Good afternoon.
Thank you for having me here today.
I am grateful to the U.S. Attorney’s Office for the Western
District of Washington and to U.S. Attorney Jenny A. Durkan, for
organizing a conference on this important topic.
Thank you all for taking the time out of your schedules to discuss these issues.
Events like these are critical to helping us succeed in combating cyber threats.
The Threat
If there is one thing we all know from the presentations today and our
work in the field, it is the seriousness of the cyber threat.
The President has called it “one of the most serious economic and national security challenges we face as a nation.”
It’s hard to quibble with that.
Hardly a day goes by when cyber events don’t show up in the news.
As many of you know, over the last several weeks, financial
institutions in the United States have been hit by a series of
Distributed Denial of Service (or DDOS) attacks.
Such attacks are relatively easy to carry out, but they can
cause serious harm by disrupting companies’ website services and
preventing customer access.
Although these disruptions have been temporary, their frequency
and persistence underscores recent Intelligence Community warnings
about the “breadth and sophistication of computer network operations . .
. by both state and nonstate actors.”
The cyber alarm bell has been rung.
The Intelligence Community’s most recent Worldwide Threat
Assessment confirms that U.S. networks have already been subject to
“extensive illicit intrusions.”
The head of the National Security Agency and the Pentagon’s
Cyber Command, for one, believes such intrusions may have resulted in
“the greatest transfer of wealth in history.”
We often think of national security threats, like that of a catastrophic terrorist attack, as questions about prevention.
But the cyber threat is not simply looming – it is here.
It is present and growing.
Although we have not yet experienced a devastating cyber attack
along the lines of the “cyber Pearl Harbor” that Defense Secretary
Panetta recently mentioned – we are already facing the threat of a death
by a thousand cuts.
Outside the public eye, a slow hemorrhaging is occurring; a
range of cyber activities is incrementally diminishing our security and
siphoning off valuable economic assets.
This present-day reality makes the threat of cyber-generated
physical attacks, like those that might disrupt the power grid, appear
no longer to be the stuff of science fiction.
And all of this comes against the backdrop of sobering forecasts from the highest ranks of our national security community.
FBI Director Mueller – a man not prone to overstatement –
predicts that “the cyber threat will pose the number one threat to our
country” in “the not too distant future.”
Despite all we know about intrusions against U.S. businesses and
government agencies, what is more sobering still is the Intelligence
Community’s assessment that “many intrusions . . . are not being
detected.”
Even with respect to those that are detected, identifying who is behind cyber activity can be uniquely challenging.
Technologies can obscure perpetrators’ identities, wiping away
digital footprints or leaving investigative trails that are as long as
the web is wide.
Cyber intrusions don’t announce themselves or their purpose at the threshold.
Depending on the circumstances, the purpose or endgame of a particular intrusion may be anyone’s guess – is it espionage?
Mere mischief?
Theft?
An act of war?
The threats are as varied as the actors who carry them out.
A growing number of sophisticated state actors have both the
desire and the capability to steal sensitive data, trade secrets, and
intellectual property for military and competitive advantage.
While most of the state-sponsored intrusions we are aware of
remain classified, the onslaught of network intrusions believed to be
state-sponsored is widely reported in the media.
We know the Intelligence Community has noted that China and
Russia are state actors of “particular concern,” and that “entities
within these countries are responsible for extensive illicit intrusions
into US computer networks and theft of US intellectual property.”
Indeed, “Chinese actors are,” according to a public report of
our top counterintelligence officials, “the world’s most active and
persistent perpetrators of economic espionage.”
And we know that Secretary of Defense Panetta has stated that
“Iran has also undertaken a concerted effort to use cyberspace to its
advantage.”
In cases involving state actors and others, trusted insiders pose particular risks.
Those inside U.S. corporations and agencies may exploit their access to funnel information to foreign nation states.
In these cases, perimeter defense isn’t worth much; the enemy is already inside the gates.
The Justice Department has prosecuted a number of corporate
insiders and others who obtained trade secrets or technical data from
major U.S. companies and routed them to other nations via cyberspace.
Earlier this year, in the first indictment of foreign state-owned
entities for economic espionage, several companies controlled by the
government of China were charged in San Francisco for their alleged
roles in stealing a proprietary chemical compound developed by a U.S.
company for China’s benefit.
While this particular theft was not cyber-enabled, cyberspace makes economic espionage that much easier.
In an Internet age, it is no longer necessary to sneak goods
out of the country in a suitcase; a single click of a mouse can transmit
volumes of data overseas.
Indeed, the Department has secured convictions of individuals
who stole corporate trade secrets by simply e-mailing them overseas.
In one recent case, a chemist downloaded a breakthrough
chemical process just developed by his company in the United States and
e-mailed it to a university in China where he had secretly accepted a
new job.
The other major national security threat in cyberspace is cyber-enabled terrorism.
Although we have not yet encountered terrorist organizations
using the Internet to launch a full-scale cyber attack against the
United States, we believe it is a question of when, not if, they will
attempt to do so.
Individuals affiliated with or sympathetic to terrorist
organizations are seeking such capabilities. We have already seen
terrorists exhorting their followers to engage in cyber attacks on
America.
Just this year, an al-Qaeda video released publicly by the
Senate Homeland Security Committee encouraged al-Qaeda followers to
engage in “electronic jihad” by carrying out cyber attacks against the
West.
Terrorists have already begun using cyberspace to facilitate bomb plots and other operations.
These activities go beyond the use of cyberspace to spread propaganda and recruit followers.
For example, the individuals who planned the attempted Times
Square bombing in May 2010 used public web cameras for reconnaissance,
file sharing sites to share operational details, and remote conferencing
software to communicate.
Najibullah Zazi attempted to carry out suicide bomb attacks
against the New York subways around the anniversary of 9/11 three years
ago.
After returning to the United States from terrorist travel, he
used the Internet to access the bomb-making instructions he had received
in Pakistan and tried to communicate via the Internet in code with his
al-Qaeda handlers in Pakistan just prior to the planned attack.
Khalid Aldawsari, who was convicted in June of this year in the
Northern District of Texas, used the Internet extensively to research
U.S. targets and to purchase chemicals and other bomb-making materials.
Evolving To Meet the Threat -- Learning from the Counterterrorism Model
The threats we face in cyberspace are changing, and we must change with them.
Of course, we have faced similar challenges before.
After the devastating attacks eleven years ago, we learned some hard lessons.
We have since put those lessons into practice:
working across agencies to share information, and bringing down legal, structural, and cultural barriers.
Law enforcement’s approach to terrorism has become intelligence-led and threat-driven.
We have erected new structures, including the National Security Division, which I am privileged to lead.
As the first new litigating division at the Justice Department
in nearly fifty years, the National Security Division was created to
bring together intelligence lawyers and operators on the one hand, and
prosecutors and law enforcement agents on the other, to focus all talent
on the threats before us.
Since September 11, we have made great progress against terrorism by
developing effective partnerships that help us identify threats and
choose the best tools available to disrupt them.
Much of our success is attributable to the all-hands-on-deck approach we have adopted for countering terrorism.
From where I sit, I can see this change reflected in our day-to-day operations.
In our investigations, for instance, we actively seek to
preserve the ability to prosecute even while using intelligence tools
and vice versa.
We must bring the same approach, a whole-of-government
approach, an all-tools approach, to combat cyber threats to our national
security.
Investigations and prosecutions will be critical tools for deterrence and disruption, ones that we have a responsibility to use.
But they are not the only options available.
The diversity of cyber threats and cyber threat actors demands a diverse response.
This nation has many tools – intelligence, law enforcement,
military, diplomatic, and economic – at its collective disposal as well
as deep, and diverse, expertise.
The trick is in harnessing our collective resources to work effectively together.
Those of us charged with investigating and disrupting cyber threats to
national security and advising operators and agents must be creative and
forward-looking in our approach.
First, we must consider – in conjunction with our partners – what cyber threats will look like in the coming years.
Only by knowing what is on the horizon can we ensure that the
right tools exist to address cyber threats before they materialize.
Second, we must be vigilant to prevent the formation of what
the WMD Commission after 9/11 called “legal myths” that have led to
“uncertainty” in the past “about real legal prohibitions” among
operators.
And, together with operators, we must consider what kinds of
tools, investigations, and outreach we can launch now to lay the
groundwork for future cyber efforts.
These may be relatively simple things, like standardized
protocols and established points of contact to make reporting intrusions
easier.
Or they may take the form of institutional relationships between the government and the private sector for sharing information.
On an operational level, both public and private sector attorneys need
to be able to tell clients what options they have available to deal with
cyber threats.
If cyberspace is an “information super-highway,” then lawyers are the GPS system in a client’s car:
It is our job to tell the client how to get there.
When obstacles get in the way, we should tell the client how to avoid them.
We must look ahead, anticipate jams, and route clients around them.
This metaphor is particularly applicable in the cyber realm.
As cyber events unfold in real time, we learn more about our
adversary, the means available to him or her, and the vulnerabilities in
our own systems.
Our advice must adapt accordingly.
For those of us in government who act as operational lawyers,
it is important in this environment to be clear about where the legal
debate stops and the policy debate begins.
For those of you in the private sector, I imagine one concern
is that your clients not be left vulnerable in a shifting legal
landscape.
And for those of you in academia, we need your help testing
boundaries and pushing forward with questions that need to be asked and
answered by all of us as we navigate this legal space together.
One of the significant operational challenges we face is the same one
the Intelligence Community confronted in reorganizing itself after the
attacks of September 11.
The cyber threat demands ready and fluid means of sharing information and coordinating our actions.
At the National Security Division, we have made this evolution, and combating this threat, a top priority.
Working with our partners – including the FBI, the U.S.
Attorney community, and the Computer Crime and Intellectual Property
Section (one of their leaders, Richard Downing is here today) – we are
ensuring that all resources are brought to bear against national
security cyber threats.
To help accomplish these goals, the National Security Division
established earlier this year a National Security Cyber Specialists’
Network to serve as a one-stop shop in the Justice Department for
national security-related cyber matters.
The network brings together experts from across the National
Security Division and the Criminal Division and serves as a centralized
resource for the private sector, prosecutors, and agents around the
country when they learn of national security-related computer
intrusions.
Each U.S. Attorney’s office around the country has designated a point of contact for the network.
These skilled Assistant U.S. Attorneys will act as force
multipliers, broadening the network’s reach and ensuring a link back to
their counterparts at headquarters.
Drawing upon the Joint Terrorism Task Force model, which has
been successful in the terrorism realm, the network seeks to improve the
flow of national security cyber information to offices throughout the
country.
This means more information, earlier on, in national security cyber incidents.
Thanks to the contribution of other parts of the Department,
especially CCIPS, the FBI, and the U.S. Attorney’s offices, the network
has helped us to focus nationwide on bringing more national security
cyber investigations.
Through this nationwide network, we are consolidating and
deepening the Department’s expertise, institutionalizing information
sharing, ensuring coordination, and pursuing investigations.
We have also trained our attention on the diverse cyber capabilities that reside throughout the government.
The U.S. Secret Service, the Department of Commerce, and the
Department of Defense, not to mention the FBI, are all common partners
in this fight, each using their distinct tools to achieve a common goal.
We have enhanced our joint work with the FBI’s National Cyber
Investigative Joint Task Force, where we now have a dedicated National
Security Division liaison.
Within DOJ, we are putting more prosecutors against the threat and focusing on how to best equip and educate our cyber cadre.
Through the National Security Cyber Specialists’ Network, we are training prosecutors around the country.
Next month, more than 100 prosecutors will gather in
Washington, D.C. to share expertise on everything from digital evidence
to the Foreign Intelligence Surveillance Act.
No matter who the perpetrator is, being an effective adviser today requires an understanding of the technologies at hand.
Perhaps we should all take a page from Estonia—where I
understand they’re beginning a system of teaching first graders how to
program!
As courts confront these technologies, we also have a role in
helping them grapple with what these changes mean for the development of
the law and interpretations of existing legal authorities.
Partnership with the Private Sector
Of course, the need for collaboration does not end there.
While interaction with the private sector is something that
does not always come easily to the national security community, which is
accustomed to operating in secrecy, it is absolutely necessary here.
The Intelligence Community has noted the considerable portion
of U.S. companies that report they have been the victims of
cybersecurity breaches as well as the increased volume of malware on
U.S. networks.
Private companies are on the front lines.
Individual defenses, as well as broader efforts to reform –
like the legislation proposed by the Administration last year – will
require our joint efforts.
To succeed in these efforts, we must develop a greater understanding of
the concerns and pressures under which our private sector partners
operate.
A home computer user, whose machine is used in a botnet attack might not have much incentive to remove or check for malware.
But a company targeted by such an attack has considerable incentive to do so.
When dealing with corporate victims, the government must understand the competing interests at play.
Companies may have shareholders, reputational concerns, and sometimes legal limitations.
Yet we cannot fight the current or the future threat with old mindsets on either side.
My colleague, the U.S. Attorney for the Southern District of
New York, has spoken compellingly about the need for a “culture of
security” and a “culture of disclosure” in industry.
For our part, we need to understand the private sector’s
concerns; we need to understand that it is not just the red tape of
government that industry fears.
They also fear that the disclosure of computer intrusions will
bring yellow tape as well – that it will disrupt business by converting
the corporate suite into a crime scene.
Reporting breaches and thefts of information is the first step toward preventing future harm.
For our part, we will work with industry.
We will share information where we can and use protective
orders and other tools to protect confidential and proprietary
information.
Conclusion
How we respond to cyber intrusions and attacks, and how we organize and
equip ourselves going forward, will have lasting effects on our
government and its relationship with the private sector.
Particularly in these early moments, in what will no doubt be a
sustained endeavor, it is incumbent upon us to take notes – to identify
impediments, legal questions, technical challenges, and address them
together.
All the while we must bear in mind the great potential of these
technologies and the importance of not stifling them as we find better
ways to make them secure.
We have heard the warnings about the potential for a cyber 9/11, but we
are, for the moment, in a position to do something to prevent it.
The cyber threat poses the next test of the imperative that we see law enforcement and national security as joint endeavors.
Our work offers an opportunity to demonstrate the strength and
adaptability of the lessons we have learned over the last eleven years
in the fight against terrorism.
U.S. Attorney’s Offices – and all of you sitting in this room – are at the forefront of these issues.
I look forward to pursuing the threats we face in partnership.
Thank you for being with us today.
Posts
No comments:
Post a Comment