Just in time for Russia’s invasion of Ukraine and the cyber attacks that inevitably will follow, the Justice Department is promising to use “disruptive action” against cyber criminals, even if those actions jeopardize the department’s chance for future charges and arrests.
So said deputy attorney general Lisa Monaco on Thursday, speaking at the annual Munich Cybersecurity Conference. Monaco gave a wide-ranging speech talking about how the Justice Department is expanding its ability to address cyber attacks, with ample attention paid to holding attackers accountable. Her remarks about efforts to prevent attacks, however, were the show-stopper:
Moving forward, prosecutors, agents and analysts will now assess — at each stage of a cyber investigation — whether to use disruptive actions against cyber threats, even if they might otherwise tip the cybercriminals off and jeopardize the potential for charges and arrests … We should consider the use of all available tools. When I say all tools, I mean disruptive capabilities, sanctions and export controls. I mean not just those at the disposal of our government but also those of our international and private sector partners.
She went on to say that the Justice Department will “deploy forward Justice Department personnel to work directly with our partners, such as at the U.S. Cyber Command and elsewhere, to achieve unity of purpose and unity of action.” She compared the damage from cyber attacks to that of a terrorist attack like Sept. 11.
“Success is not prosecuting terrorists after an attack when families are grieving and their loved ones have been lost,” Monaco said. “It may be necessary, to be sure; but success is preventing that attack in the first place. We need to apply that same thinking to our cyber investigations.”
Um, wow. I applaud the bold promises, and more aggressive action against cyber attackers is both welcome and long overdue. That said, compliance and risk management professionals need to remember that when Monaco says the department will include “private sector partners” as part of the effort to intercept cyber attacks — she means you. She’s talking about enlisting Corporate America into service against this scourge.
Monaco also spoke about the Justice Department’s efforts against ransomware. This is another area where corporate compliance and legal departments need to pay attention, since you’re the victims of those attacks and you’re the ones paying the ransoms.
“Ransomware and digital extortion, like many other crimes fueled by cryptocurrency, only work if the bad guys get paid — which means we have to bust their business model,” Monaco said.
That does not mean the Justice Department will start taking action against companies that pay ransomware attackers, although clearly the department is not thrilled that many victims do indeed pay up. Instead, Monaco continued the department’s long-term charm offensive, asking companies to report the attacks and work with law enforcement — both to chase down the attackers, and perhaps even to get your money back.
“The currency might be virtual but the message to companies is concrete,” Monaco said. “If you report to us, we can follow the money and not only help you, but hopefully prevent the next victim.”
That’s very much in step with other messages we’ve heard from the Biden Administration. For example, last year the White House issued an executive order on cybersecurity that requires government contractors to report ransomware attacks. Other Justice Department officials have warned the corporate sector that if the ransom you pay is later found to have gone to terrorists or to sanctioned jurisdictions such as North Korea or Iran, then yes, you may indeed face liability for paying the ransom.
Most of Monaco’s ransomware remarks, however, were about how the Justice Department is building up its ransomware enforcement capacity. The department has busted up several ransomware operations overseas within the last year, and also formed a National Cryptocurrency Enforcement Team last year. (The department just named one of Monaco’s aides as the first full-time director of that team.)
Compliance Program Implications
Compliance and legal teams have a few points to ponder here. Above all, companies need to consider the changing relationship they might have with law enforcement, as law enforcement pursues cyber criminals more forcefully — because you are the pawns in that larger struggle.
For example, when Monaco talks about using export or sanctions controls to thwart cyber criminals, that could mean tighter restrictions on the export and sale of your products; you’d need to ensure that your export compliance capabilities can rise to that task. When the Administration talks about ransomware victims cooperating with law enforcement, that will mean cooperating all the way to the end, perhaps providing evidence and testimony to support indictments against the perpetrators.
Cooperation is not a bad thing, but a company should be clear-eyed about what “cooperation” really means and have policies and procedures in place to act in an efficient, intelligent manner. You don’t want some IT manager in a far-flung operating unit calling the feds without telling senior managers, only to discover that act many months later when the Justice Department asks for forensics and depositions. Your incident response plan should say who is authorized to contact law enforcement, who must be told when that happens, and how logs and forensic images are to be preserved so that evidence is usable if a case is ever brought.
The bottom line is that these Justice Department pronouncements, as welcome as they might be, are changes to cybersecurity practice that could in turn change your compliance, operational, and litigation risks. You’ll need to anticipate that, rather than be caught flat-footed.