In light of the growing concern over cybersecurity, the United Stated Department of Justice (“DOJ”) issued guidance last week on how to prepare for and respond to cyber attacks.  Taking lessons learned by federal prosecutors while handling cyber investigations, and input from private sector companies that have managed cyber incidents, the guidance contains a step-by-step guide on what to do before, during and after a cyber incident.

Specifically, the DOJ recommends having a plan in place before any cyber attacks occur.  That plan should include identifying critical data and assets that warrant increased security, having the technology and services needed to respond to a cyber incident in place, having legal counsel that is familiar with legal issues associated with cyber incidents, and ensuring that your team knows who is responsible for what tasks in the event of an attack.   

If an attack happens, the DOJ recommends assessing the scope of the incident and working quickly to prevent any on-going damage, collecting and preserving data related to the attack, and notifying law enforcement.  The DOJ cautions against using any systems that have been compromised and trying to “hack back” against the system involved in the attack.

The guidance was unveiled at a roundtable discussion on cybersecurity, during which Assistant Attorney General Leslie Caldwell explained in prepared remarks  that “Cyber criminals commit their crimes because they see hacking as a low-risk, high-reward proposition.”  The DOJ’s goal is to “alter that assessment.” Caldwell said the United States is number one in data breaches world wide, at an estimated annual cost of no less than $400 billion.  Thus, it is important for businesses to be prepared in order to minimize the damage from any attack.

Although not cited in the DOJ guidance, Data Security and Privacy Liability (“Cyberliability”) insurance should be considered as part of an organization’s plan in order to protect against some of the costs associated with a cyber attack.  Companies considering placing or renewing cyberliability coverage should contact any Reed Smith Insurance Recovery Group attorney for advice.



///-----------------///


Assistant Attorney General Leslie R. Caldwell Delivers Remarks at the Criminal Division's Cybersecurity Industry Roundtable
 
Washington, DC
 
United States
 
Wednesday, April 29, 2015
 
Thank you, Attorney General Lynch, for taking the time today to be here with us.  I know that you have to leave.  We are truly honored that you joined us.   

    
I would also like to thank my law enforcement partners around the table for their participation today including: John Carlin, Assistant Attorney General for the National Security Division, and Luke Dembosky, one of his deputies; David Hickton, U.S. Attorney of the Western District of Pennsylvania; Jim Trainor, Acting Assistant Director of the FBI’s Cyber Division; and Stuart Tryon, Special Agent in Charge of the Secret Service’s Criminal Investigative Division.
I’d also like to introduce the Criminal Division participants: Marshall Miller, my Chief of Staff and the Principal Deputy Assistant Attorney General; David Bitkower, the Deputy Assistant Attorney General who oversees the Computer Crime and Intellectual Property Section—or CCIPS; John Lynch, the Chief of CCIPS; Rich Downing, the Principal Deputy Chief of CCIPS; and Mick Stawasz, Deputy Chief for Computer Crime at CCIPS and Head of the Cybersecurity Unit. 
White House Cybersecurity Coordinator Michael Daniel will be joining us later this afternoon as well. 

In addition, five U.S. Attorneys are participating via phone: John Horn of the Northern District of Georgia; Alicia Limtiaco of the Districts of Guam and the Northern Mariana Islands; Carter Stewart of the Southern District of Ohio; Malcolm Bales of the Eastern District of Texas; and Annette Hayes of the Western District of Washington.

I am thrilled to see such a cross-section of data breach experts in this room.  Collectively, this audience includes many of the nation’s leading private-sector practitioners in the field of data breach response.  With such assembled talent, I have no doubt that we will have a vibrant exchange of ideas during this afternoon’s sessions.  Before we get to those events, however, let me offer a few thoughts to set the stage.

As the Attorney General noted, cybercrime is not new and neither is the Criminal Division’s engagement with it.  The Computer Crime and Intellectual Property Section has been investigating and prosecuting high-tech crimes for nearly twenty years and has developed unparalleled expertise in investigating and prosecuting cybercriminals.

CCIPS attorneys are the Department’s experts in laws like: the Computer Fraud and Abuse Act; electronic surveillance laws related to monitoring or gathering information from computers; and the constitutional framework for the collection and use of electronic evidence. 

Drawing on this expertise, CCIPS partners with U.S. Attorneys’ Offices, prosecutors at the National Security Division and investigative agencies throughout the country on federal cybercrime investigations, many of which span not only our country but extend throughout the world.  From takedowns of botnets made up of hundreds of thousands of computers, to massive online identity theft operations, to other crimes facilitated by complex technologies like TOR, CCIPS is involved when law enforcement is confronting the top criminal threats online.   

But even as we’ve developed this deep well of institutional knowledge in cybercrime and cutting-edge technology, the threat environment has only grown more challenging.  One study earlier this year found that the United States is number one in data breaches world-wide – accounting for about 76 percent of all incidents in 2014.  Another study last summer estimated the annual cost of cybercrime at no less than $400 billion.  That figure, while itself daunting, still doesn’t completely capture the very real, but less quantifiable, harms suffered by victims of online crime on a personal level. 

Nowhere is this more evident than in the recent trend of major data breaches that is the focus of this afternoon’s roundtable.  These breaches have involved transnational organized criminals, who are experts in exploiting technology to conceal their activities, causing crimes of unprecedented scale and sophistication—often invading the privacy and jeopardizing the security of information belonging to millions of individual victims. 

And yet, for all its scope and complexity, cybercrime is not an unsolvable species of crime.  Cyber criminals commit their crimes because they see hacking as a low-risk, high-reward proposition.  Accordingly, our goal must be to alter that assessment. 

We at the Criminal Division have found that old-fashioned investigative work, coupled with a long institutional memory and technical expertise can pay dividends against even sophisticated foreign cybercriminals.  For example: last month, we unsealed the indictment and guilty pleas of two Vietnamese hackers responsible for the theft of over 1 billion personal records from 2009 to 2012. 

 That case was investigated by both the FBI and the Secret Service.  Just weeks ago, we worked with the Secret Service to extradite Russian hacker Vladimir Drinkman from the Netherlands.  Drinkman is alleged to have been part of a group responsible for the theft of 160 million credit card numbers.

In fact, during approximately the past year, we have extradited about a dozen high-level cyber criminals from around the world.

As notable as these prosecutorial successes are, we recognize that we need to be developing and using innovative tools and strategies for battling cybercrime as well.  Just this month, President Obama issued an Executive Order authorizing the Secretary of the Treasury, in consultation with the Departments of Justice and State, to impose sanctions on individuals or entities that engage in certain “significant malicious cyber-enabled activities.”  Importantly, the Executive Order also authorizes the imposition of sanctions against foreign corporations and entities that knowingly profit from stolen trade secrets.  The Criminal Division intends to consult closely with our colleagues at the Treasury and State Departments on situations in which this authority might be appropriately employed.

We are also continuing to develop and use creative strategies to disrupt criminal activity, particularly when criminals operate from overseas beyond the immediate reach of American law enforcement.  For example, last spring the department used a combination of civil and criminal tools to disrupt the Gameover Zeus botnet and the Cryptolocker extortion scheme, removing control of infected computers from their overseas operators.  And we have successfully employed asset forfeiture tools to seize and forfeit millions of dollars in profits from individuals who have been charged with operating the Megaupload website, which provided easy access to pirated intellectual property.

Beyond our prosecutions and involvement with the new Executive Order, we also have taken another significant step toward combatting cybercrime by focusing the Criminal Division’s legal expertise and investigatory experience on ways we can help to prevent criminal acts like data breaches from happening in the first place.  To this end, we created the Cybersecurity Unit, within CCIPS, to better focus and structure our cybersecurity efforts, which include: working with Congress on cybersecurity-related legislative priorities; working with the National Security Council and other U.S. government partners on executive branch cybersecurity initiatives; analyzing, and where appropriate, providing legal guidance on, situations where cybersecurity issues implicate criminal statutes such as the Wiretap Act, ECPA and the computer hacking statute; and actively engaging with the private sector and the public to address legal challenges related to cybersecurity.

It is this last point that I want to focus on today.  We in government know that we cannot go it alone in fighting cybercrime.  We need a strong partnership with you in the private sector.  So I specifically asked the Cybersecurity Unit to collaborate with you on cybersecurity issues in which they have expertise to share and, in return, to draw upon your valuable experience to do our work even better.  Today is just part of that effort.

I am happy to announce that, as part of today’s event, the Cybersecurity Unit is also releasing new guidance providing what we see as best practices for victims and potential victims to address the risk of data breaches, before, during and after cyber attacks and intrusions.  This guidance is built on our experience prosecuting and investigating cybercrime, and incorporates knowledge and input from private sector entities that have managed cyber incidents.  It is a living document, which we will continue to update as the challenges and solutions change over time.  It is an example of the type of assistance that we plan to continue to provide to elevate cybersecurity efforts and to build better channels of communication with law enforcement. 

We are preparing to assemble further legal guidance on other subjects that may be helpful to potential victims of cybercrime, and we are looking forward to discussing in this and other forums which subjects are the most important to address.

Our engagement with the private sector has already included targeted cybersecurity consultations with many stakeholders, including the private bar, computer security researchers, industry groups and trade associations, financial institutions, other private-sector companies and think tanks.

For example, the Cybersecurity Unit, in conjunction with the Center for Strategic and International Studies, hosted a discussion last month with leading security experts from a variety of backgrounds – ranging from cyber incident response firms to retail and banking companies – on the subject of active defense.  We plan to release a summary of the findings from that event.

In a similar vein, the Cybersecurity Unit participated in recent “tabletop” exercises held jointly between the U.S. government and the financial sector to simulate cyber incident response.

What we have learned through such discussions, engagements and exercises has also helped shape the Cybersecurity Unit’s agenda.  For instance, we have learned that in-house counsel at victim companies are often unfamiliar with laws implicated by cyber defensive measures.  To help address this problem, we have already scheduled an initial discussion with in-house attorneys who work in a vital sector of our critical infrastructure to help them better prepare for addressing the legal issues surrounding defending their networks and handling cyber incidents.

Similarly, we have begun work with the Treasury Department and in-house counsel at various financial institutions, which are frequent targets for data breach efforts, to identify additional legal issues and potential responses with the ultimate goal of empowering such companies to better respond to cyber attacks and intrusions. 

Put simply, at the Criminal Division we see ourselves as engaged in a long-term battle against cybercrime – a battle that we will only meet with success if we collaborate with all of you as we surmount obstacles and design innovative solutions.

With that introduction, let me thank you all again for joining me here today.  I’m looking forward to hearing your thoughts on some key topics and hearing feedback from you as to what you think are the important issues and where the department and law enforcement can play key roles.