Deputy Assistant Attorney General Adam Hickey of the National Security Division Delivers Remarks at CyberNext DC
Washington, DC ~ Thursday, October 4, 2018
Remarks as Prepared for Delivery
Thank you, to the Cybersecurity Coalition and the Cyber Threat Alliance, for the invitation to speak at CyberNext DC.
When I was preparing my remarks, I noticed that the theme of the conference is “Privacy, Partnerships, Protection.” That’s a helpful framework for my remarks today, because I want to talk about all three of those.
I will start with protection, which is at the core of law enforcement’s mission. Investigating crimes, building cases, and holding individuals, entities, and even nations accountable is a large part of how the Justice Department protects the public and contributes to cybersecurity.
It is fairly straightforward why: criminal prosecution is a means of reinforcing the difference between right and wrong, between acceptable state behavior, on the one hand, and, on the other, that which violates accepted norms of conduct on the Internet.
And imposing consequences, whether through imprisonment, fines or sanctions, or other tools, is a way of deterring malicious conduct, by raising its costs (personal, reputational, financial, and otherwise). As the First Pillar of the Administration’s recent National Cyber Strategy puts it, “Law enforcement actions to combat criminal cyber activity serve as an instrument of national power by, among other things, deterring those activities.”
The last year has seen significant prosecutions of foreign hackers, including those acting on behalf of foreign governments, for computer intrusions and attacks. It is worth recounting some of them, for what they show about the Department’s priorities and the lengths we will go in doing our part to enforce the law and protect the public.
In October 2017, the Department announced charges against three Chinese nationals and residents who worked for a purported Internet security firm known as Guangzhou Bo Yu Information Technology Company Limited (a/k/a “Boyusec”).
The defendants are accused of computer hacking and trade secret theft between December 2015 and March 2016. Among other things, the indictment alleges they stole a prominent economist’s e-mail messages and trade secrets related to global navigation technology that “had no military application,” but was marketed to construction, land survey, and agricultural sectors.
Now, the Indictment does not allege action by the Chinese state. But what made the defendants’ alleged trade secret theft notable (besides the fact that they worked for a firm that marketed its cybersecurity services), was that it continued after China committed in September 2015 (1) not to steal trade secrets or confidential business information “with the intent of providing competitive advantages” to its own companies, and (2) to cooperate with requests to investigate cybercrimes emanating from its territory, which this did.
The September 2015 commitment ushered in broad, public acceptance of a norm against computer espionage for economic benefit (soon accepted by all of the other members of the G-20). And it was incumbent on the U.S. government to hold China to the commitments it made.
As we previously revealed, the Boyusec indictment was returned under seal, while we sought China’s assistance in investigating and putting a stop to Boyusec’s activities. When we received “no meaningful response” to those requests, there was no longer a basis to keep the charges sealed, and we made them public.
Thereafter, the U.S. Trade Representative cited the Boyusec indictment in its March 2018 study of China’s trade practices under Section 301 of the Trade Act of 1974, which concluded that a combination of China’s practices are unreasonable, including its outbound investment policies and sponsorship of unauthorized computer intrusions.
In this way, you can draw a direct line from the DOJ’s indictment of China’s military officers in 2014, through China’s commitments in 2015, to our monitoring for compliance with those commitments, and this Administration’s response to China’s economic aggression, which includes state-sponsored theft of intellectual property.
In March of 2018, the Department announced charges against nine Iranian nationals associated with the Mabna Institute in Iran for a massive coordinated hacking campaign that targeted intellectual property and other research at more than 300 colleges and universities around the world.
The very purpose of the Mabna Institute, according to the indictment, was to assist Iranian universities and scientific and research organizations in obtaining access to scientific resources outside Iran. It contracted with the Iranian government (including the Islamic Revolutionary Guard Corps) as well as private organizations, and it sold some of the stolen data on websites marketed to Iranian customers.
The indictment alleges the campaign was executed in three phases:
- First, the defendants researched which university professors were doing work of interest to the Iranians. The defendants targeted data across all fields of research and academic disciplines, including science and technology, engineering, medicine, and the social sciences.
- Next, they e-mailed the authors, feigning interest in their work, and tricking them into clicking on malicious links, and stealing their credentials.
- Finally, they used those credentials to steal academic journals, theses, dissertations, and books they would not otherwise have access to.
Over the course of four years, the Mabna Institute and these nine individuals are accused of stealing more than 31 terabytes of academic data, intellectual property, and communications. That amounts to 7.75 trillion sheets of paper. (And that’s printing double-sided.) U.S. universities had collectively spent $3.4 billion to have access to that intellectual property.
The charges themselves virtually guarantee the defendants cannot leave Iran without arrest. And on the day they were announced, the Department of the Treasury, leveraging our investigation, sanctioned the Mabna Institute and the defendants “for engaging in malicious cyber-enabled activities related to the significant misappropriation of economic resources or personal identifiers for private financial gain,” under a provision of Executive Order 13694 (2015).
In September, the Department unsealed a massive complaint, outlining some of the government’s proof behind its prior, higher-level attribution that North Korea launched a destructive malware attack against Sony Pictures Entertainment in 2014, stole $81 million from the Bank of Bangladesh in 2016 (and attempted to steal at least $1 billion from other banks), and created the malware used in the WannaCry 2.0 global ransomware attack last year.
The complaint lays out more than 170 pages of evidence that a single conspiracy, backed by the North Korean government, was responsible for those crimes among others, and it identifies one of the men who was a member of that conspiracy.
As the complaint makes clear, however, the U.S. government was not alone in this investigation. The complaint cites security researchers whose expertise and dogged pursuit of the threat were critical to the allegations of the complaint. Our investigative efforts not only validated theirs, they yielded specific information that expanded the security community’s understanding of the Lazarus Group (a popular name for the intrusion set) and how best to protect against it.
USADA, et al.
Finally, this brings me to this morning’s announcement of an indictment in Pittsburgh (where the first public national security cyber case was unsealed in 2014).
A grand jury there has indicted seven Russian GRU officers for an international hacking conspiracy targeting international anti-doping organizations, among others.
Among the conspiracy’s goals: to publicize stolen information as part of an influence and disinformation campaign designed to undermine, retaliate against, and otherwise delegitimize those organizations, which had publicly exposed Russia’s state-sponsored athlete doping program; and to damage the reputations of athletes around the world by falsely claiming that such athletes were using banned or performance-enhancing drugs.
The indictment also alleges how, when the efforts to obtain remote access failed to achieve their objectives, the GRU sent several of the defendants to locations where their targets were physically located. Then, using specialized equipment, those close access teams hacked the WiFi networks used by the victim organizations or their personnel (like hotel networks where they were staying).
There are some who question this approach, of criminally investigating and charging hackers sponsored by foreign states, often because we have not yet arrested the defendants I have described above.
It is probably easy to forget that, until relatively recently, such charges were unheard of, because for a long time, we viewed the problem of foreign state-sponsored hacking through the lens of intelligence collection alone, without regard to disruption and deterrence (which are our objectives in confronting terrorism, espionage, and other challenging national security threats).
But imagine a world in which there are no criminal charges, no detailed, formal allegation of wrongdoing (which the government is prepared to stand behind in court). The private sector would be left alone to accuse the guilty, without recourse. What message does that send to a foreign hacker?
Certainly not the same message we have sent to Karim Baratov, the 23-year-old hacker who worked with FSB officers to hack into e-mail accounts around the world, who was recently sentenced to five years’ imprisonment after being arrested in Canada and waiving extradition. Or to Ardit Ferizi, the Kosovar who was arrested in Malaysia, pled guilty here, and was sentenced to 20 years in prison for giving ISIS the PII of 1,300 military and government personnel, which he stole from the network of a U.S. retailer. Or to countless other hackers arrested on purely criminal charges, who thought they were safe from the consequences of their actions because they operated under regimes that ignored (if not sponsored) their crimes.
And even in the cases above (where we have yet to apprehend a defendant), the charges were never the end of the story: whether it is trade remedies, sanctions, contributions to network defense, or diplomatic efforts to rally likeminded nations to confront an adversary together, all of those charges served a greater purpose.
So often, privacy is spoken about as if it is a value opposed to law enforcement. But each of the cases I described vindicates the right to privacy, whether it is the right of a company to control who has access to its trade secrets, the right of professors to prevent their hard-earned research from being stolen, preempted, and plagiarized, or the expectation of privacy we have in our e-mail communications or our medical records.
Privacy isn’t dead, but it is under attack, and much of what we are doing through law enforcement honors the privacy of innocent persons, by investigating those who would breach it. As the Sony case as well as the GRU cases illustrate, data breaches are not just trees that fall in forests when no one else is around; their consequences are often painfully visible to their victims (and the rest of the world).
But leaving aside these examples of doxing, I want to shift gears for a moment, to talk about the Department of Justice’s changing approach to personal privacy, and why the privacy of your personal information can be a matter of national security.
This portion of my remarks comes from a different vantage point, from my experience with the Committee on Foreign Investment in the United States (or CFIUS), where I represent the Department.
Now CFIUS, for those of you who are not familiar, is a committee of federal departments that reviews foreign acquisitions of U.S. businesses for national security risk. When it finds risks that cannot be mitigated, it recommends actions to the President, who has the authority to prohibit a transaction.
CFIUS does not review the vast majority of foreign investments in the United States. Even among those transactions we do review, we usually conclude that there are no unresolved national security concerns.
A classic example of the risk CFIUS examines arises when the target of an acquisition is in close proximity to a DOD facility. But an increasing focus of DOJ’s work on the committee relates to data security, to the potential national security consequences of personal information ending up in the wrong hands. The kind of information I am talking about is collected every day, from thousands or even millions of consumers. Transaction information, PII, health information, even smartphone habits.
Now you might ask why the security of that kind of consumer data would be relevant to CFIUS, whose mission is to protect national security. And ten years ago, or so, such information did not seem like it would be. But a few things have changed.
First, the volume and variety of data has increased exponentially. Information that was not previously stored in a digital form now is. And the rate at which data are being created, the velocity of data growth, is increasing.
Consider the increasing connectedness of physical devices and sensors, often referred to as the Internet of Things. Everything from medical devices, such as pacemakers, to fitness trackers, to the control systems that deliver water and power to our businesses and homes. One estimate predicts the number of Internet-connected devices will reach more than 20 billion by 2020. These Internet-connected devices have increased the volume, variety, and velocity of information.
Take cars, for example. Not long ago, a car was essentially a mechanical device, an engine with seats that moved you from point A to point B. Whatever limited electronic components it had were self-contained.
Today’s cars, by contrast, contain communication devices, sensors, GPS navigation, and other computers with a variety of functions. They allow drivers to check fuel levels and tire pressure on their cell phones, track a stolen vehicle over the Internet, call for help from the car in an emergency, and access the same entertainment they’re used to enjoying in their home.
Another example: the universe of health information is rapidly expanding. More people are taking advantage of DNA testing to learn about their health, longevity, paternity, and ancestry. According to one 2017 report, the market for testing has become an $830 million industry. Meanwhile, our smartphones and watches are accruing ever more precise information about our health and habits.
New forms and pools of data merely add to what has been collected for years, and it remains possible for a determined adversary to steal it, given enough time and resources.
A second insight we have developed is that information that seems unimportant, or purely personal, or irrelevant, can, in fact, be used to threaten national security.
In January, a 20-year-old Australian student discovered that open source maps of where Fitbit and other fitness device users frequently go could be used to identify military facilities in remote areas. As the Washington Post put it, “In war zones and deserts in countries such as Iraq and Syria, the heat map becomes almost entirely dark — except for scattered pinpricks of activity. Zooming in on those areas brings into focus the locations and outlines of known U.S. military bases, as well as other unknown and potentially sensitive sites — presumably because American soldiers and other personnel are using fitness trackers as they move around.”
Some data might be valuable, in and of themselves, like a military secret or the admin password to an industrial control system. But other data are valuable because they are part of what a hacker or other malicious actor needs to achieve their objective, to get to their target.
The information a modern car collects provides insight into the users’ network of contacts, entertainment preferences, driving habits, and locations visited on a regular basis.
In the aggregate, this information provides commercial and cultural insights that might have monetary or other use. But this information about the “pattern of life” of a company’s CEO or government official could also be used to target that individual.
By themselves, the music you favor, your children’s birthdates, your anniversary, and the addresses you’ve lived at—these are not national security secrets.
But with that information, a criminal hacker could answer password reset questions or use a password cracker to obtain control of your accounts. And even if it is a personal (as opposed to a professional) account, and I might not care about the last photo you posted from your vacation, masquerading as you online makes it that much easier to trick the people who know you into clicking on a link or otherwise compromising their network security.
Our third insight is this: the fact that most people in a data set might not be targets themselves (in fact, that only a few might be) provides little comfort. Anyone on any form of social media has learned that we are more connected than it seems. In 2016, Facebook reported that its American users were separated by fewer than 3.5 degrees of separation on average. Extrapolating what that means offline, anyone’s information can be useful more for what it tells us about her brother, the CISO at a major bank, or her aunt in the intelligence community.
Our concerns are exacerbated by the fact that traditional methods of de-identification of data (such as anonymization or encryption of content) may be defeated, by, for example, sensor and geolocation data, or by cross-referencing sanitized data sets against others.
Researchers from two studies several years ago reported that, with a sufficient pool of data, they could distinguish a unique user of a cellphone, or a credit card, based on just four geolocations or transactions, respectively, with at least 90 percent accuracy. I cannot vouch for the methodology of those studies, but they give me pause when I think about the potential that nefarious actors could have access to large pools of such data without legal process.
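The kind of result those studies report can be reproduced in miniature on synthetic data. The block below is an added example, not part of the remarks or of the studies they cite: it builds a constructed set of pseudonymous location traces (a grid of cells and an hour of day, clustered around each user's home cell), measures how often knowing k of a user's points singles that user out of the whole set, and then repeats the measurement after coarsening the published resolution, which is the usual anonymization lever. All users, points, grid sizes and factors are constructed values.

```python
"""Re-identification from a handful of location points, on constructed data.

Added example, not part of the remarks or of the studies they cite. It builds a
synthetic set of pseudonymous location traces and measures how often a user's
first k points single them out, then shows how coarsening the data (the usual
anonymization lever) changes that fraction.
"""
import random
from collections import defaultdict


def make_traces(n_users=500, points_per_user=10, grid=20, hours=24, seed=1):
    """Constructed dataset: pseudonym -> set of (cell_x, cell_y, hour) points.

    Each user gets a 'home' cell and visits cells near it, so traces cluster the
    way real mobility data does. Values are synthetic, not from any real study.
    """
    rng = random.Random(seed)
    traces = {}
    for uid in range(n_users):
        hx, hy = rng.randrange(grid), rng.randrange(grid)
        pts = set()
        while len(pts) < points_per_user:
            x = min(grid - 1, max(0, hx + rng.randint(-2, 2)))
            y = min(grid - 1, max(0, hy + rng.randint(-2, 2)))
            pts.add((x, y, rng.randrange(hours)))
        traces[f"user{uid:04d}"] = frozenset(pts)
    return traces


def unique_fraction(traces, k, space_factor=1, time_factor=1, seed=7):
    """Fraction of users whose k sampled points match no other user's trace.

    space_factor/time_factor coarsen the published resolution (e.g. 5 merges 5x5
    cells, 6 merges hours into 4-hour blocks). The same k fine points are chosen
    per user regardless of coarsening, so comparisons across settings are fair.
    """
    rng = random.Random(seed)

    def coarse(p):
        x, y, h = p
        return (x // space_factor, y // space_factor, h // time_factor)

    # Index: published (coarsened) point -> pseudonyms seen there.
    index = defaultdict(set)
    for uid, pts in traces.items():
        for p in pts:
            index[coarse(p)].add(uid)

    unique = 0
    for uid, pts in traces.items():
        order = sorted(pts)
        rng.shuffle(order)           # deterministic per user for a given seed
        candidates = None
        for p in order[:k]:          # the k points known about this user
            seen_here = index[coarse(p)]
            candidates = set(seen_here) if candidates is None else candidates & seen_here
        if candidates == {uid}:      # nobody else visited all k published points
            unique += 1
    return unique / len(traces)


def uniqueness_report(traces, ks=(1, 2, 3, 4)):
    """Uniqueness at each k, at full resolution and after coarsening."""
    return {
        "full": {k: unique_fraction(traces, k) for k in ks},
        "coarse": {k: unique_fraction(traces, k, space_factor=5, time_factor=6) for k in ks},
    }


if __name__ == "__main__":
    t = make_traces()
    for resolution, row in uniqueness_report(t).items():
        print(resolution, {k: f"{v:.2f}" for k, v in row.items()})
```

Running it shows uniqueness climbing quickly with k at full resolution and dropping once cells and hours are merged; the point for a data holder is that pseudonymizing the identifier column does nothing about the trace itself, and only reducing what is published changes the numbers.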
What does this mean for companies, and the way they should think about their data?
First, and most important, they should not assume that hackers are not interested in the data or that it cannot be used to threaten national security.
Second, cybersecurity policies and practices need to keep pace as businesses grow and deploy new technologies, such as biometric identification or artificial intelligence.
Third, joint ventures or other arrangements with foreign parties may provide network access or other elements of control over data. Businesses should consider the ways an aggressive foreign intelligence service could exploit that data, in light of other data it might have from other sources.
Fourth, and finally, report computer intrusions, because the breach you think is merely a private matter may in fact be a matter of national security.
This brings me to the final theme, partnerships. The cases we bring require true partnerships, between law enforcement and the victims who cooperate with us; between us and the intelligence community and other components of the government; and, increasingly, between our government and the governments of likeminded nations, whether in gathering and sharing information, validating our conclusions, extraditing defendants, or imposing other consequences.
But as much as I believe in the value of criminal prosecutions, we have always known that we will not prosecute our way to cybersecurity. The partnership that may be most critical to our future is among the professionals in and out of government who share common goals. Which is why one of the National Security Division’s greatest successes this year did not result in a criminal charge.
In May, agents of the FBI were tracking a virulent botnet infecting home and office routers around the world, attributed to the same group responsible for today’s indictment, known to some as “Fancy Bear.”
The botnet was growing at an alarming rate by that point, and private sector researchers studying it told us they felt an increasing urgency to publish what they knew, so that affected router manufacturers, ISPs, and others could take steps to protect the public before it was too late.
There was no easy technical solution to this pernicious malware. Its second stage (which could steal information and even brick the device) could be cleared from memory with a simple restart, but if a router were infected, complete mitigation could be virtually impossible, short of replacement, because the first stage of malware (the actors’ toe-hold in the system) would just call out for instructions to reinfect.
With no time to waste, in little more than a week (including late nights and a weekend), agents and prosecutors devised the best mitigation plan they could under the circumstances.
In a coordinated action,
- one company would shut down the accounts that would be the primary means of reinfection, if the second stage of the malware were purged;
- the FBI obtained an order, allowing it to seize control of a domain that was the secondary means of reinfection, and allowing it to record the IP addresses of routers that attempted to reinfect;
- finally, by partnering with the non-profit Shadowserver Foundation, FBI ensured that IPs of infected devices would be shared with those who could best assist their remediation, including foreign CERTs and ISPs.
Researchers drew attention to the botnet at the same time that the FBI executed the orders and blasted out a public service advisory to restart your router, purging the second stage of malware and causing the first stage to call out for instructions, now to the FBI’s server, so that help could be alerted. This was our best effort to identify and remediate the infection worldwide in the time available, before Fancy Bear actors learned of the vulnerabilities in the C2 infrastructure through the research firm’s imminent announcement.
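The remediation step above turns on one mechanical fact: once the reinfection domain resolves to a sinkhole, every first-stage callback reveals the address of a still-infected router, and the useful work is getting each address to whoever can reach that device's owner. The block below is an added example of that processing, not the FBI's or the Shadowserver Foundation's code: it parses a constructed sinkhole access log, drops crawlers and malformed lines, collapses repeated callbacks into one record per device, and groups the devices by a constructed prefix-to-partner table. The addresses are RFC 5737 documentation ranges, the callback path "/update" is a placeholder rather than the real malware's, and the partner names are hypothetical.

```python
"""Processing sinkhole hits for victim notification.

Added example, not the FBI's or the Shadowserver Foundation's code. Once a
reinfection domain points at a sinkhole, each first-stage callback reveals an
infected router's IP; this groups those IPs by the party best placed to
remediate them. Log lines, prefixes and partner names are constructed.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sinkhole access log (combined log format). The callback path
# "/update" is a placeholder, not the real malware's; the robots.txt request is
# a crawler, not a victim, and one junk line exercises the error path.
SINKHOLE_LOG = """\
198.51.100.23 - - [24/May/2018:03:14:07 +0000] "GET /update HTTP/1.1" 200 0 "-" "-"
203.0.113.77 - - [24/May/2018:03:15:11 +0000] "GET /update HTTP/1.1" 200 0 "-" "-"
192.0.2.5 - - [24/May/2018:03:16:42 +0000] "GET /robots.txt HTTP/1.1" 404 0 "-" "Mozilla/5.0"
198.51.100.23 - - [24/May/2018:04:14:09 +0000] "GET /update HTTP/1.1" 200 0 "-" "-"
not a log line
203.0.113.80 - - [24/May/2018:05:01:00 +0000] "GET /update HTTP/1.1" 200 0 "-" "-"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed routing table: prefix -> partner who can reach the device owners.
# In practice this comes from WHOIS/BGP data; the names here are hypothetical.
PARTNER_PREFIXES = {
    ipaddress.ip_network("198.51.100.0/24"): "cert-example-a",
    ipaddress.ip_network("203.0.113.0/24"): "isp-example-b",
}


def parse_hits(log_text, callback_path="/update"):
    """Return (ip, timestamp) for each request to the callback path.

    Malformed lines, invalid addresses and unrelated paths (scanners, crawlers)
    are dropped so they are never reported as infections.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("path") != callback_path:
            continue
        try:
            ip = ipaddress.ip_address(m.group("ip"))
            ts = datetime.strptime(m.group("ts"), TS_FMT)
        except ValueError:
            continue
        hits.append((ip, ts))
    return hits


def summarize_devices(hits):
    """Collapse repeated callbacks into one record per infected address."""
    devices = {}
    for ip, ts in hits:
        rec = devices.setdefault(ip, {"first_seen": ts, "last_seen": ts, "callbacks": 0})
        rec["first_seen"] = min(rec["first_seen"], ts)
        rec["last_seen"] = max(rec["last_seen"], ts)
        rec["callbacks"] += 1
    return devices


def route_to_partners(devices, table=PARTNER_PREFIXES):
    """Group infected addresses by the partner responsible for their prefix.

    Addresses matching no known prefix go under 'unrouted' so they are not lost.
    """
    routed = defaultdict(list)
    for ip in sorted(devices, key=lambda a: (a.version, a)):
        partner = next((name for net, name in table.items() if ip in net), "unrouted")
        routed[partner].append(str(ip))
    return dict(routed)


def build_notifications(log_text=SINKHOLE_LOG):
    """End-to-end: log text -> ({partner: [ip, ...]}, per-device records)."""
    devices = summarize_devices(parse_hits(log_text))
    return route_to_partners(devices), devices


if __name__ == "__main__":
    routed, devices = build_notifications()
    for partner, ips in routed.items():
        print(partner, ips)
    for ip, rec in devices.items():
        print(ip, rec["callbacks"], rec["first_seen"].isoformat(), rec["last_seen"].isoformat())
```

Filtering on the callback path matters in practice: a newly seized domain attracts crawlers and scanners within minutes, and reporting those addresses as infections would send partners chasing devices that were never compromised.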
Last week, Cisco Talos, the research firm I mentioned, published a follow-up to its original report. It found that the VPNFilter malware possessed even greater capabilities than previously identified, in the form of third-stage malware modules that provide additional capabilities to map networks, exploit systems connected to infected devices, and obfuscate or encrypt malicious traffic.
But Cisco Talos also reported, based on information from partners as well as its own analysis, that “it appears that VPNFilter has been entirely neutralized since” the effort I described earlier by a coalition of international partners (which included the Cyber Threat Alliance). So far, they said, there have been no signs of the actors attempting to reconnect with the devices that remain infected with the pernicious first stage of the malware. Not bad, for the first (but I promise you, not the last) effort to mitigate a botnet tied to nation-state actors.
Once, there was no one. Attribution was whispered in classified channels alone. We spoke, haltingly at first, of cyber threats “emanating from Asia.” Then the U.S. led the way, calling out the malicious behavior of specific foreign states, first in speeches, then by indictment.
Today, we are joined by three other nations in attributing specific conduct to Russia.
I cannot tell you where our commitment to partnership will take us next. But I can tell you, based on this, that there is reason for hope, and to continue working together to maintain an “open, interoperable, reliable, and secure Internet.”