Good afternoon. I’m Matt Olsen and I am the Assistant Attorney General for National Security at the United States Department of Justice.
I’m very pleased to be here at CyCon. Thank you to Lucas for moderating this panel, to my esteemed fellow panelists, and to the NATO Cooperative Cyber Defense Center of Excellence for hosting this important conference.
This is a crucially important moment for us to gather together, as NATO allies and our partners beyond the alliance. I know for all of us the crisis in Ukraine is front of mind, in particular the inspiring bravery of the Ukrainian people who are fighting to defend their families, their homes, and their democracy.
It is a profound reminder of our shared values and commitments, as we discuss difficult and important legal and policy questions over the course of this conference.
I will begin with a brief background about the U.S. Justice Department and our role in the law enforcement and intelligence communities, focusing on cybersecurity. I will then talk about the cyber threat landscape from our perspective, and how the U.S. is responding.
As many of you know, the Department of Justice is the primary agency responsible for enforcing federal laws in the United States.
There are different parts to the Department of Justice. There is Main Justice in Washington, D.C., where I work, along with the Attorney General and department leadership. We also have 94 United States Attorneys’ Offices throughout the country, which are responsible for prosecuting cases within their districts. DOJ includes our leading investigative agency, the Federal Bureau of Investigation, as well.
Within DOJ, I am the head of the National Security Division. NSD was created in 2006 to lead and integrate DOJ’s core mission of combatting terrorism, espionage, and other threats to U.S. national security.
We play a key role in bridging the federal law enforcement and intelligence communities.
Today, many of our gravest national security threats manifest in cyberspace. The National Security Division is responsible for going after malicious cyber activity by nation-state actors and their proxies. This is an area where we have seen a dramatic increase in the complexity and intensity of threats.
I’ll talk a little bit about what we are seeing in terms of the threat landscape.
It will not come as a surprise to this audience that we see nation-states and their proxies increasingly use cyber-enabled means in ways that threaten our democratic and economic institutions. These include efforts:
- To steal technology, trade secrets and intellectual property,
- To amass personal information about U.S. citizens,
- To exert malign and covert influence over our democratic processes, and
- To hold our critical infrastructure at risk to destructive or disruptive attacks.
We face threats from multiple adversaries, including China, Iran, North Korea, and Russia.
Here are just a few examples:
Last year, the government of China engaged in a malicious cyber campaign exploiting vulnerabilities in the Microsoft Exchange Server in order to compromise victims in a massive operation that resulted in significant remediation costs for its mostly private sector victims.
Iranian government actors have interfered with the systems of a broad range of victims in critical infrastructure sectors.
And North Korean actors have robbed cryptocurrency exchanges and central banks alike, stealing hundreds of millions of dollars and evading international sanctions designed to limit their weapons programs.
At DOJ, we’re particularly focused right now on the cyber threat from Russia.
Take the recent cyberattack on satellite internet systems in Europe.
As Russian troops moved into Ukraine during the early hours of February 24, satellite internet connections were suddenly disrupted.
Russia’s cyberattack against the satellite’s ground infrastructure plunged tens of thousands of people in Europe into internet darkness. According to public reports, this hit part of Ukrainian defenses.
A month later, thousands of people in Europe were reportedly still offline, and this includes 2,000 wind turbines in Germany.
In the U.S., the FBI issued a warning that — given the geopolitical situation — satellite communications providers should take steps to increase their cyber defenses.
That’s just one of numerous recent examples. Russia’s Solar Winds attack last year compromised tens of thousands of networks globally, including those of U.S. federal, state, and local governments.
And we are bracing for the possibility of more attacks. The White House recently reiterated the warning of the potential for Russia “to conduct malicious cyber activity against the United States, including as a response to the unprecedented economic costs we’ve imposed on Russia alongside our allies and partners.”
The Department of Justice is working with law enforcement partners and the private sector to prevent and respond to threats. We are determined to hold accountable those who target and attempt to destroy the computer systems that support our critical infrastructure.
Our strategy is to use all the legal tools and authorities we have available.
One of our core authorities is the enforcement of U.S. criminal laws and we continue to aggressively investigate and prosecute individuals for malicious cyber activity.
We do this because it is essential to hold these individuals accountable, and because it is one way we can inform the public about the nature of the threats we face.
In March, we announced charges against four Russian nationals who worked for the Russian government for their involvement in two campaigns targeting critical infrastructure in the energy sector between 2012 and 2018.
One case charges a Russian national and member of a Russian military research institute with a multi-year effort to hack into the industrial control systems of companies overseas and in the United States. The goal was to physically damage the safety functions of these systems.
In the other case, the US charged three Russian intelligence officers with targeting software and hardware control systems of companies in the energy sector to gain surreptitious and persistent access.
This is the kind of activity that vividly demonstrates the intent and capability of the Russian government — it has global reach and ambition.
So that is one benefit of these indictments. It isn’t the only one. Just because we haven’t arrested anyone to date, doesn’t mean we won’t. We have very long memories at DOJ and the FBI, and we can be patient when necessary.
But we know that prosecutions are only part of what the DOJ can contribute and that we must utilize all our law enforcement tools to disrupt and deter cyber threats.
This is why even where arrest is unlikely, the department prioritizes the disruption of criminal activity that poses a threat to national security through other legal tools like search and seizure.
Recently, DOJ has taken more proactive steps to disrupt nation-state cyber threats before a significant attack or intrusion can occur and using tools beyond traditional criminal charges.
For example, I mentioned earlier the exploitation of the Microsoft Exchange Server zero-day vulnerabilities by a Chinese government hacking group known as Hafnium. That happened in March of last year.
Through the vulnerabilities, Hafnium actors were able to place web shells on mail servers, which allowed for access to the content of the mail servers as well as the ability to place further malicious files.
While private sector mitigation efforts had some success, nearly a month after the vulnerabilities were disclosed, hundreds of web shells remained on certain U.S.-based computers running Microsoft Exchange Server software.
So, in April 2021, the Justice Department obtained authorization from a federal court to conduct an operation to remove Hafnium’s remaining web shells, which could have been used to maintain and escalate persistent, unauthorized access to U.S. networks.
And a few weeks ago, we carried out a significant court-authorized operation to disrupt a global botnet that had infected thousands of computers.
We had identified malware connected to the Russian military intelligence organization, the GRU — malware known as Cyclops Blink.
We then obtained legal authorization to remove the malware from the command-and-control (C2) level infected devices and change their firewall rules to prevent remote access to manage the devices. This prevented the malicious actors from accessing the C2 devices which, in turn, prevented them from managing and using the bot level devices.
This technique did not involve any communications with the bot level devices, although it disrupted the malicious actors’ ability to communicate with them.
This operation is a very good example of how we are leveraging our existing legal authorities in new ways to empower operational activity with real impact.
Those are examples of how we seize criminal instrumentalities as part of our all-tools approach. We also rely on civil forfeiture authorities and targeted sharing of unclassified threat intelligence gathered as a result of our investigations.
We also recognize that law enforcement tools are only one part of a government-wide response. We see a force multiplier effect when we use DOJ’s unique authorities in conjunction with the specific tools of partner agencies – for example, pairing DOJ criminal charges with Treasury Department sanctions.
Similarly, the U.S. government response is most impactful when we coordinate our actions with the private sector and foreign partners to empower technical operations, leverage sanctions and trade remedies, and join in diplomatic efforts with like-minded countries.
Those examples really only scratch the surface of the work of the Justice Department in this space, and I would be happy to talk more about our approach later.
These remarks were delivered on June 2, 2022, by Matthew G. Olsen, assistant U.S. attorney general for national security at the NATO Cooperative Cyber Defense Center of Excellence in Tallinn, Estonia.