Assistant Attorney General Lanny A. Breuer Speaks at Fordham University School of Law
New York, NY
Thank you, Professor Griffith, for that kind introduction. It’s a great privilege to be here with you and so many members of the Fordham community this evening.
As I told another audience in New York last week, even though I have lived and worked in Washington, D.C., for more than 20 years, there is no place I feel more at home than New York City. I was born in Manhattan and grew up in Queens. I went to Newtown High School in Elmhurst, and then, as Professor Griffith said, to Columbia College and Columbia Law School, before starting my legal career at the Manhattan District Attorney’s Office.
You are lucky to be studying law in such a magnificent city, and at such an excellent university, which has produced so many great New Yorkers. It is a true honor to be speaking with you tonight. I feel privileged to be here.
I have been Assistant Attorney General of the Criminal Division for nearly three-and-a-half years, which I am told makes me the longest serving head of the Division in nearly 50 years. The Criminal Division is based in Washington, D.C., and has approximately 600 lawyers across 15 sections.
This evening, I want to speak with you about one area of our focus in particular, and one of the most serious threats to our security that we face in the United States: the threat of cybercrime.
No one needs to explain to you why the Mexican drug cartels pose a threat to our security as a nation. The dangers of public corruption, gang violence, and child exploitation are similarly obvious. And we have separate units in the Criminal Division focused on each of these threats.
It is probably less obvious to some of you that the computer you have in your home or office, or the mobile device you are carrying with you right now, and the networks that facilitate so many aspects of modern life, pose what is perhaps the most comprehensive threat of all to our safety and security.
In addition to changing the way we interact with each other, modern developments in technology have also changed the way people commit crime and the types of crimes they commit. We frequently see large-scale hackers, often based overseas, attempting to gain access to the private financial and personal information of individuals, as well as to sensitive government information. And because of how sophisticated these criminals have become, and because they are often located abroad, they can be very hard to catch.
Your generation knows better than anyone how dependent we are on computers. When I was going to law school, we didn’t have laptops or smartphones. As quaint as it now sounds, we actually did legal research with books. Many of you have never known a world without Westlaw or Google. Today, so many of us bank, shop, conduct business and socialize remotely, and with extremely powerful devices that can fit into our pockets. Which makes us even more vulnerable to cybercriminals, who seek to attack not only traditional computers, but smartphones and tablets as well.
There are of course things we can and should do, as consumers and individual computer and mobile device users, to protect ourselves. But I don’t have to tell you that antivirus software is not the answer to our collective vulnerability to cybercrime. While antivirus software is critically important, it can only protect us from known vulnerabilities. And criminals around the world are working every day to come up with new ways to attack our computers and networks.
A great illustration of the nature of the threat cybercrime poses to all of us is the growth of “botnets,” which are networks of compromised computers under the remote command and control of cybercriminals. These criminals hack into networks of computers, located in homes, schools and offices, and install, without permission, malicious software on those computers. Once the software is installed, the botnet’s owner can capture every password, credit card number and email typed on the infected computer. The users of these infected computers are suffering from an extensive invasion of their privacy almost every time they turn on their devices – and they don’t even know it.
The privacy invasion from hackers using malicious software can go much deeper than theft of information. In one recent case, the U.S. Attorney’s Office in Los Angeles secured a six-year prison sentence for a defendant who infected dozens of computers with malicious software that gave him complete access to, and control over, those computers. He targeted teens and young women, reading their e-mails, turning on their computer microphones, and listening to conversations taking place in their homes. Moreover, he watched his victims through their webcams as they undressed. He obtained images and videos from female victims, which he used to extort these victims by threatening to post intimate pictures on the Internet, unless they provided him with even more images or videos. At the time of his arrest, FBI computer forensics experts had determined that he had infected more than 100 computers used by approximately 230 people, including at least 44 minors.
This case, like so many cybercrime cases, offends not just our sense of privacy, but also our sense of decency. At the Justice Department, we are working hard to come up with new ways to try and stay ahead of cybercriminals who invade every aspect of our private lives.
As an example, in April of last year, the Criminal Division’s Computer Crime and Intellectual Property Section, or CCIPS, and the U.S. Attorney’s Office in Connecticut, took innovative steps to dismantle an international botnet known as Coreflood.
The Coreflood botnet had infected hundreds of thousands of computer systems and was stealing and exploiting computer owners’ personal financial data. It effectively wiretapped victims while they were typing passwords and other sensitive information into their computers. While the individuals controlling the network resided overseas, and were therefore largely outside the direct reach of U.S. law enforcement, prosecutors used a combination of civil and criminal authorities to seize key control servers, shut down the network and work with private sector partners to help disinfect victims’ computer systems.
What made this effort particularly innovative was that we wanted to send a “sleep” command to the software that infected the computers. In essence, when the malicious software “phoned home” to get more instructions from the criminals, the government would substitute a command that would cause the malware to stop running. Because this action would reach out and control software on computers in homes, businesses and schools around the world, we debated whether it would be the right thing to do. Eventually, we were satisfied that our measures complied with the law and, based on that assessment, we went to a federal district judge, explained our reasoning, and obtained the legal authority to seize control of the botnet and send the “sleep” command.
It is important to note that, as in the Coreflood case, many cybercriminals targeting the United States often operate abroad, which adds additional complexity to our efforts. In order to be more effective crime fighters in a global environment, the Department of Justice has reached out in an unprecedented way to our international partners to facilitate worldwide cooperation. We have established a 24-7 international assistance network that allows us to respond to threats more nimbly, and we have developed strong partnerships with many of our counterparts in foreign law enforcement. This type of international cooperation is critical in today’s world.
In order to investigate and prosecute cybercrime cases effectively, law enforcement needs access to electronic information, and we often need to obtain this information from Internet Service Providers, or ISPs, and other communications providers. As these companies connect phone calls, deliver email and maintain social networking pages, they accumulate records about who is saying what, when and to whom, and these records constitute key sources of evidence in our cases – and not just in our cybercrime cases. Gang members, insider traders, drug traffickers and purveyors of child pornography, for example, often leave electronic trails of their crimes.
As more and more details about people’s lives move to the Internet, however, Internet users have developed legitimate concerns about their privacy in the online world, and policymakers and others are engaged in an important discussion about the balance between privacy and public safety.
A federal statute known as the Electronic Communications Privacy Act, or ECPA, establishes a framework for law enforcement access to stored electronic communications data. It attempts to strike the right balance between privacy and public safety. Whether it does so is the subject of ongoing debate in Congress and across the country. We can all relate to the desire that our online information remain private. At the same time, law enforcement often depends upon this information to catch cybercriminals and other dangerous offenders.
Some have suggested that ECPA should be amended to require law enforcement officers to obtain a search warrant based on probable cause for most types of electronic evidence. But, making it more difficult to obtain electronic evidence would hamper, in significant ways, our ability to build cases.
Agents usually do not start out an investigation by intercepting the email of a suspect in real time, searching his house or listening to her phone conversations, because we typically lack probable cause for a search warrant or a wiretap at the investigation’s outset. We must use other, less-intrusive techniques, such as subpoenas and court orders, to collect the information we need to develop our case. For example, we often seek access to less sensitive records – such as an ISP’s billing records – as building blocks to establish probable cause.
One of our top priorities at the Justice Department is to protect the privacy of ordinary citizens by investigating and prosecuting the criminals who threaten it, through botnets and other means. As we do that important work, we obtain appropriate legal process, subject to necessary judicial oversight. It is important to recognize that, if hackers and other cybercriminals can steal your personal information, but law enforcement cannot obtain the data it needs to catch those criminals, our job to protect your privacy becomes that much harder.
In addition, too often, we find that ISPs and other communications providers have deleted critical online data by the time investigators discover its existence and can satisfy the legal requirements for obtaining it.
The lack of data retention by ISPs and other providers is a serious problem and one that many within and outside the Department of Justice have recognized. Today’s cybercriminals are more sophisticated than ever. They use botnets, proxy servers and other methods to hide their true identities. To track them down, we often need to follow an electronic trail, frequently around the globe, and that usually means obtaining a search warrant or other legal process to gain access to critical online data. To the extent that following such trails is made more difficult – because the legal standards become more stringent, or because ISPs delete the data too quickly – our job as law enforcement officers will also become more difficult.
The Department of Justice used a combination of civil and criminal authorities, and considerable technical skill, to seize control of, and shut down, the Coreflood botnet. By doing that, we saved hundreds of thousands of people from being the victims of ongoing privacy violations. The Coreflood example shows why, in many ways, the government’s interests are perfectly aligned with those of privacy advocates. By saving so many people from criminal intrusions into their private lives, we measurably advanced individual privacy interests.
Cybercrime is a threat that exists all around us. In our homes, in our workplaces, and in the schools, stores and government buildings we visit every day. Every one of us has a duty to remain vigilant over our own electronic devices and information. The law enforcement community is hard at work every day finding new ways to fight cybercrime and protect you from online threats. But make no mistake, the challenges are real in this area, and we must recognize that cybercrime is a threat that is not going away. I am committed to this fight, and I hope you will join me and my partners at the Justice Department and across the law enforcement community, as we continue to root out cybercriminals and bring them to justice.
Updated September 17, 2014