Remarks of the Honorable David J. Hickton
United States Attorney for the Western District of Pennsylvania
At the 2012 Cybersecurity Conference
University of Pittsburgh
Thank you Chancellor Nordenberg for that kind and generous introduction and thank you and the University of Pittsburgh for partnering with us in hosting this important and landmark conference on cybersecurity.
I want to welcome all of you and especially our distinguished speakers and panelists. We have a substantive program with an outstanding lineup of experts and I think you will be informed and enjoy today’s program.
Permit me to offer you some context for today’s discussion from the perspective of Western Pennsylvania. We have been leaders in the fight to make our Nation safe from cyber crime. In 2008, we successfully prosecuted Max Butler, a/k/a “The Iceman” for what was then the largest computer crimes case totaling $86.4 million. He was sentenced to 13 years in prison and was ordered to pay $27.5 million in restitution, which were both records for prison time and restitution.
Through the National Computer Forensic Training Academy (NCFTA) and the Computer Security Incident Response Team, both imbedded here in Pittsburgh, we have in our jurisdiction two of the most critical assets in the arsenal to identify, investigate and destroy cyber threats of all types. These organizations have the brightest minds, the most innovative practices and the full support and commitment of the public and private sectors necessary to deal with this 21st Century threat. In addition, our partnership with the FBI and Secret Service, together with allied law enforcement through our Electronic Crimes and High Tech Crimes Task Forces, has positioned us in a state of readiness. More importantly, these task forces have proven successful in dismantling some of the most brazen and complicated schemes concocted by cyber criminals, who misuse the open access to the internet to commit the most sophisticated of crimes.
Yet, despite all of the preparedness and this record of successful leadership in this area, we, like the rest of the Country and the World, remain vulnerable to attack.
Last March and April, this University was the victim of a series of bomb threats, including a string of internet threats, which disrupted the important work of this community, and scared and terrorized students, faculty, parents and families, administrators, medical patients and the community at large. Just this month, PNC Bank was included in a string of coordinated cyber attacks which, according to the CEO, “pummeled” the financial institution causing major disruptions and expense. This week, two Barnes and Noble locations here, in Robinson Township and Homestead, were involved in a national skimming ring where PIN numbers and credit information were stolen.
The good news is that we are engaged in each of these cases and that we have the talent, resources and commitment to reduce the threats and find, charge and punish the criminals.
As reported, in the matter of the threats against the University, we have identified and charged the person we believe is the perpetrator. He is under indictment and in custody and we are working with overseas partners to attempt to bring him to justice here. Separate but related cyber criminals who used the "Anonymous" moniker to threaten and extort this University have been charged and have pled guilty.
We were able to offer resources and work with PNC and other victims of the coordinated attacks on the financial institutions to attempt to reduce and mitigate the effect of the intrusions.
And, we are working with our partners in the Department of Justice to deal with the crimes involving Barnes and Noble.
The public needs to understand that these cyber threats are ubiquitous—each day we are working on this evolving problem. We have many open investigations and we are doing as much to prevent these crimes as we are to prosecute them. We need greater public awareness because we need to summon an “all hands on deck” approach to meet this threat. Here in Pittsburgh, like the rest of the Country, the free and open environment which is the signature of our great democracy can be exploited by heartless criminals. The rapid move towards cyber communications has enhanced this threat.
In educating the public, balancing must be done. We need to alert but not scare. We need to warn but offer hope. We need to be frank but not exaggerate. We need to offer the firm and accurate realism of the scope and dimensions of the threat balanced by a candid and thorough discussion of the elements and challenges presented in our response.
For example, given the complexities and multi-national aspects of the crime, we solved the Pitt bomb threats very fast. It was a fantastic investigation; total cooperation of all interested parties here and overseas and total dedication evidenced by many sleepless nights by the boots on the ground. Yet some were under the mis-impression that the investigation was not rapid enough. Some believed incorrectly that we in the government have the power to intercept communications, disable servers and send internet bombs back at cyber criminals. While this makes for good movies and TV, it is simply untrue. A balance of good investigative work together with the protection of civil liberties requires we follow the same processes and afford the same protection as exist with any other crime and the Attorney General and the US Attorney community will accept no less. We can meet this threat without abandoning our core principles.
We need to do a better job in educating our fellow citizens because an educated citizenry leads to safer communities. The resources are there to do this and our national leaders have been speaking about this. Secretary Panetta for months has been calling for increased vigilance to protect our markets and infrastructure from “the next Pearl Harbor”. This warning has been accompanied with a public and private effort to better protect our assets. There has been a very public debate about legislation called the Cybersecurity Bill which will inform the public awareness no matter where the legislative process goes. And U.S. Attorneys across the Country have been convening these conferences and speaking publicly about this issue. I have often referred to the public comments of FBI Director Robert Mueller in my own outreach as the best summary of the problem.
Our challenge is this: we face a fluid, evolving multi-dimensional cyber threat. The internet is used to exploit our children by child predators; it is used by human traffickers; it is used by nation-states to disrupt our infrastructure and disable our economy; it is used by criminals to steal from our citizens; it is used by hackers for social causes or attention; and, through social media, it is even used by the narco-gun-gangs to perpetuate lawless community violence. And, of course, it is being used by terrorists, including those who disrupt our Universities.
Our response to this threat is coordinated across federal, state, local and international partners. Cyber crime does not confine itself to jurisdictional boundaries. Our efforts have engaged the private sector in an unprecedented way. We need cooperation of victims, including corporate and institutional victims, to report and help us investigate these crimes. Some are reluctant to admit that they have been hacked or that their systems have been compromised but this cooperation has improved by bringing awareness to the problem and by businesses abandoning the practice of accepting computer intrusions and theft as a cost of business.
You will hear later from Adam Hickey who is with the National Security Division of the Department of Justice and he will outline the dimensions of the problem from his perspective. We are partners in our work together because the President and the Attorney General have recognized that in the rapidly evolving dimensions of the threats we face especially in the areas of terror and cybersecurity, a centralized effort limited to Washington, DC and a few larger districts leaves us exposed and vulnerable. In my earliest interactions and discussions with Eric Holder and Bob Mueller when I was appointed almost 3 years ago, I was encouraged to treat the national security and cyber threat as a top priority and we have done so. In reorganizing our office, we created a dedicated National Security and Cyber Group and I meet with this group each Monday at 9AM. We treat our responsibilities expansively, we do outreach to community stakeholders and we have had measurable success in helping make this community safe.
President Obama has declared this month to be National Cybersecurity Awareness Month so our gathering is timely. The President in his proclamation noted,
"Cybersecurity cannot be guaranteed by government, industry or law enforcement alone. Each of us has an important role to play in reducing cyber threats and increasing our resilience to cyber incidents."
As I said at the time of the indictment of the Pitt bomb case, the University of Pittsburgh met this challenge with honors. We could not have solved the puzzle with the help of the University, and the resilience of the community was a source of strength.
The challenges going forward are huge. The dynamic technological leap which is occurring in real time requires those of us in law enforcement to be as nimble as the criminal element. The difference is that they need only succeed once and we need to strive to be perfect. It is a huge burden; we take our responsibilities in this arena very seriously and personally. When a heartless opportunistic person or group tests our vulnerabilities and exploits our freedom, we must and will, with your help, bring them to justice. This is our mandate; this is our charge and, this is our solemn responsibility.