Friday, October 16, 2015
Remarks as prepared for delivery
Good afternoon. Thank you to Judge [Patricia] Sullivan for that kind introduction. Thank you also to Professor [Peter] Margulies and to the [Roger Williams University] Law School for inviting me to be here today to talk about the Criminal Division of the Department of Justice’s (DOJ) perspective on cybercrime and cybersecurity.
The Threat Today
The cyber threat landscape has dramatically changed since I first worked as a federal prosecutor. At that time, cybercrime was in its infancy. Now, as everyone in this audience knows, it’s no secret that cybercrime poses a significant threat to the privacy and economic security of American consumers and businesses.
Every day hackers are trying to steal the financial information of millions of victims from a computer halfway around the world. Cyber criminals are orchestrating massive disruptions of businesses or electronically spiriting away trade secrets on a daily basis. And, of course, every day we have threats from within: the disgruntled IT manager or the soon-to-be ex-employee, who steals, deletes or otherwise compromises company information.
Indeed, this past year alone we saw a series of extraordinarily invasive and damaging data breaches that victimized some of our nation’s largest businesses, as well as the federal government itself, with tens of millions of personal and consumer records being stolen or compromised at a time. All types of businesses were victimized, from banks to retailers, to mom and pop financial firms, to entertainment companies, to restaurant chains, to health care providers. Sadly, according to data from a recent report, there will be more than 32,000 additional victims of online crime by the time we’re done with my session this afternoon.
Hackers incessantly target us because barriers to entry are so low and because it is so lucrative. One study released last month estimated that cyberattacks have cost the global economy at least $315 billion over the past twelve months. A study from this past week stated that hacking attacks cost the average American firm $15.4 million per year. These figures only continue to grow and are just the financial effects. They do not capture the very real—but unquantifiable—personal harm suffered by victims of online crime, such as identity theft and sextortion.
So, it is no surprise that the Attorney General has made clear that fighting cybercrime is one of the highest priorities of the Department of Justice. Today, I would like to discuss three aspects of the department’s response to the cyber threat.
First, I am going to describe the front-line work that is being done by federal agents and prosecutors to combat cybercrime.
Second, I will offer some ways in which we can improve our laws and legal authorities to counter cyber threats consistent with our values and civil liberties.
Finally, I will describe some of the department’s recent efforts, going beyond just investigating and prosecuting cases, and promoting cybersecurity.
The Criminal Division of the Justice Department has been successfully combatting cybercrime for two decades. The division created the Computer Crime and Intellectual Property Section—or CCIPS—in 1996. CCIPS is the linchpin of the department’s anti-cybercrime efforts, and has been involved in one capacity or another in practically every significant cybercrime case that has been in the public eye.
CCIPS investigates and prosecutes high-tech crimes and economic espionage, working alongside a network of approximately 270 prosecutors around the country. The section also provides guidance to prosecutors on how technological trends—from the latest app to new social media—may impact investigations.
In addition, CCIPS works in conjunction with attorneys from the Department of Justice’s National Security Division, who are responsible for cyber cases involving nation-state and terrorist actors. The prosecutors in all of the department’s cases, of course, rely on the incredible dedication and expertise of cyber investigators at the FBI and the U.S. Secret Service.
In terms of the DOJ’s current efforts to counter the cyber threat, first, we’re prosecuting hackers from both here and abroad. We’ve extradited almost a dozen foreign cybercriminals in the past year.
As an example, in June, a Turkish citizen was extradited to Brooklyn to face charges that he allegedly helped organize three worldwide cyberattacks that inflicted $55 million in losses to the global financial system within a matter of hours. The defendant’s criminal group allegedly hacked into the computer networks of at least three payment processors for various types of credit and debit card transactions and disseminated stolen debit card information to “cashing crews” around the world to conduct tens of thousands of fraudulent ATM withdrawals.
As another example, just three weeks ago, Vladimir Drinkman, a Russian hacker extradited from the Netherlands, pleaded guilty in New Jersey to his involvement in a worldwide hacking conspiracy that targeted major corporate networks, stole more than 160 million credit card numbers and resulted in hundreds of millions of dollars in losses. Victims included NASDAQ, Dow Jones, convenience store chains, department stores, supermarkets, clothing retailers and an airline.
The list of the individuals extradited here for prosecution also includes citizens of countries like Iran, Estonia, Latvia, Macedonia, Romania, Ukraine and Vietnam. Collectively, they are responsible for the worldwide theft of hundreds of millions of dollars.
Second, we’re increasingly disrupting cyber schemes by blending traditional law enforcement tools with innovative legal and technical tactics. We’re using both criminal indictments and civil authorities to dismantle “darkweb” marketplaces—used by ordinary criminals to sell drugs, weapons, dangerous toxins and child pornography—and take down “botnets,” networks of victim computers surreptitiously infected with malicious software.
As you probably know, when a computer becomes part of a botnet, it can be remotely controlled from another computer and used as infrastructure for a variety of illicit activities, from stealing passwords or bank account information, to launching distributed denial of service attacks on computers or networks.
One particularly destructive botnet was Gameover Zeus, a sophisticated type of malware that created a global network of between 500,000 and one million infected victim computers that criminals used to steal millions of dollars from businesses and consumers, causing more than $100 million in total financial losses. The Gameover Zeus botnet also was used to infect computers with Cryptolocker—a form of malware that would encrypt the files on a victim’s computer until they paid a ransom. One estimate indicated that victims paid more than $27 million in ransom payments in just the first two months after Cryptolocker emerged.
Last year, under the leadership of the Department of Justice, U.S. law enforcement, foreign partners in more than 10 different countries and numerous private sector partners joined together and mounted joint operations to obtain court authorization to wrest control of the botnet away from criminals, disable it and start to repair the damage it had caused.
And we’re not resting on our laurels. Just this past week, again under the leadership of DOJ, U.S. law enforcement, foreign officials and the private sector did the same to the botnet known as “Bugat” or “Dridex.” The Bugat/Dridex botnet infected computers worldwide and was used by criminals to steal banking credentials and ultimately millions of dollars from victims. The department charged the Moldovan administrator and filed a civil injunction against him and others. Over the long weekend, law enforcement launched a technical operation to free victim computers.
Third, as you can see from our botnet work, we are greatly enhancing our international partnerships, particularly with the European Cybercrime Center—EC3—in The Hague to shut down criminals who operate from overseas.
Because of the global nature of cyber threats, investigating and prosecuting cyber-enabled crime poses unique jurisdictional and technical challenges: cybercriminals operating in one foreign jurisdiction might use infrastructure in a second to victimize businesses or individuals located in other countries—all the while employing sophisticated technical methods to both magnify their capability for crime and shield them from law enforcement. Cybercrime is global and, thus, we’re attacking it globally, working hand-in-hand with foreign governments.
As an example, in July, a coalition of law enforcement from 20 nations—led by the Department of Justice and EC3—worked together to take down the Darkode hacking forum. Darkode served as an online underground marketplace where hackers virtually congregated to buy, sell and trade malicious software, botnets and other tools to facilitate computer intrusions, as well as stolen personal information. The coordinated law enforcement action led to the arrest, charging or searching of 70 Darkode members and associates around the world.
In addition, in order to further enhance our international cooperation, the Criminal Division created a Cyber Unit within our Office of International Affairs, dedicated exclusively to executing foreign authorities’ requests for electronic evidence. Incidentally, those requests have increased by 1,000 percent over the past decade, requiring us to hire more than 60 attorneys and professional staff to process them, and we are hopeful that—with increased funding from Congress—we will be able to develop even greater capacity in the coming months.
And today, I am announcing that the Criminal Division has placed a cyber prosecutor overseas for the first time in order to combat cybercrime in Southeast Asia on a full-time basis. A CCIPS prosecutor is stationed in Malaysia and has been tasked with working with our foreign counterparts to facilitate information sharing, improve cooperation in cyber investigations and build lasting relationships there as well as in Vietnam, Thailand, Indonesia and the Philippines. We hope to dispatch more of these international cyber prosecutors in the future.
Moving on to my second point—based on our efforts to combat cyber threats in individual cases, we have identified gaps in the law which hamstring our already-challenging investigations and prosecutions. We have been working with Congress to close those gaps. In particular, we appreciate Senator [Sheldon]Whitehouse’s leadership on these issues.
Three areas deserve particular attention. First, we believe that the law should be updated to better address “insider threats”—namely, the threat to privacy and security from those who have limited authorization to access computers and networks, but intentionally exceed that authority to compromise sensitive information.
Now, the primary statute that we use to charge computer crime cases is the Computer Fraud and Abuse Act, or CFAA, and it applies, as you’d expect, to hackers in Eastern Europe who have no right to access your data. But it is also the statute we use to prosecute individuals—such as corporate employees—who knowingly abuse their access to sensitive data.
We have used the CFAA, for instance, to charge corrupt police officers who had permission to access law enforcement databases containing information such as criminal history records for official police purposes, but who instead obtained confidential information from the databases for personal reasons, or so that they could sell it for profit.
These are just examples. The insider threat to American companies is both diverse and very real. By necessity, companies grant employees access to sensitive customer data or business information for official business purposes. Access to such information is often limited by strict written agreements or other methods. But insiders nonetheless may intentionally violate those rules—to bring proprietary information to their next employer, to expose a political candidate’s private medical records or simply to sell information without any knowledge or concern of what the buyer intends to do with it.
You would be forgiven for thinking that this kind of behavior must obviously be a prosecutable crime. Unfortunately, recent judicial decisions have imposed obstacles to the government’s ability to prosecute cases like this in large parts of the country. As a result, corrupt insiders may be effectively immune from punishment under the CFAA—even where they intentionally exceed the bounds of their legitimate access and steal their employers’ intellectual property and cause significant harm to individual privacy and organizational data security.
Accordingly, we have submitted a proposal to Congress that would amend the CFAA to make sure that insider abuse of network access is a crime, but only in aggravated circumstances where the information taken is worth $5,000 or more, or comes from a government computer, or the access is committed in furtherance of another crime. We believe this proposal will fill the very real need to punish and deter insiders who use their access to harm privacy and data security, while ensuring that harmless behavior is not suddenly criminalized.
Another area where we believe the law must keep pace with criminals is with respect to combatting spyware. Spyware allows a perpetrator to intercept and remotely monitor a victim’s telephone, email and text communications and track that victim’s location, all without the victim’s knowledge. Purveyors of spyware within the United States make millions of dollars in profit, typically while residing abroad, making it more difficult to bring them to justice.
Now, it is already against the law to sell or advertise such spyware, and the department has aggressively investigated these cases. In one such case last year, the department prosecuted the maker of the notorious cellphone spyware called “StealthGenie”, which allowed anyone to intercept telephone calls, email, text messages, voicemail and photographs—and even activate the microphone—on a victim’s phone.
Still, we must do more. The department has proposed amending current law to permit the forfeiture of any proceeds from the sale of those spyware devices and any property used to facilitate the crime. In addition, we would also add the spyware statute as a predicate offense to the money laundering statute so that prosecutors are able to charge spyware defendants who transfer the proceeds of their crimes through multiple overseas accounts to conceal their profits.
And third, I’ll go back to botnets, which you will recall we have disrupted using civil injunctions. Current law, however, limits civil injunctions to cases involving a list of specified fraud crimes or illegal wiretapping. Botnets, however, can be used for other types of illegal activity that may not be on that list of crimes. To close this gap, we have proposed to change the law to permit the government to seek such a court order in any case where 100 or more victim computers have been hacked.
Let me now turn to the last aspect of my talk: the Justice Department’s efforts not just to prosecute cybercrime but also to promote cybersecurity. We know that prosecuting cybercrime and disrupting cyber schemes is not enough. We must use our experience to be better prepared for—and to prevent—the next attack or intrusion. That is why I announced last December the creation of a Cybersecurity Unit, staffed by CCIPS prosecutors with deep experience in the complex legal and policy issues associated with cybercrime.
The unit has been marshaling this expertise to help advance our common objective of protecting the personal information and privacy of every day Americans and helping the private sector safeguard the data that consumers entrust to it in a number of ways.
I have asked the unit to analyze and, where appropriate, share our thinking on situations where cybersecurity issues implicate criminal statutes such as the hacking statute, the Wiretap Act and Electronic Communications Privacy Act. This analysis and guidance can assist both the public and private sector in developing effective cybersecurity processes that comply with the law and appropriately respect privacy rights.
The unit is also working with all stakeholders within the federal government, and throughout the country and indeed the world on improving cybersecurity—from working with the National Security Council and other U.S. government partners on executive branch cybersecurity initiatives to working with Congress on cybersecurity-related legislative priorities to working with the private sector, academia, security researchers and the public to promote cybersecurity.
Although the Cybersecurity Unit is still less than a year old, it has already made a significant impact.
In the spring, the leadership of the Cybersecurity Unit and I hosted a roundtable discussion with leading private-sector data breach response practitioners from around the country. We talked about ways in which the Department of Justice could assist and collaborate with the private sector in cybercrime prevention and response. In particular, we had a robust discussion regarding the benefits of promptly reporting data breaches to law enforcement. We’re holding similar roundtables all over the country now, in partnership with U.S. Attorneys’ Offices and law enforcement.
The Cybersecurity Unit also released a “Best Practices for Victim Response and Reporting of Cyber Incidents” document, which has been very well-received; several prosecutors from the unit have also conducted follow-up outreach events to further explain the guidance.
The unit is also collaborating with non-DOJ regulatory agencies on cybersecurity issues. We, at the department, view corporations who are victims of a cyberattack as just that—victims. And we have encouraged other agencies to adopt a similar approach.
For instance, we have discussed how those agencies can factor a victim company’s cooperation with law enforcement into decisions they make when investigating a breach. Just this past May, the Federal Trade Commission (FTC) issued a statement that was coordinated with the Cybersecurity Unit and others at DOJ. Among other things, it highlights the consideration that the FTC will give to a company that reports a data breach to law enforcement and cooperates in the ensuing criminal investigation. The Cybersecurity Unit will continue this type of collaboration going forward.
In closing, the incessant barrage of these cyberattacks demonstrates the scope and the scale of the challenge we face, as well as the urgency of forging effective solutions. As we go forward, we in the Criminal Division remain committed to bringing perpetrators to justice wherever they may be, disrupting cyber threats, and forging enduring global partnerships across the public and private sectors to ensure that our data, and our economy, are secure and protected from harm.
Thank you again for having me here. I look forward to answering any questions.