibly being done by hackers when there's no evidence that it's hackers. I think it -- I think there's a -- I think the definition of a hacker has been distorted, and for someone to do a denial-of-service attack and maliciously, you know, basically sabotage systems by make -- by using up all their available resources so no one else could access it, is really vandalism, and I think it's -- there's a distinction between being a computer hacker and being a vandal.

VAN SUSTEREN: Nick, that's an interesting issue. It really isn't hacking, what we're talking about. It is something different, isn't it?

ALLARD: Well, hacking, cracking, cyber-punks, cyber-brats, whatever you call it, it's still crime, it's still probably exposed to civil...

VAN SUSTEREN: How's blocking crime? I mean, I can see going in and taking, but how's blocking a Web site a crime?

ALLARD: Many different ways. Consider, you know, if you piled up garbage around a pay phone and somebody needed to make a 911 emergency call or if you...

VAN SUSTEREN: How about sell a product? Is that a 911 emergency call?

ALLARD: Well, not necessarily, but if people are, for example, unable to trade shares, small investors, and they lose the value of their property, denial of property; that's a crime. It's costing these businesses and lots of the public across the country significant sums of money. So, there is a real problem.

I just want to make one...

COSSACK: It's the same thing as breaking a window at a shop.

ALLARD: Exactly.

COSSACK: You know, putting that person out of business for the day.

VAN SUSTEREN: But you know, but -- well, I mean, that may be a little bit different, but we need to...

ALLARD: It's the same as sticking up a 7-Eleven in many senses.


ALLARD: It's a crime.

I just...

VAN SUSTEREN: All right, we're going to take a break -- hold that thought.

Up next, the inside story of our guest, Kevin Mitnick. Once one of the FBI's most wanted and why he's not even allowed now to use a computer.

Stay with us.

(BEGIN Q&A)

Q: Robert Tappan Morris, one of the first hackers ever charged under the Computer Fraud and Abuse Act of 1986, launched a virus-like program in 1988 that affected 10 percent of the Internet. What sentence did Morris receive for his crime, which affected the federal government, NASA, colleges and universities?

A: Though he faced up to five years in prison and $250,000 in fines, he received three years of probation, 400 hours of community service and a $10,000 fine.



VAN SUSTEREN: One-time computer hacker Kevin Mitnick was freed from prison last month, but the terms of his probation returned him to a very different life. Mitnick is not allowed to use computer hardware or software for three years. He's also forbidden from using a cell phone or even working for a company that has computer equipment on its premises.

Kevin, your reaction to your release and the conditions?

MITNICK: I believe the conditions are extremely onerous and they're punitive in nature. And I believe the purpose of putting somebody on supervised release is to integrate them back into the community into becoming a successful citizen, and yet I believe the conditions in my case are extremely over-broad and even extend to limit my First Amendment rights to be able to talk about certain things.

VAN SUSTEREN: What about -- I mean, what could you possibly do with a cell phone? I mean, did anyone tell what was so sinister that -- what's the suspicion there, do you know?

MITNICK: Well, I mean, I could make calls without -- possibly without paying for them, but I think it's analogous to if I was convicted of mail fraud from banning me from using the U.S. mail, or if I forged a check, banning me from using a pen or a pencil. Why? I think they just chose to basically make anything that -- make it a violation of supervised release if I were to use any technology-driven device.

VAN SUSTEREN: Nick, what's your reaction? Go ahead.

ALLARD: Well, you know, from what I understand of Mr. Mitnick's abilities, you know, a cell phone in his hands is like a piano in Rubinstein's hands, so there's a little bit of that. But I want to make two quick points: Number one is that he, as I understand it, is about as good as it gets, and yet he was caught, prosecuted and served time. And...

VAN SUSTEREN: So he's done. So he should be done or not?

ALLARD: No, the point I want to make is that folks that are out there right now may not even be up to his standard. And so the fact that even the best can be, within our given justice system, pursued, convicted and serve time...

VAN SUSTEREN: Well, give me an idea of what job he could hold. I mean, what kind of job...

COSSACK: Let me just jump in a second.

Alan, if Kevin wasn't on this supervised release where he can't get near a computer or a cell phone, would you consider hiring someone like him? That's great talent.

PHILLIPS: Clearly, he's a great talent and clearly we'd like to have a lot of information on what hackers think about relative to how to invade Web sites. So Kevin would certainly be welcomed and his advice would be cherished at ZDNet.

VAN SUSTEREN: Kevin, what kind of job can you hold. What's in the sort of universe of jobs that fit within this release provision?

MITNICK: You know, I have no idea. I spoke with my probation officer, and even though the judge put the conditions in the discretion of the probation office, it's the position of the probation officer that they don't want to put on them that decision, so they're going to send everything back to the judge, and...

VAN SUSTEREN: Can you have a Palm Pilot, by the way?

MITNICK: No, I can't even possess a Palm Pilot. I had to get permission to possess a beeper. I mean, anything that's wireless can -- you know, technically, I guess, if I were to possess an AM/FM Walkman, that can technically violate the conditions of my release.

COSSACK: Kevin, you were described -- or I've read somewhere that you said that it was almost an addiction with you to do what you did. Do you feel that perhaps what they're trying to do by this release is keep you away from the drugs of your addiction?

MITNICK: I don't really -- I wouldn't characterize it as an addiction, I would characterize it I was very interested in this activity, I enjoyed doing it, and I would -- it would be analogous to a foot -- you know, somebody that's engaged in sports that would just, you know, be very interested in the activity. It wasn't like I was an alcoholic or a drug user in that respect, I just was fascinated with technology and I was very interested in it and I kept going back to the same thing.

COSSACK: All right.

MITNICK: But, you know -- go on.

COSSACK: That's all -- I'm afraid, Kevin, that's all the time we have for today.

Thanks to our guests, thank you for watching.

Today on "TALKBACK LIVE," register your vote on the latest developments of the presidential race: The end of the Forbes campaign and the battle between Senator John McCain and Governor George W. Bush. That's at 3:00 p.m. Eastern time, noon Pacific.

VAN SUSTEREN: And we'll be back tomorrow with another edition of BURDEN OF PROOF. We'll see you then.


© 2001 Cable News Network. All Rights Reserved.