Science and Technology News

Thursday, December 8, 2016

Assistant Attorney General Leslie R. Caldwell Delivers Remarks Highlighting Cybercrime Enforcement at Center for Strategic and International Studies

Washington, DC
United States
~ Wednesday, December 7, 2016

Good morning, and thank you, Jim [Lewis], for that kind introduction.  I am pleased to be here speaking to you today, and I want to thank the Center for Strategic and International Studies (CSIS) for having me. 

Over the past two and a half years, I have had the honor of serving as the Justice Department’s Assistant Attorney General for the Criminal Division – and with that, the responsibility of ensuring that the division and its over 700 prosecutors have the support and authorities they need to fulfill their responsibilities to the American people.  I have also had the opportunity to see first-hand the dedication, rigor, intelligence and respect that America’s prosecutors bring to their work every day.  As my time as the Assistant Attorney General of the Criminal Division comes to a close, I am incredibly proud of where the division stands today and all that we have accomplished together.

One constant truth about investigating and prosecuting crime is that it is never without its challenges, although the precise nature of the difficulties and obstacles we face changes with the times.  Today, some of the most significant hurdles we encounter relate to technology and the Internet. 

Innovation in computing, the Internet, and related services has had tremendous benefits for our economy, our ability to connect with others, and the convenience, efficiency, and security of our everyday lives.  It has also transformed how we in law enforcement do our jobs by expanding our ability to detect, investigate and prosecute criminal activity. 

However, these same innovations permit criminals to more easily victimize Americans, including from afar, while concealing their identities and enabling destruction of evidence.  We face an enormous task in responding to these new threats – ranging from botnets and ransomware to online child sexual exploitation and firearms trafficking, to name just a few – and that task is not getting any easier.  This morning I will focus on four challenges that have been and must continue to be the center of our work if we intend to succeed:
    First, the growth of sophisticated, global cyber threats;
    Second, dangerous loopholes in our legal authorities;
    Third, the widespread use of warrant-proof encryption; and,
    Fourth, inefficient cross-border access to electronic evidence.

As I will explain in more detail, the past few years have marked some significant progress in some of these areas.  We have grown more nimble and effective in cooperative international law enforcement efforts to bring cyber criminals to justice and remediate cybercrime.  And we have managed to effect some targeted and common-sense improvements in legal authorities.  But in other areas, the challenges remain, and in some cases have become more prominent.

Let me begin with the threat.  The global nature of the Internet means that criminals now can easily victimize more people within the United States in more dangerous ways, all without ever setting foot here.  Some of the most significant criminal activity in recent years is the result of sophisticated criminal groups reaching across our borders from perceived safe harbors.  As we rely more and more on network communications to handle virtually every aspect of our lives, the cost of cybercrime will only rise – to over two trillion globally by 2019, according to some estimates – and the United States is a uniquely attractive target.

We have responded first and foremost by aggressively identifying, apprehending, and prosecuting offenders.  This past October, for example, the Russian cybercriminal Roman Seleznev was convicted by a jury in Seattle.  Seleznev was a hacker who, from the other side of the world, pilfered data for millions of payment cards from the computer systems of small business owners across America – a crime that strikes at the trust and security of our everyday financial transactions.  Seleznev was the son of a member of the Russian parliament, and the Russian government filed diplomatic protests and tried to pressure us into releasing him.  But that’s not how justice in America works, and he is now in an American prison.

We recognize that we cannot prosecute our way out of cybercrime, but prosecution must remain an integral component of our response to global cyber threats.  That is why foreign hackers like “Guccifer” – who hacked into the email and social media accounts of about a hundred Americans, including two former U.S. presidents – as well as Vladimir Drinkman and Dmitriy Smilianets – who, along with co-conspirators, conducted a worldwide hacking scheme that compromised more than 160 million credit card numbers – have likewise found themselves within the reach of American law enforcement.  Thanks to the work of our colleagues in the National Security Division, the same holds true for individuals like Su Bin – who conspired with Chinese military hackers to steal cutting-edge U.S. aircraft designs – and Ardit Ferizi – who shared stolen PII belonging to 1,300 U.S. military and government personnel with a member of ISIL, for publication on a hit list.  All have now been brought to the United States to face justice. 

The department’s strong track record in this area is a critical deterrent to would-be attackers.  Over the last twenty years, for example, our Computer Crime and Intellectual Property Section (CCIPS) – the centerpiece of our prosecutorial response to criminal cyber threats – has successfully prosecuted cases involving more than one billion stolen pieces of information, including payment card data, email addresses and social security numbers – more than three pieces of data for every American alive today.

Our international partnerships make this work possible.  And they have been key in another way as well.  Even when prosecution is not yet an option – for example, because we have been unable to identify or apprehend a criminal target – we have developed operational expertise in disrupting cybercriminal infrastructure in the United States and abroad.  For example, we have worked hand-in-hand with our foreign partners to address technical threats like botnets, so-called “bulletproof” hosts, Darknet markets and international hacking forums. 

Indeed, just last week, the department led a multinational operation to dismantle a vast network of dedicated criminal servers known as “Avalanche,” which allegedly hosted more than two dozen of the world’s most dangerous and persistent malware campaigns.  The Avalanche network served clients operating as many as 500,000 infected computers on a daily basis and is associated with monetary losses in the hundreds of millions of dollars worldwide.  We were joined in this effort by investigators and prosecutors from more than 40 jurisdictions across the globe.  We must maintain existing international law enforcement cooperation – and develop new mechanisms to work with foreign partners – if we hope to continue these successes.

These efforts have also benefitted from growth in our technical and investigative capacity.  The Criminal Division has steadily increased resources for CCIPS, along with its in-house Cybercrime Lab, over the last two years.  The Cybercrime Lab has become the go-to resource across U.S. law enforcement for intractable problems in accessing and understanding digital evidence, whether that means uncovering evidence that a defendant accessed online terrorist radicalization materials to rebut a claim of entrapment, or cracking passwords to dozens of devices that hold key evidence of serious crimes.

We have also found that augmenting our own expertise and legal authorities with insight from private sector institutions allows us to identify and develop new, creative responses.  For example, in 2014, the FBI, in conjunction with a coalition of nearly a dozen foreign countries and a group of elite computer security firms, dismantled the Gameover Zeus botnet.  That botnet, which infected more than one million computers around the world, inflicted over $100 million in losses on American victims alone, and was responsible for the spread of the Cryptolocker ransomware.  The Gameover Zeus operation represents what we can achieve when law enforcement agencies collaborate with private sector experts, and indeed, many private organizations provided similar assistance in the recent Avalanche take-down.  I hope that it will continue to serve as a model for the department’s future work.

This relationship works in both directions.  The investigative experience of our CCIPS prosecutors can offer important lessons for private sector entities.  In addition, navigating the federal laws that govern network monitoring practices – laws in which CCIPS specializes – can be fraught for organizations seeking to improve their cybersecurity.  That is why, two years ago, we created the Cybersecurity Unit, a group of CCIPS prosecutors who can leverage their case-related experience to develop and share practical cybersecurity advice with the private sector.  The Unit has also played an integral role in implementation of the Cybersecurity Information Sharing Act (CISA).  So not only have we benefitted from private sector experts for our operational needs, but we have made a practice of sharing our knowledge base as well.

Even as the department addresses technical obstacles to preventing and prosecuting cybercrime, however, we confront a second challenge: arbitrary gaps in the law that frustrate some of our most pressing investigations.  One example of such a loophole was the venue provision of Rule 41 of the Federal Rules of Criminal Procedure.

As that Rule existed prior to Dec. 1, 2016, when law enforcement sought court approval for a search warrant, it generally was required to seek authorization from a court sitting in the same geographic district where the property to be searched was located.   This Rule made perfect sense in dealing with the physical world.  But in the cyber-world, we increasingly face scenarios where criminals use technology to hide the location of their computers, meaning that we could not know where the computers were located.  In those circumstances, federal law did not clearly identify which judge could authorize a search.  

Similarly, we regularly encounter crimes like mass hacking through botnets that are carried out in multiple districts at once, all across the country.  But in order to respond in a timely, comprehensive manner, the prior version of the Rule arguably required authorities to obtain a warrant in each district – up to 94 in all, across 9 time zones, ranging from the Virgin Islands to Guam. 

Last week, a three year effort, spearheaded by the Criminal Division, and approved by the U.S. Supreme Court, culminated in a targeted, procedural fix to the venue provisions of the Rule to ensure that technology does not render our investigative abilities obsolete.  The update to the Rule does not alter the probable cause or other standards we must meet to obtain a search warrant.   What the Rule does change is that now, when criminals hide the location of their computers through anonymizing technology, we don’t have to figure out in which federal district the computers are physically located before we can act to stop criminal activity.  Likewise, when a criminal deploys a botnet that indiscriminately infects computers nationwide – as many botnets now do – we don’t have to go to as many as 94 different judges.

The need to update Rule 41 was not theoretical.  Today, dozens of websites on Tor – a proxy network – openly distribute images of child rape and sexual exploitation, where they are frequented by tens of thousands of pedophiles.  These sites can thrive in the open because proxy networks, like Tor, hide the locations of the criminals’ servers and the identities of their administrators and users.  While law enforcement – and the general public – can easily find images of child sexual exploitation by visiting one of these sites, we often cannot locate and shut down the websites or identify and apprehend the abusers.  More troubling, the child victims stand little chance of rescue.

The recent investigation of “Playpen,” a Tor site used by more than 100,000 pedophiles to encourage child sexual abuse and trade sexually explicit images of that abuse, illustrates why a Rule 41 fix was necessary.  In that case, authorities were able to wrest control of the site from the administrators, and then obtained court approval to use a remote search tool to retrieve limited information, including the user’s IP address, only if a user accessed child pornography on the site.  This enabled a traditional, real-world investigation, leading to more than 200 active prosecutions and the identification or rescue of at least 49 American children who were subject to sexual abuse. 

Yet in some of the resulting cases, federal courts relying on the language of the prior version of Rule 41 found that even though the probable cause and other standards for obtaining a warrant were satisfied, evidence obtained in searches nevertheless had to be excluded because the judges who issued warrants lacked venue over the computers, which turned out to be physically located outside their geographic districts.  This is a perverse result, as it would mean that criminals who are savvy enough to hide their locations – which is not difficult given current technologies – could place themselves beyond the reach of law enforcement. 

This is a good example of why the amendments to Rule 41 are such a crucial step forward.  They make clear which courts are available to consider whether a particular warrant application comports with the Fourth Amendment, without altering in any way the substantive requirements for – or privacy protections provided by – a warrant.  This will ensure that criminals who use anonymizing technologies are not immune from justice, and that threats like botnets are not too big to investigate and remediate effectively.

This fix is not a cure-all, however.  Our response to cyber threats requires revisiting laws that simply did not anticipate and cannot adjust to modern technology.  We must continue to move forward – not backward – to ensure that our laws protect Americans from criminals, and not the other way around.

I now want to turn to some challenges that, despite the best efforts of many, will continue to confront policymakers in the years to come.  As society’s use of computers and the Internet has grown, so too has the importance of digital evidence in criminal investigations.  In nearly every criminal investigation we undertake at the federal level – from homicides and kidnappings to drug trafficking, organized crime, financial fraud and child exploitation – critical information comes from smart phones, computers and online communications, often instead of physical evidence.  Yet, these materials are increasingly unavailable to law enforcement as a result of certain implementations of encryption, even when we have a warrant to examine them.

This is because, in an attempt to market products and services as protective of personal privacy and data security, companies increasingly are offering products with built-in encryption technologies that preclude access to data even when a court has issued a search warrant.  Service providers with more than a billion user accounts, that transmit tens of billions of messages per day around the world, now advertise themselves as unable to comply with warrants.  And device manufacturers that have placed hundreds of millions of products in the market have embraced the same principle.  We in law enforcement often describe this sort of encryption as “warrant-proof encryption.” 

Let me be clear: the Criminal Division is on the front lines of the fight against cybercrime.  We recognize that the development and adoption of strong encryption is essential to counteracting cyber threats and to promote our overall safety and privacy.  But certain implementations of encryption pose an undeniable and growing threat to our ability to protect the American people.  Our inability to access such data can stop our investigations and prosecutions in their tracks.

Inaction is not a suitable response.  Our occasional success in accessing information protected by seemingly “warrant-proof encryption” is unpredictable and inadequate.  There are devices in evidence lockers across the country that remain locked. 

As the President reminded us recently, the Government has different responsibilities – a different “balance sheet” and different “stakeholders” – than a corporation.  There is nothing wrong with companies pursuing profits and marketing strategies, but no one should expect that they will take into account all of the societal interests that are at stake.  And that is especially true for our public safety mission.  Our ability to protect Americans from crime has become dependent, in thousands of cases, on the business decisions of for-profit corporations.  More troublingly, even when companies have the technical ability to reasonably assist us in accessing encrypted information, they have refused to do so for fear of “tarnishing” their image.  Regardless of which side of this issue you are on, we can all agree that market-driven decisions are not and have never been a substitute for sound public safety policies.

Business decisions made by for-profit companies have had enormous effects on our public safety in other ways as well.  Data held by major Internet service providers can be crucial to identifying and holding accountable the perpetrators of virtually every federal crime we handle.  Increasingly, however, American providers and other providers subject to the jurisdiction of the United States are storing such information outside the United States, and not always at rest and in the same location.  The data can be partitioned and stored in multiple locations, or moved about on an ongoing basis, and some providers may not even know where all data relating to a particular user is at a given time. 

It is this last challenge – foreign-stored digital evidence – that I will close with today.  The department has worked diligently to increase the cross-border availability of data, through mechanisms like the 24/7 Network, which facilitates the preservation of digital evidence, as well as mutual legal assistance treaties and the Budapest Convention on Cybercrime, which enhance international cooperation in obtaining that evidence.  The Criminal Division has also directed additional resources toward a dedicated cyber mutual legal assistance unit in our Office of International Affairs, which has seen a 1,000 percent increase in incoming requests for computer records since 2000.

But while these are important crime-fighting tools, they have significant shortcomings.  The United States has mutual legal assistance treaties with less than half the countries in the world, some of which place limitations on when assistance is available or the types of evidence that can be obtained.  Even then, obtaining evidence can take months, if not years.  Ireland, for example, reports that in routine cases it takes 15 to 18 months to execute a request for assistance from a foreign country.  In less experienced or less cooperative countries, the process can take even longer.  Sometimes we never receive a response at all. 

Recently, the difficulties caused by foreign-stored data for public safety have become more acute.  In July, the Second Circuit Court of Appeals, in the so-called “Microsoft Ireland” case, held that U.S. authorities cannot use a search warrant issued by a U.S. court pursuant to the Stored Communications Act (SCA) to compel a U.S. service provider, such as Microsoft, to produce data that it chooses to store for its own business purposes (and typically without the knowledge or input of its subscribers) outside the United States.

So, what is already a difficult and time-consuming process of gathering electronic evidence may now also become an impossible one, for both the United States and our partners.  Since the Microsoft decision was handed down, U.S. providers such as Google, Microsoft and Yahoo! have refused to produce information that they have chosen to store abroad in response to search warrants issued by courts even outside the Second Circuit.  This has been the case even in instances where the account-holder was an American citizen residing in the United States, and when the crime under investigation is carried out on American soil.  And this includes warrants obtained on behalf of foreign countries pursuant to mutual legal assistance requests.

U.S. law generally does not require our providers to store this data in a particular location or make it accessible in any particular way.  But as a result, the ability of law enforcement to effectively investigate serious crime may now be determined entirely by a provider’s data management practices, well-intentioned or not.  One major American provider, for example, is unable to determine the country in which foreign-stored data is located; and even if it could, the data is frequently moved and may not be in the same country from day to day.  Under the Second Circuit’s decision, a SCA warrant is not available.  But sending an MLAT request to a foreign country could result – after months of delay – in a notification that the relevant data is no longer there.

It is for this reason that, in October, the department filed a petition for the case to be reheard by the entire Second Circuit en banc.  It is also why we intend to submit legislation to Congress to address the decision’s significant public safety implications.  This issue must be resolved before we move to other important initiatives, such as legislation to implement a cross-border data agreement with the United Kingdom.

Looking forward, I cannot predict how the rehearing petition, or the broader concerns implicated by the Microsoft decision, will play out.  And I suspect that, whether the issue relates to warrant-proof encryption or cross-border access to evidence, reaching a resolution will be challenging.  But these decisions must be made in the policy arena, not by the private sector alone.  We cannot allow changing technologies or the economic interests of the private sector to overwhelm larger policy issues relating to the needs of public safety and national security.  And we must let government fulfill its fundamental responsibilities to protect the American people.

I know that the panel to follow will focus on some of these challenges for the future, but let me offer my own thoughts here.  In each of these areas, we must proceed thoughtfully and balance multiple different legitimate interests.  Yet several basic principles should be obvious.  First, sitting back and doing nothing is not an acceptable option.  The world is changing around us, and those seeking to do harm are evolving with it; if those responsible for ensuring public safety do not have the same ability to adapt, public safety will suffer.  Second, these changes pose policy challenges, and we need to develop policy responses.  Rather than let evolutions in technology dictate our responses, we must think ahead as a society and develop appropriate frameworks to address new and upcoming challenges before they become crises.  And finally, when there are multiple interests at stake – public safety, cybersecurity, international comity and civil rights and civil liberties – we cannot allow the most consequential decisions to be made by a single stakeholder, or leave them to the whim of the commercial marketplace.  We would never tolerate that approach in other areas of importance to society, and we should not do so here.  Thank you.

Criminal Justice Technology in the News

Law Enforcement News

Indiana Launches Predictive Crash Tool for Citizens, First Responders
Government Technology, (11/15/2016), Eyragon Eidam

Indiana has a new website to help drivers and first responders with predicting and avoiding traffic accidents. The Crash Prediction Website is an effort between the Indiana State Police and the Management and Performance Hub, which provides centralized data sharing, correlation and analysis. The website maps the probability of fatal and nonfatal traffic accidents based on a range of available data. The predictive portal shows the probability of accidents across the state within three-hour windows throughout the day. Risk decisions are based on the combination of weather, traffic, road conditions, time of day, historical information and census data.

FWB Police to Start Wearing Body Cameras, (11/30/2016), Tony Judnich

Police in Fort Walton Beach, Fla., will soon be wearing body cameras. The city will purchase 35 body cameras for its officers, and 35 vehicle cameras to replace outdated patrol car cameras. Police say the use of body cameras can improve policing practices and community relations.

Several Universities Have Gunshot-Detection Technology. UMD Might Follow Suit
The Diamondback, (12/01/2016), Michael Brice-Saddler

University of Maryland police are piloting gunshot-detection technology on campus. The SecureCampus technology, developed by ShotSpotter, can pinpoint the location of gunfire using strategically placed sensors that would allow police to identify how many weapons are being fired and distinguish between multiple guns of the same model. For the six-month pilot period, 10 sensors were installed on the rooftops of various campus buildings. More than half a dozen U.S. universities currently use SecureCampus.

Police Use Drunk Volunteers for Field Sobriety Training
WECT, (12/01/2016), Amanda Weston

Police from several North Carolina towns and cities recently used volunteers who had been drinking liquor to practice tests designed to spot impaired drivers. The tests included having the subject follow an officer's finger with their eyes, walk toe-to-heel in a straight line and stand on one foot for balance. Officers from Leland, Southport, Wrightsville Beach, Shallotte, Surf City and Oak Island participated in the training.

WSU Researchers Create Bias Training Simulator for Officers
KREM, (12/01/2016), Matt Vergara

Researchers at the Washington State University Spokane campus have created simulation gear to help police train for situations requiring deadly force. Simulated Hazardous Operational Tasks Laboratory researchers combined video scenarios modeled after evidence and research from actual police-involved shootings to create the Counter Bias Training Simulation and test the implicit bias of officers. Most implicit bias trainings are taught in classes, but the simulation will put trainees in real-life, tense situations with actors of different races who portray people of various backgrounds and economic statuses.

NIJ Awards Grant for Tool to Trace Counterfeit Bills
SecuringIndustry, (12/01/2016)

The National Institute of Justice has awarded a grant to a Sam Houston State University researcher to develop chemical signatures that can be used to identify fake currency and documents. Patrick Buzzini, an associate professor in the Department of Forensic Science, will use the grant to develop technology that will allow illicit copies produced with color inkjet printers to be traced back to the source. He is collaborating with the U.S. Secret Service on the project. More than 60 per cent of counterfeit bank notes classified by the Secret Service are made using inkjet printers because of their low cost and wide availability.

Expanding Smart Car Fleet, New York Police Just Got More 'Adorable'
The New York Times, (12/01/2016), Rick Rojas

The New York Police Department is expanding its fleet of Smart cars to replace its three-wheeled scooters. The two-seater cars have red and blue lights and the insignia of the police department. The Smart cars are safer, cheaper and easier to operate than the scooters. In addition, they can serve as an icebreaker with the public. The department currently has 150 of the small cars in service and plans to add at least 75 more.

Dog-Nose-Inspired Adapter Improves Trace Detection of Explosives
RTT News, (12/02/2016)

By mimicking how dogs sniff, a team of government and university researchers fitted a dog-inspired plastic nose to an explosives detector, and reported improved efficiency. Researchers at the National Institute of Standards and Technology, the Massachusetts Institute of Technology's Lincoln Laboratory and the U.S. Food and Drug Administration fitted a dog-nose-inspired adapter, made on a 3D printer, to the front end of a commercially available explosives detector. Adding the artificial dog nose to enable active sniffing improved odorant detection by up to 18 times, depending on the distance from the source. "Applying this bio-inspired design principle could lead to significantly improved vapor samplers for detecting explosives, narcotics, pathogens – even cancer," according to lead researcher Matthew Staymates.

Courts News

County Will Upgrade Its Electronic Court System
Huron Daily Tribune, (12/05/2016), Bradley Massman

Courtrooms in Huron County, Mich., are getting an upgraded communications system. The existing system has saved taxpayers and authorities close to $3 million since 2010. The updated Polycom systems will be installed in early 2017. The system is used to conduct arraignments electronically and handle other proceedings, including video testimony.

Corrections News

CDCR Launches Email Notification System for Victims of Violent Crimes
CBS Sacramento, (12/01/2016)

The California Department of Corrections and Rehabilitation has launched an email notification service to inform violent crime victims when their offenders are being released from custody. The new Automated Email Notification Service sends real-time alerts to digital devices to those who have signed up, providing a 90-day advance notice of the release of an offender. The CDCR currently delivers more than 20,000 notifications each year to victims. The new system streamlines the process.

Sheriff's Office Rolls Out Inmate Search Database
Times-Herald, (12/01/2016), Kayla Galloway

The Solano County Sheriff's Office website has a new search feature to ease access to information about inmates in county detention centers. The feature will allow users to search for current inmates in all of the California county's detention centers. Users can schedule video visitations with inmates, purchase commissary goods for inmates and access inmates' personal information, including bail totals, birth dates, court dates and whether the individual has been sentenced in court.

Ohio Senate Approves Bill Allowing Prisoner Transfer to Private Facilities
Nordonia Hills News-Leader, (12/02/2016), Marc Kovac and David Skolnick

The Ohio State Senate has approved legislation that would allow prisoners to be transferred to private facilities. The bill now goes to the Ohio House for consideration. Proponents say the measure would allow the state to take advantage of inmate beds left vacant when the federal government ended contracts to house federal prisoners at the Northeast Ohio Correctional Center in Youngstown.

How Connecticut Became a Model for Prison Reform
The Crime Report, (12/05/2016), Christopher Moraff

Connecticut has seen its prison population fall to a 20-year low due to reform measures. More than a decade ago, Connecticut embraced a justice reinvestment initiative, diverting $13 million into community supervision and re-entry programs. In 2015, the state began an aggressive set of reform measures that included a repeal of the state's strict drug laws, and made it easier for inmates to gain parole. In September 2016, the state's prison population dropped below 15,000 for the first time since January 1997. Other legislation will raise the age for juvenile transfers to adult court from 16 to 18 by 2019. Also, changes to school disciplinary measures have led to a drop in the number of young adults being arrested.