I’m not sure how I missed this last month, but Lisa Monaco—assistant attorney general for national security—gave a speech on cybersecurity and NSD’s bureaucratic and substantive response to the problem. Better late than never, here’s the full text—along with a recent Justice Department blog post on efforts to stand up “a new, nationwide program focused on combating cyber-based terrorism and state sponsored computer intrusions”:
Assistant Attorney General for National Security Lisa Monaco Speaks at the “2012 Cybercrime Conference”Seattle ~ Thursday, October 25, 2012
Good afternoon. Thank you for having me here today. I am grateful to the U.S. Attorney’s Office for the Western District of Washington and to U.S. Attorney Jenny A. Durkan, for organizing a conference on this important topic. Thank you all for taking the time out of your schedules to discuss these issues. Events like these are critical to helping us succeed in combating cyber threats.
If there is one thing we all know from the presentations today and our work in the field, it is the seriousness of the cyber threat. The President has called it “one of the most serious economic and national security challenges we face as a nation.” It’s hard to quibble with that. Hardly a day goes by when cyber events don’t show up in the news. As many of you know, over the last several weeks, financial institutions in the United States have been hit by a series of Distributed Denial of Service (or DDOS) attacks. Such attacks are relatively easy to carry out, but they can cause serious harm by disrupting companies’ website services and preventing customer access. Although these disruptions have been temporary, their frequency and persistence underscores recent Intelligence Community warnings about the “breadth and sophistication of computer network operations . . . by both state and nonstate actors.” The cyber alarm bell has been rung. The Intelligence Community’s most recent Worldwide Threat Assessment confirms that U.S. networks have already been subject to “extensive illicit intrusions.” The head of the National Security Agency and the Pentagon’s Cyber Command, for one, believes such intrusions may have resulted in “the greatest transfer of wealth in history.”
We often think of national security threats, like that of a catastrophic terrorist attack, as questions about prevention. But the cyber threat is not simply looming – it is here. It is present and growing. Although we have not yet experienced a devastating cyber attack along the lines of the “cyber Pearl Harbor” that Defense Secretary Panetta recently mentioned – we are already facing the threat of a death by a thousand cuts. Outside the public eye, a slow hemorrhaging is occurring; a range of cyber activities is incrementally diminishing our security and siphoning off valuable economic assets. This present-day reality makes the threat of cyber-generated physical attacks, like those that might disrupt the power grid, appear no longer to be the stuff of science fiction. And all of this comes against the backdrop of sobering forecasts from the highest ranks of our national security community. FBI Director Mueller – a man not prone to overstatement – predicts that “the cyber threat will pose the number one threat to our country” in “the not too distant future.”
Despite all we know about intrusions against U.S. businesses and government agencies, what is more sobering still is the Intelligence Community’s assessment that “many intrusions . . . are not being detected.” Even with respect to those that are detected, identifying who is behind cyber activity can be uniquely challenging. Technologies can obscure perpetrators’ identities, wiping away digital footprints or leaving investigative trails that are as long as the web is wide. Cyber intrusions don’t announce themselves or their purpose at the threshold. Depending on the circumstances, the purpose or endgame of a particular intrusion may be anyone’s guess – is it espionage? Mere mischief? Theft? An act of war?
The threats are as varied as the actors who carry them out. A growing number of sophisticated state actors have both the desire and the capability to steal sensitive data, trade secrets, and intellectual property for military and competitive advantage. While most of the state-sponsored intrusions we are aware of remain classified, the onslaught of network intrusions believed to be state-sponsored is widely reported in the media. We know the Intelligence Community has noted that China and Russia are state actors of “particular concern,” and that “entities within these countries are responsible for extensive illicit intrusions into US computer networks and theft of US intellectual property.” Indeed, “Chinese actors are,” according to a public report of our top counterintelligence officials, “the world’s most active and persistent perpetrators of economic espionage.” And we know that Secretary of Defense Panetta has stated that “Iran has also undertaken a concerted effort to use cyberspace to its advantage.”
In cases involving state actors and others, trusted insiders pose particular risks. Those inside U.S. corporations and agencies may exploit their access to funnel information to foreign nation states. In these cases, perimeter defense isn’t worth much; the enemy is already inside the gates. The Justice Department has prosecuted a number of corporate insiders and others who obtained trade secrets or technical data from major U.S. companies and routed them to other nations via cyberspace.
Earlier this year, in the first indictment of foreign state-owned entities for economic espionage, several companies controlled by the government of China were charged in San Francisco for their alleged roles in stealing a proprietary chemical compound developed by a U.S. company for China’s benefit. While this particular theft was not cyber-enabled, cyberspace makes economic espionage that much easier. In an Internet age, it is no longer necessary to sneak goods out of the country in a suitcase; a single click of a mouse can transmit volumes of data overseas. Indeed, the Department has secured convictions of individuals who stole corporate trade secrets by simply e-mailing them overseas. In one recent case, a chemist downloaded a breakthrough chemical process just developed by his company in the United States and e-mailed it to a university in China where he had secretly accepted a new job.
The other major national security threat in cyberspace is cyber-enabled terrorism. Although we have not yet encountered terrorist organizations using the Internet to launch a full-scale cyber attack against the United States, we believe it is a question of when, not if, they will attempt to do so. Individuals affiliated with or sympathetic to terrorist organizations are seeking such capabilities. We have already seen terrorists exhorting their followers to engage in cyber attacks on America. Just this year, an al-Qaeda video released publicly by the Senate Homeland Security Committee encouraged al-Qaeda followers to engage in “electronic jihad” by carrying out cyber attacks against the West.
Terrorists have already begun using cyberspace to facilitate bomb plots and other operations. These activities go beyond the use of cyberspace to spread propaganda and recruit followers. For example, the individuals who planned the attempted Times Square bombing in May 2010 used public web cameras for reconnaissance, file sharing sites to share operational details, and remote conferencing software to communicate. Najibullah Zazi attempted to carry out suicide bomb attacks against the New York subways around the anniversary of 9/11 three years ago. After returning to the United States from terrorist travel, he used the Internet to access the bomb-making instructions he had received in Pakistan and tried to communicate via the Internet in code with his al-Qaeda handlers in Pakistan just prior to the planned attack. Khalid Aldawsari, who was convicted in June of this year in the Northern District of Texas, used the Internet extensively to research U.S. targets and to purchase chemicals and other bomb-making materials.
Evolving To Meet the Threat — Learning from the Counterterrorism Model
The threats we face in cyberspace are changing, and we must change with them. Of course, we have faced similar challenges before. After the devastating attacks eleven years ago, we learned some hard lessons. We have since put those lessons into practice: working across agencies to share information, and bringing down legal, structural, and cultural barriers. Law enforcement’s approach to terrorism has become intelligence-led and threat-driven. We have erected new structures, including the National Security Division, which I am privileged to lead. As the first new litigating division at the Justice Department in nearly fifty years, the National Security Division was created to bring together intelligence lawyers and operators on the one hand, and prosecutors and law enforcement agents on the other, to focus all talent on the threats before us.
Since September 11, we have made great progress against terrorism by developing effective partnerships that help us identify threats and choose the best tools available to disrupt them. Much of our success is attributable to the all-hands-on-deck approach we have adopted for countering terrorism. From where I sit, I can see this change reflected in our day-to-day operations. In our investigations, for instance, we actively seek to preserve the ability to prosecute even while using intelligence tools and vice versa. We must bring the same approach, a whole-of-government approach, an all-tools approach, to combat cyber threats to our national security. Investigations and prosecutions will be critical tools for deterrence and disruption, ones that we have a responsibility to use. But they are not the only options available. The diversity of cyber threats and cyber threat actors demands a diverse response. This nation has many tools – intelligence, law enforcement, military, diplomatic, and economic – at its collective disposal as well as deep, and diverse, expertise. The trick is in harnessing our collective resources to work effectively together.
Those of us charged with investigating and disrupting cyber threats to national security and advising operators and agents must be creative and forward-looking in our approach. First, we must consider – in conjunction with our partners – what cyber threats will look like in the coming years. Only by knowing what is on the horizon can we ensure that the right tools exist to address cyber threats before they materialize. Second, we must be vigilant to prevent the formation of what the WMD Commission after 9/11 called “legal myths” that have led to “uncertainty” in the past “about real legal prohibitions” among operators. And, together with operators, we must consider what kinds of tools, investigations, and outreach we can launch now to lay the groundwork for future cyber efforts. These may be relatively simple things, like standardized protocols and established points of contact to make reporting intrusions easier. Or they may take the form of institutional relationships between the government and the private sector for sharing information.
On an operational level, both public and private sector attorneys need to be able to tell clients what options they have available to deal with cyber threats. If cyberspace is an “information super-highway,” then lawyers are the GPS system in a client’s car: It is our job to tell the client how to get there. When obstacles get in the way, we should tell the client how to avoid them. We must look ahead, anticipate jams, and route clients around them.
This metaphor is particularly applicable in the cyber realm. As cyber events unfold in real time, we learn more about our adversary, the means available to him or her, and the vulnerabilities in our own systems. Our advice must adapt accordingly. For those of us in government who act as operational lawyers, it is important in this environment to be clear about where the legal debate stops and the policy debate begins. For those of you in the private sector, I imagine one concern is that your clients not be left vulnerable in a shifting legal landscape. And for those of you in academia, we need your help testing boundaries and pushing forward with questions that need to be asked and answered by all of us as we navigate this legal space together.
One of the significant operational challenges we face is the same one the Intelligence Community confronted in reorganizing itself after the attacks of September 11. The cyber threat demands ready and fluid means of sharing information and coordinating our actions. At the National Security Division, we have made this evolution, and combating this threat, a top priority. Working with our partners – including the FBI, the U.S. Attorney community, and the Computer Crime and Intellectual Property Section (one of their leaders, Richard Downing is here today) – we are ensuring that all resources are brought to bear against national security cyber threats.
To help accomplish these goals, the National Security Division established earlier this year a National Security Cyber Specialists’ Network to serve as a one-stop shop in the Justice Department for national security-related cyber matters. The network brings together experts from across the National Security Division and the Criminal Division and serves as a centralized resource for the private sector, prosecutors, and agents around the country when they learn of national security-related computer intrusions. Each U.S. Attorney’s office around the country has designated a point of contact for the network. These skilled Assistant U.S. Attorneys will act as force multipliers, broadening the network’s reach and ensuring a link back to their counterparts at headquarters. Drawing upon the Joint Terrorism Task Force model, which has been successful in the terrorism realm, the network seeks to improve the flow of national security cyber information to offices throughout the country. This means more information, earlier on, in national security cyber incidents. Thanks to the contribution of other parts of the Department, especially CCIPS, the FBI, and the U.S. Attorney’s offices, the network has helped us to focus nationwide on bringing more national security cyber investigations. Through this nationwide network, we are consolidating and deepening the Department’s expertise, institutionalizing information sharing, ensuring coordination, and pursuing investigations.
We have also trained our attention on the diverse cyber capabilities that reside throughout the government. The U.S. Secret Service, the Department of Commerce, and the Department of Defense, not to mention the FBI, are all common partners in this fight, each using their distinct tools to achieve a common goal. We have enhanced our joint work with the FBI’s National Cyber Investigative Joint Task Force, where we now have a dedicated National Security Division liaison.
Within DOJ, we are putting more prosecutors against the threat and focusing on how to best equip and educate our cyber cadre. Through the National Security Cyber Specialists’ Network, we are training prosecutors around the country. Next month, more than 100 prosecutors will gather in Washington, D.C. to share expertise on everything from digital evidence to the Foreign Intelligence Surveillance Act. No matter who the perpetrator is, being an effective adviser today requires an understanding of the technologies at hand. Perhaps we should all take a page from Estonia—where I understand they’re beginning a system of teaching first graders how to program! As courts confront these technologies, we also have a role in helping them grapple with what these changes mean for the development of the law and interpretations of existing legal authorities.
Partnership with the Private Sector
Of course, the need for collaboration does not end there. While interaction with the private sector is something that does not always come easily to the national security community, which is accustomed to operating in secrecy, it is absolutely necessary here. The Intelligence Community has noted the considerable portion of U.S. companies that report they have been the victims of cybersecurity breaches as well as the increased volume of malware on U.S. networks. Private companies are on the front lines. Individual defenses, as well as broader efforts to reform – like the legislation proposed by the Administration last year – will require our joint efforts.
To succeed in these efforts, we must develop a greater understanding of the concerns and pressures under which our private sector partners operate. A home computer user, whose machine is used in a botnet attack might not have much incentive to remove or check for malware. But a company targeted by such an attack has considerable incentive to do so. When dealing with corporate victims, the government must understand the competing interests at play. Companies may have shareholders, reputational concerns, and sometimes legal limitations. Yet we cannot fight the current or the future threat with old mindsets on either side. My colleague, the U.S. Attorney for the Southern District of New York, has spoken compellingly about the need for a “culture of security” and a “culture of disclosure” in industry. For our part, we need to understand the private sector’s concerns; we need to understand that it is not just the red tape of government that industry fears. They also fear that the disclosure of computer intrusions will bring yellow tape as well – that it will disrupt business by converting the corporate suite into a crime scene. Reporting breaches and thefts of information is the first step toward preventing future harm. For our part, we will work with industry. We will share information where we can and use protective orders and other tools to protect confidential and proprietary information.
How we respond to cyber intrusions and attacks, and how we organize and equip ourselves going forward, will have lasting effects on our government and its relationship with the private sector. Particularly in these early moments, in what will no doubt be a sustained endeavor, it is incumbent upon us to take notes – to identify impediments, legal questions, technical challenges, and address them together. All the while we must bear in mind the great potential of these technologies and the importance of not stifling them as we find better ways to make them secure.
We have heard the warnings about the potential for a cyber 9/11, but we are, for the moment, in a position to do something to prevent it. The cyber threat poses the next test of the imperative that we see law enforcement and national security as joint endeavors. Our work offers an opportunity to demonstrate the strength and adaptability of the lessons we have learned over the last eleven years in the fight against terrorism. U.S. Attorney’s Offices – and all of you sitting in this room – are at the forefront of these issues. I look forward to pursuing the threats we face in partnership. Thank you for being with us today.