Testimony as prepared for delivery
Good afternoon Chairman [Lindsey] Graham, Ranking Member [Sheldon] Whitehouse and members of the subcommittee. Thank you for the opportunity to discuss the Department of Justice’s response to the ransomware threat. I want to thank the chair and ranking member for their continued leadership on the issues of cybersecurity and fighting cybercrime. We appreciate your work to ensure that the Department of Justice has the tools and resources necessary to address cyber threats.
The Attorney General has repeatedly made clear that fighting cybercrime is one of the department’s highest priorities. Cyber threats continue to grow more prevalent, more sophisticated and more destructive. As was described in your opening statements, one threat has been particularly troubling: the rise of ransomware. And because some ransomware variants can infect other computers, a single person opening an email or visiting an infected website can result in the network of an entire organization being held hostage.
The threat from ransomware is staggering. One ransomware scheme extorted an estimated $27 million in just its first two months. While ransom fees are typically between $200 and $10,000, victims suffer additional harms due to things like lost productivity and the cost of mitigation.
The growth in ransomware is fueled by many factors. Our computers are still more vulnerable that we would like. And advances in technology – such as anonymizing proxy networks and bitcoin – offer even average criminals highly sophisticated tools to avoid detection.
Despite these challenges, law enforcement is actively working to disrupt and deter ransomware schemes. The FBI currently has dozens of active investigations into different ransomware variants. And this hard work has paid off. In 2014, for example, the Department of Justice led a multi-nation effort that disrupted a highly sophisticated ransomware scheme called Cryptolocker, which had encrypted computer files on more than 260,000 computers.
Defeating ransomware schemes, however, requires a strategy that encourages the public and private sectors to work together. Computer owners everywhere need to improve their “digital hygiene” by taking steps like installing the latest patches and ensuring that backups are up to date. The department has tried to assist in raising awareness by issuing public service announcements about the dangers of ransomware, and which provide tips on how to protect systems and respond to malware infections.
In addition, we must work to disrupt the means used to distribute and profit from ransomware. Like other malicious software, ransomware is often facilitated by botnets. As you may know, botnets are networks of computers infected with malware, or “bots,” that criminals can control remotely to do their bidding. They allow small groups of criminals to use hundreds – or hundreds of thousands – of infected computers to attack other victims. As botnets grow more sophisticated, and as the threat from botnets continues to evolve, we must continually strive to ensure that our laws remain up to date and provide law enforcement with the tools and authorities it needs to address this threat.
Congress has a significant role to play. The Computer Fraud and Abuse Act (or CFAA) clearly makes it a crime to hack into computers to create a botnet, and of course we could bring charges against criminals who use botnets to commit other crimes. It is not clear, however, that the CFAA also criminalizes selling or renting access to botnets, which is increasingly common among cybercriminals. We support closing this loophole.
In addition, federal law currently provides courts with authority to issue civil injunctions to disrupt botnets – but only if the botnet is being used to commit certain specific categories of crime. Yet botnets are used for many types of criminal activity, such as denial of service attacks and sending phishing emails. The administration has proposed updating the law to allow courts to issue civil injunctions to stop botnets no matter what the criminals are using them for.
While use of civil injunctions is a valuable tool, there may be circumstances in which it is preferable to seek a warrant from a court in order to disrupt a botnet. Because of this, the department supports the Supreme Court’s recent action to amend Rule 41 of the Federal Rule of Criminal Procedure to clarify which court is the right court to consider warrant applications. While this amendment would not change the substantive authority to authorize such a warrant, it would eliminate needless inefficiency in the process for applying for this sort of warrant.
Thank you again for the opportunity to testify today on this important issue, and I look forward to answering your questions.