Bristol, RI
United States
Friday, October 16, 2015
Remarks as prepared for delivery
Good afternoon. Thank
you to Judge [Patricia] Sullivan for that kind introduction. Thank you also to Professor [Peter] Margulies
and to the [Roger Williams University] Law School for inviting me to be here
today to talk about the Criminal Division of the Department of Justice’s (DOJ)
perspective on cybercrime and cybersecurity.
The Threat Today
The cyber threat landscape has dramatically changed since I
first worked as a federal prosecutor. At
that time, cybercrime was in its infancy.
Now, as everyone in this audience knows, it’s no secret that cybercrime
poses a significant threat to the privacy and economic security of American
consumers and businesses.
Every day hackers are trying to steal the financial information
of millions of victims from a computer halfway around the world. Cyber criminals are orchestrating massive
disruptions of businesses or electronically spiriting away trade secrets on a
daily basis. And, of course, every day
we have threats from within: the disgruntled IT manager or the soon-to-be
ex-employee, who steals, deletes or otherwise compromises company information.
Indeed, this past year alone we saw a series of
extraordinarily invasive and damaging data breaches that victimized some of our
nation’s largest businesses, as well as the federal government itself, with
tens of millions of personal and consumer records being stolen or compromised
at a time. All types of businesses were
victimized, from banks to retailers, to mom and pop financial firms, to
entertainment companies, to restaurant chains, to health care providers. Sadly, according to data from a recent
report, there will be more than 32,000 additional victims of online crime by
the time we’re done with my session this afternoon.
Hackers incessantly target us because barriers to entry are
so low and because it is so lucrative.
One study released last month estimated that cyberattacks have cost the
global economy at least $315 billion over the past twelve months. A study from this past week stated that
hacking attacks cost the average American firm $15.4 million per year. These figures only continue to grow and are
just the financial effects. They do not
capture the very real—but unquantifiable—personal harm suffered by victims of
online crime, such as identity theft and sextortion.
So, it is no surprise that the Attorney General has made
clear that fighting cybercrime is one of the highest priorities of the
Department of Justice. Today, I would
like to discuss three aspects of the department’s response to the cyber threat.
First, I am going
to describe the front-line work that is being done by federal agents and
prosecutors to combat cybercrime.
Second, I will
offer some ways in which we can improve our laws and legal authorities to
counter cyber threats consistent with our values and civil liberties.
Finally, I will
describe some of the department’s recent efforts, going beyond just investigating
and prosecuting cases, and promoting cybersecurity.
Our Response
The Criminal Division of the Justice Department has been
successfully combatting cybercrime for two decades. The division created the Computer Crime and
Intellectual Property Section—or CCIPS—in 1996.
CCIPS is the linchpin of the department’s anti-cybercrime efforts, and
has been involved in one capacity or another in practically every significant
cybercrime case that has been in the public eye.
CCIPS investigates and prosecutes high-tech crimes and
economic espionage, working alongside a network of approximately 270
prosecutors around the country. The
section also provides guidance to prosecutors on how technological trends—from
the latest app to new social media—may impact investigations.
In addition, CCIPS works in conjunction with attorneys from
the Department of Justice’s National Security Division, who are responsible for
cyber cases involving nation-state and terrorist actors. The prosecutors in all of the department’s cases,
of course, rely on the incredible dedication and expertise of cyber
investigators at the FBI and the U.S. Secret Service.
In terms of the DOJ’s current efforts to counter the cyber
threat, first, we’re prosecuting hackers from both here and abroad. We’ve extradited almost a dozen foreign
cybercriminals in the past year.
As an example, in
June, a Turkish citizen was extradited to Brooklyn to face charges that he
allegedly helped organize three worldwide cyberattacks that inflicted $55
million in losses to the global financial system within a matter of hours. The defendant’s criminal group allegedly
hacked into the computer networks of at least three payment processors for
various types of credit and debit card transactions and disseminated stolen
debit card information to “cashing crews” around the world to conduct tens of
thousands of fraudulent ATM withdrawals.
As another
example, just three weeks ago, Vladimir Drinkman, a Russian hacker extradited
from the Netherlands, pleaded guilty in New Jersey to his involvement in a
worldwide hacking conspiracy that targeted major corporate networks, stole more
than 160 million credit card numbers and resulted in hundreds of millions of
dollars in losses. Victims included
NASDAQ, Dow Jones, convenience store chains, department stores, supermarkets,
clothing retailers and an airline.
The list of the individuals extradited here for prosecution
also includes citizens of countries like Iran, Estonia, Latvia, Macedonia,
Romania, Ukraine and Vietnam. Collectively,
they are responsible for the worldwide theft of hundreds of millions of
dollars.
Second, we’re increasingly disrupting cyber schemes by
blending traditional law enforcement tools with innovative legal and technical
tactics. We’re using both criminal
indictments and civil authorities to dismantle “darkweb” marketplaces—used by
ordinary criminals to sell drugs, weapons, dangerous toxins and child
pornography—and take down “botnets,” networks of victim computers
surreptitiously infected with malicious software.
As you probably know, when a computer becomes part of a
botnet, it can be remotely controlled from another computer and used as
infrastructure for a variety of illicit activities, from stealing passwords or
bank account information, to launching distributed denial of service attacks on
computers or networks.
One particularly destructive botnet was Gameover Zeus, a
sophisticated type of malware that created a global network of between 500,000
and one million infected victim computers that criminals used to steal millions
of dollars from businesses and consumers, causing more than $100 million in
total financial losses. The Gameover
Zeus botnet also was used to infect computers with Cryptolocker—a form of malware
that would encrypt the files on a victim’s computer until they paid a
ransom. One estimate indicated that
victims paid more than $27 million in ransom payments in just the first two
months after Cryptolocker emerged.
Last year, under the leadership of the Department of
Justice, U.S. law enforcement, foreign partners in more than 10 different
countries and numerous private sector partners joined together and mounted
joint operations to obtain court authorization to wrest control of the botnet
away from criminals, disable it and start to repair the damage it had caused.
And we’re not resting on our laurels. Just this past week, again under the
leadership of DOJ, U.S. law enforcement, foreign officials and the private
sector did the same to the botnet known as “Bugat” or “Dridex.” The Bugat/Dridex botnet infected computers
worldwide and was used by criminals to steal banking credentials and ultimately
millions of dollars from victims. The
department charged the Moldovan administrator and filed a civil injunction
against him and others. Over the long
weekend, law enforcement launched a technical operation to free victim
computers.
Third, as you can see from our botnet work, we are greatly
enhancing our international partnerships, particularly with the European
Cybercrime Center—EC3—in The Hague to shut down criminals who operate from
overseas.
Because of the global nature of cyber threats, investigating
and prosecuting cyber-enabled crime poses unique jurisdictional and technical
challenges: cybercriminals operating in one foreign jurisdiction might use
infrastructure in a second to victimize businesses or individuals located in
other countries—all the while employing sophisticated technical methods to both
magnify their capability for crime and shield them from law enforcement. Cybercrime is global and, thus, we’re
attacking it globally, working hand-in-hand with foreign governments.
As an example, in July, a coalition of law enforcement from
20 nations—led by the Department of Justice and EC3—worked together to take
down the Darkode hacking forum. Darkode
served as an online underground marketplace where hackers virtually congregated
to buy, sell and trade malicious software, botnets and other tools to
facilitate computer intrusions, as well as stolen personal information. The coordinated law enforcement action led to
the arrest, charging or searching of 70 Darkode members and associates around
the world.
In addition, in order to further enhance our international
cooperation, the Criminal Division created a Cyber Unit within our Office of
International Affairs, dedicated exclusively to executing foreign authorities’
requests for electronic evidence.
Incidentally, those requests have increased by 1,000 percent over the
past decade, requiring us to hire more than 60 attorneys and professional staff
to process them, and we are hopeful that—with increased funding from
Congress—we will be able to develop even greater capacity in the coming months.
And today, I am announcing that the Criminal Division has
placed a cyber prosecutor overseas for the first time in order to combat
cybercrime in Southeast Asia on a full-time basis. A CCIPS prosecutor is stationed in Malaysia
and has been tasked with working with our foreign counterparts to facilitate
information sharing, improve cooperation in cyber investigations and build
lasting relationships there as well as in Vietnam, Thailand, Indonesia and the
Philippines. We hope to dispatch more of
these international cyber prosecutors in the future.
Legal Improvements
Moving on to my second point—based on our efforts to combat
cyber threats in individual cases, we have identified gaps in the law which
hamstring our already-challenging investigations and prosecutions. We have been working with Congress to close
those gaps. In particular, we appreciate
Senator [Sheldon] Whitehouse’s leadership on these issues.
Three areas deserve particular attention. First, we believe that the law should be
updated to better address “insider threats”—namely, the threat to privacy and
security from those who have limited authorization to access computers and
networks, but intentionally exceed that authority to compromise sensitive
information.
Now, the primary statute that we use to charge computer
crime cases is the Computer Fraud and Abuse Act, or CFAA, and it applies, as
you’d expect, to hackers in Eastern Europe who have no right to access your
data. But it is also the statute we use
to prosecute individuals—such as corporate employees—who knowingly abuse their
access to sensitive data.
We have used the CFAA, for instance, to charge corrupt
police officers who had permission to access law enforcement databases
containing information such as criminal history records for official police
purposes, but who instead obtained confidential information from the databases
for personal reasons, or so that they could sell it for profit.
These are just examples.
The insider threat to American companies is both diverse and very
real. By necessity, companies grant
employees access to sensitive customer data or business information for
official business purposes. Access to
such information is often limited by strict written agreements or other
methods. But insiders nonetheless may
intentionally violate those rules—to bring proprietary information to their
next employer, to expose a political candidate’s private medical records or simply
to sell information without any knowledge or concern of what the buyer intends
to do with it.
You would be forgiven for thinking that this kind of
behavior must obviously be a prosecutable crime. Unfortunately, recent judicial decisions have
imposed obstacles to the government’s ability to prosecute cases like this in
large parts of the country. As a result,
corrupt insiders may be effectively immune from punishment under the CFAA—even
where they intentionally exceed the bounds of their legitimate access and steal
their employers’ intellectual property and cause significant harm to individual
privacy and organizational data security.
Accordingly, we have submitted a proposal to Congress that
would amend the CFAA to make sure that insider abuse of network access is a
crime, but only in aggravated circumstances where the information taken is
worth $5,000 or more, or comes from a government computer, or the access is
committed in furtherance of another crime.
We believe this proposal will fill the very real need to punish and
deter insiders who use their access to harm privacy and data security, while
ensuring that harmless behavior is not suddenly criminalized.
Another area where we believe the law must keep pace with
criminals is with respect to combatting spyware. Spyware allows a perpetrator to intercept and
remotely monitor a victim’s telephone, email and text communications and track
that victim’s location, all without the victim’s knowledge. Purveyors of spyware within the United States
make millions of dollars in profit, typically while residing abroad, making it
more difficult to bring them to justice.
Now, it is already against the law to sell or advertise such
spyware, and the department has aggressively investigated these cases. In one such case last year, the department
prosecuted the maker of the notorious cellphone spyware called “StealthGenie”,
which allowed anyone to intercept telephone calls, email, text messages,
voicemail and photographs—and even activate the microphone—on a victim’s phone.
Still, we must do more.
The department has proposed amending current law to permit the
forfeiture of any proceeds from the sale of those spyware devices and any
property used to facilitate the crime.
In addition, we would also add the spyware statute as a predicate
offense to the money laundering statute so that prosecutors are able to charge
spyware defendants who transfer the proceeds of their crimes through multiple
overseas accounts to conceal their profits.
And third, I’ll go back to botnets, which you will recall we
have disrupted using civil injunctions.
Current law, however, limits civil injunctions to cases involving a list
of specified fraud crimes or illegal wiretapping. Botnets, however, can be used for other types
of illegal activity that may not be on that list of crimes. To close this gap, we have proposed to change
the law to permit the government to seek such a court order in any case where
100 or more victim computers have been hacked.
Cybersecurity Unit
Let me now turn to the last aspect of my talk: the Justice
Department’s efforts not just to prosecute cybercrime but also to promote
cybersecurity. We know that prosecuting
cybercrime and disrupting cyber schemes is not enough. We must use our experience to be better
prepared for—and to prevent—the next attack or intrusion. That is why I announced last December the
creation of a Cybersecurity Unit, staffed by CCIPS prosecutors with deep
experience in the complex legal and policy issues associated with cybercrime.
The unit has been marshaling this expertise to help advance
our common objective of protecting the personal information and privacy of
everyday Americans and helping the private sector safeguard the data that
consumers entrust to it in a number of ways.
I have asked the unit to analyze and, where appropriate,
share our thinking on situations where cybersecurity issues implicate criminal
statutes such as the hacking statute, the Wiretap Act and Electronic
Communications Privacy Act. This
analysis and guidance can assist both the public and private sector in
developing effective cybersecurity processes that comply with the law and
appropriately respect privacy rights.
The unit is also working with all stakeholders within the
federal government, and throughout the country and indeed the world on
improving cybersecurity—from working with the National Security Council and
other U.S. government partners on executive branch cybersecurity initiatives to
working with Congress on cybersecurity-related legislative priorities to working
with the private sector, academia, security researchers and the public to
promote cybersecurity.
Although the Cybersecurity Unit is still less than a year
old, it has already made a significant impact.
In the spring, the leadership of the Cybersecurity Unit and
I hosted a roundtable discussion with leading private-sector data breach
response practitioners from around the country.
We talked about ways in which the Department of Justice could assist and
collaborate with the private sector in cybercrime prevention and response. In particular, we had a robust discussion
regarding the benefits of promptly reporting data breaches to law
enforcement. We’re holding similar
roundtables all over the country now, in partnership with U.S. Attorneys’
Offices and law enforcement.
The Cybersecurity Unit also released a “Best Practices for
Victim Response and Reporting of Cyber Incidents” document, which has been very
well-received; several prosecutors from the unit have also conducted follow-up
outreach events to further explain the guidance.
The unit is also collaborating with non-DOJ regulatory
agencies on cybersecurity issues. We, at
the department, view corporations who are victims of a cyberattack as just
that—victims. And we have encouraged
other agencies to adopt a similar approach.
For instance, we have discussed how those agencies can
factor a victim company’s cooperation with law enforcement into decisions they
make when investigating a breach. Just
this past May, the Federal Trade Commission (FTC) issued a statement that was
coordinated with the Cybersecurity Unit and others at DOJ. Among other things, it highlights the
consideration that the FTC will give to a company that reports a data breach to
law enforcement and cooperates in the ensuing criminal investigation. The Cybersecurity Unit will continue this
type of collaboration going forward.
Conclusion
In closing, the incessant barrage of these cyberattacks
demonstrates the scope and the scale of the challenge we face, as well as the
urgency of forging effective solutions.
As we go forward, we in the Criminal Division remain committed to
bringing perpetrators to justice wherever they may be, disrupting cyber
threats, and forging enduring global partnerships across the public and private
sectors to ensure that our data, and our economy, are secure and protected from
harm.
Thank you again for having me here. I look forward to answering any questions.