Assistant Attorney General John P. Carlin Delivers Remarks on Directing, Disrupting and Deterring National Security Cyber Threats at the “Cybersecurity and Law Enforcement: the Cutting Edge” Symposium at Roger Williams University Law School

Remarks as prepared for delivery

Thank you to Peter [Neronha], for your warm introduction and to the Roger Williams University School of Law, for inviting me to today’s event.  And thank you to all those in the audience – academics, students, policymakers, journalists and civil society – for your work in helping solve some of our most pressing cybersecurity issues. 

Today’s event is well timed.  Last night, we unsealed a complaint charging Ardit Ferizi with hacking in support of ISIL.  We have long warned about the convergence of terrorism and the cyber threat, but this case is a first of its kind.  The complaint lays out probable cause to believe that Ferizi provided ISIL with the PII for over 1,000 U.S. government personnel, so that it could be used by ISIL against those individuals. 

But this case also illustrates how the threat continues to blend and blur.  As alleged, Ferizi provided material support to terrorism.  But the complaint also alleges conduct including hacking, identity theft and threats that basically amounted to extortion.

The complaint contains twitter screenshots, emails and logs that connect Ferizi not only to ISIL generally, but to Junaid Hussain specifically.  Hussain was involved in recruiting for ISIL and encouraged lone offenders to attack in the West until he was killed by a U.S. airstrike in August.  Hussain’s tactics were not propaganda, not messaging – but a call to violence. 

As alleged, using the PII provided to him by Ferizi, Junaid Hussain tweeted the names, e-mail addresses, e-mail passwords, locations and phone numbers for approximately 1,351 U.S. military and other government personnel, with the threat that “we are in your emails and computer systems, watching and recording your every move, we have your names and addresses, we are in your emails and social media accounts, we are extracting confidential data and passing on your personal information to the soldiers of the khilafah, who soon with the permission of Allah will strike at your necks in your own lands!” 

Hackers a world away can intrude into our homes with the push of a button to steal from us, to gather intelligence that can be used against us and even to try hurt or kill us.  Stopping them requires cooperation, not only public-private, but also international.  This case required the assistance, close partnership and cooperation of authorities in Malaysia, for which we are grateful. 

This case is the first of its kind, but it is not unique.  Time after time, we have proven that the anonymity of the Internet is no safe haven.  No matter who poses the cyber threat – be it a terrorist today, the North Koreans in the Sony intrusion, the PLA in the Pittsburgh case, or the looming threats of tomorrow, we can and will find you.  And when we do, there will be consequences.  The all-tools approach we embrace allows us to be nimble – to bring the right tools to the fight that allow us to disrupt these threats. 

It is good to be in Rhode Island on a day like today.  This state is home to many cutting-edge cybersecurity practices.  Just this month, the Rhode Island Cybersecurity Commission released its first report and action plan for the development of cyber protection and resiliency in state government operations – a move that rightly recognizes that the answer to cyber threats does not lie solely at the federal level or with the private sector.  States play an integral role to keeping our nation’s infrastructure and assets safe.   

Rhode Island also benefits from a determined congressional delegation that champions cybersecurity and national defense issues.  The department has the privilege to work closely with Senator Sheldon Whitehouse in his role on the Judiciary Committee.  He has been a leader in this field, advocating for greater public-private information sharing and working to ensure that the Department of Justice has the legal tools necessary to combat national security cyber threats.  He also had tremendous foresight, long ago predicting that terrorist organizations would turn to online tactics to support or commit terrorism.  We have also been privileged to work closely with Senator Jack Reed on the Intelligence Committee and Congressman James Langevin, member of both Homeland Security and Armed Services Committees and a former member of the House Permanent Select Committee on Intelligence, both of whom have shown strong leadership on issues of tremendous importance to the Department of Justice.

Today, as the threats we previously forecasted manifest themselves, and as future threats loom large, our collective work to deter and disrupt those who wish to do us harm becomes ever more important.  The threats we face today blur the lines between lone hackers and nation states and between criminal and national security threats.  And the threats we face tomorrow – including increasing threats from terrorists intent on using our own technology against us – illustrate why prevention is so important.

The Threats We Face

As a result of the proliferation of technology – and the myriad ways to exploit it – we face a changing world order in which lone hackers, organized crime syndicates and nation states are all increasingly able to harm our shared networks and our livelihood.  Every sector of the economy is a target – infrastructure, financial institutions, entertainment, agriculture, energy and more.

And hackers come in all shapes and sizes.  We have seen foreign, state-sponsored actors wage destructive attacks intended to coerce and intimidate.  For example, in the Sony attack, North Korean-sponsored hackers damaged computer systems, compromised valuable information, released corporate data and intellectual property at significant cost and threatened employees and customers.

We have also seen state and non-state actors using the Internet to steal our intellectual property and export-controlled information at unprecedented levels.  Similarly, we have seen an uptick in the theft of personally identifiable information in bulk quantities. 

A concerted series of malicious activity targeting OPM – the agency that manages personnel records for federal employees – resulted in the compromise of millions of sensitive records, including background investigation files for national security clearances.

Similar intrusions over the past two years have targeted several major health insurers’ customer financial and medical information and even airline passenger travel reservation records.  Just last month, a New York Blue Cross Blue Shield provider revealed that it was the victim of a massive breach, exposing the data of more than ten million people.

And now, we see ISIL crowdsourcing terrorism – using cyber intrusions to obtain information that, when placed in the hands of terrorists, could prove deadly.  But more than that, they use online tools to their advantage – leveraging social media to call for sympathizers worldwide to conduct attacks and conducting their operational planning through encrypted communications using mainstream technology.

All of this is to say we are on notice.  We are all targets. 

What lies around the corner?  Only time will tell, but where there is data, there is potential for dangerous manipulation, destruction and even death. 

In short, online threats of all types are increasing in frequency, sophistication and scope. 

As a result, we are most secure when the government, the private sector and academia work together to develop the strategies and best practices we can use on secure information access, threat detection and incident response.  Early incident reporting helps ensure we can identify who is behind an intrusion and impose consequences for their actions.  Sharing information helps us harden our defenses.  And when service providers understand how their services can be abused, they can take action to prevent it.  It is the responsible thing to do.  They can help prevent terrorist groups from abusing their services to induce recruits to commit terrorist acts.

This ongoing conversation is essential to keep our nation secure, to protect the privacy of our citizens, to enable American businesses to compete fairly in our global economy and to ensure that U.S. businesses and institutions are resilient in the face of cyber threats.  Because, while we gather here in Rhode Island to work together to make this country safer, our adversaries likewise gather to strategize against us. 

The Role of the National Security Division

Within the Justice Department, the National Security Division – or NSD – focuses on cyber threats to the national security – those posed by terrorists and nation states.

Our approach to these threats is rooted in our division’s history.  NSD was created in response to the grave threat of terrorism.  After the devastating attacks of September 11^th, it became clear that the Justice Department needed to reorganize to tackle terrorism and national security threats more effectively.

We needed a single division to integrate the work of prosecutors and law enforcement officials with attorneys and analysts in the Intelligence Community.  So, nearly a decade ago, Congress created the department’s first new litigating division in almost half a century: NSD.

In the years after NSD was created, it became increasingly clear that the same things that motivated our creation and guided our efforts to combat terrorism were equally true in cybersecurity. 

In late fall of 2011, ten years after 9/11, we established a review group to evaluate NSD’s existing work on national security threats and chart out a plan for the future.  Six months later, that team issued recommendations that shaped what NSD’s national security cyber program looks like today.

One of our first actions, in 2012, was to create and train the National Security Cyber Specialists’ Network to focus on combating cyber threats to the national security.   This Network – known as NSCS – includes prosecutors from every U.S. Attorney’s Office around the country, along with experts from the department’s Computer Crime and Intellectual Property Section and attorneys from across all parts of NSD.

We created the Network to bring criminal investigation and prosecution tools to bear on U.S. cybersecurity efforts.  And, in May 2014, the investment paid off.  The department announced unprecedented charges against five members of the Chinese military for computer hacking, economic espionage and other offenses directed at six American victims in the U.S. nuclear power, metals and solar products industries.

But we also realized that prosecution is only one of the many tools the U.S. government brings to bear.  So NSD restructured and adapted to support a whole-of-government approach to national security cyber threats.  Criminal prosecution, sanctions, trade pressure and diplomatic options are just some of the responses available to us as we combat online threats to the national security.

Our attorneys live by that whole-of-government approach.  We work with our government partners to pick the best tool or combination of tools to get the job done under the rule of law. 

We ensure that we have the necessary expertise no matter who is behind the threat, what their motivation is, or what tool we need to use. 

Under unified NSD leadership, we have integrated the department’s full range of national security expertise under one roof and we bring broad and varied skills and knowledge to cyber challenges. 

Our Response: U.S. Government All-Tools Approach

Our whole-of-government approach is calibrated to raise the costs of state-sponsored offenses against our nation.  We want to reach the point where the costs outweigh the benefits of targeting our systems and stealing our data. 

And we have recently seen encouraging developments in this area.  As just one example, last spring, our indictment of uniformed members of the Chinese military was met with denials, but no commitments.

China similarly objected when President Barack Obama signed an executive order that provides a new means to impose sanctions on individuals or entities that engage in significant malicious cyber-enabled activities that could threaten the national security, foreign policy, or economic health or financial stability of the United States.

But, during the historic state visit last month, Chinese President Xi Jinping for the first time publicly declared that, “China strongly opposes and combats the theft of commercial secrets and other kinds of hacking attacks.”  And the United States and China agreed that neither country’s government will conduct, or knowingly support, cyber-enabled theft of trade secrets or confidential business information with the intent of providing competitive advantage to companies or commercial sectors. 

Our commitment to deterrence made a difference.  It was true when we said it in May 2014 following the PLA indictment and it remains true today: we are aware of no nation that publicly states that theft of information for commercial gain is acceptable.  And now, China has said for the first time that it will not conduct or knowingly support cyber-enabled theft of intellectual property for commercial gain.

What lies ahead remains to be seen.  As the President said, “the question now is, are words followed by actions?”  

But, cyber security threats are not going away, and, when diplomacy fails, we remain committed to deterrence through the use of all available tools.

The criminal justice system will continue to be part of that strategy.  Even when indictments do not lead to defendants in courtrooms, they are valuable.  Indictments deter future would-be wrongdoers and reassure victims of online attacks that the U.S. government vindicates their rights.  Just as importantly, they help crystallize norms against this kind of behavior. 

The cyber executive order, which President Obama signed in April of this year, similarly helps us deter wrongdoers.  Of particular interest, the order will allow us to hold accountable companies that knowingly receive or use trade secrets stolen through cyber-enabled means.  These beneficiary companies are taking advantage of the hard work of Americans and harming our competitiveness.

This executive order – and the consequences for entities sanctioned under it – should make companies think twice before hiring hackers or making use of information that they know was stolen.  If they don’t, we will take appropriate actions, which can include sanctioning those companies and cutting off their access to U.S. markets.  This is the same approach we have taken in counterterrorism and counter-proliferation.

Some of the nations that steal from us also have obligations under international trade agreements, committing them to protect intellectual property rights.  Our colleagues in the office of the U.S. Trade Representative are currently exploring the tools at their disposal under those agreements, and whether the World Trade Organization and other forums could provide ways to challenge state-sponsored trade secret theft.  

Public Private Partnership

Just as important as what the government does is the collaboration between government and the private sector.  After all, the Internet runs on private infrastructure and the hardware and software that we all use – including in the government – is developed and maintained by the private sector.

After an attack, if an organization works with law enforcement, it puts both in the best possible position to find out exactly what happened and to remediate and prevent further damage.  The evidence is often fleeting, so early notification and access to the data is extremely important.

In addition, we may have seen the same indicators of malicious activity in other attacks, so we can conclude who was responsible and identify possible impacts and means of remediation.  Importantly, it also allows us to share information with other potential victims.  One organization’s vulnerability is everyone’s vulnerability and it is critical that we work together. 

Law enforcement may be able to use legal authorities and tools that are unavailable to non-governmental entities.  Law enforcement can also enlist the assistance of international partners to locate stolen data or identify a perpetrator. 

These tools and relationships can greatly increase the odds of successfully apprehending an intruder or attacker and securing lost data.  Finally, this cooperation is vital to successful prosecutions that, as I explained, can prevent criminals from causing further damage to victim companies and others.

A united front is critical because the threat you face includes hackers with the full backing of their governments or that are part of sophisticated, international criminal syndicates.  They have backup, but so do you—because your government is here to help.

We recently announced a new position within NSD focused on outreach to the private sector.  This position was created in recognition of the importance of relationships and cooperation in cybersecurity.  We understand the importance of prevention and of resilience.  We want to support our private sector partners, whether they simply want to establish early lines of communication or call while under the strain of a continuing network breach.

As we face ever more threats in cyberspace, we must do more to ensure this public-private cooperation.  The conversations we have at these events are critical to keeping our nation secure and to protecting our privacy, our safety and our economic vitality.  The threats are not letting up and neither will we. 

Thanks again for inviting me. I look forward to your questions.