Assistant Attorney General John Carlin Delivers Remarks at the National Cyber-Forensics and Training Alliance

Wednesday, September 23, 2015

And thank you to the National Cyber-Forensics and Training Alliance (NCFTA) for organizing this Executive Summit.  Since 1997 – long before the cybersecurity conversation was in the forefront of American minds and back when one of the biggest threats to industry was spam – NCFTA has been a leader in bringing together law enforcement, private industry and academia to share information to stop emerging cyber threats and mitigate existing ones.  Today, nearly two decades later, as the threats we face have grown to include malware, nation state-sponsored theft and critical infrastructure attacks, among many others, your work has become only more important.

You should be commended – not only for the work you do each and every day, but for your foresight.  You recognized long ago that we are most secure when the government and private sector share strategies and best practices on secure information access, threat detection and incident response.  As a result, you created the model that others should follow.

Discussions like this one today, and the collaboration you undertake on a daily basis, allow us to learn from one another, so that the same actors, using the exact same tools and signatures, cannot simply move to a new victim when they have been kicked out of another organization’s network.

And that is both critically important and incredibly urgent.  Because while we gather here in Pittsburgh to work together to make this country safer, our adversaries likewise gather together to strategize against us.  Nation states have developed entire economic espionage campaigns against us and our corporations – relying on their own kind of public-private partnerships to do us harm.  Right now, other nations’ governments issue their own calls to action, threatening our livelihood, our economic security and our safety.

That is why this conversation is so important.  To keep our nation secure, to enable American businesses to compete fairly in our global economy and to ensure we have an early warning system to help mitigate threats, we need to work together.  When a foreign government attacks, private industry cannot and should not go it alone.  Your own government ought to help you.  And we will.

The Role of the National Security Division

That is precisely why the Department of Justice’s National Security Division – or NSD, for short – was created.

After the devastating attacks of September 11th, it became clear that the Justice Department needed to reorganize to tackle terrorism and national security threats more effectively.

We needed a single division to integrate the work of prosecutors and law enforcement officials with attorneys and analysts in the Intelligence Community.  So, nearly a decade ago, Congress created the department’s first new litigating division in almost half a century: NSD.

In the years since NSD was created, it has become increasingly clear that the same things that motivated our creation and guided our efforts to combat terrorism were equally true in the cybersecurity realm.  We have a host of tools available to us to combat online threats to the national security – criminal prosecution, sanctions, designations and diplomatic options – and we have the ability to pick the best tool or combination of tools to get the job done under the rule of law.

Our attorneys live by that approach.  We use all available tools to combat online threats to the national security and have ensured that we have the necessary expertise no matter who is behind the threat, what their motivation is, or what tool we need to use.  Under unified NSD leadership, we have integrated the full range of national security expertise of the department under one roof and we bring broad and varied skills and expertise to cyber issues.  And we created the nation-wide NSCS Network, which consists of over 100 specially-trained federal prosecutors in every jurisdiction, who focus on combating online threats to the national security.

The Threats We Face

That integration is critical as we face an onslaught of new threats and intrusions that raise national security concerns.

In the Sony hack late last year, we saw a foreign, state-sponsored actor wage a destructive attack intended to chill the speech of a company in the United States and U.S. citizens.  The Sony attack was perpetrated by North Korean-sponsored hackers who destroyed computer systems, stole valuable information, released corporate data and intellectual property at significant cost and threatened employees and customers.

As a hybrid threat, presenting national security and criminal concerns, we see both state and non-state actors using the Internet to steal our intellectual property and export-controlled information at unprecedented levels.  As the President said recently, industrial espionage and the theft of trade secrets is fundamentally different from the traditional intelligence-gathering functions that all states engage in.  China’s campaign to steal trade secrets and other proprietary information is “an act of aggression that has to stop.”  As the world’s two largest economies, the United States and China have a vested interest in working together on this issue.  President Obama is prepared to address these issues with the Chinese, recently saying that “this will probably be one of the biggest topics that [he will] discuss with President Xi” during the upcoming visit.  Just this week the Wall Street Journal published a transcript of an interview with Chinese President Xi Jinping in which he agreed that cyber theft of commercial secrets and hacking attacks against government networks are both illegal.

Similarly, we have also seen an uptick in the theft of personally identifiable information in bulk quantities.  A concerted series of malicious cyber activity targeting OPM – the agency that manages personnel records for federal employees – resulted in the compromise of millions of sensitive records, including background investigation files for national security clearances.

Similar intrusions over the past two years have targeted several major health insurers’ customer financial and medical information and even airline passenger travel reservation records.  Just this month, a New York Blue Cross Blue Shield provider revealed that it was the victim of a massive breach, exposing the data of more than 10 million people.

The challenge transcends this rampant information theft, as malicious actors are seeking to build the capabilities and develop the access necessary to disrupt United States critical infrastructure.

In short, online threats of all types are increasing in frequency, sophistication and scope.  And these threats are occurring against a background of increasing worry about the nation’s overall network security.  The past year has seen the announcement of several significant software vulnerabilities – some now so famous that they have their own brand names, such as Heartbleed, Shellshock and Stagefright.

This year, the Department of Homeland Security’s Computer Emergency Readiness Team published a list of 30 “high risk vulnerabilities” that, according to DHS, are exploited in “[a]s many as 85 percent” of attacks on critical infrastructure organizations.  These included several software vulnerabilities that were disclosed years ago, including one as far back as 2006.  This means that companies are not falling victim to new and unidentified exploits, but rather, to vulnerabilities that have been known for almost a decade.

Finally, new threats appear on the horizon.  We know that terrorists seek to exploit our reliance on weak or outdated network security to harm our way of life.  To date, terrorist groups are largely experimenting with hacking, but this could serve as the foundation for developing more advanced capabilities.  We’ve also seen calls to action through Internet jihad by both Al Qaeda and ISIL and our international partners have experienced attacks conducted by purported jihadists.  We are concerned those groups will not hesitate to deploy offensive capabilities if they are able to acquire them.

The threat from these terrorist organizations has a second and equally troubling dimension: unprecedented and sophisticated use of social media to radicalize and recruit new associates for heinous attacks.

Al Qaeda was very guarded with its brand and selective in its recruiting; by contrast, ISIL blasts out tens of thousands of social media messages daily, calling for sympathizers worldwide to act in ISIL’s name – at a time, place and method of the attacker’s choosing.  ISIL claims credit, whether successful or not.

Although ISIL uses social media and open platforms for recruitment, they conduct their operational planning through encrypted communications using mainstream technology.  It is important that those providing the services take responsibility for how their services can be abused.  Responsible providers need to understand what the threats are and to take action to prevent terrorist groups from abusing their services to induce recruits to commit terrorist acts.

Our Response: U.S. Government All-Tools Approach

This audience knows all too well that adversaries with extensive resources can pose a serious threat to anyone’s network.  Our collective response must extend beyond awareness campaigns and scanning e-mail for phishing attacks.  We also need the ability – after a sophisticated hacker has gotten in – to detect and disrupt that attacker.  Then, we need to respond to the attack in a way that will deter future foes.

The government must take concrete and decisive action to respond to these threats.  Along with our partners in other federal, state, and local agencies, we intend to raise the costs of state-sponsored offenses against our nation, both for targets in government and the private sector.  We want to reach the point where the costs outweigh the benefits of targeting our systems and stealing our data.

For example, last year, here in Pittsburgh, we brought the first-ever charges against state-sponsored actors – the five named members of the Chinese People’s Liberation Army Unit 61398 – for computer hacking, economic espionage and other offenses directed at six American companies in the U.S. nuclear power, metals and solar products industries.   

It was true when we said it in May 2014 following the PLA indictment, and it remains true today: we are aware of no nation that publicly states that theft of information for commercial gain is acceptable.  It is time for us to, once and for all, come to a common agreement about acceptable state behavior on the Internet.  Ambassador Susan Rice recently reiterated this point in a speech at the George Washington University, stating that, “Cyber-enabled espionage that targets personal and corporate information for the economic gain of businesses undermines our long-term economic cooperation and it needs to stop.”

And, when those norms are not abided by, we must hold responsible individuals and entities accountable and increase the costs of their activity.

The need to increase the costs of malicious activity online is especially obvious in light of the destructive acts targeting Sony Pictures.  North Korea’s use of computer network attacks to destroy computer systems and deter and punish Americans from exercising their First Amendment rights is unacceptable and indefensible.

Only weeks after the attack, we were able to publicly attribute that a nation-state was responsible.  That, alone, is significant, because attribution can be very difficult.  Unlike terrorists, who claim credit for attacks, our online adversaries often try to hide their conduct.  Of course, naming those responsible publicly is only the first step.

This is a national security problem, and it demands a national security solution.  That includes holding perpetrators accountable and increasing the cost of their activity in other ways as well.  Until nation states and terrorists stop stealing and waging bullying, destructive attacks, we must actively disrupt and deter them.

Whether you are the Syrian Electronic Army, North Korea, ISIL or a state-sponsored hacker, we must demonstrate that we can and will find you.  And when we do, there will be consequences.

The United States is pursuing a comprehensive, whole-of-government strategy to confront malicious actors who seek to harm critical infrastructure, damage computer systems and steal trade secrets and sensitive information.

The criminal justice system is a central and effective component of this disruption effort.  Indictments and prosecutions are a clear and powerful way, governed by the rule of law, to legitimize and prove allegations.  It is a necessary but not sufficient tool to bring to the fight.

But it is not the only tool we possess to communicate our expectations regarding acceptable online behavior.  We must be strategic; we must evaluate the full range of options – law enforcement, intelligence, diplomatic, military and economic – and use the most appropriate tool to respond.

Earlier this year, President Obama signed an Executive Order that provides a new means to respond to significant online threats.  The executive order authorizes the Secretary of the Treasury, in consultation with the Secretary of State and the Attorney General, to impose sanctions on individuals or entities that engage in significant malicious cyber-enabled activities – that could threaten the national security, foreign policy, or economic health or financial stability of the United States.

Of particular interest, the order will allow us to hold accountable companies that knowingly receive or use trade secrets stolen through cyber-enabled means.  These beneficiary companies are taking advantage of the hard work of Americans and harming our competitiveness.

This executive order – and the profound consequences for entities sanctioned under it – should make companies think twice before hiring hackers or making use of information that they know was stolen.  If they don’t, we will take appropriate actions, which can include sanctioning those companies and cutting off their access to U.S. markets.  This is the same approach we have taken in counterterrorism and counter-proliferation.

Some of the nations that steal from us also have obligations under international trade agreements, committing to protect intellectual property rights.  Our colleagues in the office of the U.S. Trade Representative are currently exploring the tools at their disposal under those agreements, and whether the World Trade Organization and other rules could provide ways to challenge state-sponsored trade secret theft. 

Importance of Private-Public Sector Partnership

Despite our ability and willingness to deter this conduct, no one is immune from malicious cyber activity.  We know that we will never achieve impenetrable defenses – no network wall is high enough to keep a determined, sophisticated actor out of our systems.

But you can take steps to mitigate the risk, and protect yourselves and your companies.  Part of the response must be to ensure that that your systems are resilient to attacks.

And, it is crucial that you not go it alone.  This challenge requires a new kind of partnership between the government and industry – such efforts will be crucial to defending our companies and our citizens from these threats.  For the government’s part, we are committed to building this partnership.

We currently share sensitive information with you so you can defend against attacks in real time and engage in disruption efforts.  In the past year alone, the FBI presented over three dozen classified, sector-specific threat briefings to companies, but we need to keep getting better.

We’re working to lower the barriers to information sharing even further.  At the Department of Justice, for example, we’ve clarified that certain laws are not impediments to sharing information with the government to protect against cyber threats.

The Department’s Antitrust Division published guidance reaffirming that companies who engage in properly designed threat information sharing will not run afoul of antitrust laws and the Criminal Division published guidance to help clarify that companies can and should share certain aggregated threat information with the government.

We also continue to work with Congress to improve and update the legal framework for sharing threat information.

After an intrusion or attack, if a company works with law enforcement, it puts us both in the best possible position to find out exactly what happened and to remediate and prevent further damage.  The evidence is often fleeting, so early notification and access to the data is extremely important.

In addition, we may have seen the same indicators of malicious activity in other incidents, so we can conclude who was responsible and identify possible impacts and means of remediation.  Importantly, it also allows us to share information with other potential victims.  One company’s vulnerability is everyone’s vulnerability and it is critical that we work together.

The Department of Justice may be able to use legal authorities and tools that are unavailable to non-governmental entities.  As a government, we can also enlist the assistance of international partners to locate stolen data or identify a perpetrator.

These tools and relationships can greatly increase the odds of successfully apprehending an intruder or attacker and securing lost data.  Finally, this cooperation is vital to successful prosecutions or other enforcement actions that can prevent criminals from causing further damage to victim companies and others.  Prosecutions, sanctions and other steps will help deter would-be hackers.

A united front is critical because the threat you face includes hackers with the full backing of their governments and hackers that are part of sophisticated, international criminal syndicates.  You shouldn’t have to face those threats on your own and you don’t have to.  We are here to help.  At the same time, it is increasingly clear that dealing with expanding cyber threats must be a team effort.  You bring vital expertise and information to the effort, just as the government brings essential resources and capabilities.

There are many good sources of recommendations concerning how to respond to breaches across the U.S. government, including DHS and NIST.  Within the Department of Justice, our Criminal Division recently issued “Best Practices for Victim Response and Reporting of Cyber Incidents.”  It covers a number of subjects, but let me highlight one of its key takeaways: When companies suffer a breach, they immediately face a host of difficult choices, and that reality is not lost on us.

We understand that the decision whether to call law enforcement, in particular, is difficult.  Companies must weigh numerous considerations that can seem to cut in opposing directions.  What are the ramifications of publicizing this breach?  Will employees be embroiled in lengthy legal proceedings?  Will the government treat my confidential and proprietary information with the care and discretion it deserves?

We understand these concerns, and we can assure you that we will roll up our sleeves and work with you to try to satisfy them.  We understand also that your customers, employees and investors, when they finally do learn of a breach, will also ask you whether you worked with law enforcement.  Increasingly, they see that as a necessary step; they want to know that you are doing everything you can to address the breach, including informing law enforcement.

To repeat what I said at the outset: We are in this fight together.  As you work to make your organizations succeed and to protect their assets from adversaries – both state-sponsored and otherwise – always keep in mind that we in government stand ready to assist your efforts.

Thank you again for having me.  I look forward to your questions.