Remarks by Assistant Attorney General John P. Carlin on Cyber-Crime at Carnegie Mellon University
In particular, I’ll discuss cyber threats linked to a diverse range of dangerous cyber actors. And I’ll tell you what we in the National Security Division, at the Department of Justice, are doing to counter those threats.
I should note at the outset that this week marks a busy time for national security law. There is a lot going on in the world, all of which we are tracking closely. But I’m going to focus today on the threats associated with national security cyber issues.
Just last week, the 9/11 Commission published its reflections on the tenth anniversary of the Commission’s original report. And it specifically pointed to the growing significance of cyber threats to our Government and private sector.
In its report, the Commission noted that: “We are at September 10th levels in terms of cyber preparedness.” They added that “American companies’ most-sensitive patented technologies and intellectual property, U.S. universities’ research and development, and the nation’s defense capabilities and critical infrastructure, are all under cyber attack.”
I could not agree more.
As the Commission concluded, “One lesson of the 9/11 story is that, as a nation, Americans did not awaken to the gravity of the terrorist threat until it was too late. History may be repeating itself in the cyber realm.”
I’m particularly glad to talk about these important issues here in Pittsburgh. In a way, this brings me back to earlier days of my cybersecurity work.
I began my career as a prosecutor handling a wide range of crimes, but I have spent nearly a decade focusing on cyber issues – including as the National Coordinator of the Justice Department’s Computer Hacking and Intellectual Property, or “CHIP,” program.
Then, I had the honor of joining FBI Director Mueller as he led a critical shift. Even back then, he understood just how significant cyber threats would soon become.
Soon after arriving I was asked to prepare a speech on the FBI’s role in tackling national security cyber threats. We saw this as an important opportunity to underscore how serious the national security cyber threat was—at a time when not many people were talking about it.
It was his first major FBI speech on the national security cyber threat. Much of what the Director said that day remains true today. We warned of the particular dangers lurking in the intersection between cyber and terrorism.
But we also emphasized that terrorists are not the only ones seeking to harm us online—there are other dangerous actors out there, including nation-states. We pointed to the growing use of botnets as a way to attack networks, infect computers, and inject spyware.
We talked about the dangers of cyber espionage, including economic espionage. And we explained that the FBI was mobilizing to address these threats by collaborating with partners across the Federal Government and in the private sector.
That speech, a significant moment in the FBI’s cyber history, was delivered just a few hours east of here, at Penn State. Not just because of the balmy November weather it’s known for. But rather, as explained then, because “[m]uch of our collaboration begins in Pittsburgh—at the FBI’s Cyber Fusion Center.”
The Director said to think of that fusion center as a hub, with spokes emanating out to federal agencies, software companies, Internet service providers, merchants, and members of the financial sector.
That model was right then and it is right now.
The fusion center, and Pittsburgh generally, is the center of so much of our cybersecurity collaboration, which is critical to our efforts to disrupt cyber threats.
That is why a key theme from our time near Pittsburgh nearly seven years ago was collaboration. Back then we talked about the cooperation underway as part of Operation Bot Roast.
Through that project, the Justice Department, the FBI, the CERT Coordination Center at Carnegie Mellon, and private companies were working to identify infected computers and shut down bot-herders.
Also on that trip, we visited the National Cyber-Forensics and Training Alliance, right here in Pittsburgh. Today I came full circle. Now I am delivering a speech about cyber in Pittsburgh. And I spent this morning with the current FBI Director, Jim Comey, visiting NCFTA again.
I could scarcely have guessed back in 2007 that by today the NCFTA would have aided in successful prosecutions of more than 300 cyber criminals worldwide. Or that it would be specifically called out by the recent 9/11 Commission Report, as “a promising example of the type of cross-sector collaboration that will be needed to combat this threat.”
Returning to Pittsburgh, I am struck by just how much progress we have made in seven short years. But there is more that must be done. Our recognition of the magnitude of the cyber threat has grown over that same time.
Director Comey recently said, as the torch was passed, that Director Mueller told him he believed cyber issues would come to dominate Director Comey’s tenure just as counterterrorism had dominated his. Director Comey has continued to express the FBI’s steadfast commitment to tackling cyber threats.
Just this morning as the FBI Director and I toured the NCFTA, he reiterated what he has said before, “John Dillinger couldn’t do a thousand robberies in the same day in all 50 states in his pajamas halfway around the world. That’s the challenge we now face with the Internet.”
So the threat is real, it is here, and it is not going away. But today, seven years later, our ability to detect, disrupt and deter has also improved.
Our most recent successes can be traced to the visionaries who predicted the threat years ago and laid the foundation to meet the challenge.
Take as just one example, another Pittsburgh story. A historic indictment that came right out of the Western District of Pennsylvania.
Earlier this summer, we announced unprecedented charges against five members of the Chinese military for computer hacking, economic espionage, and other offenses directed at six American victims in the U.S. nuclear power, metals and solar products industries.
What these charges allege is stealing from America’s heartland, literally and figuratively.
The charges allege that cyber thieves grabbed the hard work of companies right here in Pennsylvania. And they allege that the thieves targeted key American economic sectors, like metals and energy.
This is the true face of cyber economic espionage and of those it targets. This type of theft hurts American competitiveness by stealing what we work so hard for.
These charges against uniformed members of the Chinese military were the first of their kind. Some said they could not be brought. But this indictment alleges, with particularity, specific actions on specific days by specific actors to use their computers to steal valuable information from across our economy.
It alleges that while the men and women of our businesses spent their work-days innovating, creating, and developing strategies to compete in the global marketplace, these members of Unit 61398 spent their work days in Shanghai stealing the fruits of our labor.
It alleges that they stole information particularly beneficial to Chinese companies, and took communications that would provide competitors with key insight into the strategy and vulnerabilities of the victims.
We should not and will not stand idly by, tacitly giving permission to anyone to steal from us. We will hold accountable those who steal—no matter who they are, where they are, or whether they steal in person or through the Internet.
Because cyber crime affects us all, including those here in Pennsylvania who have suffered at the hands of cyber thieves.
While cases like the one brought here in Pittsburgh are extremely challenging, we proved that they are possible. The criminal justice system is a critical component of our nation’s cyber security strategy.
At the Justice Department, we follow the facts and evidence where they lead. Sometimes, the facts and evidence lead us to a lone hacker in the United States, or a sophisticated organized crime syndicate in Russia. And sometimes, they lead us to a uniformed member of the Chinese military.
Other times, as we recently saw, they may lead us to a foreign businessman alleged to have conspired to hack in and steal information from Boeing and other defense contractors.
Information that included more than six hundred thousand data files of sensitive information related to U.S. military aircraft and other defense matters.
And yet other times, they may lead to other types of criminals, like those investigated and prosecuted by DOJ’s Criminal Division for spyware, botnets, and similar conduct.
But, no matter where they lead, there can be no free passes because the stakes are too high. The list of threats out there is significant and it is expanding.
We have all seen the harms inflicted by state actors and criminals, and we have responded. But we know they are not the only ones interested in cyber activity.
Terrorists are also using cyberspace to further their goals. They are using it to communicate and plan. They are using it for propaganda and recruitment. And they are intent on getting to the point where they can conduct cyber attacks themselves.
That last category is a relatively new one. But we know that terrorists are looking to launch cyber attacks. They have that intent now.
Over the past few years, we have seen al-Qaeda issue calls for cyberattacks against networks such as the electric grid, comparing vulnerabilities in the United States’ critical cyber networks to the vulnerabilities in the country’s aviation system before 9/11.
If successful, terrorists could use cyber attacks to bring about economic or physical damage, or even, in extreme cases, serious injury or death.
These are serious threats. To disrupt them, we take an all-tools approach, deeply rooted in our Division’s history.
While the Pittsburgh case was the first of its kind in some ways, these were not the first charges we have brought against individuals who steal from Americans to benefit state-owned enterprises.
As just one example, in March, we successfully obtained a significant conviction against Walter Liew for economic espionage.
What Liew stole was something Americans see and use daily. Something that does not have a national security implication. Something that simply brings a profit.
Liew stole the formula for the color white from DuPont and passed it to a large Chinese state-owned company. Just this month, he was brought to justice -- sentenced to 180 months’ incarceration and ordered to pay restitution of about half a million dollars.
Our success in the cyber arena builds upon a solid foundation. But its roots go back even farther, and extend well beyond the economic espionage context.
NSD was created in response to the grave threat of terrorism.
After the devastating attacks of September 11, it became clear that the Justice Department needed to reorganize to tackle terrorism and national security threats more effectively.
We needed a single Division to integrate the work of prosecutors and law enforcement officials with intelligence attorneys and the Intelligence Community.
So, in 2006, Congress created the Department’s first new litigating division in almost half a century: NSD.
NSD works closely with partners throughout the government to ensure we leverage all available tools to combat the terrorism threat. And we’ve proven, in that context, that the criminal justice system is a vital part of our nation’s counterterrorism strategy.
Just this spring, Abu Hamza al-Masri was convicted by a jury in New York on eleven counts. He was involved in an attack in Yemen in December 1998 that resulted in the deaths of four hostages.
And he provided material support to terrorists, including al Qaeda and the Taliban.
In March, Sulaiman Abu Ghaith was convicted of conspiring to kill Americans and other terrorism charges. Abu Ghaith was the son-in-law of Usama bin Laden and a senior member of al Qaeda. He was the face and voice of al Qaeda in the days and weeks after the 9/11 attacks.
In both of these cases, it took more than a decade; but, as a result of our integrated approach to combating terrorism, we brought these men to justice.
These cases are the two most recent in a long line of successful terrorism prosecutions.
At NSD, we took the lessons we learned from counterterrorism and applied them to our work on national security cyber threats. In the face of escalating threats, we recognized the need to reorganize. To integrate.
When I was chief of staff for Director Mueller, the FBI undertook a transformation to meet the growing cyber threat—a transformation built around the type of collaboration, coordination, and cooperation that the Director discussed in his speech right here in Pennsylvania. In 2011, NSD did the same.
In late fall of 2011, ten years after 9/11, we established a review group to evaluate NSD’s existing work on national security threats and chart out a plan for the future.
Six months later, that team issued recommendations that shaped what NSD’s national security cyber program looks like today.
Most significantly, in 2012, we created and trained the National Security Cyber Specialists’ Network to focus on combating cyber threats to the national security.
This Network—known as NSCS—includes prosecutors from every U.S. Attorney’s Office around the country, along with experts from the Department’s Computer Crime and Intellectual Property Section (or “CCIPS”) and attorneys from across all parts of NSD.
Adopting the successful counterterrorism model, we now have prosecutors nationwide routinely meeting with the FBI to review intelligence and investigative files.
The creation of the NSCS Network was motivated by a desire to increase the Department’s contribution to U.S. cybersecurity efforts through criminal investigation and prosecution.
By December 2012, we made public predictions that with the establishment of the NSCS—by empowering more than a hundred prosecutors in the field working with the FBI on these cases—one would be brought.
And, in May, we made good on that promise. It is this new, integrated approach that made the Pittsburgh case possible.
As part of the creation of the NSCS, we brought prosecutors from around the country—Wisconsin, New York, and Georgia—to help NSD build this case.
We partnered with colleagues across the government, like U.S. Attorney David Hickton here in the Western District of Pennsylvania, where entities were repeatedly hit. And we worked with offices across the FBI—from California, to Oregon, to Oklahoma, and back in D.C.
Our team thought creatively. They worked collaboratively. They explored all available options for stopping this activity.
That’s how we were able to indict five members of the Third Department of the People’s Liberation Army. And now these men stand accused of cyber intrusions targeting a range of U.S. industries.
But we recognize that charges are just one tool – albeit a very effective one – in our toolbox. We are committed to working with our colleagues throughout the government to ensure we bring all tools to bear to disrupt cyber threats – both criminal and national security.
A great example is yet another Pittsburgh story. Back in June, our colleagues in the Criminal Division, the Western District of Pennsylvania, and the Bureau undertook an operation that disrupted the GameOver Zeus botnet.
This criminal threat was significant – losses attributable to the botnet were estimated to be more than $100 million. But disruption involved more than just criminal charges – it also involved civil court orders, significant information sharing, and seizures of servers in many foreign countries.
This is just one example. In the national security context, we look to the viability of sanctions, designations, diplomatic options, and other enforcement mechanisms. Through collaboration and creative thinking, our toolset continues to grow.
But we at NSD recognize that stopping attacks before they ever take place is the ultimate goal. That we will succeed when there are no more criminal charges to bring.
To that end, we also worked hard to improve cyber defenses, both in Government and with the private sector. We’ve emphasized precisely the type of collaboration that Director Mueller discussed here in Pennsylvania seven years ago.
Through the FBI’s InfraGard, the FBI works closely with companies that have been the victims of hackers.
That program, which has grown to more than 25,000 active members, continues to bring together individuals in law enforcement, government, the private sector, and academia to talk about how to protect our critical infrastructure.
Likewise, the Department of Homeland Security, the Department of Energy, and other departments and agencies routinely work closely with companies to protect critical infrastructure.
We at the Justice Department heard from such companies. And we are taking steps to respond to the concerns of the private sector.
In April, we teamed up with the Federal Trade Commission to issue a policy statement making it clear that antitrust law is not and should not be a bar to legitimate cyber security information sharing.
And in May, the Justice Department issued a white paper, which clarifies that the Stored Communications Act doesn’t ordinarily restrict network operators from sharing certain data with the Government to guard information.
This guidance will help the private sector collaborate more freely to protect itself.
All of this is just a start. Going forward, we need legislation to facilitate greater information sharing between the private sector and the government.
In conclusion, we’ve come a long way in seven years.
In Pennsylvania seven years ago, we warned that “[c]yber criminals and terrorists seek to harm our economy, our infrastructure, and our way of life.” That was true then; and it’s even more true now.
We noted that “[o]ur capabilities are strong, but they rely on key partnerships with other federal agencies, law enforcement, private industry, academia, and citizens alike.” That was true then; and it’s even more true now.
Finally, the Director of the FBI issued an imperative: “we must continue to work closely with all of you—members of the privacy sector and the academic community.”
I’m here today with a new FBI Director to reaffirm that call. Because it was true then; and, as the 9/11 Commission’s recent report makes clear, it’s even more true now.
Through charges like the ones announced in the Pittsburgh case, we at the Justice Department continue to protect Americans from being victimized through cyberspace as they were here in Pittsburgh. We need your support. Talk with us; share with us; work with us. Build trust.
Together, we can ensure that, here in America’s heartland and throughout this country, the hard work of Americans doesn’t fall prey to cyber criminals. Together, we can stay connected, and also stay safe.
Thank you for your attention. I look forward to your questions.