Good afternoon, everyone. Thank you to the Georgetown Cybersecurity Law Institute and Larry Center for inviting me to speak here today. The Institute has assembled an impressive group of speakers to discuss some of the most pressing cybersecurity issues. It’s a privilege to be able to contribute to the conversation.
As all of you know, cybersecurity is a complicated issue. It raises challenges that defy simple solutions. There is no single technology, law or policy that will magically guarantee the security of our data and information systems. The victories are often hard-fought and not easily achieved. The same is true of the problem of cybercrime.
The Criminal Division has been fighting cybercrime for two decades. The Division created the Computer Crime and Intellectual Property Section – or CCIPS – in 1996. The Section investigates and prosecutes hi-tech crimes and economic espionage, working alongside a network of computer hacking and intellectual property prosecutors – approximately 270 strong – around the country. CCIPS has become the lynchpin of the department’s anti-cybercrime efforts. It has been involved in one capacity or another in practically every significant cybercrime case you have heard of.
Over the years, the Criminal Division has developed proven strategies to combat cybercrime. For instance, we know that we can produce impressive results by collaborating with the private sector and foreign partners against cybercrime, much of which is international in scope. We can accurately identify the most pernicious cyber threats facing the nation’s networks for prioritized attention. We can also dismantle global infrastructure that criminals use to victimize businesses, home users and government entities around the world.
The Criminal Division has achieved many of its successes by working cooperatively with many of you – representing the businesses and organizations in this room. I want us not only to continue that collaboration, but to expand and enhance it. I also want to impress upon you a sense of urgency.
Every day, cybercriminals are becoming more sophisticated and even more organized, as they virtually invade our homes and offices – robbing us of our sense of security, stealing our data and intellectual property and enriching themselves at the expense of U.S. consumers and companies. We must work with the same determination.
I’m asking you to work more closely with us because the Criminal Division is better positioned than ever before to work with you. We can bring the intruders on your networks to justice. We can also help you better defend your networks. We’ve made changes in the Division that will strengthen cybersecurity and help prevent cybercrimes from happening in the first place. I’ll talk about this in more detail a little later.
Stepping back a moment, everyone in this room knows that global cybercrime – in its many forms – is a serious and expanding threat. A couple of years ago, trade publications dubbed 2013 “The Year of the Breach.” Symantec, the Ponemon Institute and others have now dubbed 2014 the “Year of the Mega Breach.”
In the last year, we have witnessed a series of extraordinarily invasive and damaging data breaches that targeted some of the nation’s largest businesses. In some cases, tens of millions of consumer records were stolen. The victims ranged from mom & pop tax preparers, to restaurant chains, retailers, banks and health care companies—businesses of all types. Anyone holding data that could be monetized on the digital black market was in the crosshairs. The breaches were so frequent and far-reaching that they have possibly desensitized much of the public to the cost of these crimes, which are staggering.
One study last summer estimated the annual loss to the global economy due to cybercrime at about $400 billion. A study from last week projects that, by 2019, cybercrime will cost businesses worldwide $2 trillion. These figures, while daunting, of course do not capture the very real – but unquantifiable – personal harm suffered by victims of online crime.
Against this backdrop, the Criminal Division has achieved some significant victories. These serve as a reminder that, for all its scale and complexity, cybercrime is not an unsolvable species of crime. As cybercriminals have become more sophisticated and transnational, so too has our approach to combatting their criminal acts.
Coupling old-fashioned investigative work with strong international law enforcement relationships, technical expertise and a long institutional memory has paid significant dividends against even the cagiest of cybercriminals. For example:
Weeks ago we unsealed the indictment of two Vietnamese hackers who were allegedly responsible for the theft of over one billion personal records from 2009 to 2012.
Last year, pursuant to a U.S. request, our foreign partners arrested an alleged, notorious Russian hacker named Roman Seleznev. He was vacationing in the Maldives. He’s now awaiting trial in Seattle.
We also recently successfully extradited alleged Russian hacker Vladimir Drinkman from the Netherlands – part of a group responsible for massive data breaches of retail stores prior to 2009, with 160 million credit card numbers stolen.
In fact, in the last year or so, we have extradited about a dozen high-level cybercriminals from around the world.
In a similar fashion, when the private sector works alongside the Department of Justice, FBI, U.S. Secret Service and foreign law enforcement against a common cyber threat, we have achieved significant victories against transnational organized cybercriminals. A good example is the campaign against botnets that we’ve been waging to deprive criminals of the cyber infrastructure that they use to steal data and attack networks.
Last summer – under the leadership of the Department of Justice – U.S. law enforcement, foreign partners in more than 10 countries and numerous private-sector partners worked closely to disrupt the Gameover Zeus botnet and Cryptolocker ransomware scheme.
In Gameover Zeus, we faced an extremely sophisticated type of malware designed to steal banking and other credentials from the computers it infects. Unknown to their rightful owners, the infected computers also secretly became part of a global network of compromised computers, known as a botnet. Botnets are powerful online tools that cybercriminals use for numerous criminal purposes, in addition to stealing confidential information from the infected machines themselves.
The Gameover Zeus botnet was a global network of somewhere between 500,000 and one million infected victim computers which were used to steal millions of dollars from businesses and consumers. It was also a common distribution mechanism for Cryptolocker – a form of malicious software that would encrypt the files on victims’ computers until they paid a ransom. Security researchers estimate that, as of April 2014, Cryptolocker had infected more than 234,000 computers. About half of those were in the United States. One estimate indicated that victims paid more than $27 million in ransom payments in just the first two months after Cryptolocker emerged – a staggering number given that the individual payments were less than $1,000.
The court-authorized operation against the Gameover Zeus botnet was a success. But this success was achieved only due to the invaluable technical assistance of Dell SecureWorks and CrowdStrike and help from numerous other companies like Microsoft and Shadowserver.
As an aside, our work did not end with our so-called “take-down” operation. We have continued to pursue those responsible for creating and running the botnet. Just a few months ago, the State Department, Department of Justice and the FBI announced a multimillion dollar reward for information leading to the arrest of Evgeniy Bogachev, who allegedly led the criminal group in Russia and Ukraine which was responsible for the development and operation of both the Gameover Zeus botnet and Cryptolocker malware.
In any event, the sort of collaboration that we achieved in the Gameover Zeus operation was not an aberration. It is the new normal. Just weeks ago we assisted in the dismantling of the Beebone – also known as AAEH – botnet. This botnet installed fraudulent anti-virus software and ransomware, in addition to stealing bank log-in and password information from victims’ computers. Once again, the private sector’s assistance was crucial to the success of that operation.
Such coordinated global actions have been the product of a lot of creative thinking and hard work. But perhaps most of all, they are a powerful demonstration of the successes that we can achieve when we work together. When we use our combined knowledge of the threat, and associated tradecraft, and collaborate, we are capable of accomplishing what otherwise might be impossible for the public or private sector to do acting alone. I challenge all of our private-sector audience members to help us identify and pursue such opportunities to disrupt cyber threats and to bring cybercriminals to justice.
So, I think I’ve made clear that we want your help. But we also want to help you. Last December, at the Legal Symposium on cybercrime on this campus, I announced that the department was taking the fight against cybercrime in a new direction. I announced the Criminal Division’s plan to work more closely with the private sector and federal agencies to address cybersecurity challenges. We created a hub for the Division’s cybersecurity work, which is the new Cybersecurity Unit in CCIPS.
Our reasons for creating the Cybersecurity Unit were simple. First, cybercrime and cybersecurity have always been linked. Vulnerabilities in hardware and software and inadequate implementation of security protocols are what facilitate cybercrime. The tradecraft used by cybercriminals tells us something about the state of cybersecurity.
In creating the Unit, we hope to use the lessons that CCIPS has learned and the skills that its prosecutors have gained from investigating and disrupting cybercrime to create actionable guidance and to support public- and private-sector cybersecurity efforts. Furthermore, by creating a dedicated Cybersecurity Unit we can better ensure that cybersecurity receives the consistent, dedicated attention that it requires.
CCIPS is well-suited to this task. Its expertise regarding the relevant laws is exceptional. They are the department’s experts in laws directly affecting cybersecurity, including:
The Computer Fraud and Abuse Act, which is often referred to as the “hacking statute;”
Statutes which regulate electronic surveillance and are implicated in all varieties of cybersecurity monitoring and intrusions detection technologies, such as the Electronic Communications Privacy Act, the Wiretap Act and the Pen Trap statute; and
The evolving constitutional, statutory and jurisprudential framework broadly relating to the collection and use of electronic evidence.
Moreover, CCIPS has extensive existing expertise in cybersecurity. For years, CCIPS has been providing other government agencies with legal advice on how to lawfully implement their cybersecurity programs.
CCIPS, along with others in the department, also frequently represents the Department of Justice in priority interagency efforts, often led by the National Security Council, on cutting-edge issues at the intersection of technology and criminal law, such as encryption. In addition, CCIPS provides guidance to federal prosecutors around the country on how technological trends – from the latest app to new social media – may impact investigations.
In short, the knowledge base and expertise of CCIPS aligned perfectly with the diverse set of roles and responsibilities that a Cybersecurity Unit at the Department of Justice must possess, including:
Analyzing, and where appropriate, providing legal guidance on situations where cybersecurity issues implicate criminal statutes such as the hacking statute, the Wiretap Act and ECPA;
Working with Congress on cybersecurity-related legislative priorities;
Working with the National Security Council and other U.S. government partners on executive branch cybersecurity initiatives; and
Actively engaging with the private sector, security researchers, privacy advocates and the public at large to address legal challenges related to cybersecurity.
I am pleased to report that in its few months of existence, the Cybersecurity Unit has broken a lot of new ground. At the outset, it has been conducting outreach with stakeholders – including the private bar, computer security researchers, industry groups and trade associations, financial institutions and other private-sector companies – to identify issues that warrant the Unit’s attention. Let me describe a few examples of the projects they have underway:
In conjunction with the Center for Strategic and International Studies (CSIS), the Cybersecurity Unit hosted a discussion with leading security experts from different backgrounds on the subject of active defense. A summary of the discussion is on the Unit’s website at cybercrime.gov. That discussion has helped the Unit identify several legal issues associated with organizations’ efforts to defend their networks that will entail follow-on work by the Unit.
For instance, the Unit learned more about the challenges that in-house counsel at victim companies face when dealing with unfamiliar legal issues that arise when assessing their companies’ network defensive activities and while responding to cyber intrusions. To help address this problem, the Unit has scheduled an initial legal training session with in-house attorneys in a vital sector.
The Unit also learned about the specific types of defensive measures that security experts believe are most effective. We are assessing whether the Unit can assist in the implementation of those beneficial measures by issuing guidance to clarify associated legal issues.
The leadership of the Cybersecurity Unit and I also recently held a roundtable with leading private-sector data breach response practitioners from around the country. We discussed ways in which the Department of Justice could assist, and collaborate with, the private sector in cybercrime prevention and response. In particular, we had a robust discussion regarding the benefits of promptly reporting data breaches to law enforcement. Our new Attorney General, Loretta Lynch, also highlighted her personal commitment to the Cybersecurity Unit’s efforts in remarks delivered at the event.
The Unit has also begun collaborating with non-Department of Justice regulatory agencies on cybersecurity issues. For instance, we have discussed how those agencies can factor a victim company’s cooperation with law enforcement into decisions they make when investigating a breach. The FTC is issuing a statement on its website today that was coordinated with the Cybersecurity Unit and others at the Department of Justice. Among other things, it highlights the consideration that the FTC will give to a company that reports a data breach to law enforcement and cooperates in the ensuing criminal investigation. The FTC statement says, and I quote:
“We’ll also consider the steps the company took to help affected consumers, and whether it cooperated with criminal and other law enforcement agencies in their efforts to apprehend the people responsible for the intrusion. In our eyes, a company that has reported a breach to the appropriate law enforcers and cooperated with them has taken an important step to reduce the harm from the breach. Therefore, in the course of conducting an investigation, it’s likely we’d view that company more favorably than a company that hasn’t cooperated.” That’s the FTC’s statement. We expect the Cybersecurity Unit to continue this type of collaboration in the future.
The most public example of the Cybersecurity Unit’s work thus far has been the guidance that it released a few weeks ago. That document – “Best Practices for Victim Response and Reporting of Cyber Incidents” – is the Unit’s first contribution to the cybersecurity discourse. It has been well-received.
Consistent with the mission of the Cybersecurity Unit, the guidance draws upon prosecutors’ experience in investigating and prosecuting cybercrime. It also includes input from private-sector organizations that have handled cyber incidents. It captures common sense, prudent measures that organizations should voluntarily institute to prepare for and respond to a cyber incident. It provides step-by-step advice on the measures that organizations should take before, during and after a cyber incident. At each stage, it supplies specific examples of the manner in which these steps might be taken.
For instance, before a cyber incident or attack occurs, the guidance recommends that organizations create and implement an actionable incident response plan. This sounds obvious, but many companies, including big ones, lack this type of plan.
The response plan should identify and protect the organization’s most important cyber assets, adopt risk management practices and include the necessary procedures, personnel and equipment to respond to an incident.
Organizations should also develop relationships – before an incident occurs – with law enforcement, outside counsel and other parties that may be required to assist during an incident.
During a cyber incident, the guidance recommends that organizations:
Assess the scope and nature of the incident;
Take steps to minimize damage from the attack;
Collect and preserve data related to the incident; and
Notify appropriate personnel and outside parties.
These recommendations are the product of experience. We have struggled to help bewildered victim organizations unsure of how to proceed because they lack an incident response plan. We have seen victim companies that may lack adequate authority to monitor their networks to help identify intruders. The guidance is drafted to avoid these types of real-world problems.
While we believe that organizations of all sorts, including sophisticated, large entities, can benefit from the guidance, it was drafted with smaller organizations in mind. We chose to focus on these organizations because they are less likely to have ready access to the type of cybersecurity advice captured in the guidance. Therefore, they are the most likely to benefit from it. Of course, the guidance does not provide “one-size-fits-all” recommendations. Organizations will need to apply its advice to their own specific circumstances.
This guidance document is emblematic of the type of support that the Cybersecurity Unit was created to provide. It is available on the Unit’s website. While discussing the guidance, however, I would also like to focus on a section that has received recent attention.
The guidance does more than advise organizations on what they should do. It also advises them on what they should not do. Consistent with the goals of the Cybersecurity Unit, where necessary, we hope the guidance will channel organizations’ resources away from well-intentioned, but ultimately harmful activities that may undermine cybersecurity.
One issue in this category that has recently garnered much public attention is the use of ostensibly defensive measures, such as “hacking back” into an attacker’s system either to punish an attacker or to retrieve or delete stolen data.
Given recent headlines, it is understandable that some commentators have proposed novel tactics – often in the form of carefully constructed hypotheticals – to counter the very serious cyber threats we currently face. But based on our decades of practical experience, we assess that freelance “hacking back” and similar intentional intrusions onto third-party computers and networks can carry serious legal consequences and policy risks.
Let me first summarize our legal position: based on a simple, plain-text reading of the Computer Fraud and Abuse Act, such conduct is generally unlawful. Some observers, at times employing quite creative legal theories, have suggested that hackback conduct is lawful. That is simply contrary to the plain text of the statute. However, even if it were lawful, we would still recommend against it, because we think that sound policy also militates against use of hackback tactics.
First, hackback tactics pose a significant threat to innocent third parties. Across numerous investigations, we have seen sophisticated cybercriminals frequently hijack the infrastructure of innocent third parties in order to more easily commit their crimes and to help mask their identity during subsequent investigations. In fact, cybercriminals commonly use multiple unwitting third-party drop sites at which they temporarily store stolen data for later retrieval. We believe a general rule allowing private hacking back would needlessly expose such third parties, who often are unaware that their systems have been compromised, to intrusions, privacy violations and potentially property damage.
Second, hacking back and similar activities can interfere – and have interfered – with ongoing government investigations. While these consequences may have been unintentional, the conduct can irreparably harm an investigation.
Third, aside from the risk to innocent third parties and law enforcement investigations, private hacking back carries the danger of dramatic escalation against an unknown adversary. Sophisticated cybercriminals or foreign intelligence services may simply have far more powerful and destructive technical capabilities than private firms who attempt to hackback.
Fourth, given the international nature of cybercrime, it bears mentioning that even if “hacking back” and similar tactics were statutorily permissible in the United States, such activities might be illegal in foreign jurisdictions. Similarly, the innocent third parties I mentioned might also be located abroad and protected by such laws.
Fifth, the possible unintended and collateral consequences that I have outlined could have serious effects on international relations. Another country, particularly one unfriendly to the United States, might presume that a privately-conducted act of hackback was actually an offensive cyberattack sanctioned by the United States. This could have serious foreign policy consequences.
And lastly, even if all these harms could somehow be avoided, our experience – and private discussions with a wide range of security experts, both inside government and in industry – suggests that “hacking back” would in most cases have a low likelihood of being beneficial. Indeed, the weight of professional technological opinion is that there is little to be gained in any event by authorizing private hacking back or similar activities in the overwhelming majority of cases.
This is not merely our opinion. The Christian Science Monitor recently polled a “pool of experts from across government, the private sector and the privacy advocacy community” on whether companies should be allowed to hackback. A full 82 percent of these experts said “no.” We received similar feedback from the collection of cybersecurity experts that CSIS and the Cybersecurity Unit recently assembled to learn more about the types of defensive measures actually being conducted in the field.
There are legal reasons not to hackback: our system does not sanction retaliation or self-help that violates the law. And just as importantly, there are practical reasons not to hackback: it could trigger additional negative consequences and is unlikely to yield anything other than the momentary pleasure that comes with taking action, however ineffective.
Personally, I am encouraged by the range of innovative cybersecurity proposals that are currently being considered – from increasing security through advanced alternatives to passwords to improving private-sector capabilities to quickly devalue stolen data. Nonetheless, not every idea for defending a network is, ultimately, a good one. Hacking back is such an example. We would urge practitioners to exercise caution. And we counsel policymakers against significantly altering the law in this area.
That said, in the same spirit of collaboration that I have been discussing, the Cybersecurity Unit is considering whether to offer guidance on other types of effective and truly defensive countermeasures that are considered to be beneficial by cybersecurity experts. Furthermore, we at the Department of Justice are increasing efforts to ensure that we are well prepared to provide timely assistance to secure data taken from a victim’s systems using appropriate legal authorities.
So, I will finish by reiterating my call to action. The status quo will not suffice. The cybercriminals are doing more than ever to virtually invade our homes and our businesses. We must find new ways to alter the state of cybersecurity. Together, we can do that. I look forward to our continued collaboration in combatting cybercrime and enhancing cybersecurity. Thank you.
Note: A summary of a joint Criminal Division and Center for Strategic International Studies discussion with leading security experts may be found here: http://www.justice.gov/criminal/cybercrime/docs/CSIS%20Roundtable%205-18-15.pdf.