Justice News

Deputy Attorney General Rosenstein Delivers Remarks at the 2017 North American International Cyber Summit
Detroit, MI
United States
~
Monday, October 30, 2017

Remarks as prepared for delivery


Good afternoon.  Thank you, Mr. DeVries, for that very kind introduction.

I attended an undergraduate business school, before I became a lawyer. So, I understand how business people view attorneys.

One of the most frequently quoted remarks mocking lawyers is from William Shakespeare’s play, Henry VI.  You know the line: “The first thing we do, let’s kill all the lawyers.”

Fortunately, Shakespeare did not mean for it to be taken literally. On the contrary, the remark is intended to be ironic. The speaker is not a businessman upset about overregulation. He is a criminal scheming to take over the government.

Shakespeare’s point is that without lawyers, nobody would need to follow the law. That would be good for criminals. But it would be bad for business!

The rule of law is essential to commerce. It allows businesses to enter contracts, make investments and project revenue with some assurance about the future. It establishes a mechanism to resolve disputes, and it provides some degree of protection from arbitrary government action.

The rule of law is not just about words on paper. It depends upon the character of the people who enforce the law. If they uphold it faithfully, the result will be a high degree of consistency and predictability. Those features build public confidence, and allow our nation to thrive.

The desire to live under the rule of law is what motivated the patriots who wrote our Constitution in 1787.

The rule of law is not just a feature of America. The rule of law is the foundation of America.

One of the finest defenses of the rule of law appears in Robert Bolt’s brilliant play about Sir Thomas More, A Man for All Seasons. In Bolt’s version, More defends the rule of law in an argument with his son-in-law, William Roper.

Roper is angry because More would allow the Devil to benefit from the protection provided by the rule of law.

Roper insists that in order to destroy the Devil, he would cut down every law, if necessary.

More replies, “Oh? And when the last law was down, and the Devil turned round on you – where would you hide, Roper, the laws all being flat?

The point is that if we permit the rule of law to erode when it does not directly harm our personal interests, the erosion may eventually consume us as well. The rule of law is not self-executing. If the people lose faith in it, then everyone will suffer.

I am proud to work with Attorney General Jeff Sessions in the Department of Justice, the executive branch institution that bears the greatest responsibility to protect the rule of law.

President Trump demonstrates his respect for our Department by appointing officials who defend the rule of law.

October is National Cybersecurity Awareness Month.  This initiative was created a few years ago as a collaborative effort between government and industry to raise awareness about the current and future cyber threat landscape. 

Summits like this one are tremendously important in building relationships of trust between the government and industry.  I salute Governor Snyder for his leadership in this critical area.

The city of Detroit is synonymous with American innovation and excellence. It is a privilege to be here with state and local officials, law enforcement personnel, businesspeople, and entrepreneurs. 

You are here today because of a common interest in cybersecurity. I would like to speak to you today about (1) the scope of the cybersecurity threat that confronts us, and (2) the benefits that we all can gain from public-private partnerships. I will also discuss some of the challenges that law enforcement faces in the current cyber environment.

First, let me discuss the scope of the threat.

Whether you work for local law enforcement, a utility provider, a hospital, or a small or large company, you need to protect your critical infrastructure against cyber infiltration.  The threat that cybercriminals pose to public entities and private businesses is substantial.  A single intrusion could mean economic loss, bankruptcy, and in some cases, loss of human life. 

A recent report predicts that the monetary costs of global annual cybercrime will double from $3 trillion in 2015 to $6 trillion in 2021. Those numbers are staggering; and recent events demonstrate why we need to work together to address the growing threat.

Cyber criminals know that a company’s lifeblood is contained in its networks and the information flowing through those systems.  The last few years have witnessed a significant increase in criminals using ransomware. 

On average, more than 4,000 ransomware attacks have occurred daily since January 1, 2016.  That is a 300% increase over the approximately 1,000 attacks per day in 2015.  According to FBI estimates, ransomware infects more than 100,000 computers a day around the world. 

A few years ago, ransomware attacks were unsophisticated and haphazard attempts by novice hackers to gain a few hundred dollars, mostly from individual users who happened to be affected.  Today, the attacks are concerted efforts by sophisticated individuals, criminal enterprises, or nation-states that can target a range of home users, businesses, networks, or critical infrastructure with laser-like precision to cause widespread damage. 

The damage is economically significant. Estimates of the amount of ransom paid to criminals approach $1 billion annually.  It can also be life threatening. Earlier this year, the “WannaCry” ransomware infected hundreds of thousands of computers around the globe, and paralyzed Britain’s National Health Service.

In 2016, here in Michigan, the Board of Water & Light fell victim to a ransomware attack when an employee erroneously opened an e-mail attachment containing the virus. 

Although the virus affected only the utility’s e-mail and accounting systems, the Board paid a $25,000 ransom and spent approximately $2 million on other remedial measures.  The Board was lucky — many cyber thieves are happy to pocket ransom payments without unlocking their victims’ computers.  Moreover, if the virus had actually impacted electric or water systems, consumers could have lost services for days or weeks.

Three months ago, Michigan’s Caro Community Hospital and its related facilities lost access for approximately two weeks to computers, phones, patient records, and e-mail services because of a ransomware attack.  Fortunately, no medical devices were directly affected. 

But imagine how much more serious the attack could have been.  Many types of machines critical to emergency treatment are computers.  MRI machines and ventilators may run software and be connected to networks.  A targeted and widespread attack on medical service providers could endanger lives.

State and local law enforcement are not immune from ransomware attacks, either.  Earlier this year, a Texas police department reportedly lost eight years’ worth of digital evidence after falling victim to a ransomware attack. 

Luckily, the department retained copies of most of the lost evidence, so it appears the number of affected prosecutions should be relatively small.  The situation could have been substantially worse.

Ransomware is not the only form of cyber threat that we must safeguard our critical infrastructure against. In 2013, a foreign adversary gained access to a dam in New York.  If the dam’s sluice gate, which controls water levels and flow rates, had not happened to be manually disconnected for maintenance, the adversary may have been able to remotely operate and manipulate the gate. 

Cyber criminals also frequently use distributed denial of service attacks to grind normal network operations to a halt.  The DDoS threat is particularly noteworthy because it will only grow as criminals continue to leverage Internet of Things devices against us. 

A June 2016 attack launched against domain name servers used simple Internet-connected devices, such as cameras and digital video recorders.  The attack vividly illustrates how our digital infrastructure can be used against us.  Cisco recently predicted a continuing increase in DDoS attacks, and noted that they can represent up to 18% of a country’s total Internet traffic.

Speaking of traffic, driverless automobiles are already on the road. As vehicles become increasingly smarter, interconnected, and automated, the risk of their use in a cyber-attack significantly rises. 

A March 2016 Government Accountability Office report finds that “remote attacks” on cars could “involve multiple vehicles and cause widespread impacts including passenger injuries or fatalities.”  That type of attack is especially worrisome because it is scalable. “[C]yber attackers could theoretically achieve massive attacks of multiple vehicles simultaneously.”  Companies must prepare for this threat and ensure that the automobiles of tomorrow are built today with good cyber-defenses.

Every business is responsible for protecting its own systems against cyber-attacks, and individual efforts are unquestionably important.  But unilateral action is not sufficient to address the growing global cyber threat. That is why public-private partnerships are critical to combatting this problem.

Law enforcement can help before, during, and after a cyber-incident. The first step in safeguarding against cyber-attacks is a good defense, and the best time to formulate your response is before the incident occurs. 

The Department of Justice is here to help.  On our website, you will find pamphlets about how to “Protect[] Your Networks from Ransomware” and “Best Practices for Victim Response and Reporting of Cyber Incidents.” 

Reflecting the lessons federal prosecutors and agents have learned while handling cyber investigations, the documents explain how you can safeguard your organization’s computer systems and networks.  They also describe best practices for responding to a real-time cyber-incident.  

Securing your critical infrastructure against cyber-attack helps both your organization, and the public. When cyber defenses prevent criminal infiltration, the public wins because critical systems remain operational and available for use.  Similarly, whether your organization is a large multi-national company or a small start-up that creates web-connected devices like doorbells, thermostats, or kitchen appliances, you can play a critical role in thwarting cyber-attacks by building into your devices mechanisms that secure them against hijacking by criminals.

But even if you take all reasonable precautions, your organization may still fall victim to a cyber-incident.  If that happens, I urge you to immediately notify law enforcement. 

I occasionally hear that business executives do not feel comfortable reporting cyber incidents to law enforcement.  Undoubtedly, the decision to notify law enforcement of a cyber-attack and to cooperate fully in an investigation involves a certain risk-reward calculation weighing the anticipated benefits of a pro-active approach against potential legal, reputational, and other costs. 

But I want to emphasize how important it is to report cyber incidents as quickly as possible.  Your actions, together with law enforcement’s help, could disrupt and deter those who would launch the next attack.  A collaborative approach will be more effective than merely trying to avoid becoming the next victim.

Law enforcement provides substantial benefits to victims of cyber intrusions and attacks. We can help you understand what happened; we can share contextual information about related incidents, thereby helping you to create defenses in case the intruders return; we can ensure proper investigation and preservation of evidence; we can inform regulators about your cooperation; and we are uniquely situated to pursue the perpetrators, through criminal investigation and prosecution. In appropriate cases, we also can pursue economic sanctions, diplomatic pressure, and intelligence operations.

Law enforcement agencies employ investigative tools not available to the private sector, and we strive to work cooperatively with victims to ensure they are not further victimized during our investigation.  We also maintain relationships throughout the world that can help us track down perpetrators, and bring them to justice.

Even where we may be unable to arrest or prosecute the hackers, we can tap into the expertise of other agencies, and deploy tools that reach beyond our borders.

Many cyberattacks are directed by foreign governments.

When you are up against the military or intelligence services of a foreign nation-state, you should have our federal government in your corner.

By alerting law enforcement about a cyber incident, your organization performs a public service; it helps strengthen the cyber defenses of others.  When law enforcement understands the details of an attack, we can promptly work on trying to apprehend the perpetrator, potentially before the next attack.

Even if we cannot quickly arrest the hacker, law enforcement can warn other organizations about a potential impending attack, and include details about the perpetrator’s modus operandi.  Other entities can take additional precautions to safeguard their critical infrastructure. 

Law enforcement can also partner with private industry to address a problem we call “Going Dark.”  Technology increasingly frustrates traditional law enforcement efforts to collect evidence needed to protect public safety and solve crime.  For example, many instant-messaging services now encrypt messages by default. The prevent the police from reading those messages, even if an impartial judge approves their interception.

The problem is especially critical because electronic evidence is necessary for both the investigation of a cyber incident and the prosecution of the perpetrator.  If we cannot access data even with lawful process, we are unable to do our job. Our ability to secure systems and prosecute criminals depends on our ability to gather evidence.

I encourage you to carefully consider your company’s interests and how you can work cooperatively with us.  Although encryption can help secure your data, it may also prevent law enforcement agencies from protecting your data.

Encryption serves a valuable purpose. It is a foundational element of data security and essential to safeguarding data against cyber-attacks. It is critical to the growth and flourishing of the digital economy, and we support it. I support strong and responsible encryption.

I simply maintain that companies should retain the capability to provide the government unencrypted copies of communications and data stored on devices, when a court orders them to do so.

Responsible encryption is effective secure encryption, coupled with access capabilities. We know encryption can include safeguards. For example, there are systems that include central management of security keys and operating system updates; scanning of content, like your e-mails, for advertising purposes; simulcast of messages to multiple destinations at once; and key recovery when a user forgets the password to decrypt a laptop.  No one calls any of those functions a “backdoor.” In fact, those very capabilities are marketed and sought out.

I do not believe that the government should mandate a specific means of ensuring access. The government does not need to micromanage the engineering.

The question is whether to require a particular goal: When a court issues a search warrant or wiretap order to collect evidence of crime, the company should be able to help.  The government does not need to hold the key.

Let me close by thanking you for inviting me to speak, and for your commitment to improving cybersecurity. 

The cyber threats that we face cry out for effective public-private partnerships. You have my commitment that the Department of Justice will work with you to confront them.  I hope that we can count on each of you to do the same.

Updated October 30, 2017