Boston, MA
~ Wednesday, October 4, 2017
Remarks as prepared for delivery
Good morning. Thank you, Tyler, for that very kind introduction.
It is a privilege for me to be here, among many of our nation’s leading policymakers and corporate executives. I want to share some thoughts with you. But I am reminded of a story about a young schoolboy who was assigned to describe Socrates. The boy wrote, “Socrates walked around giving people advice. So they poisoned him.” I hope to avoid the same fate. But at the risk of causing offense, I want to take this opportunity to speak to you about three issues: (1) the scope of the cybersecurity threat that confronts our nation; (2) the challenges we face in countering the threat; and (3) the ways that law enforcement can help, before, during, and after a cyber incident.
First, let me discuss the scope of the threat. The fact that so many of you who have such important responsibilities within your organizations are here demonstrates how critical cybersecurity has become.
Attempts to quantify just how big a problem we face vary widely, but everyone agrees that it is significant and growing. One estimate of the annual cost of global cybercrime predicts a doubling from $3 trillion in 2015 to $6 trillion in 2021. Those numbers are staggering. But recent public events make the types of problems we are facing more concrete.
Right now, we are dealing with one of the largest breaches ever of a private company holding sensitive financial data. Public reports indicate that as many as 145 million people may have been affected - that would equate to nearly one of every two Americans. Citizens of other countries also were affected. According to the target of the attack, hackers may have accessed names, social security numbers, birth dates, addresses, and driver’s license information, as well as credit card numbers, for hundreds of thousands of U.S. consumers: basically everything a criminal needs to steal a person’s identity.
This breach is similar to thousands of others where financially-motivated criminals targeted businesses. If you think it won’t happen to your company, you are probably wrong. A private report put the risk of suffering a material data breach at better than one in four — and the odds continue to rise.
Published reports reveal that one major web service provider suffered a breach that affected every one of its 3 billion web accounts. Mass data breaches can be extremely costly to victims. Private reports peg the average cost of a data breach at over $3.6 million. But of course that is an average. One large retailer reported spending $291 million for breach-related expenses, related to one attack on its network. In some cases, smaller businesses declare bankruptcy after a breach.
Even if your company does not hold large quantities of financial information, it almost certainly has valuable intellectual property in its computer systems. The Justice Department has indicted foreign cyber criminals who have broken into systems in the United States looking to steal ideas that make our nation strong and competitive in the global marketplace. The issue is so important that it has become the subject of agreements among the largest nations. The G20 leaders agreed in 2015 that no country should steal trade secrets or other confidential business information with the intent of advantaging its companies or commercial sectors. One of the cases we prosecuted involved the theft of technology that allegedly caused $800 million in losses. That is more than ten times the largest bank robbery.
Breaches that target financial data and intellectual property are serious concerns. But protecting American companies’ data is not the only thing we worry about. Cyber criminals know that many companies cannot do business without access to their networks. As a result, a new business model for cybercrime has emerged. Ransomware is now a global phenomenon.
The FBI estimates that ransomware infected more than 100,000 computers a day around the world. That number continues to grow. The total amount of ransom payments approaches $1 billion annually. Attacks used to be indiscriminate, scattershot attempts to squeeze a few hundred dollars from anyone who happened to be affected. Today, we see more sophisticated and targeted attacks that focus on particular businesses or sectors.
Even if you do everything right and your systems are impregnable, you are not necessarily safe. Attackers have used Distributed Denial of Service attacks to go after everything from banks to critical Internet infrastructure. Moreover, the Internet of Things exponentially increases the number of devices connected to the networks we all rely on every day. These devices, too, can be used against us.
Computer disruptions do more than simply grind a business to a halt; they can endanger lives. Even MRI machines and ventilators may run software and be connected to networks.
Individual efforts, while unquestionably important, simply are not enough. Law enforcement is a necessary part of combatting cyber threats. Disrupting and deterring the next attack is far more effective than merely trying to avoid becoming the next victim.
That brings me to what the Department of Justice is doing about the cyber threat. Federal law enforcement focuses primarily on transnational, organized cyber criminals. We have had significant successes. Earlier this year, we dismantled the largest dark market, AlphaBay. It operated for more than two years and was used to sell a host of illicit items, including deadly illegal drugs; stolen and fraudulent identification documents; counterfeit goods; malware and other computer hacking tools; firearms; and even toxic chemicals.
Also in 2017, we worked with foreign authorities to arrest the alleged creator of the Kelihos botnet. Over several years, that network was used to steal login credentials, distribute hundreds of millions of spam e-mails, and install ransomware and other malicious software across the globe. We dismantled that pernicious network of tens of thousands of infected computers.
Some of the criminals we pursue around the globe are acting at the behest, or for the benefit, of foreign governments. In March, we indicted four individuals, including two officers of the Russian state security service. They are charged with stealing information from at least 500 million e-mail accounts, conducting economic espionage, and engaging in other criminal offenses in connection with a years-long conspiracy to access a major web service provider's network and the contents of webmail accounts. And within the past few weeks, our government announced significant actions to deter and punish Iranians who used cyberspace to imperil our national security. Drawing on the Justice Department’s criminal investigation, the Treasury Department sanctioned seven hackers and their Revolutionary Guard-affiliated employers for attacking the global financial system. The Justice Department also unsealed charges against other Iranian nationals, accusing them of stealing software and selling it to Iranian military and government entities. Some of the software had military applications and was export-controlled.
So, 2017 has been a busy year for the Department of Justice in the fight against cybercrime. But those successes did not come easily. We face significant challenges.
For one thing, foreign governments use computer intrusions and attacks to advance their foreign policy goals, often at the expense of American companies and individuals. The federal government is not the only target of malicious, state-sponsored activity. And that activity has included damaging cyber attacks that cost millions of dollars to repair — not merely the theft of data. The targeting of private citizens and companies by foreign governments is especially disturbing.
Another disturbing trend that helps explain why data breaches keep occurring is the continued growth of dark markets that facilitate all manner of crime — from narcotics trafficking, to illegal firearms sales, identity theft, child exploitation and computer hacking. Even an unskilled hacker can purchase malware. Almost the entire supply chain for cybercrime can be outsourced, from the coding of malware, to the products that help malware evade security software, to the ultimate delivery of the malware. Dark markets continue to support the sale of data after it is stolen so that others can buy it to perpetrate fraud. Criminals then launder the ill-gotten gains through networks available on the same dark markets. We have to do more to stop dark markets if we want to disrupt the sophisticated underground economy that supports transnational organized cybercrime.
Dark markets are one of the worst examples of a broader problem we call “Going Dark.” Increasingly, technology frustrates traditional law enforcement efforts to collect evidence needed to protect public safety and solve crime. For example, many instant-messaging services now encrypt messages by default, thereby blocking the police from reading those messages — even if an impartial judge authorizes their interception. Or, to take another important example: for years, companies that make smartphones maintained the ability to access data stored on those phones, when ordered by a court to do so. But some of those companies made a conscious decision to engineer that critical capability away.
Encryption is valuable. It is a foundational element of data security and authentication. It is essential to the growth and flourishing of the digital economy. We in law enforcement have no desire to undermine encryption. But the advent of “warrant-proof” encryption is a serious problem. It threatens to destabilize the constitutional balance between privacy and security that has existed for over two centuries. Our society has never had a system where evidence of criminal wrongdoing was totally impervious to detection, even when officers obtain a court-authorized warrant.
But that is the world that technology companies are creating. Those companies create jobs, design valuable products, and innovate in amazing ways. But, in a democratic society, the decision to reset the constitutional balance should involve review by citizens and their elected representatives. We should have a candid public debate about the pros and cons of allowing companies to create lock boxes that cannot be opened by police and judges.
You should think broadly about your companies’ interests in this area, not only in how to secure your data, but also whether the means of doing so can prevent you from seeing what is happening on your networks, and preclude law enforcement from effectively protecting you and your data. Security is not necessarily binary. Something need not be either absolutely secure or hopelessly insecure. We can have managed security that permits fair and effective enforcement of laws rather than absolute, black box security that conceals criminal activity.
Finally, let me turn to how law enforcement can help. Despite all of our tools and relationships and efforts, some companies are reluctant to report cyber incidents to law enforcement. When deciding whether to notify law enforcement about a cyber incident or whether to cooperate fully in an investigation, organizations weigh the anticipated benefits of a pro-active approach against legal, business, reputational, and other practical concerns. I know there are many considerations in making these decisions, but I want to emphasize how important it is to report cyber incidents as quickly as possible.
Law enforcement provides many benefits to victims of cyber intrusions and attacks. We can help you understand what happened; we can share context and information about related incidents or malware, thereby helping you shore up your defenses should the actors return; we can ensure proper investigation and preservation of evidence; we can inform regulators about cooperation, which the FTC and SEC view favorably; and we are uniquely situated to pursue the perpetrators, through criminal investigation and prosecution. In appropriate cases, we also can pursue economic sanctions, diplomatic pressure, and intelligence operations.
Let me address one myth in particular. It is not pointless to report cybercrime. Law enforcement has tools not available to the private sector to investigate crime, and we strive to work cooperatively with victim companies to ensure they are not further victimized during our investigation. We also maintain relationships throughout the world that can help us find perpetrators and bring them to justice.
Even where we may be unable to arrest or prosecute the hackers, we leverage our criminal investigations by supporting the tools of other agencies, many of which can reach beyond our borders. When you are up against the military or intelligence services of a foreign nation-state, you should have the federal government in your corner.
Before I conclude, I want to offer a concrete recommendation that you can take back to your colleagues. Software and hardware vulnerabilities are one means by which your networks are compromised. Finding and eradicating those vulnerabilities is an important aspect of cybersecurity. All companies should consider promulgating a vulnerability disclosure policy, that is, a public invitation for white hat security researchers to report vulnerabilities found on your system. Many organizations find that the amount you can learn from “crowdsourcing” your search for vulnerabilities in a controlled way is well worth it. The Department of Defense runs such a program. It has been very successful in finding and solving problems before they turn into crises. Within the Department of Justice, our Criminal Division’s Cybersecurity Unit recently put out a paper to help companies think through creating such a program. It is available on our website. I encourage you to ask your team to look at that document and consider implementing its suggestions.
I want to thank you for your attention. I know that my job here is to talk, and your job is to listen. I need to finish my job before you finish yours!
Let me close by saying thank you very much for having me, and thank you for your commitment to improving our collective cyber security. We can maximize our security only if we continue to work together. You have my commitment that the Department of Justice will work with you to that end. I hope that we can count on each of you to do the same.