Assistant Attorney General John P. Carlin Delivers Keynote Remarks at Intellectual Property Protection and Cybersecurity Roundtable at Iowa State University
Ames, IA United States ~ Wednesday, March 30, 2016
Remarks as prepared for delivery
Thank you for that introduction, [U.S. Attorney] Kevin [Techau].
And thank you for inviting me to speak today about the national security threats facing our nation. This event comes on the heels of a landmark week for the department’s national security cyber program, and I want to start by saying a few words about our strategy and recent successes in this space.
For many years, nation states and their affiliates enjoyed what they perceived to be a cloak of anonymity when acting in cyber space. A cloak they hid behind to break our laws through cyber intrusions and to threaten our security and economic well-being. They had this perceived cloak because they thought we couldn’t figure out who did it and, if we did figure it out, we would keep it a secret.
Last week, we proved yet again – through a number of law enforcement actions – that we will find and expose those who threaten our national security through cyber attacks or theft.
First and foremost, we unsealed an indictment charging seven experienced Iranian computer hackers for their roles in an extensive campaign of distributed denial of service attacks against the U.S. financial sector.
The damage was real: 46 major financial institutions attacked over 176 days, hit by as much as 140 Gigabits of data per second, costing the victims tens of millions of dollars.
In addition, one defendant is also charged with obtaining unauthorized access into the Supervisory Control and Data Acquisition systems of the Bowman Dam, located in Rye, New York. The intrusion could have given the hacker control of the dam’s water levels and flow rates if it had not been disconnected from the system for maintenance.
These attacks threatened public health and safety, and our economy. And this indictment exposes the faces and names behind the keyboards in Iran used to orchestrate these attacks against us – the attackers were employed by two computer security companies that work on behalf of the Iranian Government, including the Islamic Revolutionary Guard Corps.
That same week, we unsealed a complaint against members of the Syrian Electronic Army, for activity that sought to harm the economic and national security of the United States in the name of Syria and sought to extort law-abiding people all over the world to line their own pockets.
And, following his waiver of extradition from Canada, a Chinese businessman in Los Angeles entered a guilty plea for his role in a conspiracy to hack into the computer networks of U.S. defense contractors, including Boeing, and stealing sensitive information, including data related to military transport aircraft and fighter jets.
Last week’s announcements prove, once again, there is no free pass for nation state affiliated computer intrusions.
The Role of the National Security Division
Disrupting these national security threats is among the highest priorities of the Department of Justice and the National Security Division. Let me share a bit of background on the National Security Division, and what our experience combatting the threat of terrorism has taught us about combating other national security threats, including threats to our national assets.
The September 11th terrorist attacks showed us that putting walls up between foreign intelligence and law enforcement makes connecting the dots of a plot very difficult. So a decade ago, Congress created the department’s first new litigating division in almost half a century, the National Security Division.
We ensure unity of purpose in the department’s number-one mission – to protect against terrorism and other threats to our national security. And we unite prosecutors and law enforcement officials with intelligence attorneys and the intelligence community, to ensure that we approach national security threats using every tool and resource available to the federal government.
In the years since National Security Division’s creation, it is increasingly clear that the factors that motivated our creation and guided our efforts to combat terrorism are equally true in our efforts to protect our valuable national assets.
As with counterterrorism, we realized that prosecution is only one of the many tools the U.S. government brings to bear. So the National Security Division restructured and adapted to support a whole-of-government approach to national security cyber threats. Criminal prosecutions, sanctions, trade pressure and diplomatic options are just some of the responses available to us as we combat online threats to the national security.
Underlying all of the government’s policy options is the need for attribution – to attribute online intrusions with confidence, down to the country, government agency, organization or even individuals involved.
Law enforcement agencies and the Department of Justice are uniquely well suited for these kinds of investigations. And these investigations are the bedrock of our whole-of-government approach because they facilitate the use of so many other tools that promote deterrence.
In some cases, attribution leads to public charges and a criminal prosecution. In other cases, a prosecution may not be the right option, but attribution opens the door for sanctions, disruption operations and bilateral diplomacy.
Our attorneys live by that whole-of-government approach. We work with our government partners to pick the best tool or combination of tools to get the job done under the rule of law.
We ensure that we have the necessary expertise no matter who is behind the threat, what their motivation is or what tool we need to use.
Under unified NSD leadership, we have integrated the department’s full range of national security expertise under one roof, bringing varied skills and knowledge to the full range of national security challenges.
The Threats to our National Assets
The threat landscape we face is ever-changing and evolving, and while our top priority remains combating terrorism, we have also sharpened our focus and increased our attention on the emerging threats to our national assets, including the threat of economic espionage.
And we have seen that these threats are not confined to banks in New York or defense contractors in California. Our entire nation, including America’s heartland here in Iowa, is under constant attack from foreign adversaries and competitors who try to steal trade secrets and other intellectual property, at the expense of our economy and national security.
When certain foreign entities eager for sensitive and valuable information can’t buy it, they may take another approach: they try to steal it. Corporate theft can occur through insiders employed by a company – or it can occur remotely, through cyber intrusions that exploit a vulnerability present in a company’s networks. Companies must be ready for all of these vectors of vulnerability.
Iowa is a fitting place to address these topics. Iowa’s agricultural and food production, renewable energy, biotechnology and advanced manufacturing are an integral part of the country’s economic engine. Between 2002 and 2011, Iowa’s agricultural production grew over 200 percent. This growth is attributable in part to the tremendous innovation that is taking place in the American agriculture sector. According to one government study, agricultural biotech accounts for $80 billion of a $260 billion biotechnology sector.
You are revolutionizing the way America grows crops. You invest in biotechnology research to develop higher-yielding, drought-resistant crops. You rely on data from sophisticated soil sensors, satellites and drones to optimize the use of water and pesticides.
But, while you spend your days innovating, others spend their days on campaigns to steal the fruits of Americans’ labor.
Just this year, here in Iowa, Mo Hailong, a lawful permanent resident and employee of a China-based seed company, was convicted of participating in a long-term conspiracy to steal trade secrets from DuPont Pioneer and Monsanto, for the purpose of covertly transferring the technology to China.
Hailong and his co-conspirators brazenly stole inbred corn seeds from production fields not far from here. Although he knew that this technology was the valuable and confidential intellectual property of DuPont Pioneer and Monsanto, he stole it for the benefit of his China-based company.
The threat of this kind of economic espionage is serious. Some estimate that, every year, the U.S. loses more than $300 billion from theft of our intellectual property. That figure is about equivalent to the current annual level of U.S. exports to Asia. Losses of that magnitude cost the American economy untold numbers of jobs.
They reduce the profit that American firms make from research and development, which in turn reduces the incentives and resources for innovation. And the activity undermines the trust between countries and companies that is necessary to do business in a globalized economy.
As companies move to digital storage, economic espionage increasingly occurs not just through insider threats but also through cyber activity. As a result of the proliferation of technology – and the myriad ways to exploit it – we face a changing world order in which lone hackers, organized crime syndicates and nation states are all increasingly able to harm our shared networks and our livelihood. Every sector of the economy is a target – agriculture, energy, financial institutions, infrastructure, entertainment and more.
And hackers come in all shapes and sizes. We have seen state and non-state actors using the Internet to steal our intellectual property and export-controlled information at unprecedented levels.
For example, in May 2014, after a lengthy investigation, the department indicted five Chinese military officers by name for computer hacking, economic espionage and other offenses directed at American companies. The indictment describes numerous and specific instances where uniformed officers of the People’s Liberation Army hacked into the computer systems of American nuclear power, metals and solar-products companies to steal trade secrets and sensitive, internal communications that could be used by Chinese companies to give them a commercial leg-up.
The investigation, and the public charges it led to, have had a lasting impact. At the time, our indictment was met with indignant denials. But a year later, after rumors circulated that additional costs might be imposed, Chinese President Xi Jinping publicly declared, during his state visit in September, that, “China strongly opposes and combats the theft of commercial secrets and other kinds of hacking attacks.” The United States and China committed that neither country’s government will conduct, or knowingly support, cyber-enabled theft of trade secrets or confidential business information with the intent of providing competitive advantage to companies or commercial sectors.
And, at the G20 Summit last fall, leaders of the world’s most powerful nations pledged not to conduct or support cyber economic espionage. What began with denials ended, at least for now, with a shift in international norms and a commitment from China to change its behavior.
Of course, indictments of state-sponsored hackers will not, on their own, prevent all cyber theft. This is the very point of an all-tools, whole-of-government approach. We need to exert pressure on bad actors from every possible angle. Prosecutions are just one tool in the broader Justice Department approach, which is just one angle from which the U.S. can pressure nation-state actors. The ultimate success of this approach will depend on the ability of U.S. agencies and departments to strengthen and support one another’s actions.
We will not stand idly by as others attempt to steal from us. We will hold them accountable – no matter who they are, where they are or the means by which they steal.
But we cannot do it alone. Your companies – and thus, you, have a critical role to play.
In the case of Hailong, the investigation was initiated when DuPont Pioneer security staff detected suspicious activity and alerted the FBI. DuPont Pioneer and Monsanto cooperated fully throughout the investigation, and that cooperation was essential to disrupt the theft of American technology and hold the perpetrator accountable.
As leaders in your industries, you are on the front lines defending your companies’ valuable intellectual property against insider threats, cyber-attacks and other bad actors determined to erode America’s status as a global leader in those fields.
We know from experience that those seeking to do us harm will look for any available vulnerability to exploit. In many cases, your adversaries have the full backing of their foreign governments and so should you.
As a nation, we must work together to deter and disrupt these threats, and to change our adversaries’ calculus by increasing their cost. Our strategy must ensure there is no free pass.
But the government’s response is only one half of the equation. We need your help. Our nation’s crown jewels are overwhelmingly in private sector hands. And so we work with U.S. companies, across all industry sectors, to ensure that our national security interests are protected.
We have spent time and energy in face-to-face sit downs so that we may better understand the concerns and challenges facing U.S. companies, share guidance and information, and assist with protection, detection, attribution and response. We can warn companies that manufacture or sell targeted U.S. technology when certain bad actors are seeking the particular technology they make.
Corporate outreach sensitizes industry to the threat they face and helps to stem the flow of sensitive technology out of the United States.
This type of cooperation is especially important with respect to cyber-enabled threats. After all, the Internet runs on private infrastructure and the hardware and software that we all use – including in the government – is developed and maintained by the private sector.
After an attack, if an organization works with law enforcement, it puts both in the best possible position to find out exactly what happened and to remediate and prevent further damage. The evidence is often fleeting, so early notification and access to the data is extremely important.
In addition, we may have seen the same indicators of malicious activity in other attacks, so we can conclude who was responsible and identify possible impacts and means of remediation. Importantly, it also allows us to share information with other potential victims. One organization’s vulnerability is everyone’s vulnerability and it is critical that we work together.
Law enforcement may be able to use legal authorities and tools that are unavailable to non-governmental entities. Law enforcement can also enlist the assistance of international partners to locate stolen data or identify a perpetrator.
These tools and relationships can greatly increase the odds of successfully apprehending an intruder or attacker and securing lost data. Finally, this cooperation is vital to successful prosecutions that, as I explained, can prevent criminals from causing further damage to victim companies and others.
A united front is critical because the threat you face includes hackers with the full backing of their governments or that are part of sophisticated, international criminal syndicates. They have backup, but so do you – because your government is here to help.
Last year, we announced a new position within the National Security Division focused on outreach to the private sector. This position was created in recognition of the importance of relationships and cooperation in cybersecurity. We understand the importance of prevention and of resilience. We want to support our private sector partners, whether they simply want to establish early lines of communication or call while under the strain of a continuing network breach.
The conversations we have at these events are essential to keep our nation secure, to protect the privacy of our citizens, to enable American businesses to compete fairly in our global economy and to ensure that U.S. businesses and institutions are resilient in the face of cyber threats. While we gather here in Iowa to work together to make this country safer, our adversaries likewise gather to strategize against us. The threats are not letting up and neither will we.
Thanks again for inviting me. I look forward to your questions.