Detroit, MI
~ Monday, October 30, 2017
Remarks as prepared for delivery
Good afternoon. Thank you, Mr. DeVries, for that very kind introduction.

I attended an undergraduate business school, before I became a lawyer. So, I understand how business people view attorneys.

One of the most frequently quoted remarks mocking lawyers is from William Shakespeare’s play, Henry VI.

You know the line: “The first thing we do, let’s kill all the lawyers.”

Fortunately, Shakespeare did not mean for it to be taken literally. On the contrary, the remark is intended to be ironic. The speaker is not a businessman upset about overregulation. He is a criminal scheming to take over the government.

Shakespeare’s point is that without lawyers, nobody would need to follow the law. That would be good for criminals. But it would be bad for business!
The rule of law is essential to commerce. It allows businesses to enter contracts, make investments and project revenue with some assurance about the future. It establishes a mechanism to resolve disputes, and it provides some degree of protection from arbitrary government action.

The rule of law is not just about words on paper. It depends upon the character of the people who enforce the law. If they uphold it faithfully, the result will be a high degree of consistency and predictability. Those features build public confidence, and allow our nation to thrive.

The desire to live under the rule of law is what motivated the patriots who wrote our Constitution in 1787.

The rule of law is not just a feature of America. The rule of law is the foundation of America.
One of the finest defenses of the rule of law appears in Robert Bolt’s brilliant play about Sir Thomas More, A Man for All Seasons. In Bolt’s version, More defends the rule of law in an argument with his son-in-law, William Roper.

Roper is angry because More would allow the Devil to benefit from the protection provided by the rule of law.

Roper insists that in order to destroy the Devil, he would cut down every law, if necessary.

More replies, “Oh? And when the last law was down, and the Devil turned round on you – where would you hide, Roper, the laws all being flat?”

The point is that if we permit the rule of law to erode when it does not directly harm our personal interests, the erosion may eventually consume us as well. The rule of law is not self-executing. If the people lose faith in it, then everyone will suffer.

I am proud to work with Attorney General Jeff Sessions in the Department of Justice, the executive branch institution that bears the greatest responsibility to protect the rule of law.

President Trump demonstrates his respect for our Department by appointing officials who defend the rule of law.
October is National Cybersecurity Awareness Month. This initiative was created a few years ago as a collaborative effort between government and industry to raise awareness about the current and future cyber threat landscape.

Summits like this one are tremendously important in building relationships of trust between the government and industry. I salute Governor Snyder for his leadership in this critical area.

The city of Detroit is synonymous with American innovation and excellence. It is a privilege to be here with state and local officials, law enforcement personnel, businesspeople, and entrepreneurs.

You are here today because of a common interest in cybersecurity. I would like to speak to you today about (1) the scope of the cybersecurity threat that confronts us, and (2) the benefits that we all can gain from public-private partnerships. I will also discuss some of the challenges that law enforcement faces in the current cyber environment.

First, let me discuss the scope of the threat.

Whether you work for local law enforcement, a utility provider, a hospital, or a small or large company, you need to protect your critical infrastructure against cyber infiltration. The threat that cybercriminals pose to public entities and private businesses is substantial.

A single intrusion could mean economic loss, bankruptcy, and in some cases, loss of human life.

A recent report predicts that the monetary costs of global annual cybercrime will double from $3 trillion in 2015 to $6 trillion in 2021. Those numbers are staggering; and recent events demonstrate why we need to work together to address the growing threat.
Cyber criminals know that a company’s lifeblood is contained in its networks and the information flowing through those systems. The last few years have witnessed a significant increase in criminals using ransomware.

On average, more than 4,000 ransomware attacks have occurred daily since January 1, 2016. That is a 300% increase over the approximately 1,000 attacks per day in 2015. According to FBI estimates, ransomware infects more than 100,000 computers a day around the world.

A few years ago, ransomware attacks were unsophisticated and haphazard attempts by novice hackers to gain a few hundred dollars, mostly from individual users who happened to be affected.

Today, the attacks are concerted efforts by sophisticated individuals, criminal enterprises, or nation-states that can target a range of home users, businesses, networks, or critical infrastructure with laser-like precision to cause widespread damage.

The damage is economically significant. Estimates of the amount of ransom paid to criminals approach $1 billion annually. It can also be life threatening. Earlier this year, the “WannaCry” ransomware infected hundreds of thousands of computers around the globe, and paralyzed Britain’s National Health Service.

In 2016, here in Michigan, the Board of Water & Light fell victim to a ransomware attack when an employee erroneously opened an e-mail attachment containing the virus.

Although the virus affected only the utility’s e-mail and accounting systems, the Board paid a $25,000 ransom and spent approximately $2 million on other remedial measures. The Board was lucky — many cyber thieves are happy to pocket ransom payments without unlocking their victims’ computers.

Moreover, if the virus had actually impacted electric or water systems, consumers could have lost services for days or weeks.
Three months ago, Michigan’s Caro Community Hospital and its related facilities lost access for approximately two weeks to computers, phones, patient records, and e-mail services because of a ransomware attack. Fortunately, no medical devices were directly affected.

But imagine how much more serious the attack could have been. Many types of machines critical to emergency treatment are computers. MRI machines and ventilators may run software and be connected to networks. A targeted and widespread attack on medical service providers could endanger lives.

State and local law enforcement are not immune from ransomware attacks, either. Earlier this year, a Texas police department reportedly lost eight years’ worth of digital evidence after falling victim to a ransomware attack.

Luckily, the department retained copies of most of the lost evidence, so it appears the number of affected prosecutions should be relatively small. The situation could have been substantially worse.

Ransomware is not the only form of cyber threat that we must safeguard our critical infrastructure against. In 2013, a foreign adversary gained access to a dam in New York. If the dam’s sluice gate, which controls water levels and flow rates, had not happened to be manually disconnected for maintenance, the adversary may have been able to remotely operate and manipulate the gate.

Cyber criminals also frequently use distributed denial of service attacks to grind normal network operations to a halt. The DDoS threat is particularly noteworthy because it will only grow as criminals continue to leverage Internet of Things devices against us.

A June 2016 attack launched against domain name servers used simple Internet-connected devices, such as cameras and digital video recorders. The attack vividly illustrates how our digital infrastructure can be used against us. Cisco recently predicted a continuing increase in DDoS attacks, and noted that they can represent up to 18% of a country’s total Internet traffic.
Speaking of traffic, driverless automobiles are already on the road. As vehicles become increasingly smarter, interconnected, and automated, the risk of their use in a cyber-attack significantly rises.

A March 2016 Government Accountability Office report finds that “remote attacks” on cars could “involve multiple vehicles and cause widespread impacts including passenger injuries or fatalities.” That type of attack is especially worrisome because it is scalable. “[C]yber attackers could theoretically achieve massive attacks of multiple vehicles simultaneously.”

Companies must prepare for this threat and ensure that the automobiles of tomorrow are built today with good cyber-defenses.

Every business is responsible for protecting its own systems against cyber-attacks, and individual efforts are unquestionably important. But unilateral action is not sufficient to address the growing global cyber threat. That is why public-private partnerships are critical to combatting this problem.

Law enforcement can help before, during, and after a cyber-incident. The first step in safeguarding against cyber-attacks is a good defense, and the best time to formulate your response is before the incident occurs.

The Department of Justice is here to help. On our website, you will find pamphlets about how to “Protect[] Your Networks from Ransomware” and “Best Practices for Victim Response and Reporting of Cyber Incidents.”

Reflecting the lessons federal prosecutors and agents have learned while handling cyber investigations, the documents explain how you can safeguard your organization’s computer systems and networks. They also describe best practices for responding to a real-time cyber-incident.

Securing your critical infrastructure against cyber-attack helps both your organization, and the public. When cyber defenses prevent criminal infiltration, the public wins because critical systems remain operational and available for use.
Similarly, whether your organization is a large multi-national company or a small start-up that creates web-connected devices like doorbells, thermostats, or kitchen appliances, you can play a critical role in thwarting cyber-attacks by building into your devices mechanisms that secure them against hijacking by criminals.

But even if you take all reasonable precautions, your organization may still fall victim to a cyber-incident. If that happens, I urge you to immediately notify law enforcement.

I occasionally hear that business executives do not feel comfortable reporting cyber incidents to law enforcement. Undoubtedly, the decision to notify law enforcement of a cyber-attack and to cooperate fully in an investigation involves a certain risk-reward calculation weighing the anticipated benefits of a pro-active approach against potential legal, reputational, and other costs.

But I want to emphasize how important it is to report cyber incidents as quickly as possible. Your actions, together with law enforcement’s help, could disrupt and deter those who would launch the next attack. A collaborative approach will be more effective than merely trying to avoid becoming the next victim.

Law enforcement provides substantial benefits to victims of cyber intrusions and attacks. We can help you understand what happened; we can share contextual information about related incidents, thereby helping you to create defenses in case the intruders return; we can ensure proper investigation and preservation of evidence; we can inform regulators about your cooperation; and we are uniquely situated to pursue the perpetrators, through criminal investigation and prosecution. In appropriate cases, we also can pursue economic sanctions, diplomatic pressure, and intelligence operations.

Law enforcement agencies employ investigative tools not available to the private sector, and we strive to work cooperatively with victims to ensure they are not further victimized during our investigation. We also maintain relationships throughout the world that can help us track down perpetrators, and bring them to justice.

Even where we may be unable to arrest or prosecute the hackers, we can tap into the expertise of other agencies, and deploy tools that reach beyond our borders.
Many cyberattacks are directed by foreign governments.

When you are up against the military or intelligence services of a foreign nation-state, you should have our federal government in your corner.

By alerting law enforcement about a cyber incident, your organization performs a public service; it helps strengthen the cyber defenses of others. When law enforcement understands the details of an attack, we can promptly work on trying to apprehend the perpetrator, potentially before the next attack.

Even if we cannot quickly arrest the hacker, law enforcement can warn other organizations about a potential impending attack, and include details about the perpetrator’s modus operandi.

Other entities can take additional precautions to safeguard their critical infrastructure.

Law enforcement can also partner with private industry to address a problem we call “Going Dark.”

Technology increasingly frustrates traditional law enforcement efforts to collect evidence needed to protect public safety and solve crime. For example, many instant-messaging services now encrypt messages by default. They prevent the police from reading those messages, even if an impartial judge approves their interception.
The problem is especially critical because electronic evidence is necessary for both the investigation of a cyber incident and the prosecution of the perpetrator. If we cannot access data even with lawful process, we are unable to do our job. Our ability to secure systems and prosecute criminals depends on our ability to gather evidence.

I encourage you to carefully consider your company’s interests and how you can work cooperatively with us. Although encryption can help secure your data, it may also prevent law enforcement agencies from protecting your data.

Encryption serves a valuable purpose. It is a foundational element of data security and essential to safeguarding data against cyber-attacks. It is critical to the growth and flourishing of the digital economy, and we support it. I support strong and responsible encryption.

I simply maintain that companies should retain the capability to provide the government unencrypted copies of communications and data stored on devices, when a court orders them to do so.

Responsible encryption is effective secure encryption, coupled with access capabilities. We know encryption can include safeguards. For example, there are systems that include central management of security keys and operating system updates; scanning of content, like your e-mails, for advertising purposes; simulcast of messages to multiple destinations at once; and key recovery when a user forgets the password to decrypt a laptop. No one calls any of those functions a “backdoor.” In fact, those very capabilities are marketed and sought out.

I do not believe that the government should mandate a specific means of ensuring access. The government does not need to micromanage the engineering.

The question is whether to require a particular goal: When a court issues a search warrant or wiretap order to collect evidence of crime, the company should be able to help. The government does not need to hold the key.

Let me close by thanking you for inviting me to speak, and for your commitment to improving cybersecurity.

The cyber threats that we face cry out for effective public-private partnerships. You have my commitment that the Department of Justice will work with you to confront them.

I hope that we can count on each of you to do the same.