Speech

U.S. Attorney Geoffrey S. Berman Delivers Keynote Address at Cyber Crime Symposium Hosted by Homeland Security Investigations New York

Location

New Canaan, CT 06840
United States


Thank you very much for inviting me to speak today on such an important subject.  My office has committed substantial resources to investigating and prosecuting cybercrime.  Our efforts have resulted in significant investigations and prosecutions, a number of which I will discuss today.  Before I do any of that, I want to stress that the successes we have had in this area are the result of the successful partnerships that we have with you and your colleagues and your counterparts at other agencies.

We recognize the importance of our collaboration with our law enforcement partners in every area.  Nowhere is that collaboration more important than in the rapidly evolving area of cyber investigations – an area that was in its infancy when I left the U.S. Attorney’s Office the first time.  I would like to spend a few minutes this morning discussing our work in this area and the particular challenges and opportunities it presents. 

The development of the cyber universe may represent the most fundamental change we have experienced in our lifetimes.  There is not a single aspect of our lives that is not governed (or at least heavily influenced) by cyber technology, by which I mean computers, the internet and the worldwide web.  And, for my office and for this group, there is not a single aspect of our work that is not affected to some extent by cyber technology.  This was not the case even a relatively few years ago.  When I served as an Assistant United States Attorney in the 1990s, the worldwide web was newly created.  Few of us in the U.S. Attorney’s Office had much familiarity with it, and I think that it is safe to say that few law enforcement agencies had any significant cyber expertise.  The change from that environment to the present environment could not be more profound.

Today, everything that we do as investigators and prosecutors has been transformed by technological change.  Because developments in cyber technology have altered the nature of human interaction in fundamental ways, the way in which much criminal conduct occurs has also been altered fundamentally.  The way that we investigate that conduct has changed too.  The speed required to conduct those investigations has changed.  The manner in which we store data and use data has changed.  Conduct that was formerly localized is now international in scope, meaning that the places that we have to go to do our work and the overseas partners with whom we must work have changed.  The way in which we interact with the private sector has changed.  And because we operate in a world that is evolving quickly, in order for us to work effectively in this world and to work together as partners, we are continually having to develop new capabilities and new ways of thinking.

I plan to discuss cybercrime generally, including some of the prosecutions that we have brought, as well as the characteristics that make cybercrime unique.  I want to place special emphasis this morning on the need to develop our relationships with the private sector.  In that regard, I will discuss how we overcome certain myths that are prevalent in the private sector and that impede investigations. 

Some – maybe even much – of what I will say may be familiar to you.  In any case, I hope that the perspective I provide will help you to better understand my office’s work and help us find new ways that we can collaborate together to meet the new criminal threats we face.

When we talk about cybercrime, we are really talking about both cybercrime and cyber-enabled crime.  Cybercrime, strictly speaking, refers to various forms of “hacking” into computer systems and databases.  Cyber-enabled crime refers to traditional criminal conduct that has been enabled by cyber technology.  Examples include the use of the “dark web” to sell narcotics or to transmit child pornography. 

Historically, cybercrime could be categorized broadly as follows:

  1. Conduct related to National Security – i.e., hacking sponsored by foreign governments.
  2. For Profit Hacking – i.e., hacking – often conducted by organized criminal groups – designed to generate a profit through the sale of stolen data.  An example would be “ransomware” attacks in which hackers steal information from a computer system and threaten to release that information or to destroy it unless a ransom is paid.
  3. “Hacktivism” – hacking – like that conducted by the well-known and amorphous group “Anonymous” – which purports to hack in support of a cause.
  4. Dark Web (and the use of cryptocurrency) – which offer a hidden and protected venue for criminal behaviors like the sale of narcotics, the laundering of money or the transmission of child pornography.

As befits an area that is so dynamic, cybercrime now routinely touches on more than one of these categories.  Put another way, recognizing that the data held in institutional or personal computer systems is very valuable, hackers will steal that data and then offer to sell it to other actors (nation states, other criminal groups or even Hacktivists).  And that is a fundamental point.  We are dealing with all manner of actors who are using cyber technologies to commit all manner of crime.  In fact, one of the trends that we see in our investigations is the use of Dark Web marketplaces for hiring hackers and selling user-friendly tool kits for hacking into computer systems.  In either case, the person seeking to hire a hacker or to purchase hacking tools does not themselves have to be sophisticated.  They simply have to want to engage in cybercrime.  The upshot is that the Dark Web is making it easier for more criminals to become cyber criminals.

My office has prosecuted conduct that would fall under each of the categories I mentioned.  I would like to review some of those matters with you because they are illustrative of the criminal conduct we are fighting and on which you are focusing today at this symposium. 

The priority that my office gives to cybercrime investigations is reflected in the name that we have given the unit that conducts the investigations:  Cybercrime and Complex Frauds.  This afternoon, you will be hearing from one of the chiefs of that unit, Tim Howard.  Tim is a remarkably talented investigator and prosecutor with impressive expertise in cyber matters. 

Over the last decade, my office has handled many, many cyber investigations.  Here are a few that reflect the scope of our work:

  1. United States v. Alonzo Knowles.  In 2016, working with HSI, my office convicted Alonzo Knowles on charges of criminal copyright infringement of scripts of movies and television shows that had not yet aired and identity theft of personal information.  Knowles hacked the private emails of celebrities in entertainment and professional sports.  Knowles then sought to sell what he had stolen, including unreleased movie and television scripts.  Knowles received a sentence of five years’ imprisonment – a term that was lengthened because Knowles boasted while he was incarcerated and awaiting sentence that upon his release he was going to write a book that would “shake up Hollywood.”

The Knowles prosecution is an obvious example of the kind of hacking for profit that seems to have become epidemic.  We have prosecuted many other such cases.  For instance, in United States v. Gary Shalon, we convicted five individuals for stealing the data of 80 million bank customers – at the time, the largest theft of customer data from a U.S. financial institution in history – and using that data to engage in an extensive “pump-and-dump” scheme targeting the customers whose personal information was compromised as a result of the hack.  In addition, the co-conspirators engaged in a number of other online criminal schemes, including operating unlawful internet gambling businesses and acting as payment processors for illegal pharmaceutical companies and malware distributors.  They even owned and operated an illegal Bitcoin exchange that operated in violation of federal anti-money laundering laws.

I could spend the rest of my time this morning regaling you with cases of hacking for profit – including a case in which HBO was targeted and one in which employees of Facebook and Google were targeted.  But cybercrime is much broader in scope than simply hacking for profit.

  2. As I just mentioned, the Dark Web is an expanding source of criminal conduct.  One of the most highly publicized cybercrime prosecutions involving the Dark Web was the prosecution of Ross Ulbricht for operating the Silk Road underground website, which, between 2011 and 2013, distributed over $200 million of contraband narcotics, fraudulent identification documents, computer hacking tools and services and money laundering services.  The case was brought by my office with the extraordinary assistance of HSI, the IRS and the FBI.

Remarkably, HSI was able to arrange for an undercover agent to infiltrate the staff of the Silk Road website.  HSI’s work was so groundbreaking that it is currently used as a model for running undercover operations on the Dark Web.  (Tim Howard, whom you will hear later, was one of the prosecutors who handled that case.)  Ulbricht, the defendant, was sentenced to life in prison.  As successful as the prosecution of Ulbricht was and other, similar prosecutions have been, the use of the Dark Web and the use of cryptocurrencies by criminals seeking to hide illegal conduct continues to grow.

  3. As you know, hacking can involve matters of national security.  My office has handled and continues to handle a number of national security cyber investigations.  I will mention three recent prosecutions.  In 2018, we announced charges against nine owners, employees and hackers for hire associated with the Iran-based Mabna Institute, which, according to the charges in the indictment, conducted extensive computer hacking campaigns on behalf of Iran’s Islamic Revolutionary Guard Corps.  The Mabna Institute hacking campaigns included:  (i) a campaign to hack universities to steal academic materials and research, which resulted in the compromise of over 8,000 professor accounts across 144 U.S.-based universities, and 176 foreign universities in 20 countries; and (ii) a campaign to hack into private sector companies, government institutions and NGOs to steal proprietary data, which resulted in the compromise of data from 47 domestic and foreign companies, the U.S. Department of Labor, the Federal Energy Regulatory Commission, the State of Hawaii, the State of Indiana, the United Nations, and the United Nations Children’s Fund (better known as UNICEF).
  4. In another cyber investigation involving national security, also in 2018, my office charged two China-based hackers associated with a hacking group known in the cybersecurity community as “APT 10” (APT standing for “Advanced Persistent Threat”), whom we allege conducted cyber intrusions on behalf of the Chinese Ministry of State Security for over a decade.  Among other things, these defendants (Zhu Hua and Zhang Shilong) are alleged to have targeted and compromised systems belonging to over 45 technology companies and U.S. Government agencies, and also to have compromised Managed Service Providers to leverage access to computers and computer networks of the Managed Service Providers’ clients in order to steal their intellectual property.  The meticulous investigation underlying this case represents an outstanding example of our work to combat persistent and ongoing Chinese government-sponsored efforts to conduct commercial espionage through the use of computer hacking and other unlawful means.
  5. I would be remiss if I did not mention one more investigation related to national security, the Financial Industry DDoS (or Distributed Denial of Service) Case.  In 2016, my office charged seven Iranian nationals for conducting a state-sponsored, coordinated, sustained series of DDoS attacks against the U.S. Financial Sector between 2011 and 2013.  The seven defendants were associated with two Iran-based cybersecurity companies, ITSecTeam and Mersad, which operated as fronts for the Iranian government’s offensive cyber operations.  During the campaign, the defendants leveraged large botnets consisting of thousands of compromised servers around the world to systematically send malicious Internet traffic to servers belonging to 46 U.S. banks, which resulted in disabling the servers and costing the banks tens of millions of dollars to remediate.  In a particularly disturbing part of the case, the indictment separately charged one of the ITSecTeam defendants, Hamid Firoozi, with the 2013 compromise of the Supervisory Control and Data Acquisition systems of the Bowman Dam in Rye, New York.  Had the sluice gate (the gate that controls the flow of water released through the dam) not been disconnected from the system for maintenance – which was a coincidence – the compromise would have allowed the Iranian government to remotely control the operations of the dam.
  6. Finally, let me mention an example of a “hacktivist” prosecution.  (These kinds of prosecutions have been in the news recently because of the recent arrest in London of WikiLeaks founder Julian Assange.)  In 2013, my office convicted Jeremy Hammond, a/k/a “Anarchos,” for conducting a number of hacks for AntiSec, the hacktivist subset of the hacker group Anonymous.  Among other things, Hammond hacked into computer systems belonging to the FBI, the Arizona Department of Public Safety and other police departments around the country, as well as into the system of a global intelligence firm (named Strategic Forecasting, Inc.).  Hammond would regularly leak the fruits of his hacking online, including home addresses of law enforcement officers, and financial information such as credit card data for thousands of individuals.  Hammond received a prison sentence of 10 years.
  7. Speaking of Julian Assange and WikiLeaks, my office is prosecuting a former CIA employee named Jason Schulte for unlawfully obtaining classified information from CIA networks and providing it to WikiLeaks.

As the description of these cases makes clear – and as this group knows all too well – cybercrime is serious and widespread.  And, it’s increasing.

There are several ways in which cybercrime differs materially from other types of criminal conduct.   These differences affect how we handle cybercrime investigations and how we work with you.

  1. Speed. Cybercrimes occur rapidly and the need for speedy action is paramount.
  2. Constant Evolution.  Cybercrime is continually evolving as new programs, new security protections and new forms of malware develop.
  3. International.  Cybercrime is international in scope and requires much more work with foreign governments and foreign law enforcement partners.
  4. Different Relationship with Private Sector. Our relationship with private sector actors (often the victims of misconduct) differs markedly in cybercrime investigations.

I will discuss each one of these characteristics in turn.

The need for speed.  Responding expeditiously to suspected criminal conduct is always important.  That is especially true in the case of cyber investigations.  Because of the speed with which electronic transactions occur and because electronic evidence dissipates over time, we must always be prepared to move quickly.  Doing so maximizes the chances of a successful investigation or prosecution and also allows us to take other steps that will disrupt the hacking activity.  In fact, in some instances, you and we have been advised of hacking while the hackers were still “live” on the system – a situation that requires nearly instantaneous action and that also provides us with considerable investigative opportunities, including the ability to issue domestic and international preservation orders through the 24/7 Network to capture critical forensic footprints before they are deleted by hackers.  (The 24/7 Network, as this group knows, is an international arrangement through the Budapest Convention that requires member states to preserve computer network infrastructure within 24 hours if notified by other member countries.)

Constant Evolution.  In the context of warfare, it has been said that generals are always preparing to fight the last war.  That is the danger that we face with cybercrime, which evolves at lightning speed.  We cannot rest on our laurels or rely on our ability to combat the malware and hacking techniques that exist today.  Tomorrow, it will be different and more dangerous.  That is why this symposium is so important.  By getting together and sharing ideas and thinking collaboratively, we increase our capabilities and the seeds of future cybercrime fighting strategies are planted.

That collaboration must include overseas partners, and it must include the private sector.

International in scope.  Cybercrime is international in scope.  Stating the obvious, because cyber activities occur across borders, so does criminal conduct.  Some of that trans-border activity is simply opportunistic.  That is, a hacker simply hacks into a server in another country because that server presents a good target.  However, in many instances, the international character of cybercrime is the result of other factors.  For starters, in some parts of the world, launching cyber-attacks on Western governments and businesses is viewed positively, and hackers are celebrities and are cast in a heroic light.  Other considerations are at play too.  Regardless of where they operate, hackers will frequently route attacks through multiple jurisdictions in order to make their conduct harder to investigate.  Sometimes, they will route their attacks through jurisdictions that they know will not work with U.S. law enforcement authorities.

The international character of cybercrime requires that we develop partnerships with foreign law enforcement authorities.  We have done so successfully many times, but much more will need to be done to combat cyber threats. 

Private Sector Collaboration.  The successful investigation and prosecution of cybercrime requires far closer collaboration with the private sector than is typical in other types of investigations.  As is clear from the recitation of cases that I provided earlier, private sector actors are frequently the targets of hacking and the related criminal activity that follows from that hacking.  Their servers are compromised and looted of the valuable data that they contain.  As the victims of this criminal behavior and the source of our evidence, we need their prompt and complete cooperation.  Too often, the private sector resists cooperating fully with us.  I would like to devote some extra time this morning to identifying and discussing three myths that inhibit public-private cooperation in the investigation of cybercrime.

First, private sector victims of cyber-attacks often believe that law enforcement authorities will take over the victim’s network and demand access to sensitive company materials.  As you know, that is simply wrong:

  • We do not require or demand direct access to company servers; data that is required to advance a cyber investigation outside the boundaries of the company’s network often consists of non-content log data reflecting access and malicious activity on the network.
  • We can work efficiently with IT personnel to carve out the data we actually need, and with company counsel to cover the requested data with appropriate legal process.
  • Where an outside third-party vendor is brought in to assist a company with investigating an incident, the vendor frequently collects the logs and other forensic data that we need.  As I mentioned, and as you know, granting quick access to law enforcement can frequently satisfy our initial needs for data to help advance an investigation into the perpetrators of an attack.

Second, private sector actors often believe, understandably but mistakenly, that law enforcement authorities will share information that we collect regarding a cyber-breach with regulators.  This misconception is understandable because there are an ever-increasing number of regulators investigating data breaches, including State Attorneys General, the Federal Trade Commission, and the New York State Department of Financial Services.  And, in many other types of investigations, there is considerable sharing of data among agencies – so long as that data is not subject to some limitation on disclosure – like grand jury material protected by Federal Rule of Criminal Procedure 6(e) or trade secret information protected by statute.   However, cyber investigations differ from other investigations in material ways.

  • For one thing, federal law enforcement agencies view companies recovering from intrusions as victims that deserve protection.  We do not share information that we gather in an intrusion with regulators, and, when approached by regulators, we refer regulators to the victim itself for more information.
  • That said, when a private sector actor, say, a company, asks us to do so, we are willing to validate to regulators that company’s cooperation with our ongoing criminal investigation.  Such validation is valuable.  The FTC has issued guidance indicating that it “likely” will view a company that has suffered a data breach more favorably if that company “cooperated with criminal and other law enforcement agencies in their efforts to apprehend the people responsible for the intrusion.”  It is worth pointing out that cooperation also often strengthens the company’s position before shareholders, insurers, law makers, the media and others.

In other words, far from exposing a company to other hostile investigations, our work with that company in response to a data breach can turn out to be extremely helpful.

Third, the private sector often views information flow as a “one-way street.”  In their view, law enforcement authorities will not share information collected by the investigation with victims.  That is not accurate.  We do not want our partnership with the private sector to be a one-way street.

  • As everyone here should know, where it is allowed, we make our best efforts to provide information to private sector victims.  Admittedly, there is likely to be information that we cannot share.  However, we can often tell victims more about what data was stolen.  We may also be able to provide information, including providing indicators of compromise detected from other similarly-situated victims (without identifying those victims) that will assist companies in remediating and protecting themselves against future intrusions.
  • In certain instances, we can provide context for the threat, and educate senior management (sometimes in classified settings to cleared personnel) about the threat, so that they can better understand the adversary.  Where done in a classified setting, we strive to provide unclassified tear lines, providing clear direction as to what information can be shared more broadly with network defenders at the company.
  • We also work to provide information collected through our investigation – which does not identify particular victims from which data was collected – to the public to help defend and mitigate threats.  Among other things:
    • Where a particular threat impacts a particular industry, we coordinate to have information disseminated through designated Information Sharing Analysis Centers (or ISACs) with their constituencies.
    • We work to provide information to Internet service providers to allow them to issue technical fixes and patches to address vulnerabilities that our investigations discover to be exploited by adversaries.
    • We can coordinate with the FBI to use their FLASH message system to issue public advisories regarding cyber threats, with indicators of compromise that victims can use to help detect and mitigate threats to their networks.

Two of the cases that I mentioned earlier – the Financial Industry DDoS case and the Mabna Institute prosecution – reflect the kind of two-way cooperation with the private sector that is essential for us to carry out our work. 

  • During the 2012-2013 DDoS campaign against the U.S. financial sector, my office and our law enforcement partner (the FBI) helped dozens of victim banks by coordinating weekly meetings during the height of the activity with pre-cleared representatives of victim banks.  Those meetings included classified briefings regarding the Iranian cyber threat.  Additionally, information obtained from victims of the attacks allowed us to gain additional data regarding upstream command and control computer network attack infrastructure through legal process.  Information that was obtained through those efforts was passed back to the victim institutions, through the FS-ISAC (the ISAC covering the financial services sector) and through the FBI FLASH message system.  Prior to the unsealing of the Indictment, my office worked with a major Internet service provider to neutralize malware on compromised customer servers that comprised the botnets used to attack the victim banks.
  • Similarly, during the investigation of the widespread hacks by the Mabna Institute into U.S.-based universities, data obtained from a handful of U.S. universities allowed us to understand the computer network infrastructure used by the Mabna Institute to facilitate the attacks.  Legal process on that infrastructure (including both domestic legal process and MLAT requests) allowed us to find evidence of other servers used by the Mabna Institute to facilitate their attacks, as well as indications that the attacks were far more widespread, impacting thousands of other specific professor accounts at 144 U.S.-based universities in total.

We worked to provide: (a) specific notice to impacted universities regarding accounts that were detected as being compromised at their institutions; (b) general notice to the university community at large with information regarding malicious domains and IP addresses that were used by the Mabna Institute for their attacks; and, (c) general information about the tactics, techniques and procedures used by the Mabna Institute to assist IT departments at those universities.

In addition, the investigation revealed widespread hacks of private sector companies and governmental entities that were conducted through a specific technique called “password spraying” and targeted a specific configuration of Windows Office 365.  Prior to the indictment being unsealed, we coordinated with Microsoft to help them release their own security advisory to their customers, and released an FBI FLASH message to warn the public about the specific tactics and threat.

We must overcome these myths in order to improve our ability to do our work.  That means that part of our job must be to educate the private sector about the important and unique benefits of cooperating promptly with law enforcement authorities when a breach is discovered.  The private sector must understand that sharing information benefits the private sector just as much as it does us.  Close collaboration allows private sector actors to better protect their networks and allows us to identify and warn them (and others) of future malicious activities.

In closing, let me reiterate what I have said and what you already know.  The threat from cybercrime is growing in scope and sophistication.  Together we have made many, many successful cases.  For us to continue to do so, we will need to improve our capabilities, which is precisely what you are doing here today.  Part of that effort will require closer collaboration overseas, and part will require us to work more effectively with the private sector.  Thank you again for inviting me to join you today.  My colleagues and I look forward to continuing to work with you on the important work that you are doing.

Topic: Cybercrime

Updated December 12, 2019