Remarks as Prepared for Delivery
Thank you for that kind introduction, Jim. It’s a pleasure to be here at the Center for Strategic and International Studies, alongside my Principal Deputy and soon-to-be-Acting Assistant Attorney General Nicole Argentieri, to highlight the Criminal Division’s exceptional work on cyber initiatives and investigations. And indeed, to lift up the tremendous work of our sections, and the people who do it, all in an effort to combat cyber-related criminality here in the United States and across the globe.
Over the last few decades, our nation has faced a new, alarming threat. When our businesses, schools, armed forces, and citizens embraced the internet and welcomed its many benefits, they also embraced its vulnerabilities. Few, at the time, understood how the internet could mean that a foreign spy gets access to your health insurance records and credit history, that it gives sex offenders access to teenagers’ webcams, or that it gives Eastern European criminals the power to attack hospitals, school districts, and essential industries.
Last March, the Biden administration announced a comprehensive National Cybersecurity Strategy, and published the implementation plan for that Strategy last week. The strategy requires a whole-of-nation effort that involves input from the private sector, public sector, state, local, Tribal, and territorial governments, as well as international partners and Congress. It is a huge, but necessary, undertaking.
Importantly, both the strategy and the implementation plan give the Department of Justice, including the Criminal Division, a crucial role. Notably, Department of Justice components are slated to lead nine of the 66 or so initiatives in the strategy’s recently-released implementation plan. We are a “contributing entity” on an additional 17 initiatives. The fact that the Department is playing a role in approximately 40% of the strategy’s implementation is a testament to our crucial role in this country’s cybersecurity equation.
But well before this strategy and implementation plan, the Criminal Division has been engaged, consistent with that strategy’s goal of protecting the American people from cyber-attacks.
And the Department of Justice’s Criminal Division is at the center of DOJ’s cyber work. We have been fighting cyber threats for decades. We let our work speak for itself, and our work has a lot to say.
For example, last January, we announced that FBI agents, with the support of prosecutors in the Criminal Division’s Computer Crime and Intellectual Property Section, infiltrated the Hive ransomware network’s computers. This allowed them to disrupt the Hive group’s attempts to ransom the computers of a Louisiana hospital, a Texas school district, and over 300 other victims around the world. We provided victims with a way to decrypt their computers and get back in business without having to pay the ransomware actors a single cent.
That was just one in a long list of disruption actions taken by attorneys in the Criminal Division’s Computer Crime and Intellectual Property Section, which we call CCIPS. CCIPS attorneys were lead or co-counsel on, as of this week, 23 major online disruption operations.
By “online disruption operation,” I mean that CCIPS attorneys obtained court orders, search warrants, seizure warrants, or other legal process that permitted the FBI to do something online that took over criminal infrastructure and disrupted ongoing crime.
CCIPS attorneys have used a combination of legal and technical tools to enable the FBI to take down multiple botnets or malware families, including RSOCKS, Netwalker, CryptoLocker, and Avalanche.
CCIPS attorneys have also taken down dark marketplaces and other forums that sell hacker tools, including Hydra Market, BreachForums, Genesis Market, AlphaBay, and Silk Road.
CCIPS, FBI, U.S. Secret Service, and other important federal law enforcement partners are where the country comes when it needs criminal cyber activity stopped in its tracks. A misconception about our work is that we’re interested only in finding criminals, arresting them, and putting them in prison. It’s true that arrests and prosecutions are a critical component of our work. There’s no better way to stop a perpetrator’s cybercrime than placing him or her behind bars for 20 years. Indeed, as I just noted, we’ve successfully prosecuted hackers responsible for the some of the most notorious botnets and illegal marketplaces.
But as our record of 23 major disruption operations shows, we’re also heavily invested in preventing and disrupting crime, not only through arrests, but through online operations that limit the danger from criminals’ online infrastructure. We understand that we are serving the American people, both helping victims and protecting would-be victims, often without their knowledge.
And it's not only CCIPS. The Criminal Division as a whole acts as the center of the Department’s cyber work.
Our Office of International Affairs (OIA), our country’s central authority for mutual legal assistance, has a dedicated cyber unit, which obtains essential evidence for criminal investigations and prosecutions worldwide by working with domestic partners and foreign counterparts. To cite just one of OIA’s many successes, in March 2022, a Ukrainian man charged with conducting ransomware attacks against multiple victims was successfully extradited and was arraigned in a U.S. federal district court.
Our Office of Enforcement Operations oversees law enforcement’s use of sophisticated and sensitive criminal investigative tools.
And our Child Exploitation and Obscenity Section protects the welfare of America’s children and communities by combatting cyber-facilitated child exploitation and obscenity crimes.
You might ask, why is disruption of threats from cyber criminals the job of the Department of Justice? Or, if it is DOJ’s job, why the Criminal Division? The answer is simple: computer intrusions are crimes. Running a botnet is a crime. Ransomware is a crime. And, disrupting crimes is what the Criminal Division does. We investigate hackers; we prosecute hackers; we disrupt hackers.
There’s another reason why disrupting cybercrime is a job for prosecutors and law enforcement. To take down botnets, or to do any of the online operations I described above, you need information, or what you all in the cybersecurity community call “threat intelligence.” You need to know things like where the criminals’ servers are, how they communicate, and how their software works. Some of that information can be deduced by private-sector security researchers. But much of it requires the type of investigative tools that are only available to law enforcement. When we investigate hacking crimes, we use search warrants to look at data that criminals store online. We use pen-trap orders to monitor what computers they are in contact with, and subpoenas to identify how they paid for online hosting. We use mutual legal assistance treaties to request that foreign law enforcement gather evidence in their countries, and we use extradition treaties to bring Russian and other foreign actors into U.S. courts to stand trial. We arrest and flip co-conspirators, who then give us further threat intelligence in the hopes of receiving a lighter sentence. We are in the intelligence business.
Over the Criminal Division’s 30 years of fighting cybercrime, one resounding lesson has been that international law enforcement partnerships are crucial to our work, including through increasing our partners’ capacities to defend against cyber threats.
The Criminal Division leads the Department’s work in this area.
As I mentioned before, the Criminal Division’s Office of International Affairs is our country’s central authority for mutual legal assistance. OIA is vital to our international cyber cooperations. When U.S. investigators need copies of a web server in Europe, or Internet service provider records from Japan, it’s the Criminal Division’s OIA that provides the assistance to make that happen. Likewise, when our foreign law enforcement partners need evidence or assistance from our country, OIA is there to help.
In addition, we recently created a CCIPS position called the Cyber Operations International Liaison, or COIL, whose job it is to work with foreign law enforcement to build international disruption operations.
We further recognize the importance of strengthening international partner capacities, and expanding our country’s ability to assist allies and partners. The Criminal Division has been leading this mission through our ongoing efforts to build our international partners’ capacities to enforce their own laws against cybercrime.
Three Criminal Division sections – CCIPS, our Office of Overseas Prosecutorial Development, Assistance and Training (OPDAT), and our International Criminal Investigative Training Assistance Program (ICITAP) – have been implementing a worldwide law enforcement capacity-building network.
This network consists of International Computer Hacking and Intellectual Property Attorney Advisors, called ICHIPs for short, located all over the world. Together with our OPDAT Resident Legal Advisors and ICITAP Attachés stationed overseas in nearly 70 countries around the world, the Criminal Division’s network works to strengthen our international partners’ capacities to combat cybercrime and counter threats to our digital ecosystem.
We cannot do this work exclusively from Washington, D.C., or just within DOJ. No, it requires strong cooperation and coordination with foreign law enforcement. Whether it is Bitzlato, Genesis, Chipmixer, Hive, the list goes on and on, these significant disruption operations only work because of the shared commitment and diligence of international partners.
All of that sets the stage for the Criminal Division’s main announcement today, which specifically involves CCIPS.
CCIPS is the Department’s criminal cyber section. It is the largest office in the Department prosecuting cybercrime, with about 45 permanent attorneys and a few more detailees handling more than 200 prosecutions or other criminal matters each year.
The Criminal Division created CCIPS in 1996, from an earlier computer crime unit that had been formed in 1991. Over 30 years, CCIPS has gradually built up a technologically sophisticated, highly trained workforce of experienced criminal lawyers, building that team through recruitment, internal training, and careful management. CCIPS attorneys often have technological backgrounds; some previously worked as computer engineers, wrote software professionally, defended computer networks, and were granted patents. CCIPS attorneys have worked on some of the most significant hacking cases in the Department’s history.
CCIPS serves as the Department’s incubator for innovative ideas, hatched from the frontiers of law and the outer boundary of technology. CCIPS developed and mainstreamed much of the modern cybercrime investigative playbook. CCIPS attorneys today are responsible for training the entire Department on obtaining evidence from online providers, on computer forensics, on drafting search warrants to seize computers, and all the other new techniques that are crucial to almost every criminal investigation in the Department. CCIPS attorneys have also innovated newer techniques, like botnet takedowns, geofence search warrants, search warrants authorizing the remote access of computers, cryptocurrency asset forfeiture, and domain name seizures.
Within the Department, CCIPS maintains primary responsibility for developing the Department’s overall computer and intellectual property offense enforcement strategies, and for coordinating computer crime and intellectual property investigations and cases that may significantly impact more than one district or other countries. CCIPS also oversees and provides programmatic support to the Computer Hacking and Intellectual Property Network, a network of over 200 experienced and technically qualified Assistant United States Attorneys who prosecute cybercrimes in their own districts.
So to all of our Criminal Division personnel involved in the fight against cyber-crime, I say thank you.
And in particular, I know that while CCIPS has an accomplished past, it will achieve even more in the future. And beginning in August, it will do so under the leadership of my Principal Deputy, Nicole Argentieri, who will serve as the acting Assistant Attorney General. A former prosecutor and supervisor in the U.S. Attorney’s Office in the Eastern District of New York, Nicole has been a trusted colleague, advisor, and friend. Her diligence is endless, her commitment is unwavering. She is the right person, at the right time, to lead our Criminal Division. Nicole...