Attorney General Loretta E. Lynch Delivers Remarks at RSA Conference on Cybersecurity
San Francisco, CA United States ~ Tuesday, March 1, 2016
Remarks as prepared for delivery
Good afternoon, and thank you for that warm welcome. I want to thank the organizers of this conference for making this important gathering possible. It is a pleasure and a privilege to share this room with so many innovative professionals and knowledgeable security specialists. I am excited to have the opportunity to speak with you today. Twenty-five years ago – long before words like “smartphone” and “WiFi” became part of our everyday vocabulary – the RSA Conference was founded on the belief that technological innovation presents not only extraordinary opportunities, but also unprecedented challenges – and that overcoming those challenges would require bold thinking and close cooperation. In the quarter century since that inaugural meeting, the RSA Conference has played a key role in spurring groundbreaking conversations, catalyzing new ideas, and forging the lasting partnerships that ensure our capacity for developing technology is matched by our ability to protect it.
Of course, as long as humans have shared information with one another, other humans have sought to block, steal, and tamper with that data. But information – and the technology that stores and transports it – has never been more important to our society, and so the task of securing it has never been more urgent, or more challenging. Today, we rely on digital technology for functions as routine as watching movies and buying groceries, and as consequential as distributing electricity and directing our military – and in the years to come, our use of this technology will only grow and develop further. We are in the midst of an exciting and revolutionary transformation that is undoubtedly making our lives more convenient and our society more efficient. But it has also opened new avenues for a variety of wrongdoers, from thieves and hackers to terrorists, other violent extremists, and state-sponsored actors. These criminals rely on virtual methods to inflict material damage – and as several high-profile incidents have reminded us in recent years, online adversaries pose significant threats to our personal privacy, our economic property, and even our national security.
As the cabinet agency entrusted with the enforcement of America’s laws, the protection of the American people, and the defense of American ideals, the Department of Justice has a special responsibility to address these threats, and we’re working on a number of fronts to meet the law enforcement challenges of the 21st century. We have used a host of tools, including criminal prosecution, sanctions, designations, and diplomatic options. The FBI’s Cyber Division investigates and monitors digital intrusions and security risks around the clock, and each of its 56 field offices operates a Cyber Task Force to help bolster our resilience at the state and local levels. The bureau also leads the 19-agency National Cyber Investigative Joint Task Force, which President Obama established in 2009 to coordinate the government’s response to online dangers. Each of the 93 United States Attorneys – from every state and territory – prosecutes cyber crimes and interfaces with corporations and public assets on cybersecurity and preventing cyber intrusions. Our Criminal Division recently formed a cybersecurity unit staffed by experienced prosecutors knowledgeable in the law, policy, and practice of cybercrime prevention. The National Security Division has created the nation-wide NSCS Network, which consists of over 100 specially trained federal prosecutors in every jurisdiction, who combat online threats to our national security. And our Bureau of Alcohol, Tobacco, Firearms, and Explosives has created an Internet Investigations Center where federal agents and lawyers work to counter illegal online firearms trafficking.
These are just a few of the ways that we’re investigating and disrupting a wide range of cybercrimes and threats. But the Internet doesn’t stop at the water’s edge; it crosses borders and transcends boundaries, which is why we are committed to working closely with our partners overseas to promote global cybersecurity. One of our most invaluable allies in that effort is the European Cybercrime Center, or EC3 – the European Union’s central cybercrime coordinating body. In November 2014, we joined with EC3 to launch Operation Onymous, which shuttered a number of so-called “dark market websites” peddling drugs, weapons, stolen credit card data, fake passports, and computer-hacking tools. This past July, we joined with EC3 to shut down the Darkode hacking forum – an underground site where hackers bought, sold, and traded malicious software, botnets, intrusion tools, and stolen personal information. That operation, spearheaded by the U.S. Department of Justice and EC3, involved a coalition of 20 nations, and led to the charge, arrest, or search of 70 Darkode members and associates around the world. We continue to work with EC3 and other international organizations to root out dangerous hackers, data thieves, and other malicious actors who seek to breach secure spaces of the Internet for their own destructive purposes.
Beyond our focus on specific cases, we’re also working to adapt international criminal justice processes to function more efficiently and effectively in the digital age. Recently, for example, we have been working to find ways to streamline the way we and our allies can access electronic evidence across borders. When our allies investigate criminal activities abroad, they increasingly require access to electronic evidence from American companies that are providing internet communications services to their citizens and residents. Our companies may face conflicting legal obligations when those governments require them to disclose electronic information that U.S. law prevents them from disclosing. In addition to harming our allies’ efforts to investigate terrorism and other serious crimes, this puts our companies in a difficult position: either they comply with a foreign order, and risk a violation of American law – or they refuse to comply, and risk a violation of foreign law. We have given a great deal of thought to how we can alleviate these burdens, advance public safety, and protect privacy and civil liberties.
Today, I am pleased to report that we have begun negotiations with the United Kingdom to establish a new framework that would permit UK authorities to access electronic communications directly from American companies where the investigation targets accounts not used by Americans or people in the United States. To qualify, the UK government would have to agree to a number of provisions designed to protect privacy and fundamental rights, and a UK order would have to comply with UK law. This agreement would release American companies from conflicting legal obligations in clearly and carefully defined circumstances. It would help one of our oldest and closest allies perform high-priority criminal investigations that keep its citizens safe – and many of which, in our age of transnational crime and terrorism, also further American interests. It would provide reciprocal benefits for U.S. government requests to UK companies, which could help U.S. investigations in the years ahead. And, if it proves successful, it could be replicated with other countries, if – and only if – their laws adequately protect privacy and civil liberties, potentially encouraging other nations to improve their laws and enhance privacy protections in order to obtain the benefits of this arrangement.
This new framework would require action from Congress in order to take effect, and we will continue to engage with communications companies, civil society groups, and academics as we move forward. But based on our conversations and collaboration so far, I am hopeful that we can take an important step forward that benefits security, commerce, international cooperation, and privacy.
Of course, our partnerships are not limited to government agencies. In addition to standing alongside our global counterparts, we’re committed to working closely with the private sector – particularly tech leaders right here at home. Even over the last few years, we’ve used those partnerships to protect information systems and address cyber threats. From our groundbreaking Coreflood operation – in which we were able to free hundreds of thousands of computers from criminal control with the help of private experts and additional network security companies – to our takedown of the infamous financial botnet known as GameOver Zeus, we have consistently worked side-by-side with private-sector security experts like the people in this room to halt technologically sophisticated crimes and bring perpetrators to justice. We have also created new channels for information sharing and cooperation with the private sector to help us detect, deter, and disrupt cyber threats. Cases like the Sony intrusion, in which we publicly named – for the first time – the nation-state responsible for a destructive attack on an American company – demonstrate the power of reporting.
The Justice Department’s relationships in this area form an important part of our ability to do our best work. There is no doubt that America’s technology sector represents one of the greatest repositories of ingenuity and innovation in history, and those of us responsible for protecting the American people in a time of increasingly sophisticated threats would be remiss if we did not seek the assistance of experts like the ones gathered in this room. That’s why we’re reaching out and collaborating with you and your companies in a number of ways, including through the FBI’s InfraGard partnership; the National Cyber Investigative Joint Task Force’s regular consultations with the private sector; and my own frequent meetings with industry leaders to identify emerging threats, and, whenever possible, to devise productive solutions to pressing issues.
In fact, just last week, the Department of Justice hosted a group of experts from some of America’s foremost tech companies for a discussion about how we can work together to more effectively counter violent extremism. That conversation followed a number of other gatherings that examined ways to deny criminals and terrorists the safe harbors they seek in the recesses of the Internet and hidden corners of our networks. As you know, the Going Dark problem is a very real threat to law enforcement’s mission to protect public safety and ensure that criminals are caught and held accountable. We owe it to victims and to the public whose safety we must protect to ensure we have done everything under the law to fully investigate terrorist attacks and criminal activity on American soil.
That is a goal that I know we all share. I know that neither our technology companies nor their leaders have any sympathy for the terrorists or criminals who target Americans. And the Department of Justice will never sacrifice the safety of the American people or the ideals that we all cherish. As recent events have made clear, the stakes aren’t theoretical; they bear directly upon our public safety and our national security. That’s why conversations like this one are so important: they help us “connect to protect” American infrastructure, American networks, American values, and American lives. I want you to know how much I appreciate your support in that endeavor, and I look forward to continuing a frank dialogue and a fruitful partnership with this industry in the months ahead.
Of course, we won’t always find ourselves on the same side of every issue – after all, the challenges raised by modern technology are complex, and I have no illusions that they will soon become any simpler. As we venture further into the digital age, the questions we grapple with will only become more difficult, more intricate, and more intertwined. In order to surmount the obstacles we will surely encounter, we don’t necessarily have to be locked in perpetual and perfect agreement – but we do have to be engaged in open dialogue, so that we can draw upon each other’s resources, hear each other’s concerns, and learn from each other’s perspectives. That’s how we spur new ideas, forge better solutions, and find the way forward. That’s how we strengthen our defenses, prevent damaging crimes, and bring wrongdoers to justice. And that’s how we move closer to our shared goal of ensuring that as the American people reap the benefits of innovation, they continue to enjoy the full protection of the law.
That goal will remain one of my top priorities as long as I am Attorney General, and I will continue to rely on your vision, your commitment, and your cooperation in the months ahead. I am confident that together, we can achieve a future that is brighter, safer, and more prosperous for every American. Thank you.