Remarks as prepared for delivery
Thank you very much for that thoughtful introduction. I am very happy to be back (almost) in Baltimore, if only for an hour!
Over the past two decades, I spent only four years in Washington, DC, from 2001 to 2005. I spent 16 years working with local, state and federal law enforcement officers here in my home state of Maryland.
My goals for the U.S. Attorney’s Office were simple: to work cooperatively with our partners to promote the rule of law, punish criminals, deter crime and safeguard government property. And to inspire public trust and confidence by adhering to the highest ethical and professional standards while pursuing justice in each case.
Some people refer to me as a career prosecutor, but I studied management, marketing and finance at an undergraduate business school. I expected to put those skills to use in corporate America. Law enforcement took me in a different direction, but understanding the business world remains valuable to my work.
As a white-collar crime prosecutor, it is helpful to know how business works. First, you need to understand transactions in order to recognize when they are fraudulent. Second, familiarity with the business world sometimes allows me to spot an innocent explanation for conduct that otherwise may appear suspicious.
In my new job, business skills are useful for a more practical reason. Some of you may not be familiar with my new job. Deputy Attorney General is supposed to be a low-profile management position in the Department of Justice.
The Deputy Attorney General is responsible for managing an organization of 115,000 employees and tens of thousands of contractors. I often have more in common with a chief operating officer than a litigator.
One of my most important duties is to protect our brand—to safeguard the integrity and defend the reputation of the Department of Justice.
Like you, we deal with customers and other stakeholders.
And we often confront unexpected challenges.
When I started my first supervisory job in 2001, one of the most popular management books was “Who Moved My Cheese?” If you are about my age, you probably are familiar with it. It is a fable about how to manage change.
The story involves two men who live in a maze. There is a place in the maze where they can always find cheese, which represents success.
One day, the cheese stops showing up in the usual spot. In the face of this new challenge, one of the men decides to adapt and venture through the maze looking for more cheese. The other man sticks with his old routine and refuses to change.
The adaptable man realizes that the cheese is always moving. He constantly monitors his cheese supply and explores the maze to prevent complacency from setting in.
The complacent man goes hungry.
That simple lesson is a reminder about the need to evolve to meet changing circumstances.
Adaptability is important for organizations as well as individuals. Business organizations should always plan for unexpected events. It sounds like a paradox. But the point is captured by Donald Rumsfeld’s famous remark that there are known-knowns, known-unknowns, and unknown-unknowns.
Your goal should be to shrink the unknown category as much as possible, but always recognize that it exists. Assume that you will need to respond to unforeseeable crises, with very little notice.
As a lawyer with business training, I understand how attorneys are sometimes viewed by businesspeople. Attorneys frequently have the unpleasant task of telling you what you cannot do, and delivering bad news. In law school, the professor in my Property class referred to the students as “budding transaction costs.”
One of the most frequently quoted remarks mocking lawyers is from William Shakespeare’s play, Henry VI. You know the line: “The first thing we do, let’s kill all the lawyers.”
But that quote is often taken out of context. Shakespeare intended for it to be ironic. The speaker is not a businessman upset about overregulation. He is a criminal scheming to take over the government.
Shakespeare’s point is that, without lawyers, nobody would need to follow the law. That would be good for criminals. But it would be bad for business!
The rule of law is not just a feature of America. The rule of law is the foundation of America.
One of the finest defenses of the rule of law appears in Robert Bolt’s brilliant play about Sir Thomas More, A Man for All Seasons. In Bolt’s version, More defends the rule of law in an argument with his son-in-law, William Roper. Roper is angry that More would give the benefit of the rule of law even to the Devil himself.
Roper insists that he would cut down every law if it were necessary, in order to destroy the Devil.
More replies, “Oh? And when the last law was down, and the Devil turned round on you – where would you hide, Roper, the laws all being flat?”
The point is that if we permit the rule of law to erode because it does not directly harm our personal interests, the erosion may eventually consume us as well. If people lose faith in the rule of law, then everyone will suffer.
As Attorney General Jeff Sessions explained, “Societies where the rule of law is treasured … tend to flourish and succeed. Societies where the rule of law is subject to political whims and personal biases tend to become … afflicted by corruption, poverty, and human suffering.”
The rule of law allows businesses to enter enforceable contracts, make investments, and project revenue with some assurance about the future. It establishes a mechanism to resolve disputes, and it provides some degree of protection from arbitrary government action.
But the rule of law is not just about words. Written rules are not self-executing.
The rule of law depends upon the character of the people who enforce the law. If they uphold it faithfully, the result will be a high degree of consistency and predictability. Those features build public confidence, and allow our nation to thrive.
The Department of Justice’s most fundamental mission is to protect the American people by enforcing the rule of law. That helps to support an environment that deters crime and permits honest businesses to flourish.
One challenge that honest businesses face is cybercrime. The threat that cybercriminals pose to public entities and private businesses is substantial. A single intrusion could mean economic loss, bankruptcy, and in some cases, even loss of human life.
A recent report predicts that the monetary costs of global annual cybercrime will double from $3 trillion in 2015 to $6 trillion in 2021. Those numbers are staggering, and recent events demonstrate why we need to work together to address the growing threat.
One example that may have affected many people in this room is the data breach suffered by the University of Maryland in 2014. According to public reports, cyber criminals reportedly breached a database with names and personal identifying information of more than 300,000 students, staff, and alumni.
Cyber criminals know that a company’s lifeblood is contained in its networks and the information flowing through those systems. The last few years have witnessed a significant increase in criminals using ransomware.
In March 2016, hackers reportedly attacked MedStar Health’s system. This attack resulted in the shutdown of computer systems, and required the hospital system to revert to paper medical records. And the attack was seemingly for ransom: hackers encrypted the hospitals’ data and demanded bitcoin payment in exchange for the data being unlocked.
On average, more than 4,000 ransomware attacks have occurred daily since January 1, 2016. Estimates of the amount of ransom paid approach $1 billion annually. Earlier this year, the “WannaCry” ransomware infected hundreds of thousands of computers around the globe, and paralyzed Britain’s National Health Service.
Cyber criminals also frequently use distributed denial of service attacks to grind normal network operations to a halt. The DDoS threat is noteworthy because it will only grow as criminals find ways to manipulate internet-connected devices.
A June 2016 attack launched against domain name servers used simple Internet-connected devices, such as cameras and digital video recorders. The attack vividly illustrates how our digital infrastructure can be used against us. According to one report, DDoS attacks can represent up to 18% of a country’s total internet traffic.
Every business is responsible for protecting its own systems against cyber-attacks. Individual efforts are unquestionably important. But unilateral action is not sufficient to address the growing global cyber threat. Private-public partnerships are critical to combatting this problem.
Law enforcement can help before, during, and after a cyber incident. The first step in safeguarding against cyber-attacks is a good defense, and the best time to formulate your response is before the incident occurs.
We at the Department of Justice are here to help. If you look on our website, you will find advice about protecting your networks from ransomware and responding to cyber incidents.
Whether your organization is a large, multi-national company or a small start-up that creates web-connected devices like doorbells, thermostats, or kitchen appliances, you can play a critical role in thwarting cyber-attacks by building into your systems and devices mechanisms that secure them against criminals and by cooperating with law enforcement officials during any investigation.
But, unfortunately, even if you take all reasonable precautions, your organization may still fall victim to an attack. If that happens, I urge you to immediately notify law enforcement.
It is important to report cyber incidents as quickly as possible. Your actions, together with law enforcement’s help, could prevent the next attack. And a collaborative approach will be more effective than merely trying to avoid being the next victim.
Law enforcement has tools that are not available to the private sector. In the long run, a swift and decisive response that involves cooperation with law enforcement is more likely to be effective and sends a strong signal to your customers that you responded with the necessary urgency.
Another topic that is especially important to business interests is intellectual property crime. As our markets become more global, more complex, and more sophisticated, intellectual property rights become even more important.
Intellectual property enforcement assures innovators and investors that when they devote time and money to develop new concepts and products, they will reap the financial rewards.
If we fail to protect intellectual property rights, the immediate consequence will be monetary losses to individual property owners. But the longer-term impact is that there will be less investment of time and resources, and fewer innovations.
I saw the scale of this problem firsthand eight years ago, when my office prosecuted a case here in Maryland. Over the course of 20 months, criminals imported 500,000 counterfeit handbags manufactured in Asia with fraudulent logos.
Intellectual property enforcement does not prevent retailers from selling inexpensive products, or stop customers from getting bargains. Entrepreneurs are free to manufacture discount items and sell them using novel brand names. Innovators can create and market new songs, movies, books, and computer programs.
But people are not free to sell something that belongs to someone else.
The most valuable intellectual property a company owns may be technical information that it keeps secret. Our government is committed to vigorously enforcing the law that criminalizes the theft of corporate trade secrets. IP enforcement often implicates health and safety concerns. Earlier this year, we brought criminal charges against an engineer at a large government contractor that worked on commercial and military satellites sold to the United States Air Force, the Navy, and NASA.
The defendant’s employer gave him access to proprietary trade secrets, including anti-jamming technology, encryption plans for communication with satellites, and related technical data. Using this access as an opportunity for illicit profit, the defendant attempted to sell the information to people he believed were foreign agents interested in military technology. They turned out to be undercover federal law enforcement officers. The defendant pleaded guilty in federal court to the crime of economic espionage.
Those are just a couple of examples of cases prosecuted by the Department of Justice to prevent and deter thieves from stealing intellectual property and marketing fake products. We will continue fighting IP crime and upholding the rule of law.
I have just a few minutes left, so let me use them to address one of the most significant problems facing law enforcement today. Until very recently, police and prosecutors who had a Constitutionally-valid purpose and the approval of a judge could obtain documents and physical evidence relevant to a criminal investigation.
Now, most data is stored and transmitted electronically. Companies market devices and applications that encrypt data so that it cannot be intercepted by criminals. Strong encryption is good. The problem is that some manufacturers design systems so that police and prosecutors also cannot access the data, even with a warrant.
“Warrant-proof encryption” of electronic devices sometimes has grave consequences.
The issue caught the public’s attention in February 2016, when the government obtained an iPhone used by a terrorist who shot and killed 14 people and injured 22 others at an office Christmas party in San Bernardino, California. The FBI wanted to know whether the phone contained information about other terrorists who might launch attacks.
So, the FBI obtained the consent of the phone’s legal owner—the San Bernardino county government—and also obtained a search warrant. But the data on the phone was encrypted, and Apple refused to help the FBI access the data. Ultimately, the government found a way to access the data. But considerable time and resources were spent on that difficult task.
And the problem is not going away. Some companies keep updating their encryption to stay a step ahead of law enforcement.
Consider the tragic mass shooting at the First Baptist Church in Sutherland Springs, Texas. The FBI has the suspect’s phone, but cannot access the data inside because of encryption.
Nobody has a legitimate privacy interest in that phone. The suspect is deceased. Even if he were alive, it would be legal for police and prosecutors to find out what is in the phone.
When you shoot dozens of innocent American citizens, we want law enforcement to investigate your communications and stored data. We expect police and prosecutors to investigate such horrendous crimes. There are things that we need to know.
As a matter of fact, no reasonable person questions our right to access the phone. But the company that built it claims that it purposely designed the operating system so that the company cannot open the phone even with an order from a federal judge.
Maybe we eventually will find a way to access the data. But it costs a great deal of time and money. In some cases, it surely costs lives. That is a very high price to pay.
We need to find a solution.
The last topic that I would like to mention is overregulation. Unnecessary and cumulative regulations can stifle innovation and harm businesses, consumers, and employees. That is why I am proud that President Trump ordered the Department of Justice, along with other agencies, to review all regulations in order “to alleviate unnecessary regulatory burdens placed on the American people.”
Our Associate Attorney General, Rachel Brand, chairs the Department’s Regulatory Reform Task Force. She is working to make the rules easier for businesses to navigate.
Let me conclude with this commitment: We regard you as partners in achieving our mission to prevent crime, enforce the rule of law, and maintain a stable business climate.
Your leadership in managing law-abiding enterprises sets the standard for others to follow.
Thank you very much.