Wednesday, September 23, 2015
And thank you to the National Cyber-Forensics and Training
Alliance (NCFTA) for organizing this Executive Summit. Since 1997 – long before the cybersecurity
conversation was in the forefront of American minds and back when one of the
biggest threats to industry was spam – NCFTA has been a leader in bringing
together law enforcement, private industry and academia to share information to
stop emerging cyber threats and mitigate existing ones. Today, nearly two decades later, as the
threats we face have grown to include malware, nation state-sponsored theft and
critical infrastructure attacks, among many others, your work has become only
more important.
You should be commended – not only for the work you do each
and every day, but for your foresight.
You recognized long ago that we are most secure when the government and
private sector share strategies and best practices on secure information
access, threat detection and incident response.
As a result, you created the model that others should follow.
Discussions like this one today, and the collaboration you
undertake on a daily basis, allow us to learn from one another, so that the
same actors, using the exact same tools and signatures, cannot simply move to a
new victim when they have been kicked out of another organization’s network.
And that is both critically important and incredibly
urgent. Because while we gather here in
Pittsburgh to work together to make this country safer, our adversaries
likewise gather together to strategize against us. Nation states have developed entire economic
espionage campaigns against us and our corporations – relying on their own kind
of public-private partnerships to do us harm.
Right now, other nations’ governments issue their own calls to action,
threatening our livelihood, our economic security and our safety.
That is why this conversation is so important. To keep our nation secure, to enable American
businesses to compete fairly in our global economy and to ensure we have an
early warning system to help mitigate threats, we need to work together. When a foreign government attacks, private
industry cannot and should not go it alone.
Your own government ought to help you.
And we will.
The Role of the National Security Division
That is precisely why the Department of Justice’s National
Security Division – or NSD, for short – was created.
After the devastating attacks of September 11th, it became
clear that the Justice Department needed to reorganize to tackle terrorism and
national security threats more effectively.
We needed a single division to integrate the work of
prosecutors and law enforcement officials with attorneys and analysts in the
Intelligence Community. So, nearly a
decade ago, Congress created the department’s first new litigating division in
almost half a century: NSD.
In the years since NSD was created, it has become
increasingly clear that the same things that motivated our creation and guided
our efforts to combat terrorism were equally true in the cybersecurity
realm. We have a host of tools available
to us to combat online threats to the national security – criminal prosecution,
sanctions, designations and diplomatic options – and we have the ability to
pick the best tool or combination of tools to get the job done under the rule
of law.
Our attorneys live by that approach. We use all available tools to combat online
threats to the national security and have ensured that we have the necessary
expertise no matter who is behind the threat, what their motivation is, or what
tool we need to use. Under unified NSD
leadership, we have integrated the full range of national security expertise of
the department under one roof and we bring broad and varied skills and
expertise to cyber issues. And we
created the nation-wide NSCS Network, which consists of over 100
specially-trained federal prosecutors in every jurisdiction, who focus on
combating online threats to the national security.
The Threats We Face
That integration is critical as we face an onslaught of new
threats and intrusions that raise national security concerns.
In the Sony hack late last year, we saw a foreign,
state-sponsored actor wage a destructive attack intended to chill the speech of
a company in the United States and U.S. citizens. The Sony attack was perpetrated by North Korean-sponsored
hackers who destroyed computer systems, stole valuable information, released
corporate data and intellectual property at significant cost and threatened
employees and customers.
As a hybrid threat, presenting national security and criminal
concerns, we see both state and non-state actors using the Internet to steal
our intellectual property and export-controlled information at unprecedented
levels. As the President said recently,
industrial espionage and the theft of trade secrets is fundamentally different
from the traditional intelligence-gathering functions that all states engage
in. China’s campaign to steal trade
secrets and other proprietary information is “an act of aggression that has to
stop.” As the world’s two largest
economies, the United States and China have a vested interest in working
together on this issue. President Obama
is prepared to address these issues with the Chinese, recently saying that
“this will probably be one of the biggest topics that [he will] discuss with
President Xi” during the upcoming visit.
Just this week the Wall Street Journal published a transcript of an
interview with Chinese President Xi Jinping in which he agreed that cyber theft
of commercial secrets and hacking attacks against government networks are both
illegal.
Similarly, we have also seen an uptick in the theft of
personally identifiable information in bulk quantities. A concerted series of malicious cyber
activity targeting OPM – the agency that manages personnel records for federal
employees – resulted in the compromise of millions of sensitive records,
including background investigation files for national security clearances.
Similar intrusions over the past two years have targeted
several major health insurers’ customer financial and medical information and
even airline passenger travel reservation records. Just this month, a New York Blue Cross Blue
Shield provider revealed that it was the victim of a massive breach, exposing
the data of more than 10 million people.
The challenge transcends this rampant information theft, as
malicious actors are seeking to build the capabilities and develop the access
necessary to disrupt United States critical infrastructure.
In short, online threats of all types are increasing in
frequency, sophistication and scope. And
these threats are occurring against a background of increasing worry about the
nation’s overall network security. The
past year has seen the announcement of several significant software
vulnerabilities – some now so famous that they have their own brand names, such
as Heartbleed, Shellshock and Stagefright.
This year, the Department of Homeland Security’s Computer
Emergency Readiness Team published a list of 30 “high risk vulnerabilities”
that, according to DHS, are exploited in “[a]s many as 85 percent” of attacks
on critical infrastructure organizations.
These included several software vulnerabilities that were disclosed
years ago, including one as far back as 2006.
This means that companies are not falling victim to new and unidentified
exploits, but rather, to vulnerabilities that have been known for almost a
decade.
Finally, new threats appear on the horizon. We know that terrorists seek to exploit our
reliance on weak or outdated network security to harm our way of life. To date, terrorist groups are largely
experimenting with hacking, but this could serve as the foundation for
developing more advanced capabilities.
We’ve also seen calls to action through Internet jihad by both Al Qaeda
and ISIL and our international partners have experienced attacks conducted by
purported jihadists. We are concerned
those groups will not hesitate to deploy offensive capabilities if they are
able to acquire them.
The threat from these terrorist organizations has a second
and equally troubling dimension: unprecedented and sophisticated use of social
media to radicalize and recruit new associates for heinous attacks.
Al Qaeda was very guarded with its brand and selective in
its recruiting; by contrast, ISIL blasts out tens of thousands of social media
messages daily, calling for sympathizers worldwide to act in ISIL’s name – at a
time, place and method of the attacker’s choosing. ISIL claims credit, whether successful or
not.
Although ISIL uses social media and open platforms for recruitment,
they conduct their operational planning through encrypted communications using
mainstream technology. It is important
that those providing the services take responsibility for how their services
can be abused. Responsible providers
need to understand what the threats are and to take action to prevent terrorist
groups from abusing their services to induce recruits to commit terrorist acts.
Our Response: U.S. Government All-Tools Approach
This audience knows all too well that adversaries with
extensive resources can pose a serious threat to anyone’s network. Our collective response must extend beyond
awareness campaigns and scanning e-mail for phishing attacks. We also need the ability – after a
sophisticated hacker has gotten in – to detect and disrupt that attacker. Then, we need to respond to the attack in a
way that will deter future foes.
The government must take concrete and decisive action to
respond to these threats. Along with our
partners in other federal, state, and local agencies, we intend to raise the
costs of state-sponsored offenses against our nation, both for targets in
government and the private sector. We
want to reach the point where the costs outweigh the benefits of targeting our
systems and stealing our data.
For example, last year, here in Pittsburgh, we brought the
first-ever charges against state-sponsored actors – the five named members of
the Chinese People’s Liberation Army Unit 61398 – for computer hacking,
economic espionage and other offenses directed at six American companies in the
U.S. nuclear power, metals and solar products industries.
It was true when we said it in May 2014 following the PLA
indictment, and it remains true today: we are aware of no nation that publicly
states that theft of information for commercial gain is acceptable. It is time for us to, once and for all, come
to a common agreement about acceptable state behavior on the Internet. Ambassador Susan Rice recently reiterated this
point in a speech at the George Washington University, stating that,
“Cyber-enabled espionage that targets personal and corporate information for
the economic gain of businesses undermines our long-term economic cooperation
and it needs to stop.”
And, when those norms are not abided by, we must hold
responsible individuals and entities accountable and increase the costs of
their activity.
The need to increase the costs of malicious activity online
is especially obvious in light of the destructive acts targeting Sony
Pictures. North Korea’s use of computer
network attacks to destroy computer systems and deter and punish Americans from
exercising their First Amendment rights is unacceptable and indefensible.
Only weeks after the attack, we were able to publicly
attribute it to a nation state.
That, alone, is significant, because attribution can be very
difficult. Unlike terrorists, who claim
credit for attacks, our online adversaries often try to hide their
conduct. Of course, naming those
responsible publicly is only the first step.
This is a national security problem, and it demands a
national security solution. That
includes holding perpetrators accountable and increasing the cost of their
activity in other ways as well. Until
nation states and terrorists stop stealing and waging bullying, destructive
attacks, we must actively disrupt and deter them.
Whether you are the Syrian Electronic Army, North Korea,
ISIL or a state-sponsored hacker, we must demonstrate that we can and will find
you. And when we do, there will be
consequences.
The United States is pursuing a comprehensive,
whole-of-government strategy to confront malicious actors who seek to harm
critical infrastructure, damage computer systems and steal trade secrets and
sensitive information.
The criminal justice system is a central and effective
component of this disruption effort.
Indictments and prosecutions are a clear and powerful way, governed by
the rule of law, to legitimize and prove allegations. They are a necessary but not sufficient tool to
bring to the fight.
But it is not the only tool we possess to communicate our
expectations regarding acceptable online behavior. We must be strategic; we must evaluate the
full range of options – law enforcement, intelligence, diplomatic, military and
economic – and use the most appropriate tool to respond.
Earlier this year, President Obama signed an Executive Order
that provides a new means to respond to significant online threats. The executive order authorizes the Secretary
of the Treasury, in consultation with the Secretary of State and the Attorney
General, to impose sanctions on individuals or entities that engage in
significant malicious cyber-enabled activities – that could threaten the
national security, foreign policy, or economic health or financial stability of
the United States.
Of particular interest, the order will allow us to hold
accountable companies that knowingly receive or use trade secrets stolen
through cyber-enabled means. These
beneficiary companies are taking advantage of the hard work of Americans and
harming our competitiveness.
This executive order – and the profound consequences for
entities sanctioned under it – should make companies think twice before hiring
hackers or making use of information that they know was stolen. If they don’t, we will take appropriate
actions, which can include sanctioning those companies and cutting off their
access to U.S. markets. This is the same
approach we have taken in counterterrorism and counter-proliferation.
Some of the nations that steal from us also have obligations
under international trade agreements, committing to protect intellectual
property rights. Our colleagues in the
office of the U.S. Trade Representative are currently exploring the tools at
their disposal under those agreements, and whether the World Trade Organization
and other rules could provide ways to challenge state-sponsored trade secret
theft.
Importance of Private-Public Sector Partnership
Despite our ability and willingness to deter this conduct,
no one is immune from malicious cyber activity.
We know that we will never achieve impenetrable defenses – no network
wall is high enough to keep a determined, sophisticated actor out of our
systems.
But you can take steps to mitigate the risk, and protect
yourselves and your companies. Part of
the response must be to ensure that your systems are resilient to attacks.
And, it is crucial that you not go it alone. This challenge requires a new kind of
partnership between the government and industry – such efforts will be crucial
to defending our companies and our citizens from these threats. For the government’s part, we are committed
to building this partnership.
We currently share sensitive information with you so you can
defend against attacks in real time and engage in disruption efforts. In the past year alone, the FBI presented
over three dozen classified, sector-specific threat briefings to companies, but
we need to keep getting better.
We’re working to lower the barriers to information sharing
even further. At the Department of
Justice, for example, we’ve clarified that certain laws are not impediments to
sharing information with the government to protect against cyber threats.
The Department’s Antitrust Division published guidance
reaffirming that companies who engage in properly designed threat information
sharing will not run afoul of antitrust laws and the Criminal Division
published guidance to help clarify that companies can and should share certain
aggregated threat information with the government.
We also continue to work with Congress to improve and update
the legal framework for sharing threat information.
After an intrusion or attack, if a company works with law
enforcement, it puts us both in the best possible position to find out exactly
what happened and to remediate and prevent further damage. The evidence is often fleeting, so early
notification and access to the data is extremely important.
In addition, we may have seen the same indicators of
malicious activity in other incidents, so we can conclude who was responsible
and identify possible impacts and means of remediation. Importantly, it also allows us to share
information with other potential victims.
One company’s vulnerability is everyone’s vulnerability and it is
critical that we work together.
The Department of Justice may be able to use legal
authorities and tools that are unavailable to non-governmental entities. As a government, we can also enlist the
assistance of international partners to locate stolen data or identify a
perpetrator.
These tools and relationships can greatly increase the odds
of successfully apprehending an intruder or attacker and securing lost
data. Finally, this cooperation is vital
to successful prosecutions or other enforcement actions that can prevent criminals
from causing further damage to victim companies and others. Prosecutions, sanctions and other steps will
help deter would-be hackers.
A united front is critical because the threat you face
includes hackers with the full backing of their governments and hackers that
are part of sophisticated, international criminal syndicates. You shouldn’t have to face those threats on
your own and you don’t have to. We are
here to help. At the same time, it is
increasingly clear that dealing with expanding cyber threats must be a team
effort. You bring vital expertise and
information to the effort, just as the government brings essential resources and
capabilities.
There are many good sources of recommendations concerning
how to respond to breaches across the U.S. government, including DHS and
NIST. Within the Department of Justice,
our Criminal Division recently issued “Best Practices for Victim Response and
Reporting of Cyber Incidents.” It covers
a number of subjects, but let me highlight one of its key takeaways: When
companies suffer a breach, they immediately face a host of difficult choices,
and that reality is not lost on us.
We understand that the decision whether to call law
enforcement, in particular, is difficult.
Companies must weigh numerous considerations that can seem to cut in
opposing directions. What are the
ramifications of publicizing this breach?
Will employees be embroiled in lengthy legal proceedings? Will the government treat my confidential and
proprietary information with the care and discretion it deserves?
We understand these concerns, and we can assure you that we
will roll up our sleeves and work with you to try to satisfy them. We understand also that your customers,
employees and investors, when they finally do learn of a breach, will also ask
you whether you worked with law enforcement.
Increasingly, they see that as a necessary step; they want to know that
you are doing everything you can to address the breach, including informing law
enforcement.
To repeat what I said at the outset: We are in this fight
together. As you work to make your
organizations succeed and to protect their assets from adversaries – both
state-sponsored and otherwise – always keep in mind that we in government stand
ready to assist your efforts.
Thank you again for having me. I look forward to your questions.