DOJ’s Cyber-Digital Task Force Report Touches IoT, Critical Infrastructure, Supply Chain Risk, and More
On July 19, 2018, Deputy Attorney General Rod Rosenstein gave remarks at the Aspen Security Forum. He announced the release of the Report of the Attorney General’s Cyber-Digital Task Force.[1] To combat “malign foreign influence operations” the Department of Justice (DOJ) announced a new policy framework for determining how to alert Americans of foreign influence campaigns. In the Report the Department outlines its authorities and challenges and makes recommendations which will raise expectations for the private sector including companies in the Internet of Things (IoT) ecosystem.
Background:
On February 16, 2018, Attorney General Jeff Sessions released a memorandum establishing the Cyber-Digital Task Force.[2] The Task Force was directed to review DOJ’s role in defending against global cyber threats and propose strategies to secure and strengthen the digital ecosystem. The Report included collaboration with relevant federal agencies.
In his memorandum, the Attorney General noted, “[w]hile computers, smart devices, and other chip-enabled machines—as well as the networks that connect them—have enriched our lives and have driven our economy, the malign use of these technologies harms our government, victimizes consumers and businesses, and endangers public safety and national security.”[3]
Wiley Rein has watched this effort closely and commented on[4] what the Task Force’s priorities could be.[5]
Remarks on The Cyber-Digital Task Force Report:
The Deputy Attorney General reaffirmed that the digital infrastructure of the United States is under attack. Malicious actors target government, critical infrastructure, businesses, and individuals. He emphasized that combatting cybercrime is a top priority for DOJ. At a high level, the 144-page Report notes that it is essential for the Department to adapt continually—in strategy, collaboration, and with its authorities—to prevent, respond to, and recover from cyber attacks impacting the nation.
The Task Force’s Report described the threats facing America, including:
- DDoS and ransomware;
- Theft and weaponization of data (personal information and intellectual property);
- Cyber-enabled fraud;
- Threats to personal privacy;
- Attacks on critical infrastructure—including energy and transportation systems and telecommunications networks; and
- Malign foreign influence operations.
Rosenstein’s remarks focused on the sixth topic.[6] Citing recent public statements from the Director of National Intelligence, Rosenstein emphasized that threats to our country are “persistent, pervasive, and meant to undermine democracy on a daily basis.” He noted that malign foreign influence operations—like Russian interference in the 2016 election—can consist of five different types of operations, including:
- Targeting election infrastructure – such as voter registration and tallying systems.
- Targeting political organizations, campaigns, and political officials.
- Offering to assist political campaigns or officials.
- Covert influence – using disinformation and propaganda to sow political discord and civil unrest.
- Overt influence – using foreign media outlets or lobbying efforts.
This sort of threat requires a uniform and strategic approach across all federal government agencies. But other sectors must also engage in their response: state and local governments must secure and harden the election infrastructure; technology companies need to protect their platforms; public officials and campaigns need to respond; and citizens need to understand the playing field.
Rosenstein highlighted ways in which law enforcement investigations and intelligence play a major and increasing role in tracking, arresting, and prosecuting cyber criminals. He also outlined efforts and strategies various sectors can use to combat malign foreign influence operations. Technology companies, for example, can consider the voluntary removal of accounts and content that violates their terms of service and targets their users.
The Report emphasizes the resources that DOJ is deploying to combat cyber-enabled threats and cybercrime. It features recent cases as examples of enhanced prosecution and takedowns, noting that DOJ has and will continue to “pursue[] charges not only against criminals seeking monetary gain, but also against nation-state actors engaged in economic espionage through cyber means.”[7]
Private Sector Takeaways:
The Costs of Cybercrime. The Report highlights the enormous economic losses attributable to the theft of intellectual property. “The Commission on the Theft of American Intellectual Property has estimated that the annual cost to the U.S. economy through the theft of trade secrets, and through counterfeit goods and pirated software, exceeds $225 billion and could be as high as $600 billion.”[8]
Threats to Critical Infrastructure. The Task Force outlines cyber-enabled threats to critical infrastructure and the role of the private sector. Critical infrastructure “sectors[9] are highly reliant on IT systems and networks. As such, threats targeting critical infrastructure deserve particular attention.” While “[i]ncreased connectivity has helped U.S. companies manage and monitor their businesses…it also has made critical infrastructure vulnerable to cyberattack.” “Because private entities own and operate the vast majority of the Nation’s critical infrastructure, the FBI works to make threat information available to affected sectors through briefings and widely distributed technical alerts developed jointly with DHS.”[10]
Calls for Greater Collaboration from the Private Sector. The private sector as a whole will experience increased expectations to participate in information sharing programs and collaborate with government on cyber incidents. The Report states that “[i]n the coming months, the Department should engage in a more extensive evaluation of our work with the private sector by seeking specific input from private sector participants. Where appropriate, we will make recommendations to enhance these collaborative efforts, including with regard to information-sharing, threat and incident notification, data breach notification standards, and frameworks for joint disruptive efforts, such as botnet takedowns.”[11] Looking ahead, “the Department must deepen these relationships, particularly as technology evolves and the cast of service providers and technology manufacturers continues to change.”[12]
Incentivizing Information Sharing. Noting that information sharing is “most effective when it flows two ways,”[13] DOJ does recognize some existing challenges. “Victims—especially businesses—often decide not to report cyber incidents for a variety of reasons, including concerns about publicity and potential harm to the company’s reputation or profits, and even concerns of retaliation by a nation state where they wish to do business.”[14] “To facilitate reporting, the Department should consider not only how to build deeper trust with the private sector, but also understand and address the private sector’s needs and concerns related to reporting. This assessment should include understanding how best to incentivize reporting as well as how to eliminate obstacles or barriers.”[15] Further, “the Department should continue to work with the agencies that regulate the private sector to evaluate expectations and encourage clear thresholds for reporting.”[16] DOJ suggests that a national data breach standard would simplify the current patchwork of more than 50 state and territorial reporting requirements.
The IoT Ecosystem Needs to be More Secure. The Report notes that “recent staggering growth in Internet-connected consumer devices—the so-called ‘Internet of Things’—has allowed malicious actors to build botnets from under-protected IoT devices to launch DDoS attacks.”[17] It also notes some difficulties DOJ faces in combating these networks: “criminals running botnets often are located abroad, which further protects them due to the numerous challenges the Department faces in investigating foreign threats: limited access to digital evidence; delays caused by reliance on mutual legal assistance processes; and the possibility of safe haven from arrest or prosecution in their country of residence.”[18] DOJ has had successes in taking down and disabling botnets through arrests and prosecutions. It also leverages other civil, criminal, and administrative authorities, including civil injunctions, temporary restraining orders, and informing owners about an infection.[19] But the Department also identifies several authorities which could be expanded to enhance its capabilities.
Emerging Technology Issues: Connected-Cars, UAVs, and Cryptocurrency. “The Department must ensure that its continued recalibration of efforts and resources not only aims at the major threats of today, but also prepares it for the emerging threats of tomorrow…For example, the Department should continue evaluating the emerging threats posed by rapidly developing cryptocurrencies that malicious cyber actors often use, and autonomous vehicle technology, which has both ground and aerial applications (e.g., unmanned aircraft systems).”[20]
Reducing Barriers for Security Researchers and Organizations. Increased collaboration is expected across the entire ecosystem, but DOJ recognizes that there are some limits and concerns when cooperating with law enforcement. “To ensure the Department maintains and fosters a positive, collaborative working relationship with computer security researchers [including organizations with expertise in computer security], the Department should consider potential legal options to encourage and protect legitimate computer security research.”[21] It notes that DOJ has “submitted input to the Copyright Office in support of extending and expanding the current security research exemption, with caveats intended to protect public safety and avoid confusion over legal research activities.”[22]
Addressing Foreign Investment and Supply Chain Risk. DOJ reviews foreign investment and acquisitions through the Committee on Foreign Investment in the United States (CFIUS). The “enforcement of existing technology transfer controls, and other interagency efforts will be necessary to tackle risks from foreign investment in sensitive industries and technologies.”[23] DOJ is also “concerned with hardening supply chains. Technology supply chains are especially vulnerable, because the hardware components and software code that go into technology products often come from foreign sources, including developers in Russia and China.”[24] To mitigate these threats DOJ participates in Team Telecom, to “consider the law enforcement, national security, and public safety implications of applications for licenses from the Federal Communications Commission.”[25] Moving forward, DOJ states it “should continue to engage with these and other interagency efforts to determine the best ways to strengthen defenses against national security risks.” We expect national security reviews of international investments and supply chain components to rise.
Conclusion:
The Cyber-Digital Task Force Report outlines DOJ’s role in securing the digital ecosystem, but it also emphasizes the important role that all sectors play in responding to emerging cyber threats. Expectations are on the rise for the private sector. The Report indicates DOJ leadership is open to collaboration on policy and tactical issues including legal barriers and cooperation on particular incidents and cases. Offices within DOJ have expressed interest in working with the private sector to address remaining obstacles to cooperation.
[1] Available at: https://www.justice.gov/ag/page/file/1076696/download.
[2] Office of the Attorney General, DOJ, Memorandum for Heads of Department Components: Cyber-Digital Task Force (Feb. 12, 2018), https://www.justice.gov/opa/press-release/file/1035457/download.
[3] Id. at 1.
[4] See Megan Brown: DOJ plays ‘important role’ in cyber security, partnerships with agencies, Federal News Radio (Mar. 22, 2018), https://federalnewsradio.com/federal-drive/2018/03/megan-brown/.
[5] Megan Brown & Michael Diakiwski, What The DOJ Cyber Task Force Can Do, Law360 (Feb. 23, 2018), available at https://www.wiley.law/article-What-The-DOJ-Cyber-Task-Force-Can-Do.
[6] Full remarks are available at: https://aspensecurityforum.org/media/live-video/
[7] Report at 30.
[8] Report at 28.
[9] Presidential Policy Directive 21: Critical Infrastructure Security and Resilience identifies 16 sectors: Chemical, Commercial Facilities, Communications, Critical Manufacturing, Dams, Defense Industrial Base, Emergency Services, Energy, Financial Services, Food and Agriculture, Government Facilities, Healthcare and Public Health, Information Technology, Nuclear Power, Transportation Systems, and Water and Wastewater Systems. See https://www.dhs.gov/critical-infrastructure-sectors.
[10] Report at 34.
[11] Report at 125.
[12] Report at 109.
[13] Report at 111.
[14] Id.
[15] Id.
[16] Report at 111-112.
[17] Report at 37.
[18] Id.
[19] See Report at 70-71.
[20] Report at 126.
[21] Report at 110.
[22] Id.
[23] Report at 113.
[24] Id.
[25] Id.