Deputy Attorney General Rod J. Rosenstein Delivers Remarks at the Global Cyber Security Summit
Remarks as prepared for delivery
Good morning. Thank you, Ms. Schanbaum, for that very kind introduction.
I understand that most of you represent private sector technology companies. I am reminded of a story about a young schoolboy who was assigned to describe Socrates. The boy wrote, “Socrates walked around giving people advice. So they poisoned him.” I hope to avoid the same fate.
In fact, technology companies routinely work cooperatively and productively with law enforcement and national security officials to advance cyber security and public safety. In many areas, the economic interests of technology companies are aligned with the safety concerns of law enforcement. In other areas, businesses follow legal mandates that help prevent crime. Finally, there are areas in which companies voluntarily adopt rules that limit misuse of their platforms by criminals because they do not want to damage their reputations by facilitating wrongdoing.
But in one particular area, encryption, competitive forces drive technology companies to resist cooperating with the government.
That observation is not a criticism of technology companies. Those companies create jobs, design valuable products, and innovate in amazing ways. But on the issue of encryption, companies simply do not consider law-enforcement needs.
We use the term “responsible encryption” to describe platforms that allow police to access data when a judge determines that compelling law enforcement concerns outweigh the privacy interests of a particular user. In contrast, warrant-proof encryption places zero value on law enforcement. Evidence remains unavailable to the police, no matter how great the harm to victims.
It is completely rational for companies to pursue encryption without weighing the adverse impact on law enforcement. Their job is to maximize profitability and market share. The use of their tools by criminals generally is an externality. But someone needs to be candid about the collateral harm.
So let me take this opportunity to speak to you about three issues: (1) the scope of the global cybersecurity threat that confronts us; (2) the ways that law enforcement can help; and (3) the challenges we face in countering the threat.
First, let me discuss the scope of the global cyber threat. Everyone agrees that it is significant and growing. One estimate of the annual cost of global cybercrime predicts a doubling from $3 trillion in 2015 to $6 trillion in 2021.
A private report puts the risk of suffering a material data breach at better than one in four—and the odds continue to rise. In the United States, we are dealing with one of the largest breaches ever of a private company holding sensitive financial data. Public reports indicate that as many as 145 million people may have been affected—including over 15 million people here in Britain.
One major web service provider suffered a breach that reportedly affected every one of its 3 billion email accounts. Mass data breaches can be extremely costly to victims. Private reports peg the average cost of a data breach at over $3.6 million. One large retailer reported spending $291 million in breach-related expenses, related to one attack on its network. Breaches sometimes drive smaller businesses into bankruptcy.
Even if a company does not hold large quantities of financial information, it probably has valuable intellectual property in its computers. Foreign criminals regularly break into systems to steal ideas that make our nation strong and competitive in the global marketplace. One of the cases we prosecuted involved the theft of technology that allegedly caused $800 million in losses.
The G20 leaders agreed in 2015 that no country should steal trade secrets or other confidential business information with the intent of advantaging its companies or commercial sectors.
Breaches that target financial data and intellectual property raise serious concerns. But protecting data is not the only thing we worry about. Ransomware is another global phenomenon.
Earlier this year, the “WannaCry” ransomware spread across the globe, targeting computers by encrypting data and demanding ransom payments in bitcoin. Over 230,000 computers in 150 countries were affected. Here in the United Kingdom, the ransomware crippled the National Health Service, as authorities ordered doctors and nurses to immediately turn off all computers and told patients to come to the hospital only in emergencies. The next month, ransomware infected computers worldwide, impacting a Ukrainian state power company, a major international shipping company in Denmark, and a prominent law firm in the United States, among other victims.
Ransomware infects more than 100,000 computers a day around the world. The total amount of ransom payments approaches $1 billion annually. Attacks used to be indiscriminate, scattershot attempts to squeeze a few hundred dollars from anyone who happened to be affected. Now, sophisticated and targeted attacks focus on particular businesses.
Attackers also use Distributed Denial of Service attacks to go after everything from banks to critical Internet infrastructure.
The “Internet of Things” exponentially increases the number of devices connected to networks. Those devices often are susceptible to control by hackers.
Computer disruptions not only can bring a business to a halt; they also can endanger lives. Even MRI machines and ventilators may run software and be connected to networks.
Finding and eradicating vulnerabilities is an important aspect of cybersecurity. All companies should consider promulgating a vulnerability disclosure policy, that is, a public invitation for white hat security researchers to report vulnerabilities.
The U.S. Department of Defense runs such a program. It has been very successful in finding and solving problems before they turn into crises.
Let me turn to how law enforcement can help. Law enforcement is an essential component of combatting cyber threats. Our goal must be to disrupt and deter future attacks, as well as punish perpetrators of previous crimes.
Our Department of Justice focuses on transnational, organized cyber criminals. Earlier this year, we dismantled the largest dark market, AlphaBay. It operated for more than two years and was used to sell a host of illicit items. American law enforcement officials, in close coordination with European counterparts, shut down the illicit criminal marketplace. Our investigators also worked closely with their Canadian and Thai partners, who arrested the alleged founder of the site in Bangkok.
Also in 2017, we worked with foreign authorities to arrest the alleged creator of the Kelihos botnet and dismantle that pernicious network of tens of thousands of infected computers. Over several years, the network was used to steal login credentials, distribute hundreds of millions of spam e-mails, and install ransomware and other malicious software. Last week, Spain’s highest court granted our request to extradite the suspect to the United States.
Some cyber criminals act on behalf of foreign governments. In March, we indicted two officers of the Russian state security service. They are charged with stealing information from at least 500 million e-mail accounts, conducting economic espionage, and engaging in other criminal offenses in connection with a years-long conspiracy to access a major web service provider's network and the contents of webmail accounts.
We recently unsealed charges against Iranian nationals, accusing them of stealing software and selling it to Iranian military and government entities. Some of the software had military applications and was export-controlled. Drawing on the criminal investigation, the Treasury Department sanctioned seven hackers and their Revolutionary Guard-affiliated employers for attacking the global financial system.
Law enforcement provides many benefits to victims of cyber intrusions and attacks. We can help victims understand what happened; we can share information about related incidents or malware; we can ensure proper investigation and preservation of evidence; we can inform regulators about cooperation; and we can pursue the perpetrators, if appropriate, through criminal prosecutions, economic sanctions, diplomatic pressure, and intelligence operations.
The Department of Justice is keeping very busy in the fight against cybercrime. But we face significant challenges.
Dark markets are one example of a broader problem we call “Going Dark.” “Going dark” describes the ability of criminals to conceal their communications and transactions in platforms that cannot be accessed by law enforcement.
Increasingly, technology frustrates traditional law enforcement efforts to collect evidence needed to protect public safety and solve crimes. For example, many instant-messaging services now encrypt messages by default. And smartphone manufacturers made a conscious decision to engineer their phones to eliminate the capability to recover data stored on the devices.
Our government is empowered to protect society from criminals, and we are expected to protect society. Law enforcement officers are authorized to use approved tools for investigating crimes, such as subpoenas, search warrants, and wiretaps.
Those legal authorities enable investigators and prosecutors to gather the evidence needed to enforce the laws. Evidence is essential because our legal system protects criminal defendants by requiring the prosecution to produce admissible evidence that establishes their guilt beyond any reasonable doubt.
But increasingly, the tools we use to collect evidence run up against technology that is designed to defeat them.
Encryption is essential. It is a foundational element of data security and authentication. It is central to the growth and flourishing of the digital economy. We in law enforcement have no desire to undermine encryption.
But “warrant-proof” encryption poses a serious problem.
In the United States, when crime is afoot, impartial judges are responsible for balancing a citizen’s reasonable expectation of privacy against the interests of law enforcement. The law recognizes that legitimate law enforcement needs can outweigh personal privacy concerns. That is how we obtain search warrants for homes and court orders to require witnesses to testify.
Warrant-proof encryption overrides our ability to balance privacy and security. Our society has never had a system where evidence of criminal wrongdoing was impervious to detection by officers acting with a court-authorized warrant. But that is the world that technology companies are creating.
In a democratic society, the decision systematically to eliminate our ability to balance privacy against safety should involve review by citizens and their elected representatives. We should have a candid public debate about the pros and cons of allowing companies to create lock boxes that cannot be opened even with a court order.
Today, thousands of devices seized in the United States sit in storage, impervious to search warrants. Over the past year, our FBI was unable to access about ** mobile devices submitted to its Computer Analysis and Response Team, even though there was legal authority to do so.
In May 2015, terrorists targeted people attending an event in Garland, Texas. On the morning of the attack, one of the terrorists exchanged 109 instant messages with an overseas terrorist. He used an application employing end-to-end encryption, so law enforcement could not decode the messages.
Billions of instant messages are sent each day using mainstream apps employing default end-to-end encryption. The app creators do something that the law does not allow telephone carriers to do: they exempt themselves from complying with court orders.
We believe that responsible encryption is achievable. We can have managed security that permits fair and effective enforcement of laws rather than absolute, privacy that conceals criminal activity.
Responsible encryption systems already exist. Examples include the central management of security keys and operating system updates; the scanning of e-mails for advertising purposes; the simulcast of messages to multiple destinations at once; and key recovery when a user forgets a password.
No one calls any of those functions a “back door.” In fact, those capabilities are marketed and sought out by many users.
Responsible encryption means that when a court issues a search warrant or wiretap order to collect evidence of crime, the provider should be able to help. Providers could retain the capability to make sure evidence of crimes can be accessed when appropriate, without the government holding the keys or requiring every company to use the same means.
Technology companies lack the incentive to adopt responsible encryption, because competitors will always try to attract customers by promising absolute privacy. They are in the business of selling products and making money.
We use a different measure of success. We are in the business of preventing crime and saving lives.
Companies can and do make accommodations when required. Recent media reports suggest that a major technology company developed a tool to suppress online posts in certain geographic areas in order to enforce a foreign government’s censorship policies. Another major tech company recently acquiesced to a foreign partner’s request that local customers stop using software to circumvent foreign censorship restrictions. A third major corporation stopped supporting virtual private network apps at the behest of a foreign government, to prevent internet users from overcoming censorship policies.
Surely those same companies and their engineers could help us access data when the request is supported by a court order issued in accordance with the rule of law.
Some critics argue that the evidence concealed by encryption can be offset by new sources of non-content data. That argument misunderstands what sort of evidence law enforcement needs in order to prevent and punish crime. While metadata may be helpful, in many cases there is no substitute for the substance of the communication.
Warrant-proof encryption produces grave consequence. When investigations of violent criminal organizations come to a halt because we cannot access a phone, lives may be lost. When child molesters can operate anonymously over the internet, children may be exploited. When terrorists can communicate covertly without fear of detection, chaos may follow.
We recognize that there will be risks in allowing lawful access. But the public safety and national security benefits may be worth the additional risk.
What we have in mind is that the engineering goals should include the option of law enforcement access to data, when there is judicial approval based upon a showing of legitimate and particularized need.
Technology providers are working to build a world with armies of drones and fleets of driverless cars, a future of artificial intelligence and augmented reality. Surely such companies could design consumer products that provide data security while permitting lawful access.
If companies are permitted to create law-free zones for their customers, citizens should understand the consequences for the rule of law. “Going dark” threatens to disable law enforcement and enable criminals and terrorists to operate with impunity. When police cannot access evidence, crime cannot be solved. Criminals cannot be stopped and punished.
There is an alternative. Responsible encryption can protect privacy and promote security without forfeiting access for legitimate law enforcement needs supported by judicial approval.
Technology companies cannot be expected to develop and market responsible encryption on their own. Competition leads them to produce products that are more and more impregnable. That gives criminals and terrorists more opportunities to cause harm with impunity.
Sounding the alarm about the dark side of technology is not popular. People who speak candidly about “going dark” face attacks by advocates of absolute privacy.
Some absolute privacy advocates are motivated by profit. Others demonstrate sincere concern about the benefits of privacy. However, they do not worry about preserving law enforcement capabilities. We do.
Warrant-proof encryption comes at a cost because it enables criminals and terrorists to communicate without fear of detection. Obviously, there is no constitutional right to sell warrant-proof encryption. If society chooses to let companies market technologies that cloak evidence of crimes, it should be a fully-informed decision.
Let me conclude with the hope that you consider my remarks in the spirit of frank discussion that is intended. The Department of Justice will continue to work with you to promote cyber security. I hope we can count on you to do the same.
** Due to an error in the FBI's methodology, an earlier version of this speech incorrectly stated that the FBI had been unable to access 7,800 devices. The correct number will be substantially lower.
Updated May 23, 2018