Teecht. Deputy Attorney Full General Rosenstein Delivers Remarks At The 2017 Due North American International Cyber Summit

 Detroit, MI

Monday, Oct 30, 2017

Remarks every bit prepared for delivery

Good afternoon.  Thank you, Mr. DeVries, for that really form introduction.

I attended an undergraduate describe of piece of work organisation school, earlier I became a lawyer. So, I sympathize how describe of piece of work organisation people stance attorneys.

One of the most oftentimes quoted remarks mocking lawyers is from William Shakespeare’s play, Henry VI.  You know the line: “The get-go thing nosotros do, let’s kill all the lawyers.”

Fortunately, Shakespeare did non hateful for it to live on taken literally. On the contrary, the remark is intended to live on ironic. The speaker is non a human of affairs upset nearly overregulation. He is a criminal scheming to accept over the government.

Shakespeare’s signal is that without lawyers, nobody would postulate to follow the law. That would live on goodness for criminals. But it would live on bad for business!

The dominion of law is essential to commerce. It allows businesses to motion into contracts, brand investments in addition to projection revenue alongside some assurance nearly the future. It establishes a machinery to resolve disputes, in addition to it provides some grade of protection from arbitrary regime action.

The dominion of law is non exactly nearly words on paper. It depends upon the grapheme of the people who enforce the law. If they uphold it faithfully, the outcome volition live on a high grade of consistency in addition to predictability. Those features create populace confidence, in addition to allow our acre to thrive.

The wishing to alive nether the dominion of law is what motivated the patriots who wrote our Constitution inward 1787.

The dominion of law is non exactly a characteristic of America. The dominion of law is the foundation of America.

One of the finest defenses of the dominion of law appears inward Robert Bolt’s vivid play nearly Sir Thomas More, H5N1 Man for All Seasons. In Bolt’s version, More defends the dominion of law inward an declaration alongside his son-in-law, William Roper.

Roper is angry because More would allow the Devil to create goodness from the protection provided yesteryear the dominion of law.

Roper insists that inward society to destroy the Devil, he would cutting downward every law, if necessary.

More replies, “Oh? And when the concluding law was down, in addition to the Devil turned circular on y'all – where would y'all hide, Roper, the laws all beingness flat?

The signal is that if nosotros permit the dominion of law to erode when it does non direct harm our personal interests, the erosion may eventually eat us every bit well. The dominion of law is non self-executing. If the people lose faith inward it, in addition to hence everyone volition suffer.

I am proud to piece of work alongside Attorney General Jeff Sessions inward the Department of Justice, the executive branch establishment that bears the greatest responsibleness to protect the dominion of law.

President Trump demonstrates his honor for our Department yesteryear appointing officials who defend the dominion of law.

Oct is National Cybersecurity Awareness Month.  This maiden was created a few years agone every bit a collaborative travail betwixt regime in addition to manufacture to enhance awareness nearly the electrical flow in addition to futurity cyber threat landscape.

Summits similar this i are tremendously of import inward edifice relationships of trust betwixt the regime in addition to industry.  I salute Governor Snyder for his leadership inward this critical area.

The urban core of Detroit is synonymous alongside American conception in addition to excellence. It is a privilege to live on hither alongside province in addition to local officials, law enforcement personnel, businesspeople, in addition to entrepreneurs.

You are hither today because of a mutual involvement inward cybersecurity. I would similar to speak to y'all today nearly (1) the compass of the cybersecurity threat that confronts us, in addition to (2) the benefits that nosotros all tin gain from public-private partnerships. I volition also beak over some of the challenges that law enforcement faces inward the electrical flow cyber environment.

First, permit me beak over the compass of the threat.

Whether y'all piece of work for local law enforcement, a utility provider, a hospital, or a pocket-size or large company, y'all postulate to protect your critical infrastructure against cyber infiltration.  The threat that cybercriminals pose to populace entities in addition to private businesses is substantial.  A unmarried intrusion could hateful economical loss, bankruptcy, in addition to inward some cases, loss of human life.

H5N1 recent study predicts that the monetary costs of global annual cybercrime volition double from $3 trillion inward 2015 to $6 trillion inward 2021. Those numbers are staggering; in addition to recent events demonstrate why nosotros postulate to piece of work together to address the growing threat.

Cyber criminals know that a company’s lifeblood is contained inward its networks in addition to the information flowing through those systems.  The concluding few years receive got witnessed a pregnant increase inward criminals using ransomware.

On average, to a greater extent than than 4,000 ransomware attacks receive got occurred daily since Jan 1, 2016.  That is a 300% increase over the exactly about 1,000 attacks per twenty-four hours inward 2015.  According to FBI estimates, ransomware infects to a greater extent than than 100,000 computers a twenty-four hours about the world.

H5N1 few years ago, ransomware attacks were unsophisticated in addition to haphazard attempts yesteryear novice hackers to gain a few hundred dollars, by in addition to large from private users who happened to live on affected.  Today, the attacks are concerted efforts yesteryear sophisticated individuals, criminal enterprises, or nation-states that tin target a hit of habitation users, businesses, networks, or critical infrastructure alongside laser-like precision to crusade widespread damage.

The impairment is economically significant. Estimates of the amount of ransom paid to criminals approach $1 billion annually.  It tin also live on life threatening. Earlier this year, the “WannaCry” ransomware infected hundreds of thousands of computers about the globe, in addition to paralyzed Britain’s National Health Service.

In 2016, hither inward Michigan, the Board of Water & Light brutal victim to a ransomware laid on when an employee erroneously opened an electronic mail attachment containing the virus.

Although the virus affected exclusively the utility’s electronic mail in addition to accounting systems, the Board paid a $25,000 ransom in addition to spent exactly about $2 meg on other remedial measures.  The Board was lucky — many cyber thieves are happy to bag ransom payments without unlocking their victims’ computers.  Moreover, if the virus had genuinely impacted electrical or H2O systems, consumers could receive got lost services for days or weeks.

Three months ago, Michigan’s Caro Community Hospital in addition to its related facilities lost access for exactly about 2 weeks to computers, phones, patient records, in addition to electronic mail services because of a ransomware attack.  Fortunately, no medical devices were direct affected.

But imagine how much to a greater extent than serious the laid on could receive got been.  Many types of machines critical to emergency handling are computers.  MRI machines in addition to ventilators may run software in addition to live on connected to networks.  A targeted in addition to widespread laid on on medical service providers could endanger lives.

State in addition to local law enforcement are non immune from ransomware attacks, either.  Earlier this year, a Texas constabulary subdivision reportedly lost 8 years’ worth of digital evidence after falling victim to a ransomware attack.

Luckily, the subdivision retained copies of most of the lost evidence, hence it appears the number of affected prosecutions should live on relatively small.  The province of affairs could receive got been substantially worse.

Ransomware is non the exclusively cast of cyber threat that nosotros must safeguard our critical infrastructure against. In 2013, a unusual adversary gained access to a dam inward New York.  If the dam’s sluice gate, which controls H2O levels in addition to catamenia rates, had non happened to live on manually disconnected for maintenance, the adversary may receive got been able to remotely operate in addition to manipulate the gate.

Cyber criminals also oftentimes occupation distributed denial of service attacks to grind normal network operations to a halt.  The DDoS threat is specially noteworthy because it volition exclusively grow every bit criminals maintain to leverage Internet of Things devices against us.

H5N1 June 2016 laid on launched against domain call servers used unproblematic Internet-connected devices, such every bit cameras in addition to digital video recorders.  The laid on vividly illustrates how our digital infrastructure tin live on used against us.  Cisco lately predicted a continuing increase inward DDoS attacks, in addition to noted that they tin stand upward for upward to 18% of a country’s total Internet traffic.

Speaking of traffic, driverless automobiles are already on the road. As vehicles drib dead increasingly smarter, interconnected, in addition to automated, the gamble of their occupation inward a cyber-attack significantly rises.

H5N1 March 2016 Government Accountability Office study finds that “remote attacks” on cars could “involve multiple vehicles in addition to crusade widespread impacts including rider injuries or fatalities.”  That type of laid on is especially worrisome because it is scalable. “[C]yber attackers could theoretically accomplish massive attacks of multiple vehicles simultaneously.”  Companies must gear upward for this threat in addition to ensure that the automobiles of tomorrow are built today alongside goodness cyber-defenses.

Every describe of piece of work organisation is responsible for protecting its ain systems against cyber-attacks, in addition to private efforts are unquestionably important.  But unilateral activity is non sufficient to address the growing global cyber threat. That is why public-private partnerships are critical to combatting this problem.

Law enforcement tin assist before, during, in addition to after a cyber-incident. The get-go stair inward safeguarding against cyber-attacks is a goodness defense, in addition to the best fourth dimension to formulate your answer is earlier the incident occurs.

The Department of Justice is hither to help.  On our website, y'all volition detect pamphlets nearly how to “Protect[] Your Networks from Ransomware” in addition to “Best Practices for Victim Response in addition to Reporting of Cyber Incidents.”

Reflecting the lessons federal prosecutors in addition to agents receive got learned piece handling cyber investigations, the documents explicate how y'all tin safeguard your organization’s reckoner systems in addition to networks.  They also depict best practices for responding to a real-time cyber-incident. 

Securing your critical infrastructure against cyber-attack helps both your organization, in addition to the public. When cyber defenses forbid criminal infiltration, the populace wins because critical systems stay operational in addition to available for use.  Similarly, whether your organisation is a large multi-national fellowship or a pocket-size start-up that creates web-connected devices similar doorbells, thermostats, or kitchen appliances, y'all tin play a critical role inward thwarting cyber-attacks yesteryear edifice into your devices mechanisms that secure them against hijacking yesteryear criminals.

But fifty-fifty if y'all accept all reasonable precautions, your organisation may nonetheless autumn victim to a cyber-incident.  If that happens, I urge y'all to instantly notify law enforcement.

I occasionally take away heed that describe of piece of work organisation executives create non experience comfortable reporting cyber incidents to law enforcement.  Undoubtedly, the determination to notify law enforcement of a cyber-attack in addition to to cooperate fully inward an investigation involves a sure as shooting risk-reward calculation weighing the anticipated benefits of a pro-active approach against potential legal, reputational, in addition to other costs.

But I wishing to emphasize how of import it is to study cyber incidents every bit chop-chop every bit possible.  Your actions, together alongside law enforcement’s help, could disrupt in addition to deter those who would launch the adjacent attack.  A collaborative approach volition live on to a greater extent than effective than only trying to avoid becoming the adjacent victim.

Law enforcement provides substantial benefits to victims of cyber intrusions in addition to attacks. We tin assist y'all sympathize what happened; nosotros tin portion contextual information nearly related incidents, thereby helping y'all to create defenses inward instance the intruders return; nosotros tin ensure proper investigation in addition to preservation of evidence; nosotros tin inform regulators nearly your cooperation; in addition to nosotros are uniquely situated to pursue the perpetrators, through criminal investigation in addition to prosecution. In appropriate cases, nosotros also tin pursue economical sanctions, diplomatic pressure, in addition to tidings operations.

Law enforcement agencies employ investigative tools non available to the private sector, in addition to nosotros strive to piece of work cooperatively alongside victims to ensure they are non farther victimized during our investigation.  We also maintain relationships throughout the basis that tin assist us rails downward perpetrators, in addition to convey them to justice.

Even where nosotros may live on unable to arrest or prosecute the hackers, nosotros tin tap into the expertise of other agencies, in addition to deploy tools that hit beyond our borders.

Many cyberattacks are directed yesteryear unusual governments.

When y'all are upward against the armed services or tidings services of a unusual nation-state, y'all should receive got our federal regime inward your corner.

By alerting law enforcement nearly a cyber incident, your organisation performs a populace service; it helps strengthen the cyber defenses of others.  When law enforcement understands the details of an attack, nosotros tin promptly piece of work on trying to apprehend the perpetrator, potentially earlier the adjacent attack.

Even if nosotros cannot chop-chop arrest the hacker, law enforcement tin warn other organizations nearly a potential impending attack, in addition to include details nearly the perpetrator’s modus operandi.  Other entities tin accept additional precautions to safeguard their critical infrastructure.

Law enforcement tin also partner alongside private manufacture to address a job nosotros telephone telephone “Going Dark.”  Technology increasingly frustrates traditional law enforcement efforts to collect evidence needed to protect populace security in addition to solve crime.  For example, many instant-messaging services at nowadays encrypt messages yesteryear default. The forbid the constabulary from reading those messages, fifty-fifty if an impartial justice approves their interception.

The job is especially critical because electronic evidence is necessary for both the investigation of a cyber incident in addition to the prosecution of the perpetrator.  If nosotros cannot access information fifty-fifty alongside lawful process, nosotros are unable to create our job. Our mightiness to secure systems in addition to prosecute criminals depends on our mightiness to assemble evidence.

I encourage y'all to carefully catch your company’s interests in addition to how y'all tin piece of work cooperatively alongside us.  Although encryption tin assist secure your data, it may also forbid law enforcement agencies from protecting your data.

Encryption serves a valuable purpose. It is a foundational chemical cistron of information security in addition to essential to safeguarding information against cyber-attacks. It is critical to the growth in addition to flourishing of the digital economy, in addition to nosotros back upward it. I back upward strong in addition to responsible encryption.

I simply maintain that companies should retain the capability to render the regime unencrypted copies of communications in addition to information stored on devices, when a courtroom orders them to create so.

Responsible encryption is effective secure encryption, coupled alongside access capabilities. We know encryption tin include safeguards. For example, at that spot are systems that include primal administration of security keys in addition to operating scheme updates; scanning of content, similar your e-mails, for advertising purposes; simulcast of messages to multiple destinations at once; in addition to key recovery when a user forgets the password to decrypt a laptop.  No i calls whatever of those functions a “backdoor.” In fact, those really capabilities are marketed in addition to sought out.

I create non believe that the regime should mandate a specific agency of ensuring access. The regime does non postulate to micromanage the engineering.

The inquiry is whether to require a particular goal: When a courtroom issues a search warrant or wiretap society to collect evidence of crime, the fellowship should live on able to help.  The regime does non postulate to concur the key.

Let me closed yesteryear thanking y'all for inviting me to speak, in addition to for your commitment to improving cybersecurity.

The cyber threats that nosotros aspect outcry out for effective public-private partnerships. You receive got my commitment that the Department of Justice volition piece of work alongside y'all to aspect upward them.  I promise that nosotros tin count on each of y'all to create the same.