Remarks Prepared for Delivery By Deputy Attorney General Mark R. Filip at the International Conference on Cyber Security
Thank you very much.
Wednesday, January 7, 2009
Before I get into any issues concerning cyber security, please let me address two important initial matters. First, let me please begin by offering special thanks to the conference organizers, Fordham and the Federal Bureau of Investigation. I was originally scheduled to speak tomorrow, but last minute schedule changes in Washington beyond my control forced me to come a day early. Thanks for your patience in working with my schedule. I know it wasn’t easy.
Second, let me please begin by acknowledging the many brave members of the law enforcement community - most notably from the FBI but also from state and local law enforcement, and also from the law enforcement agencies of some of our foreign allies - who are here today. One of the most humbling parts about having the opportunity to serve as Deputy Attorney General is the fact that I get the privilege of entering the FBI headquarters in Washington, D.C., every morning, where I go with some of my colleagues for the national security threat briefing. I did not grow up in a family of lawyers, but there certainly were law enforcement people, and I must tell you that I get a little lump in my throat every morning when I have the honor of entering the FBI headquarters for work. Very few people - certainly almost no lawyers or prosecutors - put their lives on the line on a regular basis to make our neighborhoods, and our nation, and our world a safer place. Our law enforcement people do. We owe them a tremendous debt of gratitude. On behalf of the 110,000 men and women of the Justice Department, please know how much we appreciate what you do.
Moving on to the general topic of cyber security and cyber threats, let me please begin by acknowledging that many, perhaps most of you, are far more expert on the technological issues and engineering issues than I am as a law enforcement official at the Department of Justice. In this regard, I must confess at the outset that I feel a bit like a student who is called to give a lecture to a group of distinguished professors on some extremely complicated topic. So, I do not intend to pretend to be well-positioned to share any great technical expertise previously unknown to you. What I do hope to share, however, is one view from an official in the executive branch about the high priority the Department of Justice places on cyber security, about the challenges the U.S. government faces in this area, and about the crucial importance of cooperation with allies and with private industry around the world.
Cyber related issues are present among all of the critical subject matters areas we address at the Department of Justice. In the 21st century, terrorism, traditional espionage, economic espionage, organized crime, child exploitation and old-fashioned fraud all present their own cyber related concerns. In my experience, almost all of the issues implicate three broad challenges for the Justice Department, and often for the Executive Branch and federal government as a whole.
First, cyber cuts across national boundaries. You know better than I that the infrastructure of the Internet is largely blind to national boundaries and the speed with which communications occur today allows for websites owned by people in Europe to be controlled from a location in Asia and to be actually housed in California. Today this seems like a commonplace observation, but until recently in the United States, and indeed, to this day, some of our most important laws had not caught up with this reality. In many ways, the cross cutting nature of cyber technology is what the FISA reform effort was really about. A bipartisan group changed the FISA law to adjust our surveillance rules to the changing communications technology of the 21st century. This dynamic will continue to present operational challenges going forward – to try to reform the law on an organic basis to address new realities created by technological advances and new business practices and activities based on them.
Second, cyber cuts across bureaucratic boundaries. We in the Executive Branch are relatively comfortable with the geographic boundaries and resulting divisions of labor associated with “ordinary” law enforcement, intelligence, and military operations. By law and Executive Order, the FBI has a unique role to conduct to counterterrorism and counterintelligence work within the United States. The State Department, the U.S. Military, and the intelligence community play specific roles around the globe and in war zones.
But cyber transcends these neat bureaucratic boundaries just as it transcends national boundaries. Spies and criminals from abroad can use the infrastructure of the Internet to steal information from locations in the United States without ever coming close to our shores. Their acts are a problem, to be sure, for the FBI, but also creates related challenges for the Intelligence Community and our foreign partners, and for a military worried about our cyber vulnerabilities.
Third, cyber implicates public and private networks on a simultaneous and often integrated basis. This is an obvious point with profound implications for the challenges facing our country. Physical government facilities can change their security posture with relative ease to keep out bad actors and dangerous people. We can try to harden the borders, with more or less success if not perfection, and we can arrest more criminals by hiring or redeploying more law enforcement agents and prosecutors.
For the most part, the government can do these things on its own terms and more or less unilaterally. But cyber operations and cyber security are different. The cyber infrastructure of the U.S. government is closely linked to the national cyber infrastructure that we all know and use. And that infrastructure is largely made up of privately owned networks. Moreover, our economic security is quickly becoming linked to our ability to protect information in cyberspace. Even if the government wanted to devise cyber security policies without private input, these policies would have limited reach, and would not reach many of the most critical potential vulnerabilities in the United States. For instance, electrical grids depend on cyber components to function, and the banking system and Wall Street rely on computers and Internet-based transactions. The crown jewels of our technology and intellectual property rights - held in corporations and research universities - are similarly affected by such vulnerabilities. These and many more like examples make clear that we cannot have a rational national cyber security policy without thinking long and hard about how to protect private networks.
These challenges of international boundaries, bureaucratic line drawing, and public/private partnerships are not going away any time soon. They are the sorts of difficulties that sometimes bring what otherwise is real progress and forward movement to a screeching halt in the government. But they are also the sorts of challenges that can be overcome either by creating new institutions or by subjecting them to sustained senior level attention within the Executive Branch. In the past few years we’ve done both. I’m sure these efforts were not perfect on the first cut, but that’s ok. The world, hopefully at least, is marked by cycles of progress and not deterioration, and we welcome the future efforts of our successors to improve the initial steps. For the past few years, though, please know that cyber has gotten a lot of attention among the senior ranks of the Department of Justice and the rest of the Executive Branch. And we’re trying to build new institutions or change relevant laws to put our country on a better cyber footing.
Of course, it is important not to get carried away in describing the quote-unquote “new world” the Internet has created. People often talk about cyberspace as though it’s a unique situation wholly separate from all that we’ve known before. In some sense, of course, the internet is new and different, and it presents many new and difficult challenges. But it is also important to remember that our national laws are not written as though cyberspace is a unique world. Rather, our laws closely track geography and put limits on government and private action where data is resident in locations within this country. Indeed, I don’t know of any nation that as a matter of law or policy treats cyberspace as a stateless realm analogous to outer space.
Today, as always, governments everywhere attempt to control what happens within their borders. Even though the Internet does not exist within geographic borders, Internet Service Providers and people do. As a result, as long as governments can exert control over what happens within their physical borders, they can attempt to positively control, at least to some extent, or at least fundamentally affect, what happens on the Internet.
In some areas, and I would argue in positive respects, we have had some success at keeping the Internet from becoming a lawless frontier. Consider traditional cyber crime – the fraud schemes and individual hacking that we all know well. The U.S. and partners abroad and private industry have made substantial progress at battling cyber crime despite the challenges that cyber operations and investigations present. For example:
In short, we as a collective team have taken significant steps to deal with traditional criminal activity that occurs through cyberspace, and we have put institutions in place to help assist cyber investigations and prosecutions. But even “traditional” cybercrime presents unique challenges that we must constantly work to overcome.
- The Department of Justice chairs the G-8 High Tech Crime Group, which now includes over 50 countries. The group is designed to facilitate parallel criminal investigations with law enforcement agencies abroad and allow for quick cooperation on emerging and exigent cyber crime matters.
- The United States ratified the International Convention on Cybercrime. The Convention provides a basic framework for substantive and procedural laws to allow greater cooperation among nations in the investigation and prosecution of cybercrime, and sets minimum levels for substantive cyber laws, procedural laws, and standards of cooperation with other nations.
- The Department of Justice, in cooperation with other government agencies, helps train foreign police, prosecutors, and judges on investigating and prosecuting cybercrime and the importance of obtaining and preserving electronic evidence.
- Finally, the FBI has created InfraGard, a partnership between the government and private industry that encourages information sharing to better protect America’s physical and electronic infrastructure, including banks, water and food supplies, and transportation and communications networks. InfraGard, as many of you know, includes federal, state, and local law enforcement; military officials; business executives; entrepreneurs; and academics. FBI agents are able to provide threat alerts and warnings, investigative updates, and other information, and private sector partners share expertise and information that helps law enforcement track down criminals and terrorists.
One area of great concern is the threat from international organized criminal organizations. These groups are constantly evolving, and they have grown far beyond the original and familiar threat posed by groups such as La Cosa Nostra, as ominous and dangerous as La Cosa Nostra was and is. The new face of international organized crime is increasingly sophisticated, and many of these groups have global reach. International cooperation is essential to defeating this threat.
Recently, we at the Justice Department and FBI worked successfully with our colleagues in Romania, some of whom are here today, to address cybercrime targeting both Romania and the United States. In May of last year, I was privileged to join the Prosecutor General of Romania in announcing the indictment of 38 people who were part of an international cybercrime ring, which was based primarily in Los Angeles and Bucharest, but also had tentacles extending throughout the world, including to Viet Nam and the Middle East.
These individuals carried out a “phishing” scheme that lured innocent people into disclosing personal information over the Internet, and then used that information to defraud thousands of victims of substantial millions of dollars. As a result of extremely close cooperation with Romanian authorities, nine people were arrested in the United States, and police in Romania conducted several searches yielding crucial evidence. This case has already resulted in several guilty pleas and the promise of several more.
This example demonstrates a couple of the challenges I noted earlier about the threats we face. First, many traditional organized crime figures, who in the past committed crimes such as extortion and drug smuggling, are now setting up shop online. These figures are less constrained by national borders or geographical location, but instead use the global reach and seeming anonymity of the Internet to carry out their schemes. And rather than employing foot soldiers to rob and intimidate, they recruit young hackers to elude authorities by leaving no trace of their crimes. The challenges these groups present are not just new – they are far more daunting that those posed by traditional crime, which in general was more limited in its sophistication and geographic reach.
The second point is that we cannot combat these new threats without close international cooperation. Even the relatively less sophisticated “phishing” schemes such as the one I described was uncovered only after careful coordination between U.S. and Romanian authorities. More sophisticated schemes, and those that pose even larger threats to business and government infrastructure, or to financial systems, including perhaps those attacks sponsored by very sophisticated and powerful nations or other entities, will require even greater cooperation to defeat.
The Romania prosecution is a good example of our ability to deal with cyber criminal activity cutting across national boundaries. But we face other threats too and other challenges that highlight the unique hurdles that cyber issues present. Consider the threat of terrorism and the Internet. Here, cyber is something of a microcosm of larger counterterrorism challenges. Terrorists hide among open societies and use the freedom of movement that we all cherish as a shield to their plots. Cyberspace provides terrorists and groups with anonymous communications platforms to raise money, post propaganda, recruit jihadists, and plan and train for attacks throughout the globe. A terrorist in Europe can use the Internet to radicalize someone in our country from a website serviced in a different part of the world. Keeping up with terrorist plotting and terrorist trends wherever they occur is one of the great challenges of the U.S. government and is the highest priority of the Department of Justice.
Perhaps the most daunting cyber challenge we face is what I gather is the primary topic that you’re discussing at this conference this week: Identifying how best to secure our national cyber infrastructure writ large. I can’t tell you how strongly I believe, how much I’ve been convinced by my colleagues in the FBI, and the rest of the Executive Branch, that we must secure our cyber infrastructure in a manner that addresses threats from foreign armies, adversary intelligence services, criminals, and terrorists. It’s hard to exaggerate how important this is or how hard it is to accomplish fully.
We’ve made real progress in this area, but we all know there’s a lot to do. First, let me highlight some examples of progress.
The FBI has created a cyber fusion center in Pennsylvania to bring private parties and government investigators together to do the hard work of collaborating on cyber breaches and cyber threats.
The Department of Justice and others in the Executive Branch are heavily involved in supporting the President’s cyber security initiative to focus all Executive Branch resources on cyber vulnerabilities. I understand that you’ll be hearing from government officials who are close to these efforts. I won’t speak in detail to duplicate those briefings, but those efforts are among the most important efforts that will be made by our generation to protect the safety and prosperity of our nation for our children and grandchildren.
We’re focusing substantial energy on cooperating with other government agencies to address cyber espionage and cyber terrorism threats. We do this work at places like the Joint Terrorism Task Forces and the National Counterterrorism Center. When we succeed in this area, it is because we are able to clear the international hurdles and bureaucratic barriers that often stop us.
But we’re also still at early stages of these efforts and there are substantial challenges remaining. For example, I’m sure you have or will talk about Georgia and cyber attacks during this conference. Those events are a stark and probably simplistic example of the ways in which information operations can be used during a war. What is our strategy to deal with such threats?
In the coming years we’re going to face the same sort of adversaries we’ve been facing: spies, criminals, terrorists, and armies. But we’re now living in a world where technology moves much faster than the government typically moves, and where our adversaries are anxious to exploit every vulnerability that technological change can offer. Our response requires that the government be both nimble and effective at working in collaboration with the private sector. For now, I suspect our success will require very senior government officials to understand these threats and to commit agencies of government to overcome the hurdles that have in the past allowed inertia to slow our progress. I’m told that President Elect Obama has stated that he may create a senior post within the White House to coordinate cyber policy across the government. I don’t offer an opinion on the wisdom of that particular model but I do believe that this topic requires extreme vigilance and close attention from the Department of Justice and the entire Executive Branch.
Conferences such as this one help further this effort. We must not only improve U.S. government policy and institutions, but also encourage cooperation between foreign governments, and between governments and private industry. The challenges are difficult, but we cannot afford to fail.
Thank you to all of you for your leadership in this area, and thank you for having me here today.