Skip to main content

tv   Key Capitol Hill Hearings  CSPAN  May 28, 2015 7:00pm-8:01pm EDT

7:00 pm
internet, although the u.s. embassy site on air quality is one of the most frequently visited sites by china nationals, the only reliable information they can get about air quality. our engagement will bring faster connectivity and more quality connectivity to the people of cuba, i'm convinced of than the technology is there, senator rubio points out. it's a matter of making it available and the people of cuba will demand that. and let me just also point out in regards to the libertat act. it provides forlysining authority by the administration which is common in these types of legislation. there are certain authorities who are included in the act. i look forward to a robust discussion in the committee. chairman, i would yield the time to senator menendez.
7:01 pm
>> i see senator martin is here. i'll wait. >> senator martin. >> thank you. mr. chairman, very much, welcome and thank you for all of the good work which you have done. over the years there's been a clearly an isolation from our country that cuba has had to live with. and i very much appreciate this administration's attempts to normalize relations. i think it is important and step in the right direction. and i think the actions which you're taking beginning to make it possible for us to envision a day where we truly have normalized relations with cuba but it's not going to happen overnight and clearly cuba itself has to deal with behavioral changes that are not going to come easy.
7:02 pm
but that said, i think the process has opened and i think we're going to head in the right direction. i know senator udall has already talked about this and it's important to focus on it, the relationship that exists between information and freedom. i think there is a huge cultural compatibility we have with cuba. otherwise the red sox would not be paying all this money to be signing cuban players right now. they have mastered that part of our culture. and hopefully we'll be able to using better relationships to be able to broaden that even further. talking about internet and talking about telecommunications, can you just outline a little bit for me -- i
7:03 pm
may have missed the detail that you gave to senator udall, but what is your hope in the terms of transfer of sale of telecommunications technology into the human marketplace? >> thank so much, senator. the regulatory changes are fairly -- fairly broad in terms of what can now be sold and provided to cuba in the telecommunications and information area. that could be hardware, whether cell phones or other forms of computers that can now be sort of not just donated as they could be before but sold to cuba. people in cuba, and it also is services that are providing information such as the phone card and phone service that idt recently in new jersey signed with the cuban government to do other forms ever telecommunications work. i do want to be clear, it's true
7:04 pm
that all of this takes a decision by the cuban government to move forward with modernization in their telecom sector. that is certainly true. american companies can be able to under our changes participate in cuba but the cuban government has already said it wants to modernize and said things to the u.n. and we have to see if they really take those steps. we want to be part of it if and when they do. we want to encourage them to do so. i think as others have said, we think the cuban people want that as well. >> i think the more that we have american tourists down there, the more that we have a cultural exchanges and students in cuba, the more normalized to that extent is more likely that the cuban people, cuban students are going to be saying to themselves, why can't we have that technology?
7:05 pm
and it's -- it's a resistance by the way that existed in our own country. our own country did not want to move to the digital revolution. our cable and telephone companies did not move to it. there wasn't one home that had digital until we changed the laws. we had to incentivize those companies. we were going nowhere. same thing with cell phones, until 1994, the size of a brick and it cost 50 cents a minute and we didn't have one, ordinary people. some wealthy businessman, gordon gekko on wall street had one, but not ordinary people. in 2001 in africa, only 12 million people -- 12 million people had wireless devices. today it's 800 million. we move to these devices rapidly in america but they are doing in africa as well. the more it insinuates itself into the culture of individual
7:06 pm
countries, it changes the culture, the business relationships, it changes the entrepreneurial spirit of a country. we can see it in country after country. in africa, it's not uniform, no doubt about it but where it works, it works big time. i think the same thing is going to be true in cuba. the more we can move these devices in and the more the people in the country demand they have access to it so they are not the last country in the world without access to modern technologies. i think we're going to see dramatic telescoping of the changes that we're hoping that will happen in that country. and so that's why of all of the sectors, that's why radio and tv were always focused on by the reagan administration. they understood the importance of this. and the openings which you're talking about here, kind of puts it in the mind of many cubans,
7:07 pm
ordinary citizens, why not, why not us? so what is the level of negotiation or discussion that is going on in terms of these telecommunications technologies? who are we speaking to? who ultimately makes the decision inside cuba? >> all right, thank you, senator. we had -- there's basically two tracks if you will, one is government. that is beginning of conversations with the cuban government about telecommunications and the other obviously are many, many private sector conversations with the cuban government to which we're not party but we obviously know about that they are taking place. on the government side, we had our ambassador for international communications policy danny sepulveda two months ago now, that is the first time we had that conversation with the cuban government at an official level meeting both with their telecommunications ministry as
7:08 pm
well as their telecom provider, which is state run, to talk about sort of what kind of infrastructure they are interested in and how we have done things in the united states in terms of the regulation and access issues as well as obviously many, many u.s. companies have had conversations with the cuban government and they are beginning to think about the request for proposals if you will of their own telecom sector. >> the quicker we can move them in that direction, the quicker their whole society changes and it's happened all over the world, they will not be immune to you. thank you both for your great work. >> without objection i would like to enter into the record on behalf of senator rubio a letter to him dated february 18th. from the u.s. coast guard and if there's no objection i'll put it in the record. senator flake. >> thank you, mr. chairman. just wanted to clarify a few
7:09 pm
issues, we talk about telecommunications, saying the cuban government may not allow this and it's up to them and we may not control them, that's true, they will allow what they will allow. but we've had a policy for decades that has not yielded the results that we want. the question is, it's this policy or policy in a perfect world, it's this policy compared to nonengagement we've had before and we know what nonengagement has yielded. the cuban government may or may not keep their promise to make sure that 50% of the cuban people are wired by certain time. we have no control of that. we have control of what is in our national interest. and i think it's more likely that it will occur that under the former policy we had. also, with regard to a statement made that whenever american
7:10 pm
traveler goes to cuba every dollar ends up with a cuban government, that simply is not the case. that may be said by those who haven't traveled to cuba recently. but many americans travel to cuba. and it is true that you can't travel to cuba without some revenue going to government. that is certain. but the notion that every dollar spent ends up in the hands of cuban military is not the case. you have burgeoning entrepreneurship in cuba that is a testimony to the fact that some money does flow to ordinary cuban people. that is then particularly the case with the travel of cuban-americans over the past couple of years. i should mention, when that policy was announced a couple of years ago the cuban-americans could travel not just once every three years but as often as they like.
7:11 pm
remittance levels were increased. there was talk here in congress about reversing that, you can't have that, that's not good for the cuban people and not good for america. i can tell you there is no serious talk today about reversing that because why? because when americans get more freedom, we tend to enjoy that and want more. and i would suggest that a year from now, the notion that we would reverse this policy that is allowed more americans to travel to cuba and to help cuban people have access to more technology, more capital, more values and more contact with americans will seem as absurd as reversing the changes that were made with cuban american travel a couple of years ago. so again, i applaud you for what you're doing and look forward to working with the administration as this policy unfolds. >> thank you, senator menendez.
7:12 pm
>> thank you, mr. chairman. let me ask you when a cuban-american sends or visits their relatives in cuba and give them a little money, the onlyplice really to buy something is the dollar store, isn't that true? if you want to get something? >> i believe certainly there's -- there's more in those stores to buy. >> by the way, who owns the dollar stores? >> they are state run. >> okay. >> the government. and so if i want to send a remittance to my relative in cuba, the cuban government takes a slice, right? >> they do but the relatives probably want a part of that anyway. >> but the cuban government gets a slice? >> yes. >> so let's not deny the cuban government is greatly enriched by all these resources which is why it's been their number one foreign policy objective. let's talk about what full diplomatic relations are. you're going to having this discussion tomorrow i understand.
7:13 pm
what normalized relations are. after the summit of the americas the quat"washington post" ran a story suggesting that the talks to restore diplomatic relation said were held up because they were unwilling to allow us to send secure shipments to a future embassy, unwilling to let us have a number of staff necessary to operate a future embassy, and unwilling to remove the military presence around the future embassy. let me ask you would the state department actually agree to establish an embassy in havana if all our diplomats aren't able to travel freely throughout cuba? >> senator, what i can tell you, we have to have an embassy where diplomats can get out and travel and see the country and talk to people. we have restrictions on the way
7:14 pm
our embassy personnel travel in terms of notification to governments in many countries around the world that range from 24 hours to ten days. we are going to do everything possible to make sure that we have the least restrictions possible but our -- >> we will accept restrictions that all of our diplomats and embassy would be able to travel through the country? >> we will make sure that the embassy is on a par with the way we operate in other places that are restrictive environments but -- >> would you agree to conditions in which we can't send secure shipments to supply a future embassy without the regime rifling through them? >> senator, i'm not going to necessarily lay out all of the negotiations for -- >> why not? wait a minute. >> senator, let me -- >> do we not have a united states congress have the right to understand how you are trying
7:15 pm
to establish diplomatic relations. the nation needs to know in what conditions we're going to have or not have relationship. are you going to allow the cubans to rifle through your diplomatic -- with impunity or insist you can send something to the embassy as we do in other places in the world. >> we believe in the viability of the diplomatic pouch and it's critical to resupply a future embassy and important to supply the building now that has maintenance and upkeep. that's a critical part of our discussion. >> will you accept conditions less than that? >> we won't accept conditions in which we can't securely supply our facilities. >> would you agree to open an embassy if you aren't granted a number of staff you need to operate it efficiently? >> not if we can't have the number of staff we believe we need, no. >> are you willing to open an embassy of the castro regime doesn't remove its military cordon from around the building,
7:16 pm
which is basically a way to intimidate average cubans from approaching our facility? >> we will not open an embassy unless we believe that the security outside the embassy is appropriate to protect our installation but we will also make sure that it is welcoming of cubans into the installation as an embassy, the way we do around the world. >> let me ask you, you agreed with me ultimately that the castro regime statement as to relates to that they have never supported, never supported any act of international terrorism is not true. so if you agree that these statements by the castro regime are cat goricly false how can you explain to the committee why you would think you can believe any assurances about the regime's current or future conduct if they bald face lied in the first place?
7:17 pm
>> what we were looking at in the assurances is not necessarily whether or not their assertions on behalf of all reported history for the cuban government are -- we agree with every statement of the past, what we have to look at is what the requirements are under the law, which talk about the rejection of international terrorism, which they have made and lack of police support or any evidence for support -- international terrorism. >> partially lie to you but not fully lie -- >> senator, we have differences in what we -- they do not believe they have ever supported international terrorism. >> they sent you a letter and the state department quoted that specific section which basically you buy into, it's incredible that section of the letter you buy into. the red cross under the president's announcement was supposed to have access to cuban jails, has that taken place?
7:18 pm
>> we do not say the red cross would have access -- >> what -- you announced they would have -- i understand it was access to cuban jails. what is it they have access to? >> i don't believe we ever said that the cubans had agreed to that. what we said was that we were hoping that international organizations wouldry new their discussions with the cuban government about those issues, including the red cross and u.n. >> has the red cross been able to get in freely? >> not that i know. >> last question. we talk about telecom access and a lot has been discussed about that. in late february, the first vice president who senator boxer referred to as the -- looks like he would be the next heir in the election. first, there's no election in 2018, right? it's a selection. can we agree on that? >> we can agree that what the
7:19 pm
cuban government calls an election is not what we believe meets international standards. >> it's the cuban communist party and that's it. it's not an election. i don't want anyone to think we're working on an election in 2018. he gave a long rambling speech, the second highest official in the cuban government about the internet in cuba. one of the most revealing statements was the affirmation that the regime's internet strategy would be led by the communist party. given the communist party's half century long effort to deprive the cuban people of the most minimal standards of freedom of the press and information, would you have the committee believe that the communist party won't make every possible effort to block access to all content that it deems undesirable similar to what we have seen in other closed societies around the world? >> when more people have access to the internet, even if governments try to prevent them seeing things they don't want them to, they are remarkably
7:20 pm
inventive in finding ways to do so. >> let me ask you this. can we have your assurances that the state department and the united states government will take all possible steps to ensure that the cuban people have access to sirkm navigation technologies that would get around regime censorship. if we're going to say we want u.s. companies to develop this infrastructure in cuba, certainly we could have technologies so the cuban people are truly free to see any site they want. not only that hadwhich the regime wants them to see. >> certainly i hope that the majority and vast majority or all of the cuban people will have complete access to the internet. >> hope is not a policy achievement. i'm asking you, if we are going to license companies under the
7:21 pm
libertata to have companies, can't we make conditions of that license that they have navigation technologies so senator flake and udall and mark, everyone that wants access to the netinternet we're in common cause on that, actually get access to the internet? what's so difficult about suggesting the technology? >> i don't know we can do that but i know -- >> any condition we want as a condition of sale. >> i wrote that section of law when i was in house of representatives. i know what it says and you can put conditions on it. i hope to hear back from you whether you will insist on that as an ability to have u.s. companies -- if we want access for the cuban people to have the internet, which i do. >> i do as well, senator, but i also want them to be able to have those deals go through and to make it the most effective way that more on the island can have access -- >> a deal without full access to the internet is a deal to an end
7:22 pm
without access to the critical information that we think can help liberate the cuban people. thank you, mr. chairman. >> thank you. any other questions? i want to thank the committee again. i know there's a lot of adverse views about this proposed new policy. and actually a policy that's being implemented and i want to thank the witnesses for being here. if you would, the record will be open without objection to the close of business thursday if you'd answer promptly, we would appreciate it. we thank you for your service to our country. with that, we're adjourned.
7:23 pm
here are some of your featured programs for this weekend on the c-span networks. on c-span saturday starting at noon politicians, white house officials and business leaders offer advice and encouragement to the class of 2015. speakers include george w. bush and melanieodylody hobson, and former staff members reflect on the presidency of george h.w. bush and sunday at noon, more commencement speeches from across the country with former secretaries of state condoleezza rice and madeleine ulbright and michael nutter. on c-span2, saturday morning, book tv in new york city with events from this week's book expo america beginning at 10:00 and live call-in segments with
7:24 pm
publishers and authors throughout the day. sunday evening at 9:00 a professor looks at the case haulingsworth v. perry, which considered the constitutionally of the law that rescinded the right of same-sex couples to marry in california. and on american history tv on c-span3, a conversation with white house historian on first lady whose have had the most impact on the executive mansion, and sunday afternoon, just before 2:00 the life and death of our 20th president, james garfield, who served almost two decades as a congressman from ohio and was assassinated 200 days into his term as president. get our complete schedule at assistant attorney general for the criminal division leslie caldwell says reacting to cyberattacks is good but the focus needs to be on prevention. she spoke at georgetown law school's third annual suber
7:25 pm
security law institute in washington, d.c. hello. the georgetown cybersecurity law institute is honored to have with us a leading force in the prosecution of cybercrimes. assistant attorney general leslie caldwell, who serves as the head of the united states department of justice's criminal division. she over sees nearly 600 attorneys who prosecution cases across the country and help to develop law and criminal enforcement policy. in addition, aag grxg caldwell works closely with the attorneys offices in the investigation and prosecution of criminal matters in their dwirkts. the mat majority of her storied third 30-year career has been handling criminal cases as a prosecutor
7:26 pm
and as a defense counsel. he she spent her first 10 years in new york, and then as the chief of the criminal division at the u.s. attorney's office for the northern district of california. from 2002 to 2004, she served as director of the doj's enron task force, during which time her work was highly recognized and on several occasions won awards including the attorney general's award for exceptional service. caldwell spent nearly a decade in private practice of morgan lewis, and bachus where she was co-chair of corporate investigations and white collar practice group. on may 15th 2014, ms. caldwell was confirmed at the assistance attorney general. during her first year as head of the criminal division, aag caldwell has made prosecuting
7:27 pm
cybercrimes a top priority. she has innovated new initiatives that not only seek to investigate and put cybercriminals behind bars but also proactive strategies that aim to collaborate with the private sector and law enforcement around the world. one of the highlights of her first year was the creation of the cybersecurity unit within the division's section. please kindly join me in a warm welcome to assistant attorney general leslie caldwell. >> thank you, and also thank you for just not coming out and saying that i'm really old instead of saying the 10 years and 30 years, i was starting to think, my god, really. really, good afternoon, thank you so much for inviting me to speak here today. as all of you know, cybercrime and cybersecurity are very complicated and challenging
7:28 pm
issues. they raise concerns that really defy simple solutions. they off defy our traditional criminal investigative tools. there's no single technology or law or policy or practice that will magically guarantee the security of our data, the security of our information system. the victories in this area of prosecuting cybercrime and investigating cybercrime and setting up cybersecurity are very hard fought and not easily won. the same is true of our prosecutions of cybercrime. we have been in the business of fighting cybercrime for more than 20 years. the criminal division set up the computer crime and intellectual property division, which as you know, the department of justice and all of us in washington are fond of acronyms. i'm call it ccip as it was known. that section investigates and prosecutors high-tech crime of all types. they investigate and prosecutor economic espionage.
7:29 pm
they work along with the national security division, a network of 270 computer hacking prosecutors around the country, and they really work hand in hand, and ccip has become the department's linchpin in our efforts against cybercrime. they have really been involved in one capacity or another in pretty much every cybercrime case that you've heard of since the 1990s. over the years, we've developed a lot of different strategies to combat cybercrime and we tried to evolve the strategies as the threat itself has evolved. one of the things we have done and one of the things i want to talk about today is we really collaborate a lot with the private sector, as well as with our international law enforcement partners all over the world, as all of you know. cybercrime is probably the most international of criminal activity, so we've had to develop relationships and we have great relationships with law enforcement all over the world. we also have great relationships with the private sector who
7:30 pm
helps us in many of our sophisticated cases. frankly, we couldn't do it without the private sector and without foreign law enforcement. because of our collaboration we're really able to identify what are the biggest threats out there, people sometimes say to me isn't cybercrime prosecution really like playing whack-a-mole where you hit one and another will pop up? the criminal division is no longer to the extent we ever were focused on the guy in his basement in his pajamas in bulgaria. we probably are still focusing on some of those people, but if we are it's because they're part of a bigger network and a bigger organization. that's what we're focusing on. we're able to identify what threats should get our priorities and we're really only able to do that because of our collaboration with law enforcement agencies all over the world. we're also able to dismantle infrastructures cybercriminals use to victimize people all over the world. and that collaboration between the private sector, government and governments around the world
7:31 pm
is really critical to our success in this area more than any other area of criminal prosecution. i really want us to not only continue that collaboration but expand on it and enhance it as we go forward. today, i want to impress upon everyone in the room, we need to have a real sense of urgency when we talk about cybercrime. this is a huge problem that's getting bigger every day. cybersecurity weaknesses make all of our companies and many individuals vulnerable. every day, cybercriminals are getting more sophisticated. more organized. we see networks with overlapping personnel committing data breach after data breach. it's really a significant problem, as you all know. it's really robbing people of their sense of personal security, stealing their data, stealing their identities, stealing their intellectual property, and enriching themselves at the expense of people in the u.s., and also all around the world and at the expense of our companies here in
7:32 pm
the u.s. so i'm asking you to continue to work closely with us and to work even more closely with us because we are actually better positioned than we have ever been before to help fight in this problem. we can really bring the intruders on your networks to justice. we can help you better defend your networks. i'm going to talk in a minute about the cybersecurity division we have created to do just that. right now we're in a place where we can't tell you where the next data breach is going to be. we can't tell you who's going to be doing the next major cybercrime attack. we can't stop it so one of the things we're trying to emphasize more and more is we need to prevent it, and the department of justice in creating its cybersecurity unit is trying to be a strong voice in just that space. stepping back a minute, everyone in this room knows that cybercrime is a huge threat, as i just said and i know the director was just here saying it. a couple years ago, trade publications were calling 2013
7:33 pm
the year of the breach. because there were so many data breaches. and more recently publications and others have called 2014 the year of the mega breach. and i can't wait to see what they call 2015. but i don't think it's going to be the year that the breaches stop. in the last year we have seen a series of extraordinarily invasive and damaging data breaches that have targeted some of our largest businesses across the spectrum. they're focused on banks, on all sorts of companies. the victims have ranged from really any company that has personal identifying information that can be monetized and sold, is at risk. is in the cross hairs. that could be a mom and pop tax preparer business. that could be a huge bank. it could be a health care company that has personal health care data. these breaches are really anyone who has this kind of data is vulnerable because it's the data in most cases that the hackers
7:34 pm
are seeking so that they can sell it on the dark markets. one study last summer estimated that the annual loss now to the global economy from cybercrime is about $400 billion. last week, there was a study that said by 2019 that number is going to grow to $2 trillion. just think about that. this is all money that just is flowing out of our system, intellectual property that's being stolen. these numbers are huge and daunting, but it doesn't even count the damage that happens to individuals when their data gets stolen. i don't know if others in the room, but i got my letter from anthem blue cross saying that we're really sorry but we're worried that perhaps your data has been stolen and we were buying insurance for you for a couple years. it didn't make me feel that much better. against the whole backdrop, we have achieved some significant victories. and those victories serve as a reminder that although it's
7:35 pm
complicated and it's on a grand scale, cybercrime is not unsolvable. it's not an unsolvable type of crime. we shouldn't just put our heads down and not try to prosecutor it. in fact, cybercriminals have become more sophisticated around the world, so have we, so have our investigative agencies, so have investigative agencies around the world. we haveare using old fashioned types of investigative work with really cutting edge technical expertise and in collaboration with the private sector in almost all of our cases to really do some things that folks said couldn't be done. one thing that i have heard from a lot of people since i have been in this position is why do you bother to indict these people who are in vietnam or in russia or countries where we can't get the people? and we bother to do it because we actually do get the people. for example, a few weeks ago, we unsealed the indictment of two vietnamese hackers who were responsible for the theft of over a billion personal records
7:36 pm
over a three-year period. last year pursuant to our request from our office of international afears foreign partners arrested a famous -- i should say notorious russian hacker. one day, he was vacationing in the maldives, the next day, he was in jail in seattle awaiting trial. we also successfully extradited another russian hacker who traveled to the netherlands and was arrested by our partners in the netherlands. he was part of a group that was responsible for data breaches at retail stores. where more than 160 million credit cards' identifying information was stolen. in just the last year, we have extradited about a dozen high level cybercriminals from all over the world, including people like the ones i just mentioned who were from countries that we had no reason to expect we would ever get them unless they traveled. the people do travel. they're making a lot of money
7:37 pm
selling these things on the internet. it's a long winter in russia. i don't mean to single out russia, but there are a lot of runt ras we were collaboratively with. that's going to grow because we're not the only victims of cybercrime. all the countries are victims of cybercrime, so i think that the international cooperation is just going to grow because it's really in everyone's interest and this is something that affects everyone. we also are doing other things to try to disrupt the tools that criminals use to carry out their crimes. for example, last summer, with u.s. law enforcement working with foreign partners in more than ten countries, and also with numerous private sector partners, we were able to disrupt the crypto ransom ware game. we faced an extremely sophist kalted type of malware that was designed to steal banking and other credentials from the
7:38 pm
computers that it infected. unknown to the rightful owners of the computers the infected computers became part of a global network or a boughttnet of compromised computers and they were used by the cybercriminals for various purposes but in this instance mainly stealing confidential information and gaining access to financial information such as bank accounts. it was a network somewhere between 500,000 and a million computers worldwide. most of those were in the united states. the network was used to steal hundreds of millions of dollars from mostly relatively small businesses and individuals. a lot of those small businesses were -- had their entire bank accounts wiped out and because their business accounts, they weren't insured. so that's all their money. we saw that over and over again. it's really serious. so it was also a distribution mechanism for the crypto locker ransom ware, which is a form of
7:39 pm
safety ware which would encrypt files on user's computers until they paid a ransom. it affected more than 200,000 computers in a short amount of time, half of which were in the united states. in that short amount of time victims paid more than $27 million to get their computer files unencrypted. that's a lot of money, but it's a particularly staggering amount of money when you know each individual victim was paying about $750. adding up to $27 million in a short period of time shows how serious that was. those are the people who paid the ransom. so that operation was a success. and it was court supervised, as are all of our operations. and it was -- we couldn't have done it, though, without the law enforcement partners overseas and we certainly couldn't have done it without technical support from companies. i'm not going to name them all.
7:40 pm
and as an aside we didn't stop the day we announced the takedown and the shutdown of game over zeus botnet. we continued to pursue the people who are responsible. we have warrants for people's arrest. they announced a $3 million award for information leading to the arrest of a russian national who is the mastermind of the botnet. so it's a long winter in russia and there are also people in russia who might want the $3 million. so we're hoping that that reward will help us get him. again, there are not hundreds of thousands of people out there who are engaged in this kind of activity. there are a relatively small number. a lot of them are known to the fbi, and we are really focused on getting the big people, because as we have seen, and i don't know if the directors said this in his remarks but we see overlapping casts of characters in a lot of the different big data breaches and other problems
7:41 pm
online. so the collaboration we really achieved in game over zeus was the private sector and with law enforcement and many other countries was not an aberration. that is going to be, that is the new normal in our investigations. just a few weeks ago, we dismantled another botnet called b-bones. i don't know who comes up with the names but b-bone and game over zeus is all on the hackers. that particular botnet b-bone, installed fraudulent antivirus ware, and once again the private sector's assistance was critical to the dismantling of b-bone. so i think i've made it very clear that we really appreciate your help. we want your help. but we also want to help you. as anand mentioned last december at the georgetown law school
7:42 pm
campus where i announced the plan to act more closely with the private sector and to work more closely with other government officials in the private sector on the issue of cybersecurity. we recognized that prevention is really important because as i said earlier, we can't foresee when these things are going to happen, and right now at least, we can't stop them in advance. we have to really help people prevent these breaches from happening. so we created a new section called the cybersecurity unit, which was is part of ccips. our reasons were pretty simple, like i said cybercrime and cybersecurity are inextrekably linked to each other. vulnerabilities and hardware software, that's all what facilitates and enables cybercrime. so in creating the unit we hope to use the lessons we have learned and the skills that ccips has developed over the years from investigating and disrupting cybercrime to create useful, real guidance to
7:43 pm
support public and privatee cybersecurity efforts, and also by creating that unit, we were focused on cybersecurity, but this is a concentrated dedicated unit to make sure that cybersecurity gets the constant regular attention it really deserves and warrants. ccips has, as i said, extensive experience already in cybersecurity. this is really going to concentrate that experience in a relatively small group of people. what the cybersecurity unit will do we're already doing it. we have been in effect now for almost six months. they have been analyzing and providing legal guidance on cybersecurity issues. to the extent their implicate federal laws like the wire tap act, working with congress on cybersecurity related legislation priorities. they have been working with the national security council and others in the executive branch
7:44 pm
on various cybersecurity initiatives, and i think most importantly for this audience. they're actively engaged with the private sector and the public at large to address the kind of legal challenges relating to cybersecurity. i'm happy to announce even though it's only been in existence for a few months, the cybersecurity unit has broken a lot of ground. it's been a big hit, there's a big hunger for it. we've been conducting outreach with stakeholders like the private bar. we have been meeting with security researchers, industry groups, in-house counsel trade associations, financial institutions, others in the private sector. i'll give you a couple examples. we recently had a discussion with the center for strategic and international studies with some leading security experts to talk about the subject of active defense. what can companies do? when they're hacked? and we have on our cybersecurity unit's website a summary of that
7:45 pm
discussion, if anyone is nerdy enough to go look at it. i did, so that just says that i'm nerdy. we also learned a lot more as a result of that session about in-house counsel's challenges when they're faced with what really to most in-house counsel is an unfamiliar area, a cybersecurity breach or what to do to prevent a cybersecurity breach. and we, as a result of direct result of the session we've arranged to make a presentation to a group of in-house counsel from our particular sector of the economy. we also learned from that session which defensive measures cybersecurity experts think actually are most effective and actually work. and we're assessing now whether we can have a role in assisting companies in the implementation of some of those measures. we also recently held a roundtable with leading private seconder data breach response
7:46 pm
experts, many of whom were outside counsel representing various companies and it was mobbed and we had to turn people away because there's such a hunger for the issue and such a hunger to understand. we see a lot of in the case of data breaches we see a lot of in-house counsel who are bewilders and don't know what to do. so there's a real demand for that. we had a very robust discussion at the roundtable about various issues including the benefits of prompt reporting of data breaches to law enforcement, and our new attorney general loretta lynch gave the opening remarks at the conference and made clear one of her top priorities as attorney general is to address the problem of cybercrime. the cybersecurity unit has also begun collaborating with other agencies on various regulatory issues. one agency has been the ftc, and the ftc actually just today issued a statement on its website saying that it was i'll read you from the statement, a company that has reported a
7:47 pm
breach and is on the ftc's website, a company that has reported a breach to the proerment law enforcers and cooperated with them has taken an important step to reduce the harm from the breach. therefore, in the course of conducting an investigation, it's likely we view that company more favorably than a company that hasn't cooperated. that's the ftc's statement. after consulting with and coordinating with doj and the cybersecurity unit and i won't speak for the ftc, but from our perspective, we view victims of data breaches as victims. and i think this statement will help show that other enforcement agencies are also willing to view data breach victims as victims. a public example of our work so far in the cybersecurity unit is also on our website, which is a document, a guidance document the best practices for reporting of cyber incidents. this is our first written contribution to the
7:48 pm
cybersecurity discourse, and it's been well received. we got a lot of inquiries about it. that guidance is consistent with our mission overall draws on the experience that our cybercrime experts have, and it draws on input from the private sector and organizations that have handled cyberintrusions and hacking. it also captures some pretty commonsense obvious things that are prudent measures that an organization should voluntarily undertake to prevent and react appropriately to a cybersecurity attack. it provides step by step advice on what a company should do or an organization should do before, during and after a cyberattack. some of the things might seem obvious, and probably will seem obvious to everyone in this room, but what might not be so obvious is many companies including very large companies didn't have these things. they didn't have a plan. they didn't know what to do. they were thinking, and i think
7:49 pm
i'll use sony as an example. i'm not involved in the sony case myself but i don't think sony really thought that they would be vulnerable to the kind of attack that was made on them. i think there are a lot of companies, a wake-up call to a lot of companies. thinking we aren't defense contractors. we don't have to worry. we're not financial institutions. we don't have to worry. every company has to worry. i think that that's really been something that i think has been surprising but helpful, so the plan says what you should do before a cyberattack occurs. it makes what probably seems like an obvious recommendation which again many companies didn't have. you should have a plan. you should have a plan about what you're going to do to prevent this and what you're going to do if it happens. your response plan should identify what are our most important cyber assets? adopt risk management practices within the company to protect the assets, and make sure that you have the right people with
7:50 pm
access to the assets and you've got people who are identified in advance of a breach who are going to be the responders to the breach. you should also develop relationship s relationships also develop relationships with -- before a cyber attack, and a lot of companies are scrambling to do this now. you should develop a relationship with law enforcement. you should probably have an outside counsel in mind who you'll call somebody with an expertise in cyber who you'll call if something happens. so that you'll be ready. the guidance and i'm not going to go into a lot of detail about this right now, but the guidance goes into some detail about what you do if you are attacked and what you do after the attack. one thing that we would say the most important thing from our perspective is that you notify and hopefully you already know that law enforcement person who you already made contact with, that you notify that person. and i know the director probably spoke of that too. but it's really important because we have tools that cyber security vendors don't have.
7:51 pm
we have information that they don't have. we have the ability to do certain things that they can't do. we can tell if we look at data breach a at retailer a, that it's the same people who did retailer b, which the cyber security companies might have more trouble doing because they don't have all the information that we have. these recommendations that are in this guidance are carefully thought out and really are the product are long experience, as well as input from others who have similar experience. and we really hope we see the end of the day where we're called in and we're called into a situation where we're meeting with a totally bewildered company, bewildered counsel who didn't have adequate authority to monitor the networks to help identify intruders didn't know what to do to preserve the data after there was a breach. might have taken measures on their own, which i'll talk about in a second in response to a breach that thwart our ability
7:52 pm
to investigative effectively. so we drafted the guidance. it applies to any organization, but it was really aimed at smaller organizations that are probably less likely to have current cyber security relationships and i think they're probably the most likely to benefit. but i really think it can benefit everyone. and we understand that in cyber security, just as in compliance generally, there's no one size fits all type of plan, you have to tailor everything to your company and your risks. but it's a good starting point. it's also the kind of document that's a living document. we'll be updating it as circumstances change and as we get additional input from others in the field. also, this is just the first document we're putting out. we'll be putting out additional guidance as we go forward. so in addition to what i just described in the guidance the guidance also says what organizations should not do. and consistent with the goals of
7:53 pm
the cyber security unit, we're hoping that the guidance will help steer companies away from what might be their first instinct, which is to engage in defensive measures including the hackback. and i know the director talked about that. hack back at who you think attacked you to harm them or retrieve your stolen data. based on our decades of experience, we think that hacking back can carry serious legal consequences, and also raises significant policy risks. and frankly probably won't get you anything more than just the satisfaction of thinking that you damaged somebody who damaged you. so first let me just talk about our legal position on hacking back. there are some commentators who say that hackback is lawful. that's not our view. our view is that it's not lawful. but even if it were lawful we
7:54 pm
would still recommend against it, because it creates a lot of risk and i think that sound policy considerations also militate against hackback. first, it poses significant risk to innocent third-parties. for example, in many of our investigations, we've seen sophisticated cyber criminals who hijack the infrastructure of innocent third-parties and use that infrastructure to commit their crimes. so when you're hacking back, you might be hacking back into an innocent third-party. cyber criminals also use multiple third-parties. somewhere they might keep their stolen data for later retrieval. so when you hack back you don't really know who you're hacking into. also, as i said earlier, hacking back can interfere with our investigations. it can interfere with our ability to gather data that's important to investigations. that's not a theoretical
7:55 pm
concern. that's happened several times where a company has taken its own actions and we've been unable to piece together the digital trail and we've been hampered in our ability to do that. there's also a very significant risk of dramatic escalation, if you hack back. you don't know who these people are. it could be a sophisticated cyber criminal. it could even be a foreign intelligence service that will have much more powerful, much more destructive capabilities than anything that you have when you attempt to hack back. another issue is that hacking back, first of all our view is it's not legal here, but it's also not legal in some other countries around the world. you may be hacking back into some person or entity who resides in a country so that you're violating the law of another country. and there's also the possibility that whoever you hack back into could mistake your action as an action of the united states government, which would create
7:56 pm
all sorts of other problems from a foreign policy perspective. we also think significantly, another reason why it's not worth it, because it doesn't usually work. it doesn't usually attain the desired result. that's not just us talking. there are a lot of commentators out there. there was recently a christian science monitor where they pooled a group of experts on whether companies should be allowed to hack back and 82% of those said no. we've also gotten similar feedback from cyber security experts at the csis meeting, there were a lot of experts there, and their view is that hacking back is a bad idea. i'm encouraged by the innovative cyber security proposals we've seen out there i think they're going a long way.
7:57 pm
they're increasing security through alternatives to passwords, improving private sector capability to devalue stolen data. so that it's not bad. that the person has it because there's nothing they can do with it. but anything that can defend a network, it's not necessarily a good idea because it might theeretically defend the network, and hacking back, we feel strongly it doesn't work, is a bad idea, and might expose you to legal risks here and overseas. so we're considering now the cyber security unit is considering now whether to offer guidance on defensive countermeasures, not hacking back but other defensive countermeasures that we've been told by cyber security experts are beneficial. and we're also increasing our efforts to make sure that we can act along with our law enforcement partners in a more
7:58 pm
timely fashion when there's a data breach we can respond more quickly. we can respond in realtime. we can respond -- we have international partners, a 24/7 network around the world, and we really want to help stop these data breaches and react to them appropriately when they happen. and we're working to make ourselves as fast and nimble and 24/7 as possible. so i want to finish my speech by just reiterating what i said earlier. everyone in this room everyone in the department of justice who works in cyber security feels the threat. we feel it breathing down our necks. we feel the sense of urgency. we want all of you to have that same sense of urgency. the status quo is not good enough. we've divot to keep up with these people and try to get ahead of them. cyber criminals are doing more and more every day to invade our lives and our homes and to steal our money and harm our businesses. and we really have to find ways to prevent that.
7:59 pm
reacting to it is great. prosecuting is great. we're going to continue to do that we'll continue to put red notices out all over the world if someone travels from russia to the mald eves over vacation. but that won't solve the problem. it can only be solved by prevention and education of companies so that they know what to do and how to prevent an attack and what to do when an attack happens. we have to really find new ways, other than hacking back, to alter the state of cyber security in this country. and i think we can do that, but it's a big job, and it's going to require all of us, the private sector, the public sector, experts from academia. it's going to require everyone for us to fight cyber crime and improve cyber security. i do think we can do it. i think we will do it. and i really look forwarded to working with allful of you to do it. so thank you very much for having me.
8:00 pm
[ applause ] >> thank you. >> may 4 marked the 150th anniversary of president abe ham lincoln's funeral in springfield, illinois. coming up on american history tv here on c-span3, a procession and ceremony reenactment in oak ridge cemetery, the site of lincoln's resting place. but first to springfield's train station where lincoln's funeral trape arrived on may 3rd 1865, after a seven-state journey from washington, d.c. we'll learn about the trip and the stops it made along the way. this is 15 minutes. >> we're here at the train station in springfield, illinois, where the trains run from -- to chicago, originally from chicago to st. louis through springfield. trains that frequently were used by lin


info Stream Only

Uploaded by TV Archive on