Good afternoon, and thank you for inviting me here to share
a few words on the importance of collaboration in confronting the national
security cyber threat.
Protecting the nation from national security threats is the
mission of the National Security Division.
Although NSD was created in response to the September 11th terrorist
attacks, its mission goes well beyond terrorism. In the past years it has come increasingly to
include a focus on cyber as part of the threat posed by certain foreign
nations. And as we do with respect to
terrorism, NSD drives collaboration among prosecutors, law enforcement
officials, intelligence attorneys and the Intelligence Community to ensure that
we approach the national security cyber threat using every tool and resource
available to the federal government.
Some of you in this room come from the private sector —
companies both large and small.
Companies that consult and provide advice, and companies that
manufacture products. Others come from
federal, state and local governments — or from other countries. Your work may be diverse, but you all
appreciate one thing. You know that
there are countries in this world that want what we have. They want our sensitive information, our
technology, our intellectual property.
And they want to destroy any competitive advantage we enjoy. Around the world there are people who wake up
every morning thinking about how they’re going to destroy it. And they go to bed at night, much too often,
thinking about a job well done. One
thing they’re not spending much time thinking about is our laws and
international cyber norms.
You don’t have to be a defense contractor to be worried
about this. Recently, we prosecuted
cases involving the thefts of grains of rice and kernels of corn. No one is immune. If you’re in business, if you’re in
government, if you’re in medicine or academic research, you have something of
value to someone else. And to get it,
foreign countries will use all means, including computer intrusions.
You are not going to stop these countries on your own. No private company or institution has the
resources of a determined nation state.
Nor is any one part of the federal government going to stop these
adversaries on its own. We’ll only
succeed in defending the nation’s firepower and the fruits of its brain power
if we’re partnered together.
In recent years, NSD has furthered the government’s efforts
to deter and disrupt malicious national security cyber threats by charging
hackers acting on behalf of China, Russia, Iran and Islamic State of Iraq and
al-Sham (ISIS). But not every cyber disruption
needs to be a prosecution. In fact, just
last week, the Department announced it obtained a court order to disrupt a
global botnet known as the “VPNFilter” that had infected hundreds of thousands
of home and office routers controlled by the Sofacy Group, a well-known
malicious cyber-hacking organization.
The botnet provided the Sofacy Group the ability to undertake all manner of
malicious cyber activity, from unlawful surveillance to theft of valuable
information to disruptive attacks. The
Department could not have begun to neutralize this threat alone. We worked closely with the private sector,
including private security researchers, and other government partners, such as
the Department of Homeland Security. If
we continue to work together, we will do much, much more.
Let me provide two other illustrations of the good that can
happen when the private sector and the government work together.
Let’s take the case of Yahoo. Yahoo was the victim of a breach in 2013,
only to discover three years later that it had been subject to a second,
massive breach in 2014. When this
information came to light, Yahoo notified the government and provided valuable
assistance to the FBI, fully cooperating at every stage of the investigation.
As a result of this effective collaboration, Yahoo and the
FBI determined that hackers, working both for financial gain and on behalf of
Russian intelligence officers, had stolen information from at least 500 million
Yahoo accounts, and used that stolen information to obtain access to the
contents of accounts hosted by Yahoo, Google and other providers. Russian journalists, U.S. and Russian
government officials, and private-sector employees of financial, transportation
and other companies had all been targeted.
Thanks to the close cooperation of Yahoo, Google and others,
DOJ prosecutors and the FBI were able to identify and expose the hackers
without further compromising the privacy of the account holders. Three of the defendants were Russian
nationals residing in Russia — two Federal Security Service or “FSB” agents and
a known Russian hacker, an FBI “Most Wanted Cyber Criminal,” Alexsey Belan.
The fourth defendant was a 22-year-old hacker named Karim
Baratov, who resided in Canada.
Following the U.S. indictment, Canada captured and arrested
Baratov. He was brought to the U.S. and
pleaded guilty to eight criminal counts, including conspiracy to commit
computer fraud and abuse and aggravated identity theft. Earlier this week, he was sentenced to five
years in jail.
The second case demonstrates that cooperating with the
government, and benefiting from its knowledge and tools, can help a company
that has been hacked see things for what they really are.
A few years ago, a Midwestern consumer goods company was the
victim of what appeared to be a “run of the mill” intrusion. An intruder had obtained unauthorized access
to their customer database and had obtained personally identifiable information
for their customers. The company’s IT
personnel worked diligently to eject the hacker from their network, but he kept
coming back. Eventually, the hacker
threatened to expose the company’s customer information unless he was paid a
ransom.
Around that time, the company connected with the FBI.
The FBI determined that Ardit Ferizi, a Kosovo citizen
studying computer science in Malaysia, was one of the hackers who had gained
unauthorized access to the victim company’s PII.
Although the hacker had a financial motive in demanding a
ransom from the company, the customer PII Ferizi stole was not destined for the
black market; that data was of interest because, among the tens of thousands of
customer names and email accounts he stole, there were more than a thousand
email addresses that ended in “.gov” or “.mil.”
Ultimately, Ferizi used that information to produce a list
of PII for approximately 1,300 U.S. government civilian employees and U.S.
military personnel.
He provided this information to a Syrian-based ISIS member
named Junaid Hussain.
A few months earlier, Hussain, acting in the name of the
Islamic State Hacking Division, had posted a “kill list” that purported to
include the names and addresses of 100 members of the U.S. military. Ferizi wanted to help him create and
disseminate a second kill list.
And in fact, soon after he received the information from
Ferizi, Hussain used Twitter to publish the PII of all 1,300 U.S. government
and military customers of the company. In
his tweet, he threatened “the Crusaders” who were conducting a “bombing
campaign against the Muslims.”
The Department of Justice charged Ferizi with violations of
the Computer Fraud and Abuse Act, and with conspiring to provide material
support to ISIS. We were successful in
obtaining his extradition from Malaysia to the United States, and he ultimately
pleaded guilty.
In September 2016, Ferizi was sentenced to 20 years in
prison. He was also ordered to pay
$50,000 in restitution to the company.
Even though the prosecution of Ferizi was public, the name
of the company was never revealed.
We are often asked why we would bring a case against foreign
nationals located outside the U.S. Well
for one, as the Yahoo and Ferizi cases prove, we may well get one or more of
them. The U.S. government has
extradition agreements with more than 100 countries, so it is not enough for
these defendants to forego a visit to Disney World. For the rest of their lives they will be
unable to travel to more than half the countries in the world without fear of
arrest and extradition to the U.S.
Second, the investigation and charges can assist other parts
of the Government in bringing their authorities to bear. For instance, Treasury’s Office of Foreign
Assets Control can designate the charged individuals or entities under an
Executive Order that authorizes blocking the property of persons engaging in
significant malicious cyber-enabled activities — ensuring that the perpetrators
will be financially isolated from the world.
When we brought charges against the founders and employees of the
Iranian Mabna Institute that hacked more than 300 American and foreign
universities, and government agencies and institutions around the world,
Treasury also designated the Institute and ten Iranian individuals.
Third, charges raise awareness, both generally and
specifically, to this threat. In some
cases there may be additional victims that don’t know they’ve been hacked. To help the private sector identify malicious
activity and better protect itself, the FBI and DHS will often release
technical details to the public. FBI did that just last week, when it released
a Public Service Announcement about VPNFilter, advising you to reboot your
router and including signatures of the botnet’s malware, so network defenders
can identify its presence in their network.
And finally, we pursue these cases to strip these hackers of
anonymity and call them out. This
prevents nation state actors from hiding behind ritualized denials and feigned ignorance. The recent indictment of Mabna Institute
members and the prior indictment of the Chinese People’s Liberation Army are
cases in point.
So that’s what’s in it for the country. What’s in it for you? What are the benefits of working with law enforcement
— before, during and after a computer intrusion or attack?
We can help you understand what happened when your organization has a cyber-incident.
We can share context and information about related incidents or malware.
We can ensure proper investigation and preservation of evidence for eventual prosecution.
We can assist you in dealing with regulators.
At the end of the day, the Government simply has many more
tools at its disposal to deal with the problem of national security cyber
intrusions. Tools that, working
together, we can use to respond to intrusions and deter future ones. Although we will always consider criminal
charges, pursuing prosecution may not be the best response in all cases. Accordingly, NSD attorneys work with their
interagency partners to determine whether our investigative information may be
used to support sanctions, trade pressure, technical alerts, diplomatic options
or other responses instead of, or in addition to, prosecution. All of these tools can impose real costs on
malicious activity, depriving hackers and their sponsors of the benefit of
their crimes and deterring future misbehavior.
Let me close on this note.
Everyone in this audience understands that we are in this together, and
we have an obligation to help one another.
The organization that reports a cyber intrusion doesn’t just help
itself, it also helps other targeted companies that may not even know they’ve
been victims of a hack, and it helps the country. It helps other organizations by raising their
awareness and sparking a check on their part for similar compromises. It also enables the government to work to
disrupt and deter intrusions of those other organizations. And it helps the
country by allowing the Government to piece together and respond to the
intentions and actions of antagonistic nations to better defend our nation’s
economic and military security.
It is the National Security Division’s job to disrupt and
deter national security cyber threats.
We will continue to work with other agencies to use all elements of
national power to meet this ever-changing and growing challenge. And to adequately protect our shared national
cyber security against persistent attack, we will need your help as well.
I look forward to working with you.