FBI assistant director Joseph Demarest testified that “the frequency and impact of cyber attacks on our nation’s private sector and government networks have increased dramatically in the past decade and are expected to grow exponentially" during a joint hearing of the House Counterterrorism and Intelligence and the Cybersecurity, Infrastructure Protection, and Security Technologies Subcommittees on Capitol Hill Wednesday.
But Demarest added that "the FBI and our partners have had multiple recent investigative successes against the threat, and we continue to push ourselves to respond more rapidly to prevent attacks before they occur."
In his opening statement at the hearing, subcommittee chairman Rep. Peter King (R-NY]) noted the changing nature of national security efforts.
“While the U.S. has made great strides to secure the homeland since 9/11, our enemies have evolved, and we must now consider that a foreign adversary, terrorist network, or a criminal organization will use cyberspace to penetrate America’s defenses," he said.
King expressed his approval of the efforts of law enforcement to combat “persistent and emerging cyber threats to the United States,” hailing the FBI's recent indictments of Chinese military hackers and users of a malicious program called “Blackshades” as encouraging successes.
“I hope it is a signal of more aggressive U.S. actions to address the cyber threat as we move forward, because this threat is not going away," King said.
The FBI lists cyber crime as its third highest national security priority, behind only terrorism and counterintelligence.
Earlier this week, the Department of Justice (DOJ) unsealed economic espionage indictments against five Chinese military officers who allegedly hacked into the computer servers of multiple U.S. businesses, including Westinghouse, U.S. Steel, and Alcoa, to steal sensitive information.
On Monday, the FBI also announced the results of a “cyber takedown” of Swedish national Alex Yucel and U.S. citizen Michael Hogue, who are charged with developing “a particularly insidious computer malware known as Blackshades,” which was sold and distributed to thousands of people in more than 100 countries and has been used to infect more than half a million computers worldwide.
An “unprecedented law enforcement operation” undertaken in coordination with 18 other countries resulted in over 300 investigations of hackers using Blackshades to penetrate computer systems and over 90 arrests, according to the FBI.
Blackshades employs a form of malware known as a Remote Access Tool (RAT) that can be purchased online for as little as $40. With this tool, criminal hackers can steal passwords and banking credentials, hack into social media accounts, access computer files, record keystrokes, activate webcams, encrypt computer files to hold for ransom, and use the victim’s computer to spread the malware to others.
Last month, a software security firm known as Codenomicon discovered another major bug. Internet services firm Netcraft estimates that this bug, dubbed “Heartbleed,” initially infected about 17% of SSL (Secure Socket Layer) web servers worldwide, including those used by popular websites Twitter, Tumblr and Yahoo.
Caused by a vulnerability in the OpenSSL cryptographic software library, Heartbleed allows remote hackers to eavesdrop on emails and instant messages and retrieve encrypted data from Internet users, including names, passwords, and content.
However, most large websites have already created patches to fix the bug, according to a report by California firm Sucuri Security.
Larry Zelvin, director of the National Cybersecurity and Communication Integrations Center (NCCIC), who also testified at the hearing, stated that the NCCIC has been able to reduce the number of federal Heartbleed vulnerabilities from 270 to 2 in less than three weeks.
“More than half of these vulnerabilities were identified and mitigated in the first six days of scanning,” Zelvin stated.
In mid-April, Stephen Arthuro Solis-Reyes, a 19-year-old Canadian, became the first person arrested for a Heartbleed-related security breach after he was accused of hacking into the Canadian Revenue Agency’s website and stealing over 900 Social Insurance numbers.