Wednesday, December 14, 2016
Good morning, and thank you, Jim [Lewis], for that kind introduction. I am pleased to be here speaking to you today, and I want to thank the Center for Strategic and International Studies (CSIS) for having me.
Over the past two and a half years, I have had the honor of serving as the Justice Department’s Assistant Attorney General for the Criminal Division – and with that, the responsibility of ensuring that the division and its over 700 prosecutors have the support and authorities they need to fulfill their responsibilities to the American people. I have also had the opportunity to see first-hand the dedication, rigor, intelligence and respect that America’s prosecutors bring to their work every day. As my time as the Assistant Attorney General of the Criminal Division comes to a close, I am incredibly proud of where the division stands today and all that we have accomplished together.
One constant truth about investigating and prosecuting crime is that it is never without its challenges, although the precise nature of the difficulties and obstacles we face changes with the times. Today, some of the most significant hurdles we encounter relate to technology and the Internet.
Innovation in computing, the Internet, and related services has had tremendous benefits for our economy, our ability to connect with others, and the convenience, efficiency, and security of our everyday lives. It has also transformed how we in law enforcement do our jobs by expanding our ability to detect, investigate and prosecute criminal activity.
However, these same innovations permit criminals to more easily victimize Americans, including from afar, while concealing their identities and enabling destruction of evidence. We face an enormous task in responding to these new threats – ranging from botnets and ransomware to online child sexual exploitation and firearms trafficking, to name just a few – and that task is not getting any easier. This morning I will focus on four challenges that have been and must continue to be the center of our work if we intend to succeed:
• First, the growth of sophisticated, global cyber threats;
• Second, dangerous loopholes in our legal authorities;
• Third, the widespread use of warrant-proof encryption; and,
• Fourth, inefficient cross-border access to electronic evidence.
As I will explain in more detail, the past few years have marked some significant progress in some of these areas. We have grown more nimble and effective in cooperative international law enforcement efforts to bring cyber criminals to justice and remediate cybercrime. And we have managed to effect some targeted and common-sense improvements in legal authorities. But in other areas, the challenges remain, and in some cases have become more prominent. Let me begin with the threat. The global nature of the Internet means that criminals now can easily victimize more people within the United States in more dangerous ways, all without ever setting foot here. Some of the most significant criminal activity in recent years is the result of sophisticated criminal groups reaching across our borders from perceived safe harbors. As we rely more and more on network communications to handle virtually every aspect of our lives, the cost of cybercrime will only rise – to over two trillion globally by 2019, according to some estimates – and the United States is a uniquely attractive target.
We have responded first and foremost by aggressively identifying, apprehending, and prosecuting offenders. This past October, for example, the Russian cybercriminal Roman Seleznev was convicted by a jury in Seattle. Seleznev was a hacker who, from the other side of the world, pilfered data for millions of payment cards from the computer systems of small business owners across America – a crime that strikes at the trust and security of our everyday financial transactions. Seleznev was the son of a member of the Russian parliament, and the Russian government filed diplomatic protests and tried to pressure us into releasing him. But that’s not how justice in America works, and he is now in an American prison.
We recognize that we cannot prosecute our way out of cybercrime, but prosecution must remain an integral component of our response to global cyber threats. That is why foreign hackers like “Guccifer” – who hacked into the email and social media accounts of about a hundred Americans, including two former U.S. presidents – as well as Vladimir Drinkman and Dmitriy Smilianets – who, along with co-conspirators, conducted a worldwide hacking scheme that compromised more than 160 million credit card numbers – have likewise found themselves within the reach of American law enforcement. Thanks to the work of our colleagues in the National Security Division, the same holds true for individuals like Su Bin – who conspired with Chinese military hackers to steal cutting-edge U.S. aircraft designs – and Ardit Ferizi – who shared stolen PII belonging to 1,300 U.S. military and government personnel with a member of ISIL, for publication on a hit list. All have now been brought to the United States to face justice.
The department’s strong track record in this area is a critical deterrent to would-be attackers. Over the last twenty years, for example, our Computer Crime and Intellectual Property Section (CCIPS) – the centerpiece of our prosecutorial response to criminal cyber threats – has successfully prosecuted cases involving more than one billion stolen pieces of information, including payment card data, email addresses and social security numbers – more than three pieces of data for every American alive today.
Our international partnerships make this work possible. And they have been key in another way as well. Even when prosecution is not yet an option – for example, because we have been unable to identify or apprehend a criminal target – we have developed operational expertise in disrupting cybercriminal infrastructure in the United States and abroad. For example, we have worked hand-in-hand with our foreign partners to address technical threats like botnets, so-called “bulletproof” hosts, Darknet markets and international hacking forums.
Indeed, just last week, the department led a multinational operation to dismantle a vast network of dedicated criminal servers known as “Avalanche,” which allegedly hosted more than two dozen of the world’s most dangerous and persistent malware campaigns. The Avalanche network served clients operating as many as 500,000 infected computers on a daily basis and is associated with monetary losses in the hundreds of millions of dollars worldwide. We were joined in this effort by investigators and prosecutors from more than 40 jurisdictions across the globe. We must maintain existing international law enforcement cooperation – and develop new mechanisms to work with foreign partners – if we hope to continue these successes.
These efforts have also benefitted from growth in our technical and investigative capacity. The Criminal Division has steadily increased resources for CCIPS, along with its in-house Cybercrime Lab, over the last two years. The Cybercrime Lab has become the go-to resource across U.S. law enforcement for intractable problems in accessing and understanding digital evidence, whether that means uncovering evidence that a defendant accessed online terrorist radicalization materials to rebut a claim of entrapment, or cracking passwords to dozens of devices that hold key evidence of serious crimes.
We have also found that augmenting our own expertise and legal authorities with insight from private sector institutions allows us to identify and develop new, creative responses. For example, in 2014, the FBI, in conjunction with a coalition of nearly a dozen foreign countries and a group of elite computer security firms, dismantled the Gameover Zeus botnet. That botnet, which infected more than one million computers around the world, inflicted over $100 million in losses on American victims alone, and was responsible for the spread of the Cryptolocker ransomware. The Gameover Zeus operation represents what we can achieve when law enforcement agencies collaborate with private sector experts, and indeed, many private organizations provided similar assistance in the recent Avalanche take-down. I hope that it will continue to serve as a model for the department’s future work.
This relationship works in both directions. The investigative experience of our CCIPS prosecutors can offer important lessons for private sector entities. In addition, navigating the federal laws that govern network monitoring practices – laws in which CCIPS specializes – can be fraught for organizations seeking to improve their cybersecurity. That is why, two years ago, we created the Cybersecurity Unit, a group of CCIPS prosecutors who can leverage their case-related experience to develop and share practical cybersecurity advice with the private sector. The Unit has also played an integral role in implementation of the Cybersecurity Information Sharing Act (CISA). So not only have we benefitted from private sector experts for our operational needs, but we have made a practice of sharing our knowledge base as well.
Even as the department addresses technical obstacles to preventing and prosecuting cybercrime, however, we confront a second challenge: arbitrary gaps in the law that frustrate some of our most pressing investigations. One example of such a loophole was the venue provision of Rule 41 of the Federal Rules of Criminal Procedure.
As that Rule existed prior to Dec. 1, 2016, when law enforcement sought court approval for a search warrant, it generally was required to seek authorization from a court sitting in the same geographic district where the property to be searched was located. This Rule made perfect sense in dealing with the physical world. But in the cyber-world, we increasingly face scenarios where criminals use technology to hide the location of their computers, meaning that we could not know where the computers were located. In those circumstances, federal law did not clearly identify which judge could authorize a search.
Similarly, we regularly encounter crimes like mass hacking through botnets that are carried out in multiple districts at once, all across the country. But in order to respond in a timely, comprehensive manner, the prior version of the Rule arguably required authorities to obtain a warrant in each district – up to 94 in all, across 9 time zones, ranging from the Virgin Islands to Guam.
Last week, a three year effort, spearheaded by the Criminal Division, and approved by the U.S. Supreme Court, culminated in a targeted, procedural fix to the venue provisions of the Rule to ensure that technology does not render our investigative abilities obsolete. The update to the Rule does not alter the probable cause or other standards we must meet to obtain a search warrant. What the Rule does change is that now, when criminals hide the location of their computers through anonymizing technology, we don’t have to figure out in which federal district the computers are physically located before we can act to stop criminal activity. Likewise, when a criminal deploys a botnet that indiscriminately infects computers nationwide – as many botnets now do – we don’t have to go to as many as 94 different judges.
The need to update Rule 41 was not theoretical. Today, dozens of websites on Tor – a proxy network – openly distribute images of child rape and sexual exploitation, where they are frequented by tens of thousands of pedophiles. These sites can thrive in the open because proxy networks, like Tor, hide the locations of the criminals’ servers and the identities of their administrators and users. While law enforcement – and the general public – can easily find images of child sexual exploitation by visiting one of these sites, we often cannot locate and shut down the websites or identify and apprehend the abusers. More troubling, the child victims stand little chance of rescue.
The recent investigation of “Playpen,” a Tor site used by more than 100,000 pedophiles to encourage child sexual abuse and trade sexually explicit images of that abuse, illustrates why a Rule 41 fix was necessary. In that case, authorities were able to wrest control of the site from the administrators, and then obtained court approval to use a remote search tool to retrieve limited information, including the user’s IP address, only if a user accessed child pornography on the site. This enabled a traditional, real-world investigation, leading to more than 200 active prosecutions and the identification or rescue of at least 49 American children who were subject to sexual abuse.
Yet in some of the resulting cases, federal courts relying on the language of the prior version of Rule 41 found that even though the probable cause and other standards for obtaining a warrant were satisfied, evidence obtained in searches nevertheless had to be excluded because the judges who issued warrants lacked venue over the computers, which turned out to be physically located outside their geographic districts. This is a perverse result, as it would mean that criminals who are savvy enough to hide their locations – which is not difficult given current technologies – could place themselves beyond the reach of law enforcement.
This is a good example of why the amendments to Rule 41 are such a crucial step forward. They make clear which courts are available to consider whether a particular warrant application comports with the Fourth Amendment, without altering in any way the substantive requirements for – or privacy protections provided by – a warrant. This will ensure that criminals who use anonymizing technologies are not immune from justice, and that threats like botnets are not too big to investigate and remediate effectively.
This fix is a not a cure-all, however. Our response to cyber threats requires revisiting laws that simply did not anticipate and cannot adjust to modern technology. We must continue to move forward – not backward – to ensure that our laws protect Americans from criminals, and not the other way around.
I now want to turn to some challenges that, despite the best efforts of many, will continue to confront policymakers in the years to come. As society’s use of computers and the Internet has grown, so too has the importance of digital evidence in criminal investigations. In nearly every criminal investigation we undertake at the federal level – from homicides and kidnappings to drug trafficking, organized crime, financial fraud and child exploitation – critical information comes from smart phones, computers and online communications, often instead of physical evidence. Yet, these materials are increasingly unavailable to law enforcement as a result of certain implementations of encryption, even when we have a warrant to examine them.
This is because, in an attempt to market products and services as protective of personal privacy and data security, companies increasingly are offering products with built-in encryption technologies that preclude access to data even when a court has issued a search warrant. Service providers with more than a billion user accounts, that transmit tens of billions of messages per day around the world, now advertise themselves as unable to comply with warrants. And device manufacturers that have placed hundreds of millions of products in the market have embraced the same principle. We in law enforcement often describe this sort of encryption as “warrant-proof encryption.”
Let me be clear: the Criminal Division is on the front lines of the fight against cybercrime. We recognize that the development and adoption of strong encryption is essential to counteracting cyber threats and to promote our overall safety and privacy. But certain implementations of encryption pose an undeniable and growing threat to our ability to protect the American people. Our inability to access such data can stop our investigations and prosecutions in their tracks.
Inaction is not a suitable response. Our occasional success in accessing information protected by seemingly “warrant-proof encryption” is unpredictable and inadequate. There are devices in evidence lockers across the country that remain locked.
As the President reminded us recently, the Government has different responsibilities – a different “balance sheet” and different “stakeholders” – than a corporation. There is nothing wrong with companies pursuing profits and marketing strategies, but no one should expect that they will take into account all of the societal interests that are at stake. And that is especially true for our public safety mission. Our ability to protect Americans from crime has become dependent, in thousands of cases, on the business decisions of for-profit corporations. More troublingly, even when companies have the technical ability to reasonably assist us in accessing encrypted information, they have refused to do so for fear of “tarnishing” their image. Regardless of which side of this issue you are on, we can all agree that market-driven decisions are not and have never been a substitute for sound public safety policies.
Business decisions made by for-profit companies have had enormous effects on our public safety in other ways as well. Data held by major Internet service providers can be crucial to identifying and holding accountable the perpetrators of virtually every federal crime we handle. Increasingly, however, American providers and other providers subject to the jurisdiction of the United States are storing such information outside the United States, and not always at rest and in the same location. The data can be partitioned and stored in multiple locations, or moved about on an ongoing basis, and some providers may not even know where all data relating to a particular user is at a given time.
It is this last challenge – foreign-stored digital evidence – that I will close with today. The department has worked diligently to increase the cross-border availability of data, through mechanisms like the 24/7 Network, which facilitates the preservation of digital evidence, as well as mutual legal assistance treaties and the Budapest Convention on Cybercrime, which enhance international cooperation in obtaining that evidence. The Criminal Division has also directed additional resources toward a dedicated cyber mutual legal assistance unit in our Office of International Affairs, which has seen a 1,000 percent increase in incoming requests for computer records since 2000.
But while these are important crime-fighting tools, they have significant shortcomings. The United States has mutual legal assistance treaties with less than half the countries in the world, some of which place limitations on when assistance is available or the types of evidence that can be obtained. Even then, obtaining evidence can take months, if not years. Ireland, for example, reports that in routine cases it takes 15 to 18 months to execute a request for assistance from a foreign country. In less experienced or less cooperative countries, the process can take even longer. Sometimes we never receive a response at all.
Recently, the difficulties caused by foreign-stored data for public safety have become more acute. In July, the Second Circuit Court of Appeals, in the so-called “Microsoft Ireland” case, held that U.S. authorities cannot use a search warrant issued by a U.S. court pursuant to the Stored Communications Act (SCA) to compel a U.S. service provider, such as Microsoft, to produce data that it chooses to store for its own business purposes (and typically without the knowledge or input of its subscribers) outside the United States.
So, what is already a difficult and time-consuming process of gathering electronic evidence may now also become an impossible one, for both the United States and our partners. Since the Microsoft decision was handed down, U.S. providers such as Google, Microsoft and Yahoo! have refused to produce information that they have chosen to store abroad in response to search warrants issued by courts even outside the Second Circuit. This has been the case even in instances where the account-holder was an American citizen residing in the United States, and when the crime under investigation is carried out on American soil. And this includes warrants obtained on behalf of foreign countries pursuant to mutual legal assistant requests.
U.S. law generally does not require our providers to store this data in a particular location or make it accessible in any particular way. But as a result, the ability of law enforcement to effectively investigate serious crime may now be determined entirely by a provider’s data management practices, well-intentioned or not. One major American provider, for example, is unable to determine the country in which foreign-stored data is located; and even if it could, the data is frequently moved and may not be in the same country from day to day. Under the Second Circuit’s decision, a SCA warrant is not available. But sending an MLAT request to a foreign country could result – after months of delay – in a notification that the relevant data is no longer there.
It is for this reason that, in October, the department filed a petition for the case to be reheard by the entire Second Circuit en banc. It is also why we intend to submit legislation to Congress to address the decision’s significant public safety implications. This issue must be resolved before we move to other important initiatives, such as legislation to implement a cross-border data agreement with the United Kingdom.
Looking forward, I cannot predict how the rehearing petition, or the broader concerns implicated by the Microsoft decision, will play out. And I suspect that, whether the issue relates to warrant-proof encryption or cross-border access to evidence, reaching a resolution will be challenging. But these decisions must be made in the policy arena, not by the private sector alone. We cannot allow changing technologies or the economic interests of the private sector to overwhelm larger policy issues relating to the needs of public safety and national security. And we must let government fulfill its fundamental responsibilities to protect the American people.
I know that the panel to follow will focus on some of these challenges for the future, but let me offer my own thoughts here. In each of these areas, we must proceed thoughtfully and balance multiple different legitimate interests. Yet several basic principles should be obvious. First, sitting back and doing nothing is not an acceptable option. The world is changing around us, and those seeking to do harm are evolving with it; if those responsible for ensuring public safety do not have the same ability to adapt, public safety will suffer. Second, these changes pose policy challenges, and we need to develop policy responses. Rather than let evolutions in technology dictate our responses, we must think ahead as a society and develop appropriate frameworks to address new and upcoming challenges before they become crises. And finally, when there are multiple interests at stake – public safety, cybersecurity, international comity and civil rights and civil liberties – we cannot allow the most consequential decisions to be made by a single stakeholder, or leave them to the whim of the commercial marketplace. We would never tolerate that approach in other areas of importance to society, and we should not do so here.