FROM: U.S. JUSTICE DEPARTMENT
Remarks by Assistant Attorney General John Carlin at the U.S. Chamber of Commerce Third Annual Cybersecurity Summit
Washington, DC, United States ~ Tuesday, October 28, 2014
Remarks as Prepared for Delivery
In establishing an annual gathering focused on cybersecurity challenges, the Chamber of Commerce continues to demonstrate its commitment to keeping our nation secure, and to lowering barriers for American businesses to compete fairly in our global economy. The fact that this is your third annual cybersecurity summit is a testament to the growing magnitude of these threats and your commitment to make cybersecurity central to your business plans.
This is an important issue, and one I know the Chamber has emphasized as part of its National Cybersecurity Awareness Campaign, which kicked off in May. In the campaign roundtable events leading up to today’s summit, the Chamber stressed the importance of cyber risk management and reporting cyber incidents to law enforcement. I couldn’t agree with these two recommendations more. Today’s event is our opportunity to discuss how we can take these steps and others to best protect ourselves and our nation.
Cybersecurity threats affect us all – and they affect our privacy, our safety, and our economic vitality. They present collective risk; disrupting them is our collective responsibility. The attackers we face range in sophistication. And when it comes to nation states and terrorists, it is not fair to let the private sector face these threats alone. The government ought to help, and we do.
At the National Security Division, we focus on tackling cyber threats to the national security – in other words, those posed by terrorists and state-sponsored actors. As I will talk about a bit later, we have restructured our division to focus on bringing all tools to bear against these threats.
Likewise, Chamber members have a particularly important role to play in our strategy.
You are living through these consequences with alarming frequency: according to Brookings, 97 percent of Fortune 500 companies have been hacked. PwC released a report this week finding that the number of detected cyberattacks in 2014 increased 48 percent over 2013. As FBI Director James Comey said, “there are two kinds of big companies in America: those who have been hacked . . . and those who don't know they've been hacked.”
We are on notice. We are all targets. I would venture to say everyone in this room has, in their professional or private life, been affected by a cybersecurity breach. At best – a minor inconvenience. A re-issued credit card. At worst – devastation to your company’s reputation, loss of customer trust, and injury to your bottom line.
Without taking proper steps – it is a question of when, not if, a major public breach will happen to you. And with that will come questions about whether you did enough to protect your company, your customers, and your information.
Have you thought ahead to the day when you will have to face your customers, your employees, your board, and your shareholders? When you will have to notify them that someone has infiltrated your company and stolen your most valuable or private information? If that day was today, could you tell them that you’ve done everything in your power to protect your company’s future? Had you warned them of the risks? Would you be able to say that you minimized the damage?
Do you have a plan?
It’s a pretty daunting scenario. So it is no surprise that surveys of general counsels identify cybersecurity as the number one issue on their minds today. But surveys show that over a quarter of Fortune 500 companies still don’t have an established response to cyber intrusions.
This is risky business. We know that we will never achieve impenetrable defenses. That we will remain vulnerable. But you can take steps to mitigate the risk, protect yourselves and your companies, and ultimately, the cybersecurity of the United States.
We have identified four essential components of corporate cyber risk management.
First – equip and educate yourself. Make sure you have a comprehensive—and comprehensible— cyber incident response plan.
And review it. I have spoken with many CEOs and general counsels who have said they have not reviewed, or cannot decipher, their company’s plan. We must do better. These are C-suite decisions. You cannot manage your corporate risk if you do not understand it.
Make sure it addresses the “who,” the “what,” and the “when.”
Who is involved and who needs to be notified?
What will you disclose?
When will you notify clients, law enforcement, and the general public?
Second – know that your business contacts create risk. Malicious actors can exploit your outside vendors—no matter how resilient you think your defenses may be. Consider guidelines to govern third-party access to your network and ensure that your contracts require vendors to adopt appropriate cybersecurity practices.
Third – protect your bottom line. Companies are increasingly considering cyber insurance, and you should consider how this may fit into your risk management strategy. Cyber insurance may offer financial protection, and may also incentivize companies to audit their system’s defenses.
Finally – do not go it alone. Some of our attackers are linked to deep state military budgets. And when they are, it’s not a fair fight for you to take on alone. We must work together.
So working with us can be one more component of your risk-management strategy. As more breaches are publicly acknowledged, the public will ask how quickly and effectively you responded.
As leaders, you will have to answer to your shareholders, board members, customers, the media and the public. You will want to say you did everything you could to mitigate your financial loss. Your company’s bottom line, and your financial reputation, will depend on it. And we can help. We can provide you with information to protect your networks, and we may be able to take actions to disrupt and deter the attackers that you cannot take by yourself. So you are on the front lines of these battles, but we are with you. We are committed to working with you to protect your networks, identify perpetrators, disrupt their efforts, and hold them accountable. At the Department of Justice, this is among our top priorities.
At the National Security Division, we recently appointed new senior leadership to strengthen our capacity to protect national assets from cyberattacks and economic espionage. We created and trained the nation-wide National Security Cyber Specialists’ – or NSCS – Network to focus on combating cyber threats to the national security.
At DOJ, we follow the facts and evidence where they lead – whether to a disgruntled employee or lone hacker working in obscurity; to an organized crime syndicate in Russia; or even to a uniformed member of the Chinese military.
And indictments and prosecutions are a public and powerful way in which we the people, governed by the rule of law, legitimize and prove our allegations. As Attorney General Holder said in May, “enough is enough.” We are aware of no nation that publicly states that theft of information for commercial gain is acceptable. And that’s because it’s not. Nevertheless, in the shadows of their flags, some may encourage and support corporate theft for the profit of state-owned enterprises. We will continue to denounce these actions, including by bringing criminal charges. And we won’t stop until the crimes stop. A core part of the government’s response must be disruption and deterrence, in order to raise the costs to people who commit these thefts and to deter others from emulating their actions.
Of course, we recognize that the criminal justice system is just one tool in our toolbox. In addition to prosecutions, we are working in conjunction with key government partners to explore how to apply designations, sanctions, trade pressure, and other options, to confront new cyber challenges.
These changes will help us fulfill our collective responsibility. And they will help us work with you.
Which is important because we rely on cooperation from the private sector to bring many of these cases, from identifying the malware and its functions, to pinpointing the location of servers commanding botnets, to assisting victims in removing the malicious software from their computers.
Take as one example the take-down of Gameover Zeus and disruption of the Cryptolocker ransomware – a big success for our colleagues in the Criminal Division’s Computer Crimes and Intellectual Property Section and the Western District of Pennsylvania. This take-down would not have been possible without close cooperation. The FBI’s Robert Anderson called it “the largest fusion of law enforcement and industry partner cooperation ever undertaken in support of an FBI cyber operation.”
We recognize that one of the best ways to protect the nation is to support you in your own efforts. In 2013, federal agents informed over 3,000 companies that their computer systems were hacked. And every day, the FBI works with companies targeted by malicious activity, ranging from low-tech denial of service attacks to sophisticated intrusions by elite, state-supported military hacking units.
But, we’re not limited to helping you solely in the aftermath of an intrusion.
Nor do we see our role as only a collector of information.
We also share sensitive information with you so you can defend against attacks in real time, and engage in disruption efforts. In the past year alone, the FBI presented over three dozen classified, sector-specific threat briefings to companies like yours.
The information we share with you may enhance your ability to deter future intrusions. And your engagement with law enforcement can help us connect the dots between your breach and a broader threat.
We may be able to help identify what was stolen from you, locate the perpetrator of the attack, and in certain cases, be able to disrupt planned attacks or mitigate the effects of past intrusions.
Given the importance of this cooperation, the Department of Justice is committed to lowering the barriers to sharing information. Through extensive one-on-one meetings with in-house legal teams, we learned what you perceive to be the legal hurdles to cooperation, and are addressing them.
We’ve clarified that certain laws – such as the Stored Communications Act and antitrust statutes – are not impediments to sharing information with the government in certain situations.
We understand that trust is an essential predicate to voluntary reporting. And in our work with you, we strive to protect your sensitive data – including trade secrets, details of network architecture, and PII.
Bottom line, we can help you manage your risk, and you can help us keep our nation safe.
The 9/11 Commission recently concluded that “we are at September 10th levels in terms of cyber preparedness,” and warned that “history may be repeating itself in the cyber realm.” We must band together to keep that from happening.
At the department, we want to arm ourselves for the threats of today, but prepare ourselves for those that are just over the horizon.
Think about the tools that cyber criminals use – intrusion software, ransomware, and botnets. When used by cyber criminals, these tools are generally used for financial gain. But these tools can also be used to disrupt and destroy. Terrorists have stated they want to exploit cybersecurity vulnerabilities to harm our way of life. Al Qaeda announced its intent to conduct cyberattacks against civilian targets such as the electric grid and financial system.
The Department of Homeland Security recently confirmed it is investigating two dozen cybersecurity flaws in medical devices and hospital equipment that could be exploited to injure or kill a patient with a few strokes on a keyboard. The threats are real.
We must acknowledge that terrorists want to acquire these cyber capabilities and, if they succeed, will not hesitate to deploy them. It is a race against time, and one with high-stakes consequences.
At the department, we are also looking at the gaps that may exist in our authorities. Many of our laws – long on the books – were not written with cyberspace in mind. They don’t necessarily contemplate remote access or extraterritorial crimes, they don’t facilitate multi-jurisdictional investigation, and they don’t always empower us to bring our authorities to bear swiftly and effectively. But we are committed to working with the relevant law- and rule-makers who support modernizing these laws. New cyber legislation, in several different areas, is needed.
I want to conclude my remarks by discussing the changing perceptions of being hacked. Among consumers and industry, there is a growing understanding that companies are going to get breached. But that doesn’t mean you should turn the other way. There is an enormous downside to taking an “ostrich approach” to cyber threats. Consumers expect that companies will adopt industry standards for cybersecurity. And when intrusions happen, consumers expect companies to respond promptly, acknowledge the intrusion publicly, and cooperate with law enforcement to mitigate the damage.
The Chamber of Commerce and its members are uniquely positioned to drive corporate change; to ensure that your companies and your partners treat cyber breaches as more than mere technical problems; to recognize that security operations are not insulated from business operations; and to discuss with your boards, your employees, and your industries the importance of cybersecurity risk management.
As we face ever more threats in cyberspace, let’s incorporate public-private cooperation into our cyber tool kit. The threats aren’t letting up, and neither will we. Thank you very much for inviting me.