I’ve been in this job a little over a year and a half. Every day I sit with the Attorney General and FBI Director for the morning threat briefing and each day I read the Presidential Daily Brief. Day-after-day, week-after-week, the intelligence reporting details the astonishing pace, scale and sophistication of cyber threats to the United States.
Hostile nations are accelerating their use of cyber-enabled means to carry out a range of threatening activity. These countries are stealing sensitive technologies, trade secrets, intellectual property and personally identifying information; exerting malign influence and exporting repression; and holding our critical infrastructure at risk to destructive or disruptive attacks.
You don’t need access to classified intelligence to understand what we are up against from countries like China, Russia, Iran and North Korea.
Take just a few snippets from the Intelligence Community (IC)’s public Annual Threat Assessment for this year.
China has compromised telecommunications firms. It conducts cyber intrusions targeting journalists and dissidents in order to suppress the free flow of information. And the PRC is capable of launching cyberattacks that could disrupt U.S. critical infrastructure.
Russia is bolstering its ability to compromise critical infrastructure, such as industrial control systems, in part to demonstrate it has the ability to inflict damage during a crisis. Iran, too, continues to be an aggressive cyber actor, taking advantage of the asymmetric nature of cyberattacks.
And North Korea is turning to illicit cyber activities to steal the funds and technical knowledge it needs to further its military aspirations and Weapons of Mass Destruction (WMD) programs.
Our adversaries also imperil the United States by acting as safe havens for cyber criminals who carry out ransomware attacks and digital extortion for personal profit.
That’s what the intelligence community is willing to say in public about what we are up against – and it’s not a pretty picture.
The good news is that our response to national security cyber threats has gotten more effective in recent years. We are putting hard-earned lessons into practice.
One lesson we’ve learned from our counterterrorism efforts after 9/11 is the importance of ensuring agencies like FBI, Department of Homeland Security (DHS), the IC and Department of Defense (DoD), are working as one team, sharing information and deploying authorities in a coordinated manner.
We are also coordinating government actions with foreign partners and the private sector to empower technical operations, leverage sanctions and trade remedies, and join in diplomatic efforts with like-minded countries. And we are applying the key lesson that effectively combating nation-state cyber threats requires shoring up private sector cybersecurity to make us collectively less vulnerable.
In March, the White House released the National Cybersecurity Strategy in order to drive a “more intentional, more coordinated, and more well-resourced approach to cyber defense.” At the Department of Justice, we are putting that vision into practice. Federal law enforcement wields some of the most powerful tools in our arsenal. In recent years, we have achieved successes in deploying those tools – and we can build on this success.
The Justice Department has never been more effective in identifying, addressing and eliminating cyber threats affecting our nation’s security.
Here is the playbook that’s working. First, as you’d expect of prosecutors, we enforce U.S. criminal law – investigating and prosecuting individuals for illegal cyber activity, imposing costs on them and deterring others. Just a few examples from last year:
We charged three Iranians with conducting a ransomware campaign that targeted hospitals, local governments and organizations all over the world.
We secured a 20-year prison sentence for an individual who leveraged teams of hackers and insiders in a multi-faceted espionage campaign targeting American and European aviation companies on behalf of PRC intelligence.
Shortly after the Russian invasion of Ukraine, we unsealed indictments that publicly demonstrated how two different sets of Russian state-sponsored actors compromised devices at hundreds of critical infrastructure providers around the world, deploying malware designed to enable future physical damage.
We are holding individuals accountable, imposing consequences, and using our indictments to inform the public about the nature of the threats we face, and our adversaries that their actions are not as deniable as they’d like to think.
Second, we are proactive – using the full range of our authorities to disrupt national security cyber threats before a significant attack or intrusion can occur. This includes the innovative use of our legal tools beyond traditional criminal charges.
Just last month, the Justice Department and FBI conducted “Operation Medusa.” This was a technical operation to dismantle and effectively neutralize the “Snake” malware, one of the Russian government’s most sophisticated computer intrusion tools. The FSB had used versions of the Snake malware for nearly 20 years to steal sensitive information from hundreds of computer systems in at least 50 countries, including NATO governments. Through innovative use of our Rule 41 search warrant authority, as well as collaboration with private sector partners and numerous foreign governments, the Justice Department disabled one of the FSB’s most sensitive, complex espionage tools.
Last year, we conducted a court-approved operation to dismantle a GRU botnet that relied on compromised firewall security appliances. Working with the company that manufactured those devices, the FBI developed a court-authorized technical solution to delete the GRU’s malware and close the vulnerabilities in compromised devices.
We have also used our cryptocurrency tracing abilities and our seizure authorities to prevent over $100 million in ill-gotten crypto from being used by North Korea to support its missile programs. These efforts have focused both on hackers, who have stolen hundreds of millions of dollars’ worth of cryptocurrency, and on IT workers who use online platforms to earn illegal revenue. By coordinating asset freezes and sanctions, the U.S. government has stopped the DPRK from accessing a huge portion of their illicit gains, much of which remains stranded on the blockchain.
Finally, we coordinate our efforts with interagency partners, foreign governments and the private sector to use the full force of tools – technical operations, sanctions, trade remedies and diplomatic efforts. For example, in the Iran indictments I mentioned a minute ago, we enhanced the impact of the public indictment by working with Treasury to impose sanctions connecting those defendants to the Islamic Revolutionary Guard Corps.
Intelligence also plays a key role. We share targeted threat intelligence gathered as a result of our investigations to empower private sector companies to defend themselves. For example, following the Colonial Pipeline attack, we were able to acquire information – using Section 702 of FISA – that verified the hacker’s identity and enabled the government to recover the majority of the ransom.
Our commitment to combating these threats using every tool we’ve got is making an impact. We are making it harder for hostile nations to maneuver and recruit by imposing accountability. We are denying our adversaries access to technical infrastructure and cutting off their funding. We’re disrupting the criminal ecosystem by making cybercrime and ransomware less lucrative and higher risk. We are helping the private sector defend itself more effectively with key intelligence and threat information. We’re marshaling the efforts of like-minded nations around the world on both diplomatic and law enforcement fronts.
As determined as our adversaries might be in escalating their brazen activities, they are learning that we are even more determined to protect the United States and our allies.
Since we first charged five members of the PLA in 2014, NSD has been leading the charge with just a handful of dedicated cyber prosecutors, operating on grit, coffee and a shoestring budget. And none of these cases would be possible without the close partnership of enterprising U.S. Attorneys’ Offices. So, I am proud of the work being done in the National Security Division, in U.S. Attorneys’ Offices around the country, at the FBI, and across the Department of Justice.
The cases and disruptions I discussed earlier did not come easy. They’re often fast-paced and span international boundaries; they involve highly technical data and often classified data and demand innovative legal approaches. These are actions that require dedicated time, attention, and expertise. Now, we are aggressively growing our national security cyber program.
Today, I am announcing that we are establishing a new National Security Cyber Section – NatSec Cyber, for short – within the National Security Division. This new, full litigating section – which now has the approval of Congress – will place our work on cyber threats on equal footing with NSD’s Counterterrorism Section and the Counterintelligence and Export Control Section.
This new section will allow NSD to increase the scale and speed of disruption campaigns and prosecutions of nation-state threat actors, state-sponsored cybercriminals, associated money launderers, and other cyber-enabled threats to national security.
The creation of a new section responds to the core findings in Deputy Attorney General Monaco’s Comprehensive Cyber Review, released in July 2022, that charted the evolving nature of the cyber threat. It will help fulfill a core pillar of the Biden Administration’s National Cybersecurity Strategy: to disrupt and dismantle threat actors by working across federal agencies.
NatSec Cyber will give us the horsepower and organizational structure we need to carry out key roles of the Department in this arena. NatSec Cyber prosecutors will be positioned to act quickly, as soon as the FBI or an IC partner identifies a cyber-enabled threat, and to support investigations and disruptions from the earliest stages.
Having prosecutors that are fully dedicated to national security cyber cases will deepen our expertise. It will enable us to better collaborate with our key partners, especially our colleagues in the Criminal Division’s Computer Crimes and Intellectual Property Section, which plays a particularly crucial role in ransomware and other criminal cases. And, in order to more closely integrate with the FBI’s Cyber Division, the NatSec Cyber Section will mirror that structure, organizing leadership by geographical threat actor.
The new section will also serve as a resource for prosecutors in U.S. Attorneys’ Offices around the country. U.S. Attorneys’ Offices, along with FBI field offices, represent the tip of the spear in confronting many of the threats in their districts. Responding to highly technical cyber threats often requires significant time and resources, which aren’t always possible with the demands on individual offices. NatSec Cyber will serve as an incubator, able to invest in the time-intensive and complex investigative work for early-stage cases.
The section will also allow prosecutors to work seamlessly with colleagues focused on the interagency policy process in the National Security Council. That process has become increasingly central to the effective deployment of the government’s cyber capabilities under the leadership of Deputy National Security Advisor for Cyber and Emerging Technologies Anne Neuberger.
Here’s the bottom line: Cybersecurity is a matter of national security. Our cyber adversaries are innovative and constantly adjusting their tactics to hide from our investigators and to overcome our network defenders.
NSD is committed to matching our adversaries by adjusting our tactics and organization to bring all of our tools, authorities and expertise to this fight.
Speaker: Matthew G. Olsen, Assistant Attorney General
Topic(s): Countering Nation-State Threats; National Security; Cybercrime
Component(s): National Security Division (NSD)
Updated June 20, 2023