John Carlin’s Speech at Brookings on “Defending Our Nation by Prosecuting State-Sponsored Cyber Theft”
Watch the event with Assistant Attorney General John Carlin here:
And here are his remarks as prepared for delivery:
Defending Our Nation by Prosecuting State-Sponsored Cyber Theft
Thanks for that kind introduction. I’m grateful to be here at Brookings today discussing emerging national security threats. On Monday, the Department of Justice announced charges against five members of the Chinese military for computer hacking, economic espionage, and other offenses directed at six American victims in the U.S. nuclear power, metals, and solar products industries. Today, I’ll focus on this growing threat: state-sponsored cyber intrusions targeting, for profit, sensitive and proprietary information of U.S. companies.
These charges against uniformed members of the Chinese military were the first of their kind. Some said they could not be brought. At the Department, we follow the facts and evidence where they lead. Sometimes, the facts and evidence lead us to a lone hacker in a basement in the U.S., or an organized crime syndicate in Russia. And sometimes, they lead us to a uniformed member of the Chinese military. But, no matter where they lead, there can be no free passes. We should not stand idly by, tacitly giving permission to anyone to steal from us. We will hold accountable those who steal – no matter who they are, where they are, or whether they steal in person or through the Internet. Because cybercrime has real victims.
While cases like the one brought in Pittsburgh are extremely challenging, this week we proved that they are possible. The criminal justice system must be a critical component of our nation’s cybersecurity strategy. As long as criminals continue stealing from American businesses, we will continue pursuing those criminals. The charges announced on Monday were groundbreaking. They represent a significant step forward in our cyber approach. And they were many years in the making.
The National Security Division
Within the Justice Department, the National Security Division – or NSD – focuses on cyber threats to the national security – those posed by terrorists and nation states. Our approach to these threats is deeply rooted in our Division’s history, and our success in the cyber arena builds upon a solid foundation. NSD was created in response to the grave threat of terrorism. After the devastating attacks of September 11, it became clear that the Justice Department needed to reorganize to tackle terrorism and national security threats more effectively.
We needed a single Division to integrate the work of prosecutors and law enforcement officials with intelligence attorneys and the Intelligence Community. So, in 2006, Congress created the Department’s first new litigating division in almost half a century: NSD. NSD works closely with partners throughout the government to ensure we leverage all available tools to combat the terrorism threat. And we’ve proven, in that context, that the criminal justice system is a vital part of our nation’s counterterrorism strategy.
Just this week, Abu Hamza al-Masri was convicted by a jury in New York on eleven counts. He was involved in an attack in Yemen in December 1998 that resulted in the deaths of four hostages and provided material support to terrorists, including al Qaeda and the Taliban. In March, Sulaiman Abu Ghaith was convicted of conspiring to kill Americans and other terrorism charges. Abu Ghaith was the son-in-law of Usama bin Laden and a senior member of al Qaeda. He was the face and voice of al Qaeda in the days and weeks after the 9/11 attacks. In both of these cases, it took more than a decade, but as a result of our integrated approach to combating terrorism, these men were brought to justice. These cases are the two most recent in a long line of successful terrorism prosecutions.
Recently, we took the lessons we learned from counterterrorism and applied them to our work on national security cyber threats. In the face of escalating threats, we recognized the need to reorganize. To integrate. When I was chief of staff for Director Bob Mueller, the FBI undertook a transformation to meet the growing cyber threat. In 2011, NSD did the same. In late fall of 2011, ten years after 9/11, we established a review group to evaluate NSD’s existing work on national security threats and chart out a plan for the future. Six months later, that team issued recommendations that shaped what NSD’s national security cyber program looks like today.
Most significantly, in 2012, we created and trained the National Security Cyber Specialists’ Network to focus on combating cyber threats to the national security. This Network – known as NSCS – includes prosecutors from every U.S. Attorney’s Office around the country, along with experts from the Department’s Computer Crime and Intellectual Property Section and attorneys from across all parts of NSD. Adopting the successful counterterrorism model, we now have prosecutors nationwide routinely meeting with the FBI to review intelligence and investigative files. The creation of the NSCS Network was motivated by a desire to make a tangible impact on U.S. cybersecurity efforts through criminal investigation and prosecution. By December 2012, we made public predictions that with the establishment of the NSCS – by empowering more than a hundred prosecutors in the field working with the FBI on these cases – one would be brought.
The Pittsburgh Case
And this week, we made good on that promise. It is this new, integrated approach that made the Pittsburgh case possible. As part of the creation of the NSCS, we brought prosecutors from around the country – Wisconsin, New York, and Georgia – to help NSD build this case. We partnered with the Western District of Pennsylvania, where victims were repeatedly hit. And we worked with offices across the FBI – from California, to Oregon, to Oklahoma, and back here in D.C. Our team thought creatively. They worked collaboratively. They explored all available options for stopping this activity. That’s how we were able to indict five members of the Third Department of the People’s Liberation Army, or “3PLA,” and its “Unit 61398.” These men stand accused of cyber intrusions targeting a range of U.S. industries.
The indictment alleges, with particularity, specific actions on specific days by specific actors to use their computers to steal information from across our economy. It alleges that while the men and women of our American businesses spent their business days innovating, creating, and developing strategies to compete in the global marketplace, these members of Unit 61398 spent their business days in Shanghai stealing the fruits of Americans’ labor. It alleges that they stole information particularly beneficial to Chinese companies, and took communications that would provide competitors with key insight into the strategy and vulnerabilities of the victims.
Now, some question this law enforcement action. Generally speaking, these questions fall into three categories: First, whether there is a clear line between what these individuals have been accused of, and what the U.S. or other nations do; Second, whether charges like these can truly impact cybersecurity, particularly when there may be significant challenges to arresting and ultimately trying these individuals in criminal court; And third, whether the government should instead focus on hardening defenses rather than pursuing charges.
Stealing Is Stealing
As to the first question: while some commentators may ask whether this is a new line to draw, in fact we are aware of no nation that publicly states that theft of information for commercial gain is acceptable. Even in this case, China has not attempted to justify the allegations. Instead, they deny them. And this has been a consistent response. A little over a year ago, the Chinese Government flatly denied reports that Unit 61398 was hacking U.S. companies. A spokesman for China’s Ministry of National Defense said, “Chinese military forces have never supported any hacking activities.”
China also challenged the United States to present “hard evidence, evidence that could stand up in court,” that cyber attacks against American targets are connected to the Chinese military. Well, we did. The response? Hours after Monday’s announcement, the Chinese Foreign Ministry called the accusations “purely fictitious, extremely absurd.” Now, we are confident that we have the evidence to back up these accusations in a court of law. Read the indictment. For the first time, we have exposed the real faces and names behind the keyboards in Shanghai used to steal from American businesses. This is not conduct that responsible nations within the global economic community should tolerate.
In the United States, we believe that individuals and companies are entitled to the results of our creativity, including our property—and intellectual property. And we believe their work should not simply be taken from them and given to others. This is not a uniquely American value. Individuals around the world believe that people shouldn’t take what others make. Responsible nations do conduct intelligence activities. And nations openly acknowledge that they have intelligence services. Like others, our intelligence activities are focused on the national security needs of our country. That is why the President, earlier this year, reaffirmed in PPD-28 that “[i]t is not an authorized foreign intelligence . . . purpose to collect such information to afford a competitive advantage to U.S. companies and U.S. business sectors commercially.”
U.S. foreign intelligence collection occurs under the framework of the rule of law, involving oversight by all three branches of Government. As the Church Committee Report recognized back in 1976, “the Constitution provides for a system of checks and balances and interdependent power as between the Congress and the executive branch with respect to foreign intelligence activity.” The very protections built into that legal framework subject that information to rigorous oversight, and prevent sharing it with private companies for their private gain. But let’s be clear: those same protections do not exist in certain other countries that are targeting, every day, American trade secrets, sensitive business information, and intellectual property in order to steal specific information and pass it along to their domestic companies in order to give them a competitive edge. To pretend otherwise is to promote a narrative of false equivalency.
Even though we know of no nation that stands up publicly to defend corporate theft for the profit of state-owned enterprises, in the shadows, some appear to encourage and support it. In short, we allege the members of Unit 61398 committed theft, pure and simple. So although this case is the first of a kind, it is also, in some respects, just business as usual. As they have for decades, prosecutors in the field and at CCIPS use criminal investigation and prosecution to disrupt cyber crime. CCIPS is one of our most important partners in the fight against cyber threats.
Law enforcement has long been used to combat cyber threats and, as recently as this week, has made a tremendous impact on our nation’s cybersecurity. As you have likely seen, on Monday, the Department of Justice announced charges in connection with Blackshades malicious software. These charges were part of the largest-ever global cyber law enforcement operation, involving more than 90 arrests and other law enforcement actions in 19 countries. Likewise, in the national security arena, when criminal law enforcement is the most effective tool we have to disrupt a terrorist threat, we employ it no matter how far away or shielded from prosecution the defendants may seem today. When criminal enterprises steal our intellectual property and personal information, or threaten our security, we investigate and prosecute them. These are not the first charges that we have lodged against individuals who steal from Americans to benefit state-owned enterprises.
As just one example, in March, we successfully obtained a significant conviction for economic espionage. Walter Liew, an electrical engineer, obtained one of DuPont’s secrets – a process, honed over many decades, for making a multi-purpose white pigment – and passed it to a large Chinese state-owned company. What Liew stole was something Americans see and use daily. Something that does not have a national security implication. Something that simply brings a profit. Liew stole the formula for the color white. He was brought to justice in the U.S. criminal justice system. Like Liew, we allege that the members of Unit 61398 stole to benefit Chinese state-owned enterprises. The thefts are similar. They both took place here. The difference is that Unit 61398 operated remotely, from the previously safe spaces in Shanghai.
We will no longer permit safe havens. Individuals cannot avoid the consequences of their actions simply by capitalizing on 21st century tools and operating from the comfort of their desks half a world away.
Meeting the Threat of Cyber Economic Espionage
These crimes are the same as many crimes that we have investigated and prosecuted before. Only the method or means is different. But the threat we face is increasingly moving out of the physical world and into cyberspace, and thus, prosecutions of those who steal from us remotely must and will become the new normal. We will continue to pursue this option, along with others available to us.
The threat of economic espionage is serious, and the threat of cyber economic espionage is mounting. Some estimate that, every year, the U.S. loses more than $300 billion from theft of our intellectual property. That figure is about equivalent to the current annual level of U.S. exports to Asia. Losses of that magnitude cost the American economy untold numbers of jobs. They reduce the profit that American firms make from research and development, which in turn reduces the incentives and resources for innovation. As U.S. Attorney David Hickton said on Monday, “When these cyber-intrusions occur, production slows, plants close, workers get laid off and lose their homes.” Such activity also undermines the trust between countries and companies that is necessary to do business in a globalized economy. And our companies cannot face it alone. Companies cannot depend solely on their antivirus software to defend against attackers linked to deep state military budgets. It’s not a fair fight. To defend against those empowered by a government, we need our government on our side.
We must support our entrepreneurs by using every tool we have, to prevent, deter, and disrupt this conduct in any way we can. And likewise, we need you. Just as the local police can’t control crime without victims calling in those crimes, our law enforcement officials, too, need cooperation from victims. It’s our hope that the more cases we bring and the more perpetrators we bring to justice, the higher the level of cooperation we’re likely to receive. We cannot let this conduct go undeterred. Doing so would threaten our nation’s security.
Deterring Cyber-Enabled Economic Espionage
Cases like the Pittsburgh case will have a deterrent effect. To those critics who raise questions about whether these charges will have any impact in light of the challenges associated with arresting and trying these individuals – the deterrent effect of charges can be significant. General Keith Alexander, former NSA Director, explained that “the only way to deter cyber attack is to work to catch perpetrators and take strong and public action when we do.” FBI Director Mueller called for figuring out who is targeting us and going after them, saying: “We must remember that behind every intrusion is a person responsible for that intrusion—a warm body behind the keyboard, whether he or she sits in Tehran or Tucson; Shanghai or Seattle; Bucharest or the Bronx. Our ultimate goal must be to identify and deter the persons behind the keyboards.”
The government and private sector alike are increasing the call for prosecuting cyber theft of trade secrets. We need to prevent attacks. And deterrence helps. Prosecutions can simultaneously punish those who have already committed bad acts and deter those who might otherwise commit bad acts in the future. In other words, by going after these crimes, we can help to stop the next group of criminals. It is, of course, possible that we will never obtain custody. But even if these five defendants evade arrest, laying bare this criminal activity takes it out of the shadows.
Law Enforcement: One Piece of the Puzzle
Law enforcement investigations can also support other valuable tools. Criminal charges can justify economic sanctions from our colleagues in the Treasury Department, sanctions that prevent criminals from engaging in financial transactions with U.S. entities and deny access to the U.S. financial system. They can facilitate diplomacy by the State Department, as our nation’s diplomats lay out evidence of state-sponsored cyber theft to foreign government officials and force them to answer for those actions, or coordinate with other victimized countries. Furthermore, the investigations themselves can lead other governments to take action, even when the United States doesn’t end up doing so. So, we will continue to bring these kinds of cases. However, it is not easy.
Prosecutions like this present unique challenges. Cases can take years to investigate, and it can sometimes be tough to attribute the unlawful activity to particular individuals. They involve difficult decisions regarding how to protect sensitive sources and methods. And even after charging, it can be challenging to obtain custody of the defendants and bring them to justice. But difficult does not mean impossible, and the status quo simply will not do. As the Attorney General said earlier this week in announcing these charges, “enough is enough.” We would not stand idly by as people hauled away our wealth in trucks. Likewise, we cannot allow it to be sucked out through the Internet.
The indictment I’ve been discussing is an important first step. But it must be just that – the first. Prosecutions will not do it alone. We need to build on this success and keep responding—with prosecutions where possible and with all of the other tools in our toolkit. We need to keep at it, and we appreciate the bipartisan support we’ve received from Congress, including particularly supportive words from Senators King and Whitehouse as well as from the House Intelligence and Homeland Security Committees. Many of these individuals provided resources and encouragement as we undertook transformation. We must continue until our adversaries realize that the costs of stealing from our companies outweigh the benefits.
Cyber Defense – Empowering victims
So far, we talked primarily about criminal prosecution and other tools. But we recognize that stopping attacks before they ever take place is the ultimate goal. We will have succeeded when there are no more criminal charges to bring. To that end, we also worked hard to improve cyber defenses, both in Government and with the private sector. The FBI works closely with companies that have been the victims of hackers through, among other things, its InfraGard program. That program, which has more than 25,000 active members, brings together individuals in law enforcement, government, the private sector, and academia to talk about how to protect our critical infrastructure. Likewise, the Department of Homeland Security, the Department of Energy, and other departments and agencies routinely work closely with companies to protect critical infrastructure.
The Department heard from you and is taking steps to respond to the concerns of the private sector. Just last month, we teamed up with the Federal Trade Commission to issue a policy statement making it clear that antitrust law is not and should not be a bar to legitimate cyber security information sharing. And earlier this month, the Justice Department issued a white paper, which clarifies that the Stored Communications Act doesn’t ordinarily restrict network operators from sharing certain data with the Government to guard information. This guidance will help the private sector collaborate more freely to protect itself. All of this is just a start. Going forward, we need legislation to facilitate greater information sharing between the private sector and the government.
Educating the Public
The charges announced earlier this week benefit not only victims but also the broader American people, and others worldwide. Chief Justice Burger once noted that criminal prosecutions, as a general matter, have an “educative effect” on the public. While we may appreciate, on a theoretical level, that hacking to steal corporate secrets poses a major national security threat, there’s no substitute for the educative effect that an indictment has. Putting a face at the keyboard, and quantifying the damage done, may help to galvanize all of us to improve our cyber security. It may also make us more vigilant to the economic, military, and geopolitical dangers associated with cyber space. For example, it might lead companies and other entities to examine their connection logs a little bit more closely to see what activities those reveal, and from where.
To wrap up, I want to applaud the dedicated investigators and prosecutors whose hard work produced this week’s important indictment. It’s only a first step but it’s a big step, and it’s part of our growing effort to hold accountable those who steal American innovation. At the same time, we must acknowledge that prosecution alone is, ultimately, just one tool in the broader toolset for addressing the cyber threat. Prosecutions alone will not solve the problem. Trust in government depends, in part, on our ability to defend, protect, and obtain justice for our citizens. Indictments and prosecutions are one clear and powerful way in which we the people, governed by the rule of law, legitimize and prove our allegations. And those actions have real consequences for the criminals they target, and deter those who might otherwise become criminals in the future. We continue to protect Americans from being victimized through cyberspace, and we need your support.
Thank you for your attention. I look forward to questions.