Assistant Attorney General Leslie R. Caldwell Speaks at Cybercrime 2020 Symposium
Good morning and welcome to the Criminal Division’s inaugural symposium on cybercrime. Before we start, I would like to thank Dean Treanor and the Georgetown Law Center for being such gracious partners in planning and holding this event.
I would also like to thank the moderators and panelists for traveling from across the country to contribute their expertise to today’s discussions. We have assembled an impressive array of experts from the private sector, academia, privacy groups, and all three branches of government, and I am looking forward to the diverse perspectives they will be sharing with us today.
A special welcome and thanks to Troels Orting, our keynote speaker, who has traveled the farthest to be with us today. Troels is the Director of Europol’s European Cybercrime Center or “EC3,” which is headquartered at the Hague in the Netherlands. In recent months, the Criminal Division, U.S. Attorneys’ Offices, federal investigators, and private companies have executed some of the most elaborate law enforcement operations ever attempted in the cybercrime arena. Troels and EC3 have been instrumental to the success of those operations.
You’ll hear more about that in a moment, but I wanted to make sure I expressed my personal appreciation to him and EC3. I believe that such robust cooperation within the international law enforcement community is the necessary future of cybercrime investigations. I anticipate that the Department of Justice and EC3 will be allies for years to come.
Today’s symposium is focused on the future of technology and online crime, so I expect that you will be hearing a lot about “change” and “evolution.” I want to briefly discuss the state of affairs today, and how I see cybercrime evolving over the coming years.
I also want to take this opportunity to talk about changes within the Criminal Division and our evolving efforts to deter, investigate, and prosecute cyber criminals and to protect the country’s computer networks from cyber threats in the first instance.
In that regard, I will highlight two ways in which we are addressing the growing threat:
First, we are mounting increasingly innovative and cooperative, international law enforcement operations to disrupt cyber criminal organizations across the globe;
Second, we are increasing our efforts to prevent cyber attacks by providing resources for our public and private partners to enhance cyber security across the board. In furtherance of this effort, we are creating a dedicated Cybersecurity Unit within the Criminal Division, which I will discuss more in a moment.
As I mentioned, I will start with a few words about the Internet and technology, how they are influencing the crimes we see today, and how we anticipate they will shape the crimes of tomorrow.
By now it has become obvious not only to those of us who gather at events like this but to the entire world: the Internet and related technologies have changed the way we work, play, and live. Everyone in this room is carrying a cell phone, tablet, or some other device that is connected to the Internet right now. The vast majority of Americans have made technology part of their everyday lives.
This boom in Internet-driven technology brings with it new opportunities for innovation, productivity, and entertainment. It is helping people connect locally and globally through email, social networking, and various other forms of communication. It is helping our businesses compete in expanding markets. It is giving us ready access to a seemingly endless stream of information, resources, and services unlike anything that preceded it. From big companies to tiny start-ups, innovation is taking place around the world at a dizzying pace.
Unfortunately, there is also a flip side to these advances. A tool that has become so vital to families, consumers, businesses, and governments was also bound to become a target for criminals. Not surprisingly, cyber criminals are taking advantage of the same advances in technology to perpetrate more complex and extensive crimes. Indeed, according to data from the 2013 Norton Report, there will be more than 14,000 additional victims of online crime by the time I have finished this speech.
For the foreseeable future, cybercrime will increase in both volume and sophistication. By exploiting technology, the most skilled cyber criminals will be capable of committing crimes on a scale that will result in more lost data, greater damage to the security of networks, and greater risk to Internet users. We are already getting glimpses of this new criminal tide.
Last year, two cyber intrusions targeting the banking system inflicted $45 million in losses on the global financial system in a matter of hours. Let me emphasize, that figure is not a speculative estimate or a projection. That is the sum total of money that the perpetrators withdrew from banks around the world by breaking into bank computers and removing limits on the amount of money they could withdraw from ATM machines. That crime dwarfed the biggest bank heists in U.S. history several times over, and the masterminds never had to worry about security guards, dye-packs, or silent alarms. In fact, they never had to leave home.
Our dependence on technology is also ushering in a new era of online breaches. Ever larger networks are processing more consumer data in an effort to make our purchases simpler and less time consuming. These networks transmit vast amounts of personal and financial data, and enterprising hackers are targeting them to produce data breaches that dwarf anything we’ve seen before. Individual breaches regularly put at risk the financial information of tens of millions of consumers. This threatens consumer confidence and has devastating consequences for companies who have fallen victim.
We have also witnessed the rise of another type of intrusion that causes harms less simple to quantify. Rather than stealing money or valuable financial data, these breaches have robbed people of their privacy. Some hackers have become virtual home invaders, using malware to tap into personal webcams located in homes around the world so they can spy on our most intimate moments. Other hackers have broken into online storage accounts and personal devices to snatch personal photos or communications for money or prurient thrills.
So, how is the Department responding to these new types of online threats and challenges? In the case of the $45 million dollar cyber heist I mentioned, we were able to promptly find, arrest and prosecute some of those responsible. Thus far, 13 defendants have been convicted for their participation in the scheme. The Criminal Division and U.S. Attorneys’ Offices are bringing the lessons of this successful prosecution and others to the investigations of recent breaches that have been in the news.
While arrests and prosecutions are our primary goal, we recognize that it is increasingly common for sophisticated cyber criminals to base themselves overseas in countries where they are not so easily reached. Consequently, we have adjusted our tactics in two significant ways. We are engaging in larger, international law enforcement operations to target criminals around the globe. And, we are acting up front to stop the harm that these cyber criminals are causing, even before we can get them into custody. A prime example of this has been our approach to “botnets.”
“Botnets” are networks of computers that have been secretly infected by malware and controlled by criminals. Some botnets are millions of computers strong. Once created, they can be used without a computer owner’s knowledge to engage in a variety of criminal activities, including siphoning off personal and financial data, conducting disruptive cyber attacks, and distributing malware to infect other computers.
One particularly destructive botnet—called Gameover Zeus—was used by criminals to steal millions of dollars from businesses and consumers and to extort additional millions of dollars in a “ransomware” scheme. Ransomware is malware that secretly encrypts your hard drive and then demands payments to restore access to your own files and data. Ransomware called “Cryptolocker” was distributed through the Gameover Zeus Botnet, which infected hundreds of thousands of computers, approximately half of which were located in the United States. It generated more than $27 million in ransom payments for its creators, including Russian hacker Evgeniy Bogachev, in just the first two months after it emerged.
But through carefully choreographed international law enforcement coordination, we not only identified and obtained a 14-count indictment against Bogachev, but also obtained injunctions and court orders to dismantle the network of computers he used to orchestrate his scheme. The Justice Department, U.S. law enforcement, numerous private sector partners, and foreign partners in more than 10 countries, as well as EC3, mounted court-authorized operations that allowed us to wrest control of the botnet away from the criminals, disable it, and start to repair the damage it caused.
This afternoon, you will hear from David Hickton, the U.S. Attorney for the Western District of Pennsylvania, whose office worked with CCIPS to spearhead this effort. This case serves as a model of both international cooperation and our ability to mitigate the damage caused by cyber criminals even before making an arrest.
In another international operation, just a few weeks ago, we targeted so-called “dark market” websites selling illegal goods and services online. These websites were operating on the “Tor” network, a special network of computers on the Internet designed to conceal the locations of individuals who use it. The websites we targeted traded in illegal narcotics; firearms; stolen credit card data; counterfeit currency; fake passports and other identification documents; and computer-hacking tools and services. Using court-authorized legal process and mutual legal assistance treaty requests, the Department, the FBI, and international partners from approximately 16 foreign nations working under the umbrella of EC3 seized over 400 Tor addresses associated with dozens of websites, as well as multiple computer servers hosting these websites.
Once again, international cooperation among the world’s law enforcement agencies was pivotal to the success of this global operation. And, once again, we were able to disrupt cybercrime in manners other than traditional arrest and prosecution.
In addition to undertaking these innovative international operations and takedowns, the Criminal Division is also re-orienting itself to better address the complex nature of cyber threats on multiple fronts.
High-tech crimes are not new to the Criminal Division. We have been investigating and prosecuting computer crimes since the Division created the Computer Crime and Intellectual Property Section, or “CCIPS,” in 1996. As I have already described, CCIPS prosecutors have led complex computer crimes investigations for years, and this work will continue.
Through CCIPS, the Criminal Division has also supported and expanded our U.S. Attorneys’ Offices’ expertise and capacity to tackle the most complex cybercrimes. CCIPS has worked over the last 12 years to build the Computer Hacking and Intellectual Property or “CHIP” Network with U.S. Attorneys’ Offices across the nation, which is now over 270 prosecutors strong. That network has fostered a close partnership between CCIPS and the U.S. Attorneys’ Offices in addressing the nation’s most sophisticated computer crimes. In addition, over the last two years, the CHIP Network was used as the model for the National Security Cyber Specialists’ network, a partnership among the National Security Division, the U.S. Attorneys’ Offices, and CCIPS that focuses on cyber threats to national security.
As the threats increase daily, however, I want to make sure that cyber security is receiving the dedicated attention it requires. It is important that we address cyber threats on multiple fronts, with both a robust enforcement strategy as well as a broad prevention strategy. I am, therefore, announcing today the creation of the Cybersecurity Unit within CCIPS. The Cybersecurity Unit will have responsibility on behalf of the Criminal Division for a variety of efforts we are undertaking to enhance public and private cyber security efforts.
Given the growing complexity and volume of cyber attacks, as well as the intricate rubric of laws and investigatory tools needed to thwart the attacks, the Cybersecurity Unit will play an important role in this field. Prosecutors from the Cybersecurity Unit will provide a central hub for expert advice and legal guidance regarding the criminal electronic surveillance statutes for both U.S. and international law enforcement conducting complex cyber investigations to ensure that the powerful law enforcement tools are effectively used to bring the perpetrators to justice while also protecting the privacy of every day Americans. The Cybersecurity Unit will work hand-in-hand with law enforcement and will also work with private sector partners and Congress. This new unit will strive to ensure that the advancing cyber security legislation is shaped to most effectively protect our nation’s computer networks and individual victims from cyber attacks.
As you know, the private sector has proved to be an increasingly important partner in our fight against all types of online crime, but particularly cyber security-related matters. Prosecutors from the Cybersecurity Unit will be engaging in extensive outreach to facilitate cooperative relationships with our private sector partners. This is a fight that the government cannot and will not wage alone.
As just one example of the kind of outreach we can do, earlier this year, we heard concerns expressed by communications service providers about uncertainty over whether the Electronic Communications Privacy Act prohibits sharing certain cyber threat information. This uncertainty limited the lawful sharing of information that could better protect networks from cyber threats. In response, we produced a white paper in May to address these concerns and publicly released our analysis of the issue. We will continue to engage in this open dialogue about emerging issues and to clear roadblocks like this one.
Finally, we will be engaging with the public at-large about cyber security issues. Over the past several years, but especially this past year, I have noticed a growing public distrust of law enforcement surveillance and high-tech investigative techniques. This kind of mistrust can hamper investigations and cyber security efforts. Most of this mistrust, however, comes from misconceptions about the technical abilities of the law enforcement tools and the manners in which they are used. I hope to engage the public directly on these issues and to allay concerns.
CCIPS already plays an important role in this regard, and I expect that to expand with the Cybersecurity Unit. CCIPS’s manuals on laws governing searching and seizing computers, electronic surveillance, and prosecuting computer crimes are probably the most comprehensive materials on those topics you will find anywhere. To ensure transparency and wide access to this helpful information, those manuals are publicly available on CCIPS’s website, cybercrime.gov.
I would like to start the public dialogue, however, by briefly addressing an overarching misconception: the apparent belief that privacy and civil liberties are afterthoughts to criminal investigators. In fact, almost every decision we make during an investigation requires us to weigh the effect on privacy and civil liberties, and we take that responsibility seriously. Privacy concerns are not just tacked onto our investigations, they are baked in. Privacy concerns are in the laws that set the ground rules for us to follow; the Departmental policies that govern our investigative and prosecutorial conduct; the accountability we must embrace when we present our evidence to a judge, a jury, and the public in an open courtroom; and in the proud culture of the Department.
We not only carefully consider privacy implications throughout our investigations, but we also dedicate significant resources to protecting the privacy of Americans from hackers who steal our financial and credit card information, online predators that stalk and exploit our children, and cyber thieves who steal the trade secrets of innovative American entrepreneurs. As just an example our efforts, we recently announced the conviction of a Danish citizen who marketed and sold StealthGenie, a spyware application or “app” that could remotely monitor calls, texts, videos and other communications on mobile phones without detection. This app was marketed to individuals who wanted to spy on spouses and lovers suspected of infidelity.
Additionally, earlier this year, the FBI and the U.S. Attorney for the Southern District of New York announced charges against the owner of “Blackshades,” which sold the Blackshades Remote Access Tool. EC3 again played a substantial role in this worldwide takedown, which resulted in the arrests of more than 90 people across the globe. The Blackshades tool was used by hackers to gain access to victims’ personal computers to secretly steal files and account information, browse personal photos, and even to monitor the victims through their own webcams. This software tool illustrates one of the scariest capabilities of hackers to date, as the Blackshades product or a similar tool was used by one hacker to secretly capture naked photos of teens and young women, including Miss Teen USA. The hacker then used the photos to extort his victims—with threats that he would post the photos on the Internet—into sending additional nude photos and videos.
These are just two examples of our work to investigate and prosecute criminals who invade the privacy of unsuspecting citizens. We hope that continuing to host symposiums like this one—and other outreach efforts—will help combat misconceptions about the Department’s efforts to protect the privacy of Americans. Outreach allows us to participate in the growing public debate about evolving technology. The open debate will benefit from the information that we can contribute about how technology is being used by criminals, how we are leveraging technology to investigate and disrupt criminal activity, and how technology can be leveraged in the public and private sectors to enhance cyber security. Without that information, misconceptions and inaccuracies can take root and hamper enforcement efforts as well as cyber security programs.
Georgetown and the Department designed today’s event to bring diverse viewpoints together. Our aim is to make sure that a range of perspectives are presented. Of course, there will be limits to what Department representatives can publicly discuss for a variety of reasons, including the potential of harming an ongoing investigation, the need to protect individuals who are the subjects of investigations, and statutory and Departmental restrictions on disclosure of certain information. Regardless, we are excited to add our voice to the debate and grateful to Georgetown and to all of you for supporting this event. We hope it will be the first of many.