Remarks as Prepared for Delivery
Good afternoon. Thank you, Richard, for that kind introduction.
It is a privilege to address this year’s symposium, and I want to thank American University’s Washington College of Law for their collaboration on this important event.
This year’s theme is “Justice in Cyberspace,” and I want to spend some time talking about what that means for the Department of Justice and the Criminal Division.
Let’s start with “Justice.” The Robert F. Kennedy Building, where I work, is a monument to the importance of justice under law. It contains dozens of murals, frescoes, and inscriptions reminding those who work there of the ideals we stand for, and of the consequences when we fall short.
One of those works of art is a limestone carving over the Constitution Avenue entrance. It depicts three figures representing Opportunity, Peace, and Prosperity. They are protected by Law on the left, and Order on the right, with the Latin motto “Everything happens through Law and Order.” That carving reminds us that the opportunities we receive, the peace we enjoy, and the prosperity we achieve are possible only because we are a nation that respects the rule of law.
Another inscription, on the Pennsylvania Avenue side of the building, tells us that “Where law ends, tyranny begins.” I see that inscription as a daily reminder of our obligation as prosecutors to exercise our important responsibilities with humility and steadfast adherence to the rule of law.
As former Attorney General Robert Jackson noted in a famous 1940 speech, “the prosecutor has more control over life, liberty, and reputation than any other person in America.” And according to Jackson, that gives prosecutors “immense power to strike at citizens, not with mere individual strength, but with all the force of government itself.” In recognition of that awesome power, we have a duty to conduct ourselves in strict accordance with the law as we pursue our important mission. We hold ourselves to a higher standard, as we should.
Our primary mission at the Department is to deter and punish serious wrongs. Our job is to hold those who inflict harm to account. And we must vindicate and provide redress to victims of crime, whether that’s a person who has been defrauded, a child who has been subjected to unthinkable crimes, or someone who lives in fear of violence. And we do so in accordance with the law. That is the work that the Criminal Division does, on a daily basis.
The second part of today’s theme is “Cyberspace,” a concept central to our modern economy and prosperity. Technologies have enabled enormous, important, and disruptive change in a very short time. Some of this country’s wealthiest companies were founded within the last few decades, and have experienced tremendous growth at almost lightning speed. New products and services emerge every day founded on the communications infrastructure that we have built. As a result, we can pursue dreams in ways that were impossible 50 years ago.
The innovations of cyberspace have brought unprecedented conveniences and connections. We can now ask voice assistants to shop for us, answer our questions, and even translate languages. We can deposit checks and transfer money from anywhere using an app. We can check in on a sleeping child with video baby monitors. We have experienced decades of these advances, and the pace of change continues to accelerate in astonishing ways.
With this immense change comes equally enormous responsibility. We have the responsibility to ensure that we continue to advance the ideals of justice.
For just as we have integrated these remarkable innovations into our lives, so too have criminals used and exploited them to do harm. The news brings almost daily stories about thefts of personal information and trade secrets. Ransomware attacks have extorted our neighbors, our businesses, and even our government agencies. And heinous crimes are being planned and committed each day under a cloak of anonymity.
In response, of course, our nation’s prosecutors and law enforcement agents have sought to maintain law and order. We have tried to adapt to a dynamic technology landscape yet adhere to the enduring principles of justice. We have sought to identify cybercriminals and hold them accountable, in a manner that protects our liberty while respecting our privacy. This is a considerable challenge – one that all of us share as a society.
This is why the discussions that we are having today, and that we hope to continue in open dialogue, are so important. The way we do our work has had to adapt – and will continue to adapt – to the changing ways that crimes are committed. Yet those adaptations must, at the same time, remain consistent with our foundational principle of justice under law.
I am honored to be here today to contribute to this discussion. It is important for us to hear different perspectives as we think through this challenge. This symposium is a platform to respectfully exchange positions, understand the concerns behind any differences, and search for areas of common ground where possible. It is one of the reasons that the Criminal Division has continued to partner with key institutions like those represented here today– to bring together a spectrum of views on tough issues, examine where we have been, and seek ideas about where we can go from here.
I would like turn more specifically to some of the challenges we face in this emerging landscape and share some thoughts about how the Department of Justice has responded.
I. Cybercrime Trends: Transnational Organized Crime
First, I want to discuss cybercrime trends and the proliferation of cyber threats to our privacy, society, and national security. Only by countering these threats and deterring these offenders can we assure that the rule of law will continue to flourish.
Popular culture often depicts cybercriminals as “lone wolves,” tapping away at a computer in some basement in a remote part of the world. But our experience tells us otherwise; it demonstrates that many of the most serious threats we face are large, organized, and multinational. Cybercriminals are meeting online every day, brokering deals, and exchanging skills and tools to commit increasingly more sophisticated and damaging crimes. They can, with mere clicks, target Americans with fraudulent schemes and thefts of money and intellectual property. They exploit the impediments created by national borders and differences in legal systems. And they can flourish in places that ignore – or even openly protect – those causing harm elsewhere in the world.
The roles of cybercriminals also are becoming more specialized. We see that, for example, in the criminal ecosystems that support the mass theft and sale of personal and financial information. Some cybercriminals author the malware designed to steal information from victims’ computers. Others hunt for vulnerabilities in computer systems that will allow the malware to breach a computer’s defenses. Still others make malware undetectable. When malware infiltrates a computer network, other individuals search to find the information that is valuable to the criminals. And others then use that data to wire money out of the compromised accounts and launder the proceeds.
Of course, criminal organizations are nothing new. But today nearly all the players involved can work from anywhere in the world, accomplishing their objectives through online communications. Indeed, criminals can plan and execute crimes together without ever meeting in person or learning each other’s real names or locations. As a result, a bustling underworld has emerged, in which criminals may buy and trade information, malicious tools, and criminal services every day.
Dismantling and disrupting these massive, transnational criminal networks is difficult and time-consuming. Even as crimes are committed against millions of individuals with relative ease, investigators and prosecutors must carefully follow the law in tracing those crimes to their source. Here, our commitment to the rule of law is most necessary and most demanding. To guard against the tyranny of the state, we must apply exacting standards for the collection of evidence and scrupulously follow the rules protecting liberty and privacy.
These principles have been developed over the 200 years of our nation’s history, but that time has barely prepared us for the challenges of law enforcement in cyberspace. Investigators and prosecutors are called upon to apply traditional investigative techniques to a vastly changed landscape. Courts must regularly grapple with the difficulties of applying established legal doctrines to new technologies. And the U.S. Supreme Court has established precedents in response to technological changes that fundamentally alter our lens of analysis.
Beyond our borders, the challenges continue to grow. In an ever-connected world, we have companies increasingly storing data in multiple jurisdictions. Concepts of venue and jurisdiction readily applied only a few years ago have become the source of considerable friction among rights-respecting countries today as the Internet has rendered the very concept of location fluid. The Mutual Legal Assistance process was not designed to handle the volume of demands now placed upon it or the pace at which those demands must be executed.
In short, countries have had to grapple with the best way to obtain access to data that is critical to their investigations. While we must never take shortcuts that endanger liberty, we also need practical solutions to these challenges – solutions that enable lawful investigations across borders at the speed necessary to prevent harm.
The Department of Justice has responded to this challenge by focusing its resources in ways that maximize our ability to disrupt and dismantle online criminal networks.
Just like complex drug and financial investigations must target the organizations and infrastructures that enable the criminal activity, we have focused on the foundations of online crimes and the services that enable them. Our commitment to ensuring the rule of law means that we cannot allow the infrastructures that enable these crimes to operate unchallenged.
While investigating and prosecuting online cases present unique challenges, we do not shy away from novel approaches. Last month, an appellate court affirmed the jury convictions of Ruslans Bondars, an individual based in Latvia, who designed and operated an online tool that allowed hackers to test whether viruses and other malware were detectable by antivirus systems. This is a valuable capability hackers use to check their exploits before deploying them to infiltrate victim computers.
Bondars, himself a computer hacker, realized early on in his criminal career that this kind of tool could be sold to fellow hackers. By providing the tool for a price, Bondars’s service assisted other hackers in causing untold damage against U.S. victims over a span of years. He was sentenced to 14 years in prison, after the judge found that Bondars was responsible for over 20 billion dollars in losses. This case represents the approach we must pursue in a world in which roles are becoming increasingly specialized.
The case recently brought against Maksim Yakubets also represents our adaptive, flexible approach to transnational criminal schemes. In December, the Department unsealed details of charges against Yakubets, a Russian national accused of deploying and distributing particularly insidious malware. According to court documents, Yakubets used the Dridex malware to intercept passwords and other private information, and then used that information to make wire transfers from victims’ bank accounts to foreign bank accounts controlled by his criminal syndicate.
Yakubets and his co-conspirators are alleged to have stolen tens of millions of dollars from American businesses, nonprofits, and government and religious entities. Each one of these computer intrusions was, in effect, a cyber-enabled burglary, directed and committed from thousands of miles away in Eastern Europe. Despite an intensive multi-year investigation conducted with our partners in the United Kingdom and elsewhere, we have not yet been able to arrest Yakubets.
In fact, one of our most frustrating challenges in bringing offenders to justice has been the willingness of countries to protect and foster cybercrime committed by their citizens and within their territories. Russia, specifically, has harbored cybercriminals within its borders. And more than that, the Russian government has worked consistently to interfere with the extradition of Russian criminals arrested in neutral third countries. There is no graver threat to the rule of law than a system that lets serious criminals evade justice.
Even when we cannot impose criminal consequences directly, we have worked to use other means to deter those who would harm our citizens. As part of the U.S. government’s “all-tools” approach to combat cybercrime, the Treasury Department’s Office of Foreign Asset Control issued sanctions against Yakubets’s organization, the aptly named “Evil Corp.” In addition, the State Department has offered a five million dollar reward for information leading to Yakubets’ arrest. Pursuing Yakubets and his partners has been challenging, and we will continue those efforts. But this case demonstrates the commitment of the U.S. government to seek creative solutions and to take down transnational crime syndicates using all aspects of national power.
II. Addressing International Challenges: Borderless Evidence and Improved Transnational Cooperation
Next, I want to address the international law enforcement challenges we increasingly face. Ensuring the rule of law means working to ensure that critical evidence anywhere in the world does not lie beyond the reach of the law.
Today, virtually every serious threat that we investigate requires access to electronic evidence – the contents of emails, instant messages, photos, server data, session logs, subscriber information, and the like. At the same time, companies are fanning out across the globe and storing their data in other countries in efforts to gain new footholds and achieve operational efficiencies. The confluence of those two trends poses new challenges for law enforcement.
The Department has worked hard to develop mechanisms to address the fact that evidence today is often located overseas. In October, Attorney General Barr signed our first CLOUD Act agreement with the United Kingdom. If Congress and Parliament approve, starting in July of this year, U.S. and U.K. law enforcement will be able to directly serve communication service providers in the other country with court orders for electronic evidence. And they should be able to more quickly obtain the critical evidence they need in investigations of serious crime and terrorism.
This CLOUD Act agreement is important because it represents a new path forward to cross-border data sharing. Every country is contending with dramatic advances in technology and unprecedented proliferation of platforms. As one U.K. government official observed in his testimony before Congress, two criminals in the U.K. plotting a major drug deal, murder, or kidnapping could have their communications intercepted under a U.K. wiretap order if they communicated via text message. But those same messages could not be intercepted if those criminals instead used a U.S. company’s messaging service. That simply does not make sense.
The CLOUD Act offers a way forward: Starting in July, the U.K. should be able to get the evidence it needs directly from American companies. And it will do so because the U.K. meets certain rigorous standards: Our agreement with the U.K. is premised on both countries’ appropriate protections of privacy and freedom. U.K. orders under this agreement must be based on articulable and credible facts. They must be for the purpose of preventing, detecting, investigating, or prosecuting a serious crime, punishable by at least three years in jail. They must target specific accounts. And they must be subject to the review or oversight of an independent authority, which must be independently satisfied that the order is properly issued. These are core principles of due process and fairness that we share with the U.K., even if our laws differ in their precise implementing mechanisms.
The CLOUD Act thus forges international cooperation while protecting the rights that both countries hold dear. By requiring countries to meet such rigorous standards to be eligible for a CLOUD Act agreement and its benefits, we are encouraging countries to heighten their legal protections and prove through practice their respect for human rights.
We want more countries to be able to access electronic evidence quickly and solve crimes faster. That makes us all safer. For when other countries succeed in holding cybercriminals accountable under their justice systems, we benefit as well; criminals targeting personal information in other countries are often also targeting our own citizens. But we must also be able to trust that our foreign counterparts will seek digital evidence held by our providers only when necessary and use it only as required. For those countries that demonstrate their commitment to due process and human rights, we are willing and eager to begin discussions with them to facilitate our mutual efforts to combat transnational crime.
The U.S. government has also engaged in efforts to strengthen our cybercrime enforcement and capacity-building partnership with Europe, a region whose laws and institutions are most similar to our own. One of the most effective ways of doing this has been U.S. law enforcement coordination with Eurojust and Europol’s European Cybercrime Center (EC3).
Coordination at or through EC3 has led to some of the most significant cybercrime enforcement actions anywhere in the world. These have included actions targeting transnational organized crime, such as the AlphaBay and GameOver Zeus takedowns and the arrest of the world’s top child exploitation target, Eric Marques.
EC3 also facilitated an operation involving over 15 countries, including Hungary, Latvia, and Bulgaria, resulting in the seizure of over 400 TOR hidden service addresses peddling drugs, weapons, stolen credit card data, fake passports, and computer hacking tools.
Meanwhile, the Department recently placed an “ICHIP” – an International Computer Hacking and Intellectual Property Attorney Advisor – in The Hague. Funded by the State Department, this “ICHIP” will focus on training and mentoring and ultimately building additional capacity to fight cybercrime in Eastern Europe.
III. Challenges Posed By Encryption
Finally, I want to touch on the challenges posed by encryption to the rule of law. Many devices and services today have default encryption controlled by the user. This particular kind of encryption often bars access to evidence, even where law enforcement officers obtain a warrant from a neutral judge. This provides a “lawless space” that criminals, terrorists, and other bad actors can exploit. This is not just a problem for law enforcement, but for society as a whole.
In cybercrime cases, encrypted communications may provide rich details about the members of a criminal conspiracy. It may illuminate the roles they play and the breadth of their activities. It may identify victims, both actual and potential. Without access to this information through lawful legal process, criminal investigations may be unable to arrest and prosecute the members of a criminal organization. Crimes that could be prevented may go unchecked. And indeed, there have been investigations where this type of electronic evidence has exonerated a particular suspect.
All too often, whether an investigation succeeds or fails – and whether justice for victims is achieved or denied – depends upon the engineering and business decisions of a few individuals in technology companies.
Our system of justice is, at its core, a search for the truth. When evidence is made unavailable, it strikes at the heart of the rule of law. Decisions that affect the availability of evidence should not be left to an unelected few motivated largely by profit or their own personal views about how the world should work. Instead, they should be considered by Congress with the needs of all in our society in mind.
While there are no easy answers, society needs a solution that equips our law enforcement officers with the ability to protect Americans from technology-enabled crime. I know that this issue was discussed in the last panel, which brought together a range of viewpoints from government, former government, and civil society. Finding an effective way forward is essential.
The Department and its leadership will continue to highlight this problem until a solution is reached that respects the rule of law and our constitutional order. One that allows law enforcement to meet its obligation to prosecute crimes to the fullest extent and to vindicate the rights of victims. One that is reached by politically accountable policy makers tasked with balancing the important legal and other issues at stake, and not by Silicon Valley executives with their own financial or personal motivations.
After all, as the mural I mentioned at the outset so accurately depicts, those executives, their employees, and shareholders have enjoyed tremendous opportunity and prosperity, which can only flourish in an economic and legal system like the one we have in the United States. They have as much of an obligation to protect and defend law and order as we prosecutors. Not just to ensure that crimes are punished and prevented. But to preserve the prospect of opportunity and prosperity for the next generation of entrepreneurs.
In closing, I want to thank all of you for your work and cooperation with us in addressing these complex issues. I am encouraged by the diversity of interests represented by today’s panelists engaging on tough questions relating to cybercrime.
Conversations like the ones happening today will enable to us to forge the best path forward as we strive to maintain the rule of law in this rapidly changing environment.
Thank you for listening, and I hope you enjoy the remainder of the symposium.