ebook img

Sujit Raman, Associate Deputy Attorney General, Statement for the Record for the Senate Committee on the Judiciary, “Cyber Threats to our Nation’s Critical Infrastructure.” August 21, 2018. Unclassified. PDF

0.08 MB·English
Save to my drive
Quick download
Download
Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.

Preview Sujit Raman, Associate Deputy Attorney General, Statement for the Record for the Senate Committee on the Judiciary, “Cyber Threats to our Nation’s Critical Infrastructure.” August 21, 2018. Unclassified.

STATEMENT OF SUJIT RAMAN ASSOCIATE DEPUTY ATTORNEY GENERAL DEPARTMENT OF JUSTICE BEFORE THE SUBCOMMITTEE ON CRIME AND TERRORISM COMMITTEE ON THE JUDICIARY UNITED STATES SENATE AT A HEARING ENTITLED “CYBER THREATS TO OUR NATION’S CRITICAL INFRASTRUCTURE” PRESENTED AUGUST 21, 2018 STATEMENT OF SUJIT RAMAN ASSOCIATE DEPUTY ATTORNEY GENERAL DEPARTMENT OF JUSTICE BEFORE THE SUBCOMMITTEE ON CRIME AND TERRORISM COMMITTEE ON THE JUDICIARY UNITED STATES SENATE AT A HEARING ENTITLED “CYBER THREATS TO OUR NATION’S CRITICAL INFRASTRUCTURE” PRESENTED AUGUST 21, 2018 Good afternoon Chairman Graham, Ranking Member Whitehouse, and distinguished Members of the Subcommittee. Thank you for the opportunity to testify on behalf of the Department of Justice regarding our efforts to combat cyber threats. The Attorney General identified this issue as a priority when he created a Cyber-Digital Task Force within the Department earlier this year. I have the privilege of chairing this Task Force, and as you know, last month the Task Force issued a public report that provides a comprehensive assessment of the cyber-enabled threats confronting our Nation. The Department appreciates the Subcommittee’s interest in making sure that the Department has the tools it needs to disrupt and deter cyber actors who seek to do our Nation harm. As I describe below, the Department’s principal role in responding to cyber threats is the investigation and prosecution of federal crimes, but our investigations can yield more than criminal charges. The Department is committed to using all of the tools at our disposal, including civil injunctions, information sharing, and technical operations, to counter malicious cyber activity, as well as to support our federal partners’ tools, like economic sanctions, diplomatic pressure, intelligence operations, and military action. Successfully protecting the Nation from cyberattacks also requires robust information sharing with the private sector, which is why we work with other departments and agencies to share cybersecurity information beyond the federal government. I will cover three areas in my testimony today. First, I will describe the seriousness of the cyber threats to our critical infrastructure, which includes our election systems. Second, I will discuss how the Department of Justice is responding to those threats, as described in our recent Task Force report. Finally, I will address some of the ways in which Congress can promote the Department’s mission to combat cyber threats, including those aimed at the Nation’s critical infrastructure. I. Cyber Threats to U.S. Critical Infrastructure Cyber threats to critical infrastructure deserve particular attention, because our Nation’s critical infrastructure provides the essential services that underpin American society and serves as the backbone of our economy, security, and health systems. Critical infrastructure includes the financial services sector, the electrical grid, dams, electoral systems, and over a dozen other sectors of society. Those assets, systems, and networks are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on our national security, national economic security, or our national public health or safety — or any combination thereof.1 Our adversaries seek to identify and exploit vulnerabilities in the sophisticated computer networks that these sectors employ. It is important to note that private entities own and operate the vast majority of the Nation’s critical infrastructure. Therefore, securing U.S. critical infrastructure is a shared responsibility. The Department recognizes that the private sector requires timely cyber threat information to secure its systems. Accordingly, the Federal Bureau of Investigation (“FBI”) makes threat information available to affected sectors through briefings and widely distributed technical alerts developed jointly with the Department of Homeland Security (“DHS”). In March 2018, for example, the FBI and DHS announced that Russian government cyber actors had “targeted government entities and multiple U.S. critical infrastructure sectors, including the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors.”2 The technical alert described a multistage Russian intrusion campaign that compromised small commercial facilities’ networks. Russian cyber actors used the networks to stage malware and to conduct spear-phishing attacks, which allowed the Russians to gain remote access into energy sector networks. The Russian cyber actors then explored those networks and moved across the networks to collect information pertaining to Industrial Control Systems. To respond to this nefarious cyber activity, information uncovered as part of this investigation led, at least in part, to economic sanctions against Russia when the Treasury Department announced sanctions against five Russian entities and nineteen Russian individuals on March 15, 2018.3 142 U.S.C. § 5195c(e). 2Alert TA18-074A, “Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure,” U.S. COMPUTER EMERGENCY READINESS TEAM, U.S. DEPT. OF HOMELAND SECURITY (March 15, 2018), available at: https://www.us-cert.gov/ncas/alerts/TA18-074A (last accessed August 7, 2018). For information regarding more recent Russian cyber threats, see, e.g., Press Release, “Justice Department Announces Actions to Disrupt Advanced Persistent Threat 28 Botnet of Infected Routers and Network Storage Devices,” U.S. DEPT. OF JUSTICE (May 23, 2018), available at: https://www.justice.gov/opa/pr/justice-department-announces-actions-disrupt-advanced-persistent-threat-28-botnet- infected (last accessed August 7, 2018). 3Press Release, “Treasury Sanctions Russian Cyber Actors for Interference with the 2016 U.S. Elections and Malicious Cyber-Attacks,” U.S. DEPT. OF TREASURY (March 15, 2018), available at: https://home.treasury.gov/index.php/news/press-releases/sm0312 (last accessed August 7, 2018). - 2 - Cyber operations could also target our election systems. For example, adversaries could use cyber-enabled means to target voter registration databases and voting machines. In fact, the Intelligence Community assessed in 2017 that Russian intelligence “accessed elements of multiple state or local electoral boards” during the 2016 U.S. presidential election.4 DHS has assessed that the types of systems the Russian cyber actors targeted or compromised were not involved in vote tallying,5 and to our knowledge, no foreign government has succeeded in perpetrating ballot fraud. Nonetheless, the risk is real. Securing these systems and ensuring the integrity of our elections is one of our utmost priorities. Russia is not the only state sponsor of malicious cyber activity. To take one prominent publicly available example, we know that the Iranian government has targeted our critical infrastructure, specifically our financial sector, with cyberattacks. In response, in March 2016, a federal grand jury indicted seven Iranian hackers belonging to two companies that worked for Iran’s Islamic Revolutionary Guard Corps for their role in Distributed Denial of Service (“DDoS”) attacks targeting the public-facing websites of nearly fifty U.S. banks. These DDoS attacks against the U.S. financial sector began in approximately December 2011, and occurred sporadically until September 2012, at which point they escalated in frequency to a near-weekly basis. At their peak, the attacks disrupted hundreds of thousands of customers’ ability to access their accounts online and conduct transactions, and the affected banks’ remediation costs ran into the tens of millions of dollars. Furthermore, one of the hackers also repeatedly gained access to the Supervisory Control and Data Acquisition (“SCADA”) system of a dam in New York, allowing him to obtain information regarding the dam’s status and operation.6 To take another example — this one involving North Korea — in May 2018, the FBI and DHS issued a technical alert notifying the public about the FBI’s high confidence that malicious North Korean government cyber actors have been using malware since at least 2009 “to target multiple victims globally and in the United States,” across various sectors — including critical infrastructure sectors.7 These examples highlight the varied nature of the cyber threats to our Nation’s critical infrastructure. Preventing and responding to cyber intrusions and attacks requires a strong defense using a coordinated government approach, with the support of the private sector. The Department of Justice plays an important role in this combined effort. 4Office of the Director of National Intelligence, Background to “Assessing Russian Activities and Intentions in Recent U.S. Elections”: The Analytic Process and Cyber Incident Attribution 2 (Jan. 2017) (“ODNI Report”), available at: https://www.dni.gov/files/documents/ICA_2017_01.pdf (last accessed August 7, 2018). 5Id. 6See Indictment in United States v. Ahmad Fathi, et al., No. 16-CRM-48 (S.D.N.Y., March 24, 2016), available at: https://www.justice.gov/opa/fle/834996/download (last accessed August 7, 2018). 7Alert TA18-149A, “HIDDEN COBRA – Joanap Backdoor Trojan and Brambul Server Message Block Worm,” U.S. COMPUTER EMERGENCY READINESS TEAM, U.S. DEPT. OF HOMELAND SECURITY (last revised May 31, 2018), available at: https://www.us-cert.gov/ncas/alerts/TA18-149A (last accessed August 7, 2018). - 3 - II. The Department of Justice’s Role in Combating Cyber Threats The Department of Justice’s core mission is to investigate and prosecute federal crimes, including computer intrusions and attacks, whether perpetrated by a transnational criminal group, a lone hacker, or an officer of a foreign military or intelligence service. Our primary role is to investigate those incidents, determine who was responsible, prosecute them where the evidence supports it, and share intelligence we gather in connection with our investigations. We work closely with our partners across the Government and around the world to arrest such actors, extradite them, prosecute them, and obtain restitution for victims whenever possible. Further, through our Office of Justice Programs, we also support training law enforcement, prosecutors, and public safety officers in cyber-related crimes, both through online and classroom training. This training assists in identifying cyber crimes and infrastructure intrusions, in preparation for either possible State or federal prosecution. These partnerships across the Government are important. To take election infrastructure as an example, other Departments, like DHS, are primarily responsible for designing security standards, helping protect private and government networks, and assisting victims in their recovery from cyberattacks. By contrast, we are responsible for investigating intrusions and attacks, figuring out who perpetrated them, and bringing those malicious actors to justice. Based on our cyber investigations, we also share cybersecurity threat information to help victims protect themselves. As I mentioned at the outset, the Attorney General has prioritized the Department’s efforts to combat cyber-enabled threats. The report that the Attorney General’s Cyber-Digital Task Force issued last month discusses in detail our extensive efforts to help secure the Nation. The report begins in chapter 1 by focusing on the threat posed by malign foreign influence operations. We define such operations as covert actions by foreign governments that are intended to sow division in our society, undermine confidence in our democratic institutions, and otherwise affect political sentiment and public discourse to achieve strategic geopolitical objectives. While cyber operations that target election systems (such as voting machines and voter databases) and related infrastructure represent one aspect of the problem, foreign malign influence operations also are designed to affect the views of American voters, depress voter turnout, or undermine confidence in election results. Chapter 1 of the Task Force report categorizes these operations and outlines the Department’s framework to counter them ahead of the 2018 midterm elections. The chapter also describes the work of the FBI’s Foreign Influence Task Force, which integrates the FBI’s cyber, counterintelligence, counterterrorism, and criminal law enforcement resources to better counter malign foreign influence operations. Finally, chapter 1 announces a new disclosure policy pursuant to which the Department will notify victims, social media providers, or the public, as appropriate, regarding efforts by foreign adversaries to target them in connection with a malign foreign influence operation. - 4 - As the Cyber-Digital Task Force report observes, the Department of Justice plays an important role in combating foreign efforts to interfere in our elections, but the Department is only one part of an effective response. Combating foreign influence operations requires a whole- of-society approach involving coordinated actions by federal, State, and local government agencies, including State and local agencies that are responsible for election systems; cooperation from victims and the private sector, including social media companies; and the active engagement of an informed public. In chapters 2 and 3, the Task Force report discusses other significant cyber-enabled threats confronting our Nation, including attacks intended to damage computer systems; data theft; fraud schemes; crimes threatening personal privacy, such as sextortion and other forms of blackmail and harassment; and attacks on critical infrastructure. These chapters detail the important work that the Department of Justice is doing to keep America safe in the face of these complex and evolving threats. Chapter 4 focuses on a critical aspect of the Department’s mission in which the FBI plays a lead role, namely, responding to cyber incidents. Chapter 5 then turns inward, focusing on the Department’s efforts to recruit and train our own personnel on cyber matters. Finally, the report concludes in chapter 6 with observations about certain priority policy matters, including how the global nature of cyber-enabled crime brings with it technological and legal impediments to the Department’s ability to identify and locate malicious actors and bring them to justice, as well as other ideas discussed below. We hope that the report provides the Subcommittee and the public with a better understanding of the Department’s role in combating cyber threats; the tools we rely on to confront these threats; how we support other government efforts to address these threats; and the challenges we continue to face. III. New Ideas to Combat Cyber Threats In the face of these disturbing and ever-increasing threats, I know the Subcommittee has on its mind a key question: How can Congress help, today? The Department continues to explore how to respond to today’s threat of malign foreign influence and whether additional enforcement and disclosure tools would be useful and appropriate. In the meantime, as our Task Force concluded, there are several key changes to federal law that would greatly aid our work to combat threats online. I first want to thank this Subcommittee and, specifically, the Chair and Ranking Member, for their leadership in shepherding the passage of the Clarifying Lawful Overseas Use of Data (“CLOUD”) Act earlier this year. This important piece of legislation will greatly advance the Department’s work and will enhance both security and privacy around the world. We appreciate that Congress has made clear that U.S. law-enforcement orders issued under the Stored Communications Act require the disclosure of data wherever a provider chooses to store that data. The impact of this clarification was immediate and dramatic, making Americans safer and investigations more efficient. As you know, the CLOUD Act also creates incentives for bilateral - 5 - agreements that enable investigators to seek data without causing unnecessary conflicts of laws. These bilateral agreements will help create more efficient processes among rights-respecting countries for solving crime, and will ease the burden on our Nation’s mutual legal assistance procedures. The CLOUD ACT has helped address one of the key challenges facing law enforcement in the area of cybercrime, but many others still exist. I would like to spend most of my time today focusing on areas of concern in the Computer Fraud and Abuse Act (“CFAA”) and related statutes that currently hamper our work to combat threats online. The CFAA is the primary federal law against hacking. It protects the public against criminals who intrude into computers to steal information, install malicious software, and delete files. It was also intended to criminalize malicious conduct by insiders who abuse their right of access to computer systems and networks to commit online crime. The CFAA, in short, reflects our baseline expectation that people are entitled to have control over their own computers and are entitled to trust that the information they store in their computers remains safe. The CFAA was enacted in 1986, at a time when the problem of online crime was still in its infancy. Over the years, Congress has enacted a series of measured, modest changes to the CFAA to encompass new technologies and to equip law enforcement to respond to changing threats. The CFAA has not been amended since 2008, however, and the intervening years have again witnessed the need for the enactment of modest, incremental changes. The CFAA needs to be updated to make sure that it continues to appropriately deter violations of Americans’ privacy and security. A. Deterring insider threats The CFAA is a privacy statute. It deters criminals from stealing peoples’ information. Yet, the CFAA’s privacy protections now contain a significant gap. The statute was meant to apply both to hackers who gain access to victim computers without authorization from halfway around the world, and to so-called “insiders” who have some authorization to access a computer — like company employees entitled to access a sensitive database for specified work purposes — but who intentionally abuse that access. The part of the CFAA that covers the conduct of those who have some authorization to access a computer is the tool that Department prosecutors have used to charge, for example, police officers who misuse their access to confidential criminal records databases in order to look up sensitive information about a boyfriend or girlfriend, who sell access to private records to others, or who provide confidential law enforcement information to a charged drug trafficker. As a recent survey of 472 cybersecurity professionals indicated, 90% percent of organizations feel vulnerable to insider attacks, and 53% have confirmed insider attacks against their organization in the previous 12 months. The survey also found that the type of data most vulnerable to insider attacks is - 6 - confidential business information, and that a plurality of those surveyed estimated that the potential cost/loss of an insider attack was between $100,000 and $500,000.8 Unfortunately, recent judicial decisions have limited the Government’s ability to prosecute such cases. As a result of these decisions, insiders cannot be charged under the CFAA — even where the insider has intentionally exceeded the bounds of his legitimate access to confidential information and has caused significant harm to his employer and to the people, often everyday Americans, whose data he has improperly accessed. The insider threat is relevant to voting security. Currently, for example, if a foreign hacker accessed a State’s voter registration database over the Internet, that could be charged under the CFAA as an access “without authorization.” But if an insider, such as a State government employee, used his privileges to access the same information, that insider could not be prosecuted under the CFAA, at least as several courts have interpreted the statute. The narrow judicial interpretation of the term “exceeds authorized access” in the CFAA stems from concerns that the statute potentially makes relatively trivial conduct a federal crime. One frequently cited hypothetical along these lines is the theoretical threat of prosecution faced by an employee who uses the Internet to check baseball scores at lunchtime in violation of his employer’s strict business-only Internet use policy. We understand the concerns of the courts, and I would like to reiterate that the Department of Justice has no interest in prosecuting harmless violations of use restrictions like these. However, by essentially barring all CFAA prosecutions of insiders, these court decisions have constrained our ability to bring certain cybercriminals to justice. Over the last several years, numerous Department of Justice officials have called on Congress to address this issue in a manner that would maintain the law’s key privacy-protecting function, while ensuring that trivial violations of things like a website’s terms of service do not constitute federal crimes. The Department supports efforts that would accomplish this task. This can be done by clarifying that the definition of “exceeds authorized access” includes the situation where the person accesses the computer for a purpose that he knows is not authorized by the computer owner. This clarification is necessary to permit the prosecution of, for example, a law enforcement officer who is permitted access to criminal records databases, but only for official business purposes. At the same time, a legislative fix could add new limitations to make clear that trivial conduct does not constitute a crime. For example, a limitation could be put into the CFAA making clear that in order to constitute a crime under the new insider provision, not only must an offender access a protected computer in excess of authorization and obtain information, but the information must be worth $5,000 or more, the access must be in furtherance of a separate felony offense, or the information must be stored on a government computer. 8Crowd Research Partners, “Insider Threat: 2018 Report,” available at: http://crowdresearchpartners.com/wp-content/uploads/2017/07/Insider-Threat-Report-2018.pdf (last accessed August 7, 2018). - 7 - We strongly believe that the insider threat problem in the CFAA can be fixed in a way that ensures the CFAA does not inadvertently cover trivial conduct, while empowering the Department to prosecute and deter significant threats to privacy and security. Of all of the reforms to the CFAA under consideration by this Subcommittee, addressing this problem would have the most immediate, significant impact in improving our ability to punish and deter cybercriminals. We would like to work closely with Congress and, specifically, this Subcommittee, to find a way forward on this pressing issue. B. Certain malicious activities as RICO predicates We support the efforts in the proposed International Cybercrime Prevention Act (“ICPA”), sponsored by the Chair and Ranking Member, to update the Racketeering Influenced and Corrupt Organizations Act (“RICO”) to make CFAA offenses and certain Wiretap Act offenses subject to RICO. As computer technology has evolved, it has become a key tool of organized crime. Criminal organizations operating around the world hack into public and private computer systems, including systems key to America’s national security and defense. They hijack computers to steal Americans’ identity and financial information; they extort American businesses with threats to disrupt computers; and they commit a range of other online crimes. Accordingly, much of the fight against transnational organized crime has moved online. federal prosecutors have used RICO for over forty years to prosecute organized criminals ranging from mob bosses to Hells Angels to members of MS-13. Just as RICO has proven to be an effective tool to prosecute the leaders of these organizations who may not have been directly involved in committing the underlying crimes, it should be a tool to fight criminal organizations that use computer intrusions and other CFAA violations to further their schemes. These changes, as proposed in ICPA, would simply make clear that all types of CFAA violations should be considered criminal activities under the RICO statute, with the associated heavy penalties. C. Protecting election computers from attack Protecting election infrastructure from attack is another important goal. Yet, as the Department’s recent Cyber-Digital Task Force report noted, “should hacking of a voting machine occur, the government would not, in many conceivable circumstances, be able to use the CFAA to prosecute the hackers.” The CFAA’s current definition of “protected computer” includes computers “affecting interstate or foreign commerce,” a definition that attempts to encompass the breadth of congressional power under the Commerce Clause. We are concerned that courts might conclude that the Commerce Clause power, alone, does not reach voting machine computers that are not used in a commercial setting, are not used in interstate communication, and are typically never connected to the Internet or to any other network. We believe, however, that Congress could reach such hacking by other means, such as its power to regulate federal elections in Article I, Section 4, of the Constitution. - 8 - Expanding the definition of a protected computer to include electronic voting machines will strengthen confidence in the integrity of our electoral system and ensure that any attempts to manipulate the results of an election can be prosecuted to the fullest extent under federal law. We therefore applaud the introduction of S. 3311, which would accomplish this important goal. D. Botnets Another striking example of online crime that victimizes Americans is the threat from botnets — networks of victim computers surreptitiously infected with malicious software, or “malware.” Once a computer is infected with malware, it can be controlled remotely from another computer with a so-called “command and control” server. Using that control, criminals can steal usernames, passwords, and other personal and financial information from the computer user, or hold computers and computer systems for ransom. Criminals can also use armies of infected computers to commit other crimes, such as DDoS attacks, or to conceal their identities and locations while perpetrating crimes ranging from drug dealing to online child sexual exploitation. The scale and sophistication of the threat posed by botnets is increasing every day. Individual hackers and organized criminal groups are using state-of-the-art techniques to infect hundreds of thousands — sometimes millions — of computers and cause massive financial losses, all while becoming increasingly difficult to detect. If we want security to keep pace with criminals’ technological innovations, we need to ensure that we have a variety of effective tools to combat rapidly evolving cyber threats like these. One powerful tool that the Department has used to disrupt botnets and free victim computers from criminal malware is the civil injunction process. Current law gives federal courts the authority to issue injunctions to stop the ongoing commission of certain crimes by authorizing actions that prevent a continuing and substantial injury. This authority played a critical role in the Department’s successful disruption of the Coreflood botnet in 2011 and of the Gameover Zeus botnet in 2014. (The Gameover Zeus botnet, which infected computers worldwide, inflicted over $100 million in losses on American victims alone, many of them small- and medium-sized businesses.) Because the criminals behind these particular botnets used them to commit fraud against banks and bank customers, existing law allowed the Department to obtain court authority to disrupt the botnets by taking actions such as disabling communications between infected computers and the command and control servers. The problem is that current law permits courts to consider injunctions only for limited categories of crimes, including certain frauds and illegal wiretapping. Botnets, however, can be used for many different types of illegal activity. They can be used to steal sensitive corporate information, to harvest email account addresses, to hack other computers, or to execute denial of service attacks against websites or other computers. Yet — depending on the facts of any given case — these crimes may not constitute fraud or illegal wiretapping. In those cases, courts may lack the statutory authority to consider an application by prosecutors for an injunction to disrupt - 9 -

See more

The list of books you might like

Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.