Assistant Attorney General John P. Carlin Delivers Remarks at the U.S. Chamber of Commerce and the American Gaming Association’s 2015 Cybersecurity Summit

Thank you, Ann [Beauchesne], for your warm introduction and for inviting me to today’s event. 

The Chamber and its members are leaders in the national dialogue on cybersecurity challenges and solutions, demonstrating a strong commitment to educating executives about how to protect and defend businesses against cyber attacks.  And throughout its National Cybersecurity Awareness Campaign, launched in May 2014, the Chamber has emphasized the importance of cyber risk management and cyber incidents reporting. 

That is why I am here for my fourth Chamber of Commerce cybersecurity event in 18 months.  The Chamber brings together private sector and government leaders to share information, learn from one other and develop the relationships needed to facilitate cooperation.  When we work together, our nation and our cybersecurity are stronger. 

And we must work together.  The cybersecurity threats we face are varied in scope and sophistication.  They affect our privacy, our safety and our economic vitality.  They present collective risk; disrupting them is our shared responsibility – a responsibility that is growing in complexity as the world we live in changes. 

Together, we have worked to bring about some of that change.  Through public-private cooperation and an all-tools strategy, we have raised the cost of cyber attacks and economic espionage, and made it clear that we will not tolerate the status quo. 

Our actions altered the dialogue, as we predicted they would. 

As just one example, last spring, our indictment of uniformed members of the Chinese military was met with denials, but no commitments. 

Fast forwarding just over one year, during a historic state visit last week, Chinese President Xi Jinping for the first time publicly declared that, “China strongly opposes and combats the theft of commercial secrets and other kinds of hacking attacks.”  And the United States and China agreed that neither country’s government will conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors. 

As the President noted, “the question now is, are words followed by actions?”  Only time will tell. 

Our commitment to deterrence has made a difference, but what lies ahead remains to be seen.  Cyber security threats are not going away.  We remain committed to deterrence through the use of all tools.  We will hold national security hackers to account, but we need your help. 

Sony and Sands

We have learned through experience the difference that cooperation makes.  Whether it is economic espionage or destructive malware, when your attacker has the power of a nation state, you need the power of a nation state to defend yourself.  And we, in return, need you.

The significance of today’s venue cannot be overlooked.  We are here at the site of the first major nation state-sponsored destructive cyber attack in the U.S. because the leadership of the Las Vegas Sands Corporation wants to share lessons learned.  To help others avoid falling victim to such an attack.  In February 2014, Sands Corporation was hit with a cyber attack that froze the company and scared customers.  Ultimately, the intelligence community implicated Iran in the intrusion.

In speaking to the management of Sands, they hoped that their misfortune would put the industry on notice that we are all targets.  Their hardship should be a wakeup call to others – to start preparing and building resilience now, before an attack takes place.

Just imagine – a call from your IT department telling you that you have minutes to decide whether to unplug your company’s network or risk that the damage will spread.  Once you cross that threshold, forget about whether you can reach your businesses in another country, state or city.  Do you know how to reach key employees who are a few floors away, once you have no electronic address book, no lookup function on your phone?  Do you have a hard copy phone directory?  Very few companies can do business without their network.

Also in 2014, while we were still investigating the unprecedented intrusion against Sands, the entertainment industry was hit again, when North Korean hackers attacked Sony Pictures Entertainment.  That attack got the world’s attention.  It should now be clear that we are in a new world where national security threats hit the entertainment industry.  Sectors that never thought about the world of national security now must do so.

But our response in these cases illustrates an important principle.  The government ought to help, and when victims come forward to work with us we can do just that. 

In both cases, the companies reported the incident promptly and worked closely with the FBI on a response.  Both companies have told us their decision to work with the FBI was the right one, and that it helped them weather trying events.

It took a year before the IC publicly implicated Iran in the Sands intrusion, but after Sony, in only a matter of weeks, we publicly named – for the first time – the nation-state responsible for a destructive attack on an American company. 

Attribution alone is significant, because attribution can be very difficult.  But it also allows us to take additional responsive actions with confidence.  These are national security problems.  With attribution, we can employ national security solutions.  That includes holding perpetrators accountable and increasing the cost until we reach the point where the costs outweigh the benefits of targeting our systems and stealing our data.

Whole-of-Government Strategy

The United States employs a comprehensive, all-tools approach to confront malicious actors who seek to harm critical infrastructure, damage computer systems and steal trade secrets and sensitive information.  We must hold attackers accountable and increase the cost of their activity.  Our work is designed to actively disrupt and deter nation states and terrorists until they stop stealing and waging bullying, destructive attacks. 

Whether you are the Syrian Electronic Army, North Korea, ISIL or a state-sponsored hacker, we can and will find you.  And when we do, there will be consequences.

For example, last year, we brought the first-ever charges against state-sponsored actors – five named members of the Chinese People’s Liberation Army Unit 61398 – for computer hacking, economic espionage and other offenses directed at six American companies in the U.S. nuclear power, metals and solar products industries.

It was true when we said it in May 2014 following the PLA indictment, and it remains true today: we are aware of no nation that publicly states that theft of information for commercial gain is acceptable.  To the contrary, China has now said for the first time that it will not conduct or knowingly support cyber-enabled theft of intellectual property for commercial gain.

The criminal justice system is one central and effective component of this disruption effort.  Indictments and prosecutions are a clear and powerful way, governed by the rule of law, to legitimize and prove allegations.  They are necessary but not sufficient tools to bring to the fight.  We must apply our criminal justice tools along with the full range of legally available options to communicate our expectations regarding acceptable online behavior.  We must be strategic; we must evaluate all available options – law enforcement, intelligence, diplomatic, military and economic as appropriate – and use the most appropriate tool to respond.

For example, in the Sony matter, less than two months after the attack, the United States imposed sanctions on North Korea. 

Similarly, earlier this year, President Obama signed an Executive Order that provides a new means to respond to other significant online threats.  The executive order authorizes the government to impose sanctions on individuals or entities that engage in “significant malicious cyber-enabled activities” – activities that could threaten the national security, foreign policy or economy of the United States. 

Some of the nations that steal from us also have obligations under international trade agreements to protect intellectual property rights.  Our colleagues in the office of the U.S. Trade Representative are currently exploring the tools at their disposal under those agreements, and whether the World Trade Organization and other rules could provide ways to challenge state-sponsored trade secret theft.

Value of Partnership

But our tools are only one half of the equation.  We need your help.  Private sector partnership – the kind the Chamber of Commerce emphasizes – is crucial to us.  Next week, I will be in California with Sony CEO Michael Lynton to discuss the value of private-public partnerships to make our nation more secure.  We must get the word out. 

Because the threats we face are blurring the lines between lone hackers and nation states, and between criminal and national security threats, we are facing a changing world order in which lone hackers, organized crime syndicates and nation states are all increasingly able to harm our shared networks and our livelihood.  Every sector of the economy is a target –infrastructure, financial institutions, entertainment, agriculture, energy and more – no one is safe. 

But none of you should have to face that threat on your own, and you don’t have to.  We are here to help.

We share sensitive information with you so you can defend against or disrupt attacks before they happen or in real time.  In the past year alone, the FBI presented over three dozen classified, sector-specific threat briefings to companies. 

In addition, we can compare what we see to other attacks to help us identify who is responsible and possible means of remediation.  Importantly, it also allows us to share information with other potential victims.  One company’s weakness is everyone’s weakness, and it is critical that we work together. 

Finally, law enforcement may be able to use legal authorities and tools that are not available to you.  Law enforcement can also enlist the assistance of international partners to locate stolen data or identify a perpetrator. 

These tools and relationships can greatly increase the odds of successfully apprehending an intruder or attacker and securing lost data. 

At the National Security Division, we have the full range of national security expertise of the Department of Justice under one roof, and we bring this expertise to cyber issues.  To combat online threats to national security, we have a host of tools available, including criminal prosecution, sanctions, designations and diplomatic options, and we have the ability to work with our partners to pick the best tool or combination of tools to get the job done under the rule of law.  Among our top priorities is developing the public-private partnerships required to succeed in our disruption efforts. 

We have a national network of specially-trained National Security Cyber Specialists who focus on combating cyber threats to the national security.  They are available to you 24/7 to help you as you face intrusions and other online threats.   

We are also engaged in a national outreach program designed to deepen our relationship with you.  We understand that the decision whether to call law enforcement, in particular, is difficult.  Companies must weigh numerous considerations that can seem to cut in opposing directions.  What are the ramifications of publicizing this breach?  Will employees be embroiled in lengthy legal proceedings?  Will the government treat my confidential and proprietary information with the care and discretion it deserves? 

We understand these concerns, and we will roll up our sleeves and work with you to try to satisfy them.  We also understand that it can be easier to pick up the phone if you are calling a familiar face.  We are committed to lowering the barriers to cooperation.  I encourage you to talk to us now, before an intrusion.  We are prepared to meet one-on-one with you and your in-house legal teams, executives and security professionals, to develop a relationship and build trust.

No company is immune from malicious cyber activity, and no network wall is high enough to keep a determined, sophisticated actor out of your systems.  When attackers are linked to deep military budgets and resources, it is not a fair fight for the victim to face alone.  The pervasive mentality of blaming the victim of such an attack needs to change.  The focus should be on the response.  And we can work together on that response. 

When faced with a breach, your customers, employees and investors will want to know whether you did everything you could – including working with law enforcement.  Increasingly, they see that as a necessary step; they want to know that you are doing everything you can to address the breach, including informing law enforcement.  This conference is about managing risk and protecting yourselves.  We can help you manage your risk.

You can satisfy them by working closely with us, and in so doing, you will make our nation safer. 

The Chamber of Commerce and its members are uniquely positioned to drive corporate change; to ensure that your companies and your partners treat cyber breaches as more than mere technical problems; to recognize that security operations are not insulated from business operations; and to discuss with your boards, your employees and your industries the importance of cybersecurity risk management. 

As we face ever more threats in cyberspace, let’s incorporate public-private cooperation into our cyber tool kit.  The conversations we have at these events are critical to keeping our nation secure and to lowering barriers for American businesses to compete fairly in our global economy.   The threats are not letting up, and neither will we. 

Thank you very much for inviting me.