Remarks as Delivered
Thank you so much, Gordon, and it’s great to be back with you. Thank you all for having me here today. I am honored to be a part of this conference again this year.
You know, for eight years now, this conference has provided a forum for policy makers and experts alike to gather from around the world to look to the future of our collective, global cybersecurity. The Munich Cyber Security Conference has always focused on how to out-innovate a constantly evolving cyber threat. This year, as conventional weapons and cyber threats stare down Ukraine, we are reminded that cybersecurity is global security — and we can’t afford to consider one without the other.
Now, last year at this conference, as you mentioned Gordon, I warned of a pivot point in the cyber threat, a blended threat of nation-states and criminal gangs forming alliances of convenience and working together to exploit our own infrastructure against us. Unfortunately, as you mentioned, we continue to confront cyber criminals who enjoy safe haven in authoritarian countries and who wreak havoc in both the digital and physical worlds. In fact, just this morning, the FBI along with our partners at CISA and the NSA issued a fresh warning that Russian, state-sponsored cyber actors continue to regularly target U.S. defense contractors.
Now, this is a challenge that no country can tackle alone. And today I will outline new steps the Department of Justice is taking to combat this unprecedented threat.
Increasing Our Investigative and Deterrent Capabilities
Following the comprehensive cyber review, that you mentioned Gordon — that I launched last year — that review was led by my principal deputy John Carlin, we are now building on the department’s history of success, across multiple administrations, and we’re adapting old tools to use in new ways — while also designing novel techniques to use in our major cyber investigations. In the last year for the first time ever, we used a traditional search warrant to execute code and erase digital backdoors, making hundreds of victim computers safe; and in an unprecedented cooperative effort, the FBI and international partners — including Canada, France, Germany, the Netherlands, the United Kingdom, Lithuania, Sweden and Ukraine — all worked together and dismantled the Emotet botnet and released its grip on victim computers; we also took down the world’s largest illegal marketplace on the darknet and arrested at least 150 darknet traffickers, thanks to the Joint Criminal Opioid and Darknet Enforcement Team, and thanks to our Europol and Eurojust partners.
We must keep pace with the threat actors who exploit innovations as fast as the marketplace produces them. Case in point: the explosion of ransomware and the abuse of cryptocurrency. Today, the FBI is investigating more than 100 different ransomware variants, and prosecutors and law enforcement are targeting dozens of ransomware groups estimated to have caused billions of dollars in damage to victims.
So last year, we launched the Ransomware and Digital Extortion Task Force to develop new ways to attack the ecosystem that allows ransomware to flourish. And because arrests are simply not enough, we seized back from criminally controlled wallets $2.3 million of the ransom paid after the Colonial Pipeline attack. And in the wake of the attack on Kaseya, the FBI obtained decryptor keys so victims could unlock ransomed systems.
We coupled these innovations with arrests and with criminal charges. And in November, together with several of our international partners, we disrupted the R-Evil ransomware group with five arrests and the seizure of $6.1 million in alleged ransom payments.
Ransomware and digital extortion — like many other crimes fueled by cryptocurrency — only work if the bad guys get paid — which means we have to bust their business model.
Last week, I announced the largest ever financial seizure in the Justice Department’s history. The seizure of over $3.6 billion in stolen bitcoin — and the money laundering and conspiracy charges along with it — demonstrates that even in cyberspace, the Department of Justice is able to use a tried and true investigative technique: following the money. It’s what led us to Al Capone in the 30s, it helped us destroy La Cosa Nostra in the 60s, and it took down terrorist financing networks in the early 2000s.
The currency might be virtual but the message to companies is concrete: if you report to us, we can follow the money and not only help you, but hopefully prevent the next victim.
Now, these success stories are just the beginning of what the department can do.
That’s why the FBI is forming a specialized team dedicated to cryptocurrency: the Virtual Asset Exploitation Unit (VAXU). This FBI unit will combine cryptocurrency experts into one nerve center that can provide equipment, blockchain analysis, virtual asset seizure and training to the rest of the FBI.
This unit will join the work of the National Cryptocurrency Enforcement Team (NCET), which I announced last fall. This team combines prosecutors with expertise in money laundering, computer crimes, forfeiture and regulatory policy to go after those who abuse cryptocurrency to commit crime. Today, that team is staffed with a dozen prosecutors, several of whom were integral to last week’s record-breaking seizure, and today it gains its first Director, Eun Young Choi, a seasoned computer crimes prosecutor and a leader in the field.
What this last year tells us is that the cyber threats of today demand that we stay nimble and creative to counter the threats of tomorrow.
International Partnerships
Now, as we evolve to meet this threat, we cannot — and do not — want to fight this threat alone. This audience knows better than anybody that cyber threats do not respect borders. And it’s just like the alliances we formed to fight the battles of the past, our efforts are so much more powerful when combined with those of our international partners. Evolving to match the cyber threat does not only mean new tools and teams within the Department of Justice — it means finding innovative ways to work with our international partners.
Now, it’s the rare cyber investigation that doesn’t have an international dimension. That is why prosecutors handling significant cyber investigations will now be required to consult with the department’s international and cybercrime specialists to identify international actions that might be able to help stop a threat. International cooperation will not be an afterthought.
Personifying this international focus, we are creating a new Cyber Operations International Liaison, that person’s responsibility will be to work with U.S. prosecutors and European partners to up the tempo of international operations against top-tier cyber actors. We will embed this capability in Europe to ensure more connectivity between our law-enforcement groups.
We are also launching an International Virtual Currency Initiative to combat the abuse of virtual currency. This initiative will allow for more joint, international law enforcement operations — more eyes from multiple law enforcement agencies around the world — to track money through the blockchain. It will also foster responsible regulation and anti-money laundering requirements to root out the abuse of these technologies.
We are issuing a clear warning to criminals who use cryptocurrency to fuel their schemes. We also call on all companies dealing with cryptocurrency: we need you to root out cryptocurrency abuses. To those who do not, we will hold you accountable where we can.
Prioritizing Cyber Disruption
Now one of the key things I learned after September 11 when I was at both the FBI and as head of the National Security Division, it’s that success is not prosecuting terrorists after an attack when families are grieving and their loved ones have been lost. It may be necessary to be sure, but success is preventing that attack in the first place. We need to apply that same thinking to our cyber investigations.
So, moving forward, prosecutors, agents and analysts will now assess — at each stage of a cyber investigation — whether to use disruptive actions against cyber threats, even if they might otherwise tip the cybercriminals off and jeopardize the potential for charges and arrests. In other words, before we bring charges, we will assess whether there are steps we can take to prevent or reduce the risk to victims, steps like providing decryptor keys or seizing servers used to further cyberattacks.
We should consider the use of all available tools. When I say all tools, I mean disruptive capabilities, sanctions and export controls. I mean not just those at the disposal of our government but also those of our international and private sector partners. I mean earlier coordination, so that our partners can position themselves to take their own actions against these threats. And I mean deploying forward Justice Department personnel to work directly with our partners, such as at U.S. Cyber Command and elsewhere, to achieve unity of purpose and unity of action.
Now let me be clear: charging and apprehending cybercriminals will still be a priority in cybercrime cases, just as it is in all of our cases. Arrests, convictions and incarcerations provide a serious and personal deterrent to criminals, and they are the unique responsibility of the Department of Justice. But combining these with other tools you have heard me describe today makes us nimbler in disrupting the cyber threat. This is especially true when threat actors seek safe haven in rogue countries or work on behalf of a foreign government.
Now, as a former prosecutor, I can tell you that this approach is not the first instinct for trial lawyers who live in the courtroom. But my message to the department is clear: we should be looking for success both inside and outside the courtroom.
And my message to cybercriminals is equally clear: the long arm of the law can — and now will — stretch much farther into cyberspace than you think. If you continue to come for us, we will come for you.
I am proud of all the work underway at the Department of Justice to address the growing range of cyber threats. And I appreciate the opportunity to share all of this with you today, and I’m looking forward to answering some questions.