sign in sign up
<<
Home , 2018 Atlanta cyberattack, AlphaBay, Brambul, Bribery, BrickerBot, Carding (fraud)

U.S. Department of Justice

REPORT OF THE ATTORNEY GENERAL’S CYBER DIGITAL TASK FORCE U. S. Department of Justice

Office of the Deputy Attorney General

The Deputy Attorney General Washington, D.C. 20530

July 2, 2018

Dear Mr. Attorney General:

You have emphasized that "upholding the Constitution and protecting the rule of is the fo undation ofeverything we do" at the Department ofJustice. Our impo11ant duties include keeping America safe by fighting and preserving the Nation' s security.

As President Trump has observed, "The faces an extraordinarily dangerous world, filled with a wide range ofthreats that have intensified in recent years." Director of National Intelligence Dan Coats explained earlier this year that the cyber threat "is one of[our] greatest concerns and top priorities." The Department ofJustice shares that assessment.

Every day, malicious cyber actors target our citizens, our businesses, our military, and all levels ofour government. They cause billions ofdollars in losses and to undermine our democratic values. Combating and cyber-enabled threats to our Nation' s security must remain among the Department's highest priorities.

In February 2018, you directed the formation ofa Cyber-Digital Task Force to undertake a comprehensive assessment ofthe Department' s work in the cyber area, and to identify how federal law enforcement can even more effectively accomplish its mission in this vital and evolving area.

The initial assessment is complete. It is my privilege to present this report ofthe Attorney General's Cyber-Digital Task Force.

I hope this report will assist as all Americans keep moving forward to protect our people, promote our economy, and preserve our values.

Sincerely, REPORT OF THE ATTORNEY GENERAL’S CYBER DIGITAL TASK FORCE United States Department of Justice Ofce of the Deputy Attorney General Cyber-Digital Task Force 950 Pennsylvania Avenue, N.W. Washington, D.C. 20530 https://www.justice.gov/cyberreport INTRODUCTION

Table of Contents

Letter from the Deputy Attorney General ...... i

Attorney General’s Cyber-Digital Task Force ...... vii

Introduction ...... xi

Chapter 1 Countering Malign Foreign Influence Operations ...... 1

Chapter 2 Categorizing Sophisticated Cyber Schemes ...... 23

Chapter 3 Detecting, Deterring, and Disrupting Cyber Threats ...... 9

Chapter 4 Responding to Cyber Incidents ...... 83

Chapter Training and Managing Our Workforce ...... 95

Chapter 6 Looking Ahead ...... 109

Appendices Appendix 1: Memorandum Establishing the Task Force ...... 131 Appendix 2: Recent Successful Disruptions ...... 133 Appendix 3: Recent Successful Disruptions ...... 137 Appendix : Glossary of Key Terms ...... 1 1

v TASK FORCE MEMBERS

ATTORNEY GENERAL’S CYBER-DIGITAL TASK FORCE

Task Force Members

Sujit Raman, Chair Associate Deputy Attorney General Ofce of the Deputy Attorney General

John P. Cronan Andrew E. Lelling Assistant Attorney General (Acting) United States Attorney Criminal Division District of Massachusetts

John C. Demers David T. Resch Assistant Attorney General Executive Assistant Director National Security Division Federal Bureau of Investigation

Carl Ghattas Beth A. Williams Executive Assistant Director Assistant Attorney General Federal Bureau of Investigation Ofce of Legal Policy

John M. Gore Peter A. Winn Assistant Attorney General (Acting) Chief & Civil Liberties Ofcer (Acting) Civil Rights Division Director, Ofce of Privacy & Civil Liberties CYBER-DIGITAL TASK FORCE REPORT

Task Force Contributors

Matthew J. Sheehan Counsel to the Deputy Attorney General Staf Director

Elizabeth Aloi Brendan Groves Richard Pilger Leonard Bailey Aarash Haghighat Jason Poole Michael F. Buchwald William Hall Andrew Proia Mark Champoux Christopher Hardee Kimberley Raleigh Tomas Dettore Adam Hickey Peter Roman Richard Downing Ray Hulser Opher Shweiki Benjamin Fitzpatrick Anitha Ibrahim Michael Stawasz Lindsey Freeman Matthew Kluge AnnaLou Tirol Tashina Gauhar John T. Lynch, Jr. Andrew Warden Josh Goldfoot Katrina Mulligan J. Brad Wiegmann Bonnie Greenberg Sean Newell Cory Wilson Erica O’Neil

And representatives from: Bureau of Alcohol, Tobacco, Firearms, and Explosives Ofce of Strategic Intelligence & Information Drug Enforcement Administration Ofce of Investigative Technology Federal Bureau of Investigation Counterintelligence Division Federal Bureau of Investigation Counterterrorism Division Federal Bureau of Investigation Criminal Investigative Division Federal Bureau of Investigation Cyber Division Federal Bureau of Investigation Digital Transformation Ofce Federal Bureau of Investigation Branch Federal Bureau of Investigation Ofce of Private Sector Federal Bureau of Investigation Ofce of the Chief Information Ofcer Federal Bureau of Investigation Ofce of the Director Federal Bureau of Investigation Ofce of the General Counsel Federal Bureau of Investigation Operational Technology Division Washington, the U.S. National Central Bureau Justice Management Division Ofce of the Chief Information Ofcer/ Cybersecurity Services Staf United States Marshals Service Investigative Operations Division United States Marshals Service Judicial Security Division

viii

INTRODUCTION

Introduction

Cyber-enabled attacks are exacting an enormous toll on American busi- nesses, government agencies, and families. intrusions, cy- bercrime schemes, and the covert misuse of digital infrastructure have bankrupted frms, destroyed billions of dollars in investments, and helped hostile foreign governments launch infuence operations de- signed to undermine fundamental American institutions.

Te Department of Justice’s primary mission is to keep the American people safe. We play a critical role in the federal government’s shared efort to combat malicious, cyber-enabled threats.

n February 2018, the Attorney General policy—grounded in our longstanding prin- established a Cyber-Digital Task Force ciples of political neutrality, adherence to within the Department and directed the the , and safeguarding the public ITask Force to answer two basic, foundational trust—that governs the disclosure of foreign questions: How is the Department respond- infuence operations. ing to cyber threats? And how can federal law enforcement more efectively accomplish its Chapters 2 and 3 discuss other cyber-enabled mission in this important and rapidly evolv- threats our Nation faces, particularly those ing area? connected with . Tese chapters describe the resources the Department is de- Tis report addresses the frst question. It be- ploying to confront those threats, and how our gins by focusing on one of the most press- eforts further the rule of law in this country ing cyber-enabled threats our Nation faces: and around the world. Chapter 4 focuses on the threat posed by malign foreign infuence a critical aspect of the Department’s mission, operations. Chapter 1 explains what foreign in which the Federal Bureau of Investigation infuence operations are, and how hostile for- plays a lead role: responding to cyber inci- eign actors have used these operations to tar- dents. Chapter 5 then turns the lens inward, get our Nation’s democratic processes, includ- focusing on the Department’s eforts to recruit ing our elections. Tis chapter concludes by and train our own personnel on cyber mat- describing the Department’s protective eforts ters. Finally, the report concludes in Chapter with respect to the upcoming 2018 midterm 6 with thoughts and observations about cer- elections, and announces a new Department tain priority policy matters, and charts a path

xi CYBER-DIGITAL TASK FORCE REPORT for the Task Force’s future work. Over the criminals rely upon to penetrate our borders. next few months, the Department will build We use legal authorities to take control of upon this initial report’s fndings, and will virtual infrastructure—such as networks of provide recommendations to the Attorney compromised called “”— General for how the Department can even to prevent future victimization. We share in- more efciently manage the growing global formation gathered during our investigations cyber challenge. to help victims protect themselves. And we do all of these things to fght modern threats Te Department’s Cyber Mission while remaining faithful to our Nation’s re- spect for personal freedom, civil liberties, Computer intrusions and attacks are , and the rule of law. and the Department of Justice fghts crime. Tat is true regardless of whether the crimi- Where appropriate, we also work closely nal is a transnational group, with our interagency partners to support f- a lone , or an ofcer of a foreign mil- nancial, diplomatic, and military measures itary or intelligence organization. In addi- to bring all possible instruments of national tion, the Department has unique and indis- power to bear against cyber threats. Other pensable cybersecurity roles in the realm of departments have the primary responsibil- foreign intelligence and counterintelligence. ity for helping victims recover from cyber- attacks; we have the primary responsibility In fghting criminal computer intrusions and for conducting the investigation into who is attacks, the Department identifes, disman- responsible. We do not have the federal gov- tles, and disrupts cyber threats. In doing so, ernment lead for assisting election ofcials we provide justice to victims and deter others in securing their systems, but we do have the from committing similar ofenses. To fulfll primary responsibility for investigating our our mission, we deploy and foreign adversaries’ eforts to target election intelligence tools to fnd malicious , arrest them, incarcerate them, and require infrastructure. them to pay restitution to their victims. We shut down the dark markets criminals de- Similarly, we do not have the government’s pend upon to buy and sell stolen informa- lead role in protecting private or government tion. We deprive criminals of the tools and networks, in designing security standards, services they use to attack American families or in regulating how the private sector must and businesses. Working with private sec- defend itself. Tose are important functions partners, we seek to deny foreign gov- for which other government departments ernments the infrastructure they would use take responsibility—ofen, with our support to conduct illegal infuence operations. We and assistance. Our mission is to enforce the seize or disable the servers, domain names, law, to ensure public safety, and to seek just and other infrastructure that transnational .

xii INTRODUCTION

How We Succeed crimes and to help identify cyber threats; and upon the assistance of international partners By faithfully executing the Department’s to gather foreign , apprehend crimi- crime-fghting mission, we have produced nals, and extradite suspects. Ofen, those au- tangible and positive results for the Ameri- thorities are exclusive to the Department of can people. Tese results are refected by the Justice and other law enforcement agencies. caliber of criminals we have taken ofine and For example, the Department has the author- taken of the streets; the millions of comput- ity to obtain the subpoenas, court orders, and ers we have liberated from botnets that har- search warrants that the law requires in order ness their processing power for and to compel online service providers to pro- thef; the web cameras that no longer spy on duce crucial records that can reveal criminal unwitting victims; the dark markets selling il- activity. licit drugs, weapons, and we have disrupted and shuttered; the virtual currency we have seized from criminals; and the malicious sofware that is no longer of- “Our mission is to enforce the law, fered for sale. to ensure public safety, and to seek just punishment.” Tese tangible results have a secondary efect: deterrence. Deterrence is one of the primary objectives of , and it is a key fac- tor in improving our Nation’s cybersecurity. An efective deterrence policy requires us to Preserving these investigative authorities and have a credible capability to enforce the law, capabilities, and using them responsibly and and therefore to deter ofenders. A credible consistent with law, is therefore vital to the capability to enforce the law, in turn, requires Nation’s cybersecurity. It is also a Depart- the Department to be able to credibly inves- ment priority. Te Department’s agents and tigate cybercrime. Without evidence, there prosecutors need the authority and tools to is no attribution. Without attribution, there obtain evidence; the technical skill to un- will be no consequences for ofenders, and derstand it; and the ability to introduce that thus no deterrence. evidence at trial and explain what it means. Maintaining these capabilities is, in part, a Yet, the reality is that identity-masking tech- question of making sure investigators retain nologies and international investigative bar- the lawful authority to access evidence in a riers pose unique challenges for deterring changing digital landscape. It is also a ques- cyber threats. Tis report details the ways tion of building and maintaining a talented in which we approach those challenges. We and dedicated workforce. depend upon legal authorities to investigate computer crimes; upon the cooperation of Te Department—along with the entire U.S. the public and of the private sector to report government—wants Americans to be able to

xiii CYBER-DIGITAL TASK FORCE REPORT use their devices and computers secure in As Americans have shifed much of our the knowledge that their data is safe. Many economy, our communications, our news government departments and agencies are media, and our daily lives to the , working toward that cybersecurity goal. we are now discovering how vulnerable that And while this report catalogs the many shif makes us. To defend against cyberat- ways that the Department is at the cut- tacks from nation states and from equally so- ting edge of keeping Americans safe from phisticated criminals, the American public cyber threats, we are also keenly aware should be able to turn to the government for that our tools and authorities are not suf- leadership. Tis report details how the De- cient by themselves to accomplish that goal. partment of Justice is responding to that call. Our work is critical to cybersecurity, but our work, alone, is not enough to secure the – Sujit Raman, Chair, Nation. Attorney General’s Cyber-Digital Task Force Amy Mathers, U.S. Department of Justice Justice of Department U.S. Mathers, Amy

Credit: Attorney General Jef Sessions announces law enforcement’s July 2017 seizure of AlphaBay, what was then the world’s largest “Dark Market.” In addition to traditional criminal enforce- ment actions, disrupting and dismantling the illicit underworld’s digital infrastructure is a major facet of the Department of Justice’s broader fght against cybercrime.

xiv

COUNTERING MALIGN FOREIGN INFLUENCE OPERATIONS

Chapter 1 Countering Malign Foreign Influence Operations

ostile foreign actors have long sought announce a Department policy regarding the to infuence, and to subvert, our Na- factors to be considered in disclosing malign tion’s democratic institutions. Mod- foreign infuence operations to victims, other Hern technology—including the Internet and afected individuals, and the public. Tis poli- platforms—has both empowered cy provides guideposts for Department action and emboldened foreign governments and to expose and thereby counter foreign infu- their agents in their to afect U.S. at- ence threats—consistent with the fundamen- titudes, behaviors, and decisions in new and tal principle that we always must seek to act troubling ways. in ways that are politically neutral, compliant with the First Amendment, and designed to Te Department of Justice plays an import- maintain the . ant role in protecting the Nation’s democratic processes from malign foreign infuence op- Ultimately, one of the most efective ways to erations. While the States, under the Con- counter malign foreign infuence operations stitution, have primary jurisdiction over the is to shine a light on the activity and raise administration of elections,1 the Department awareness of the threat. In order to prevail for has enforced federal criminal against our adversaries, all of society must involving certain forms of ballot fraud.2 We work together: from government at all levels; will continue our traditional commitment to to social media providers and others in the combating such , including any that private sector; to political candidates and or- foreign governments or their agents may at- ganizations; to, perhaps most signifcantly, an tempt to perpetrate. (See page 4). active and informed citizenry.

Foreign cyber-enabled and other active ef- Malign Foreign Infuence forts to infuence our democratic processes, Operations including our elections, demand an urgent response. In the following pages, we provide Foreign infuence operations include covert background on malign foreign infuence op- actions by foreign governments intended to erations generally; outline fve distinct types sow division in our society, undermine con- of foreign infuence operations aimed at our fdence in our democratic institutions, and elections or at broader political issues in the otherwise afect political sentiment and pub- United States; and describe the Department’s lic discourse to achieve strategic geopolitical protective eforts with respect to such opera- objectives. Foreign infuence operations can tions, including eforts designed to protect the pose a threat to national security—and they upcoming 2018 midterm elections. We also can violate federal criminal law.3 Operations

1 CYBER-DIGITAL TASK FORCE REPORT aimed at the United States are not new. Tese tent on multiple sides of controversial issues eforts have taken many forms across the de- including race relations and gun control. cades, from funding communist newspapers and fnancing ostensibly independent non- As one component of this strategy, foreign proft groups to promote favored policies, to infuence operations have targeted U.S. elec- more recent eforts at creating and operating tions. Elections are a particularly attractive false U.S. personas on Internet sites designed target for foreign infuence campaigns be- to attract U.S. audiences and spread divisive cause they provide an opportunity to under- messages. Te nature of the problem, how- mine confdence in a core element of our de- ever—and how the U.S. government must mocracy: the process by which we select our combat it—is changing, as advances in tech- leaders. As explained in a January 2017 In- nology allow foreign actors to reach unprec- telligence Community Assessment published edented numbers of Americans covertly and by the Ofce of the Director of National In- without setting foot on U.S. soil. Fabricated telligence (“ODNI”) addressing Russian in- news stories and sensational headlines like terference in the 2016 U.S. presidential elec- those sometimes found on social media plat- tion, has had a “longstanding desire forms are just the latest iteration of a practice to undermine the U.S.-led liberal democratic foreign adversaries have long employed in an order,” and that nation’s recent election-fo- efort to discredit and undermine individuals cused “activities demonstrated a signifcant and organizations in the United States. Al- escalation in directness, level of activity, and though the tactics have evolved, the goals of scope of efort compared to previous opera- these activities generally remain the same: to tions.”4 Russia’s foreign infuence campaign, spread and to sow discord on according to this assessment, “followed a a mass scale in order to weaken the U.S. dem- longstanding Russian messaging strategy ocratic process, and ultimately to undermine that blends covert intelligence operations— the appeal of democracy itself. such as cyber activity—with overt eforts by Russian Government agencies, state-funded Malign foreign infuence operations need not media, third-party intermediaries, and paid favor one political fgure, party, or point of social media users or ‘trolls.’” 5 view. Foreign adversaries can take advan- tage of social media platforms to send con- Malign foreign infuence operations did not trary (and sometimes false) messages simul- begin in 2016, but the Internet-facilitated taneously to diferent groups of users based operations in that year were unprecedented on those users’ political and demographic in scale. Te threat such operations pose to characteristics, with the goal of heightening our society is unlikely to diminish. As the tensions between diferent groups in our so- Director of National Intelligence recently ciety. By exacerbating and infaming existing observed, “Infuence operations, especially divisions, foreign-promoted narratives seek through cyber means, will remain a signif- to spread turmoil, mistrust, and acrimony. cant threat to U.S. interests as they are low- For example, Russian-afliated social media cost, relatively low-risk, and deniable ways to activities have been detected promoting con- retaliate against adversaries, to shape foreign

2 COUNTERING MALIGN FOREIGN INFLUENCE OPERATIONS perceptions, and to infuence populations.”6 sia’s strategy for conducting foreign infuence “Russia probably will be the most capable operations against the United States, which and aggressive source of this threat in 2018, may well inspire other countries to pursue although many countries and some nonstate similar operations, includes a broad spec- actors are exploring ways to use infuence trum of activity targeting U.S. democratic operations, both domestically and abroad.”7 and electoral processes. We categorize such Tese actions require a strong and sustained activity as follows: response. 1. Cyber operations targeting election

infrastructure. Cyber operations could seek Types of Foreign Infuence to undermine the integrity or availability of Operations Targeting Democratic election-related data. For example, adver- and Electoral Processes saries could employ cyber-enabled or other means to target election-associated infra- In advance of the 2018 midterm elections, structure, such as voter registration databases the Department is mindful of ODNI’s as- and voting machines, or to target the power sessment that “Moscow will apply lessons grid or other critical infrastructure in order learned from its campaign aimed at the to impair an election. Operations aimed at U.S. presidential election to future infuence removing otherwise eligible voters from the eforts in the United States and worldwide, rolls or attempting to manipulate the results including against U.S. allies and their election of an election (or even simply spreading dis- processes.”8 Te Intelligence Community information suggesting that such manipu- (“IC”) has recently assessed that Russia views lation has occurred) could undermine the the 2018 midterm elections as a potential tar- integrity and legitimacy of our free and fair get for continued infuence operations.9 Rus- elections, as well as public confdence in elec-

Identifying Potential Targets of Election Interference

Potential Targets Related to Potential Targets Related to Potential Targets Related to Potential Targets Related to Voter Infuence Campaigns Political Entities Elections Infrastructure Campaigns

Credit: Cyber Treat Intelligence Integration Center

Foreign adversaries could target these categories of potential targets—or others—to interfere in U.S. elections through cyber operations.

3 CYBER-DIGITAL TASK FORCE REPORT

DEPARTMENT OF JUSTICE PROGRAM FOR COMBATING BALLOT FRAUD

“Every voter in a federal . . . election, . . . whether he votes for a candidate with little chance of winning or for one with little chance of losing, has a right under the Constitution to have his vote fairly counted, without its being distorted by fraudulently cast votes.” Anderson v. United States, 417 U.S. 211, 227 (1974). Te Department has a longstanding program for predicating, investigating, and prosecuting ballot fraud schemes—which may overlap with a criminal or national security investigation into a foreign infuence operation. Te De- partment’s ballot fraud program brings together several components, including the Federal Bureau of Investigation (“FBI”); the Criminal Division’s Public Integrity Section (“PIN”); United States Attorney’s Ofces around the nation; the Civil Rights Division (“CRT”); and the Department of Homeland Security (“DHS”). (Each component’s specifc role in the program is described in the endnotes.16)

In the weeks and months leading up to the 2018 midterm elections, these components will plan responses to election-related issues and identify lines of coordination and communi- cation. On Election Day, they and a commissioner from the U.S. Election Assistance Com- mission will arrange regular secure video teleconferences with Department leadership and other agencies, including the National Security Council. Other PIN and CRT managers and personnel also will be available throughout the period to answer telephone calls about suspected ballot fraud activity and to respond to questions from federal prosecutors and law enforcement agents, who in turn will be in close communication with state and local partners.

tion results. To our knowledge, no foreign to discredit or embarrass candidates, un- government has succeeded in perpetrating dermine political organizations, or impugn ballot fraud, but the risk is real. the integrity of public ofcials. Te IC has assessed that, during the 2016 election cycle, 2. Cyber operations targeting political “Russia’s intelligence services conducted cy- organizations, campaigns, and public of- ber operations against targets associated with fcials. Cyber operations could also seek to the 2016 U.S. presidential election, including compromise the confdentiality or integrity targets associated with both major U.S. polit- of targeted groups’ or targeted individuals’ ical parties.”10 private information. For example, adversar- ies could conduct cyber or other operations 3. Covert infuence operations to assist against U.S. political organizations and cam- or harm political organizations, campaigns, paigns to steal confdential information and and public ofcials. Adversaries could also use that information, or alterations thereof, conduct covert infuence operations to pro-

4 COUNTERING MALIGN FOREIGN INFLUENCE OPERATIONS vide assistance that is prohibited from foreign 4. Covert infuence operations, includ- sources to American political organizations, ing disinformation operations, to infuence campaigns, and government ofcials. Tese public opinion and sow division. Using false operations might involve covert ofers of f- U.S. personas, adversaries could covertly nancial, logistical, or other campaign support and operate social media pages and to—or covert attempts to infuence the pol- other forums designed to attract U.S. audi- icies, positions, or opinions of—unwitting ences and spread disinformation or divisive politicians, party leaders, campaign ofcials, messages. Tis could happen in isolation or or the public. For example, a federal grand in combination with other operations, and indictment in February 2018 of thirteen could be intended to foster specifc narra- Russian nationals recounts, among other tives that advance foreign political objectives, things, instances in which Russians alleged- or could be intended simply to turn citizens ly provided covert assistance and fnancial against each other. Tese messages need not support to unwitting U.S. persons, unwitting relate directly to political campaigns. Tey individuals associated with a presidential could seek to depress voter turnout among campaign, and other unwitting political ac- particular groups, encourage third-party tivists seeking to coordinate political activi- voting, or convince the public of widespread ties.11 Te indictment also alleges that the voter fraud to undermine confdence in elec- Russians sought to discourage some Amer- tion results. Tese messages could target dis- icans from voting in the 2016 presidential crete U.S. populations based on their political election, and denigrated certain candidates and demographic characteristics. Tey may while supporting others. Russian actors also mobilize Americans to sign online petitions allegedly staged political rallies inside the and join issue-related rallies and protests, or United States while posing as U.S. grassroots even to incite violence. For example, adver- entities and organized rallies inside the Unit- tisements from at least 2015 to 2017 linked ed States afer the presidential election, both to a Russian organization called the Internet in protest of the election results and in sup- Research Agency focused on divisive issues, port of the results.12 Such covert infuence including illegal immigration and gun rights, operations could be reinforced by the use of among others, and targeted those messages “bots,” which are automated programs that to groups most likely to react. can expand and amplify social media mes- saging and bolster desired narratives. Tese 5. Overt infuence eforts, such as the use operations can also be amplifed by stolen of lobbyists, foreign media outlets, and oth- information illicitly acquired through illegal er organizations, to infuence policymakers cyber operations targeting government insti- and the public. Finally, adversaries could use tutions, media, and political organizations or state-owned or state-infuenced media out- campaigns. Foreign agents could then use lets, or employ lobbyists or frms, to this stolen information to reinforce divisive reach U.S. policymakers or the public. For- narratives through systematic, controlled eign governments can disguise these eforts leaks timed to maximize political damage. as independent while using them to promote

5 CYBER-DIGITAL TASK FORCE REPORT divisive narratives and political positions relating to , sabotage, subversive helpful to foreign objectives. Overt infuence activities, and related matters. eforts by foreign governments—including by our adversaries—may not be illegal, pro- • Various federal statutes authorize the FBI vided they comply with the Foreign Agents to conduct investigations of federal crimes, Registration Act (“FARA”),13 and with Fed- make seizures and arrests, and serve war- eral Communications Commission regula- rants, both under national security author- tions. However, the American people should ities (title 50 of the U.S. Code) and law en- be fully aware of any foreign government forcement authorities (title 18 of the U.S. source of information so they can evaluate Code). For example, the FBI has primary that source’s credibility and signifcance for investigative authority for all computer net- themselves. work intrusions relating to threats to na- tional security, including “cases involving Te Department of Justice’s Role espionage, foreign counterintelligence, [and] information protected against unauthorized in Countering Malign Foreign disclosure for reasons of national defense or Infuence Operations foreign relations . . .” 18 U.S.C. § 1030(d)(2).

Te Department of Justice has a signifcant • Executive Order (“E.O.”) 12333, as amend- role in investigating and disrupting foreign ed, establishes the FBI as the lead counterin- government activity in the United States that telligence agency within the United States, threatens U.S. national security. In partic- and authorizes the FBI to conduct counter- ular, the Department has an important role intelligence activities, collect foreign intelli- in identifying and combating malign foreign gence, or support foreign intelligence collec- infuence operations, and in enforcing feder- tion requirements of other agencies within al laws that foreign agents may violate when the IC, and produce and disseminate foreign engaging in such operations. intelligence and counterintelligence. See E.O. 12333, § 1.7(g). Consistent with its longstanding mission, the Department has broad authorities in this area • Tese lead responsibilities are also refect- that encompass both its law enforcement and ed in presidential policies, such as Presiden- counterintelligence responsibilities: tial Policy Directive (“PPD”)-41 and PPD-21.

• Te FBI is the primary investigative agency Working closely with our IC partners, the of the federal government and is authorized Department uses these authorities to identi- to investigate all violations of federal laws fy, analyze, and disrupt the most signifcant that are not exclusively assigned to another threats from foreign infuence operations. federal agency. See 28 U.S.C. § 533. In addi- As explained below, the Department can act tion, 28 C.F.R. § 0.85(d) designates the FBI to against these threats in several ways, either take charge of investigative work in matters using its own authorities or supporting the

6 COUNTERING MALIGN FOREIGN INFLUENCE OPERATIONS actions of other agencies. Te Department ies, to build consensus with other nations to also uses its investigative authority to devel- condemn such activities, and to build coali- op information that can inform private sector tions to counter such activities. Likewise, we eforts to guard against or deter foreign infu- work closely with DHS to share information ence operations. about foreign infuence operations in fur- therance of DHS’s election security mission. First, the Department’s investigations may re- veal conduct that warrants criminal charges. Tird, the Department’s investigations pro- Criminal charges not only are a tool the De- duce information about threats and vulnera- partment uses to pursue justice, but also can bilities that we can share with State and local help deter similar conduct in the future. We election ofcials, political organizations, and will work with our international partners to other potential victims. Because these enti- obtain custody of foreign defendants when- ties lack the FBI’s investigative resources and ever possible. Tose who seek to avoid jus- legal authorities, sharing investigative infor- tice in U.S. courts will fnd their freedom mation about the nature of the threat posed of travel signifcantly restricted. Criminal by foreign infuence operations can help charges also provide the public with infor- these entities detect and prevent operations mation about the illegal activities of foreign that target them. actors we seek to hold accountable. Fourth, the Department maintains strategic Second, in some cases, the Department’s relationships with social media providers investigations can support other U.S. gov- that refect the private sector’s critical role in ernment agencies’ actions, such as fnancial addressing this threat. Social media provid- sanctions or diplomatic and intelligence ef- ers have unique insight into their own net- forts. Afer a federal grand jury indicted works and bear the primary responsibility for thirteen Russians in connection with their securing their own products, platforms, and alleged infuence activities, for example, the services. Te FBI can assist the providers’ Secretary of the Treasury imposed fnancial voluntary eforts to identify foreign infuence sanctions against those individuals under an activity and to enforce terms of service that executive order that authorizes sanctions for prohibit the use of their platforms for such malicious cyber-enabled activity. Te De- activities. Tis approach is similar to the partment of the Treasury’s actions blocked all Department’s recent approaches in working and interests in property of the des- with providers to address terrorist use of so- ignated persons subject to U.S. jurisdiction, cial media, and more traditional collabora- and prohibited U.S. persons from engaging tion to combat child pornography, botnets, in transactions with the sanctioned individ- , and other misuse of digital in- uals. In addition, the State Department ofen frastructure. By providing information about uses information from our investigations and potential threats, the Department can help criminal indictments in diplomatic eforts to social media providers respond to malign use attribute malign conduct to foreign adversar- of their platforms, identify foreign infuence

7 CYBER-DIGITAL TASK FORCE REPORT operations on those platforms, share infor- coordinating the Department’s counter-for- mation across diverse products and services, eign infuence eforts with other federal agen- and better ensure their users are not exposed cies, including DHS, the State Department, to unlawful foreign infuence. the , and the Central Intelligence Agency. Te FBI is also responsi- Finally, information developed in our inves- ble for developing strategic relationships with tigations can be used—either by the Depart- state and local authorities, international part- ment or in coordination with the Intelligence ners, and the private sector, including social Community and other government part- media and other technology companies, as ners—to help protect the public by exposing part of a comprehensive approach to combat- the nature of the foreign infuence threat. ing the foreign infuence problem. Te Department may alert victims or targets about foreign infuence operations consistent Armed with a deeper understanding of our with its longstanding policies and practices. foreign adversaries’ operational methods and As discussed below, in certain circumstances, committed to leveraging the full range of our public disclosure and attribution can also be authorities, the Department has developed a an important means of countering the threat strategic framework for countering foreign and rendering those operations less efective. infuence operations. See Fig. 1. Tis frame- work seeks to employ the Department’s long- Te Department of Justice’s standing authorities proactively to pursue ag- gressive countermeasures—using traditional Framework to Counter Malign law enforcement tools, sharing information Foreign Infuence Operations with potential victims and the private sector where appropriate, and exposing and attrib- Te Department is preparing ahead of the uting foreign infuence operations where do- 2018 midterm elections to ensure that we ing so is in the national interest. Te Depart- address as efectively as possible the fve dis- ment’s strategy aims to increase the resilience tinct types of foreign infuence operations of democratic and election processes against described above. To underscore this priori- the foreign infuence threat, while recogniz- ty, the FBI in November 2017 established the ing that we cannot expect to eliminate those Foreign Infuence Task Force (“FITF”), which activities unless the responsible foreign gov- serves as the central coordinating authority ernments alter their behavior. within the FBI for investigations concerning foreign infuence operations. Te FITF in- 1. Cyber operations targeting election tegrates the FBI’s cyber, counterintelligence, infrastructure. Although the States are re- counterterrorism, and criminal law enforce- sponsible for administering elections, and ment resources to ensure that the Depart- DHS has the federal government lead for ment better understands the threat presented assisting election ofcials in securing their by malign foreign infuence operations. An systems, the FBI has the primary responsibil- important part of the FITF’s responsibility is ity for investigating our foreign adversaries’

8 COUNTERING MALIGN FOREIGN INFLUENCE OPERATIONS

be

Activities violations to efforts to actors.

Actions Their

FBI

foreign responds

Considerations State Dept. conduct

by and the public

Dept. Key

DOJ andDOJ influence policymakers influence norms

Overt influence Overt Investigate Investigate possible FARA violations. Prosecute where possible. Compel registration as appropriate. DHS and outreach on trends in influence operations to domestic and foreign audiences. State of Open communications Open by registered foreign media may lawful.

Other Agencies Other Agencies and • • • • • •

Operations

and

Activities

for for

opinion Actions Their operations to

as appropriate,

services. FBI division

media, other providers of their platforms. companies bear

responses.

public

where possible.

Considerations and

State Dept. conduct

sow to protect against malign responsibility

social Key

DOJ andDOJ Investigate Investigate and, disrupt foreign influence operations. Attribute and expose activity, consistent with applicable guidance. Prosecute Notify of foreign influence operations and other DHS and outreach on trends in influence operations to domestic and foreign audiences. DHS provides to tools private industry influence. Possible diplomat ic, financial, or operational Technology primary securing their own products, platforms, influence Covert influence Covert

Other Agencies Other Agencies and • • • • • • • • to

MalignForeign Influence by

Activities

consistent with

operations Actions Their

goals.

FBI

responses. Considerations

State Dept. conduct public officials influence Key

operations, mitigation, and engagements with foreign

require require cooperation of affected DOJ andDOJ

assist or harm political harm or assist produces on foreign intelligence

Investigate Investigate and disrupt activity unregistered foreign agents. Brief potential targets, applicable guidance. Prosecute where possible. Raise awareness about malicious cyber maintaining “cyber hygiene.” IC influence efforts, DHS and outreach on trends in influence operations to domestic and foreign audiences. Possible diplomat ic, financial, or operational May individuals and organizations to counter the threat. Many governments are legitimate. organizations, campaigns and organizations, campaigns Covert

Other Agencies Other Agencies and • • • • • • • • •

after

Activities against

efforts th victims and

of data)

Actions Their

campaigns, FBI protect to

alerting victims victims alerting DHS. (if requested).

responses.

Considerations

parties,

with

threats and warn potential parties own systems and

operations, mitigation, and Key

DOJ andDOJ and public officials public and intrusion

(confidentiality Identify targets, Investigate and disrupt intrusions and attacks, consistent with applicable guidance. Prosecute where possible. Raise awareness about malicious cyber maintaining “cyber hygiene.” produces IC on intelligence malicious cyber operations. DHS shares intelligence (warnings) and best practices wi assists with recovery an Possible diplomat ic, financial, or operational Private data and are responsible for their security. Limited ability misuse of stolen information. Cyber operations targeting operations Cyber political

Other Agencies Other Agencies and • • • • • • • • •

Department of Justice of Framework Department Counter to

after DHS.

Activities systems their their

efforts th victims and

Actions Their

ic, financial, or FBI and security.

data) officials), with computer

alerting victims victims alerting (if requested).

and availability responses. the election

where possible. of Considerations

threats and warn potential

own

Key DOJ andDOJ crimes (e.g. crimesvoter

intrusion

election infrastructure Figure 1: Figure (integrity and are responsible for administration States Possible diplomat assists with recovery an operational IC produces IC on intelligence malicious cyber operations. DHS shares intelligence (warnings) and best practices wi Identify targets (state intrusions). Investigate Investigate and disrupt intrusions and attacks, consistent with applicable guidance. Prosecute to reports of election Respond day suppression, Cyber operations targeting

Other Agencies Other Agencies and • • • • • • • •

9 CYBER-DIGITAL TASK FORCE REPORT eforts to target election infrastructure. In over 20 partnering agencies from across law the event of a known or suspected cyber in- enforcement, the IC, and the Department of cident, the FBI will investigate the intrusion Defense, with representatives who are co-lo- and will alert targets of the intrusions where cated and work jointly to accomplish the appropriate. Prosecutors will follow the Prin- organization’s mission from a whole-of-gov- ciples of Federal Prosecution14 in determining ernment perspective. whether federal criminal charges are appro- priate. Te FBI also may identify threats and Establishing close relationships with State vulnerabilities to election infrastructure in and local ofcials is also important to en- the course of other criminal or intelligence able the Department to respond quickly to investigations. Consistent with the Depart- a major cyber intrusion before or during an ment’s disclosure policy (described below), it election. Te Department works closely with will attempt to warn State and local ofcials DHS in connection with such incidents. Te who operate election systems about attempts Department will continue to work with DHS to penetrate their systems and to share ap- and State and local ofcials to plan what they propriate information about vulnerabilities should do, whom they should contact, and they should patch or mitigate. In this regard, what assistance they may seek in the event the FBI works closely with DHS and with the of a signifcant intrusion into their systems. U.S. Election Assistance Commission, which Te FBI’s general incident response activities certifes voting systems and establishes vot- are described in greater detail in Chapter 4. ing system guidelines. 2. Cyber operations targeting political To that end, in February 2018, the FBI, to- organizations, campaigns, and public of- gether with DHS and the IC, provided classi- fcials. Te FBI investigates computer in- fed briefngs to election ofcials from all 50 trusions and attacks against U.S. victims, States to help increase awareness of foreign using its broad investigative authority and adversary intent and capabilities against the leveraging its close relationship with other States’ election infrastructure, as well as ac- IC agencies that have the authority to col- tions State and local ofcials can undertake lect foreign intelligence outside the United to mitigate those threats. Establishing close States. Federal prosecutors may then charge relationships with those ofcials, in partner- the perpetrators, as appropriate. Te FBI also ship with DHS, is critical because the De- alerts victims where possible and helps them partment’s ability to identify and disrupt cy- respond to intrusions, ofen working closely ber actors who target election infrastructure with DHS, and provides threat information requires the ofcials who operate that infra- when necessary to address a specifc threat or structure to promptly share threat informa- incident. tion with the FBI. Te Department has em- phasized the need for State and local ofcials Te FBI is working with DHS to ensure that promptly to share threat information with political organizations and individuals within the FBI’s National Cyber Investigative Joint such organizations whom foreign adversar- Task Force (“NCIJTF”). NCIJTF includes ies may target are aware of the specifc cyber

10 COUNTERING MALIGN FOREIGN INFLUENCE OPERATIONS

DEPARTMENT OF JUSTICE POLICY REGARDING NON-INTERFERENCE WITH ELECTIONS

Te Department of Justice has a strong interest in the prosecution of election-related crimes, such as those involving federal and State campaign fnance laws, federal patronage laws, and of the election process, and Department employees must safeguard the Department’s reputation for fairness, neutrality, and non-partisanship.

Partisan political considersations must play no role in the decisions of federal investigators or prosecutors regarding any investigations or criminal charges. Law enforcement ofcers and prosecutors may never select the timing of investigative steps or criminal charges for the purpose of giving an advantage or dis- advantage to any candidate or political party.

For further guidance, prosecutors and law enforcement ofcers may contact the Criminal Division’s Public Integrity Section. More detailed guidance is also available in sections 1-4.000 and 9-85.000 of the United States Attorneys’ Manual, and in a treatise published by the Department called Federal Prose- cution of Election Offenses (8th ed. 2017).17

threats and vulnerabilities we are monitoring. Te Department will aggressively enforce Tese eforts have included providing defen- federal laws that require foreign agents to sive briefngs to major political organizations register with the U.S. government and that such as the Republican and Democratic Na- prohibit foreign nationals from tricking un- witting Americans into participating in, or tional Committees. accepting support from, foreign infuence eforts. Along those lines, the Department 3. Covert infuence operations to assist has stepped up enforcement eforts against or harm political organizations, campaigns, individuals and entities that had not fulflled and government ofcials. Te FBI counters their obligations under the Foreign Agents the activities of foreign governments and Registration Act (“FARA”), including by ed- their proxies by proactively investigating ucating prosecutors and agents nationwide unregistered foreign agents in the United about the importance of the statute and how States, alerting these foreign agents’ targets to investigate it; expanding our outreach to (or intended targets) where appropriate, and individuals and entities who may be required to register; and achieving the registrations of raising public awareness of foreign infuence sophisticated individuals and entities that had methods and efective countermeasures both not fulflled their legal obligations, including through appropriate enforcement actions the American agents of Russian state-fund- and through assistance to other federal agen- ed media networks (RT and Sputnik). Going cies and State or local authorities with en- forward, we will increase FARA awareness forcement authority. and compliance through increased outreach,

11 CYBER-DIGITAL TASK FORCE REPORT by making additional advisory opinions pub- success of a foreign infuence campaign via lic, and by issuing guidance if appropriate the Internet and social media depends heav- under Department policy. In addition, we ily on the adversary’s ability to obscure the will investigate and prosecute criminal viola- true motivation and origin of its activities— tions of FARA and other laws that restrict the something the Internet can facilitate—the activities of foreign agents acting within the infrastructure of online accounts required United States. to carry out such a campaign also provides the Department with opportunities for iden- Te Department also will seek to increase tifcation and disruption. For example, the understanding of the foreign intelligence FBI and IC partners may be able to identi- threat in order to reduce the efectiveness of fy and track foreign agents as they establish covert activities and eforts to obscure the their infrastructure and mature their online true motivation and origin of foreign infu- presence, in which case authorities can work ence operations. Te FBI can provide defen- with social media companies to illuminate sive counterintelligence briefngs to political and ultimately disrupt those agents’ activi- organizations and campaigns as necessary to ties, including through voluntary removal protect against and improve awareness of the of accounts that violate a company’s terms of foreign infuence threat. In addition, the FBI service. continues to pursue criminal and traditional counterintelligence investigations to address In addition to these activities, in some cir- the range of potential covert operations tar- cumstances, public exposure and attribu- geting political organizations. tion of foreign infuence operations, and of foreign governments’ goals and methods 4. Covert infuence operations, includ- in conducting them, can be an important ing disinformation operations, to infuence means of countering the threat and render- public opinion and sow division. Depending ing those operations less efective. Of course, on the facts, a foreign government’s eforts to partisan must play no role in the de- use the Internet as part of a hostile efort to cision whether to disclose the existence of a multiply its ’s malign infuence foreign infuence operation, and such dis- on the American public may violate a num- closures must not be made for the purpose ber of federal laws on which the Department of conferring any advantage or disadvantage may base criminal investigations and prose- on any political or social group. In addition, cutions. Te Department is also considering the Department must seek to protect intelli- whether new criminal statutes aimed more gence sources and methods and operational directly at this type of activity are needed. equities, and attribution itself may present challenges. It is also important not to take Te Department has crafed a strategy to actions that merely exacerbate the impact of counter each phase of the foreign malign in- a foreign infuence operation, or that re-vic- fuence campaign cycle. See Fig. 2. While the timize its victims. Given the competing in-

12 COUNTERING MALIGN FOREIGN INFLUENCE OPERATIONS Figure 2: Te Malign Foreign Inf uence Campaign Cycle Inf 2: Te Malign Foreign Figure

13 CYBER-DIGITAL TASK FORCE REPORT terests sometimes at stake, the Department in addressing foreign infuence operations has established a formal policy on the disclo- aimed at sowing discord and undermining sure of foreign infuence operations to guide our Nation’s institutions. Combating foreign its actions in this critically important area. infuence operations requires a whole-of-so- Tat policy is found at pages 16–17. ciety approach that relies on coordinated ac- tions by federal, State, and local government 5. Overt infuence eforts, such as the use agencies; support from potential victims and of foreign media outlets to infuence policy- the private sector; and the active engagement makers and the public. Overt foreign gov- of an informed public. ernment eforts to infuence the American public or policymakers may be lawful so long Even so, investigating and prosecuting those as the relevant government complies with who violate our laws, disrupting particular U.S. laws requiring public disclosure, along operations, and exposing covert foreign ac- with other applicable laws. When foreign tivities can be useful in defending against media outlets or lobbyists act as agents of for- this threat. It is therefore critical that the eign governments, they may be required to Department consistently evaluate existing register as foreign agents under FARA. Me- law and policy governing its actions, as well dia outlets with links to , Japan, Russia, as its strategic approach to the problem. In and have done so. Apart from the short term, the Department must use all enforcing such laws, the Department—in current authorities to counter the foreign concert with the U.S. government as a whole, infuence threat, working closely with the as well as with American society more broad- IC, DHS, State and local governments, and ly—can help increase public understanding where appropriate, the private sector. of foreign infuence operations. We also must ensure that we are sharing in- formation about the threat with potential Conclusion victims, other afected individuals, and the public, consistent with our policies and our Te nature of foreign infuence operations national security interests. In the longer will continue to change as technology and term, we must consider what additional au- our foreign adversaries’ tactics change. Our thorities or policies would be useful and ap- adversaries will persist in seeking to exploit propriate to enable us to respond as efective- the diversity of today’s information space, ly as possible to the foreign infuence threat. and the tactics and technology they employ will continue to evolve. * * * Te Department plays an important role in Te story is told that a woman named Eliz- combating foreign eforts to interfere in our abeth Powel approached Benjamin Franklin elections, but it cannot alone solve the prob- when he was walking home afer the Consti- lem. Tere are limits to the Department’s tutional Convention in the summer of 1787. role—and the role of the U.S. government— Powel asked Franklin what type of govern-

14 COUNTERING MALIGN FOREIGN INFLUENCE OPERATIONS ment the Founders had created. Franklin Our Nation’s democratic processes are strong. replied: “A republic, madam, if you can keep But the Constitution comes with a condition: it.” Powel’s question illustrates that it was not we need to keep it. We are all keepers of the inevitable that our Nation would begin as a republic, and it is incumbent upon all of us, democratic republic. Franklin’s answer re- as a society, to counter the foreign infuence minds us that it is not inevitable that we will threat. Te Department of Justice will cer- remain a democratic republic.15 tainly play its part.

15 CYBER-DIGITAL TASK FORCE REPORT

DEPARTMENT OF JUSTICE POLICY ON DISCLOSURE OF FOREIGN INFLUENCE OPERATIONS

Foreign infuence operations include covert actions by foreign governments intended to sow divisions in our society, undermine confdence in our democratic institutions, and otherwise afect political sentiment and public discourse to achieve strategic geopolitical objectives. Such operations are ofen empowered by modern technology that facilitates malicious cyber activity and covert or communications with U.S. audiences on a mass scale from abroad.

Our Nation’s democratic processes and institutions are strong and must remain resilient in the face of this threat. It is the policy of the Department of Justice to investigate, disrupt, and prosecute the perpetrators of illegal foreign infuence activities where feasible. It is also the Department’s policy to alert the victims and unwitting targets of foreign infuence ac- tivities, when appropriate and consistent with the Department’s policies and practices, and with our national security interests.

It may not be possible or prudent to disclose foreign infuence operations in certain con- texts because of investigative or operational considerations, or other constraints. In some circumstances, however, public exposure and attribution of foreign infuence operations can be an important means of countering the threat and rendering those operations less efective.

Information the Department of Justice collects concerning foreign infuence operations may be disclosed as follows:

• To support arrests and charges for federal crimes arising out of foreign infuence operations, such as hacking or malicious cyber activity, identity thef, and fraud.

• To alert victims of federal crimes arising out of foreign infuence operations, consistent with Department guidelines on victim notifcation and assistance.18

• To alert unwitting recipients of foreign government-sponsored covert support, as necessary to assist in countering the threat.

• To alert technology companies or other private sector entities to foreign infu- ence operations where their services are used to disseminate covert foreign gov- ernment propaganda or disinformation, or to provide other covert support to political organizations or groups.

16 COUNTERING MALIGN FOREIGN INFLUENCE OPERATIONS

DEPARTMENT OF JUSTICE POLICY ON DISCLOSURE OF FOREIGN INFLUENCE OPERATIONS, Continued

• To alert relevant Congressional committees to signifcant intelligence activities, consistent with statutory reporting requirements and Executive Branch policies.

• To alert the public or other afected individuals, where the federal or national interests in doing so outweigh any countervailing considerations.19

In performing these functions, the Department will be mindful of the following principles and policies:

• Partisan political considerations must play no role in eforts to alert victims, oth- er afected individuals, or the American public to foreign infuence operations against the United States. Such eforts must not be for the purpose of conferring any advantage or disadvantage on any political or social group or any individual or organization.

• In considering whether and how to disclose foreign infuence operations, or the details thereof, the Department will seek to protect intelligence sources and methods, investigations, and other U.S. government operations.

• Foreign infuence operations will be publicly identifed as such only when the De- partment can attribute those activities to a foreign government with high conf- dence. Disinformation or other support or infuence by unknown or domestic sources not acting on behalf of a foreign government is beyond the scope of this policy.

• Where a criminal or national security investigation during an election cycle is at issue, the Department must also be careful to adhere to longstanding policies regarding the timing of charges or taking overt investigative steps.20

Te Department (including the FBI) will not necessarily be the appropriate entity to disclose information publicly concerning a foreign infuence operation. Where a Department com- ponent is considering whether to alert the general public to a specifc foreign infuence oper- ation, consultation with the National Security Division is required. Nothing in this policy is intended to impair information sharing undertaken by Department components for investi- gative or intelligence purposes.

17 CYBER-DIGITAL TASK FORCE REPORT

NOTES

1 See U.S. Const. art. I, § 4 (Congressional elec- process.”), available at: https://intelligence.house. tions) & art. II, § 4 (Presidential elections). gov/uploadedfles/fnal_russia_investigation_re- port.pdf (last accessed June 29, 2018); Minorit 2 Te term “ballot fraud” in this context in- Members of the House Permanent Select cludes fraud in the processes by which voters are Committee on Intelligence, Report on Rus- registered or by which votes are cast or tabulated. sian Active Measures 12 (March 2018), avail- able at: https://democrats-intelligence.house.gov/ 3 Foreign infuence operations, while not always uploadedfiles/20180411_-_final_-_hpsci_mi- illegal, can implicate several U.S. federal criminal nority_views_on_majority_report.pdf (last ac- statutes, including (but not limited to): 18 U.S.C. cessed June 29, 2018) (summarizing Russian co- § 371 (); 18 U.S.C. § 951 (acting in the vert cyber eforts and other intelligence and social United States as an agent of a foreign government media operations during the 2016 elections); U.S. without prior notifcation to the Attorney Gener- Senate Select Committee on Intelligence, al); 18 U.S.C. § 1001 (false statements); 18 U.S.C. Russian Targeting of Election Infrastruc- § 1028A (aggravated identity thef); 18 U.S.C. § ture During the 2016 Election: Summar 1030 ( and abuse); 18 U.S.C. §§ of Initial Findings and Recommendations 1 1343, 1344 (wire fraud and ); 18 U.S.C. (May 2018) (“In 2016, cyber actors afliated with § 1519 (destruction of evidence); 18 U.S.C. § 1546 the Russian Government conducted an unprece- (visa fraud); 22 U.S.C. § 618 (Foreign Agents Reg- dented, coordinated cyber campaign against state istration Act); 52 U.S.C. §§ 30109, 30121 (solicit- election infrastructure . . . Tis activity was part of ing or making foreign contributions to infuence a larger campaign to prepare to undermine conf- federal elections, or to infuence State dence in the voting process. Te Committee has or local elections). not seen any evidence that vote tallies were ma- nipulated or that voter registration information 4 Office of the Director of National In- was deleted or modifed.”), available at: https:// telligence, Background to “Assessing Rus- www.burr.senate.gov/imo/media/doc/Russ- sian Activities and Intentions in Recent RptInstlmt1-%20ElecSec%20Findings,Recs2.pdf U.S. Elections”: The Anal tic Process and (last accessed June 29, 2018). C ber Incident Attribution ii (Jan. 2017) (“ODNI Report”), available at: https://www.dni. 6 Daniel R. Coats, Dir. of National Intelligence, gov/fles/documents/ICA_2017_01.pdf (last ac- “Statement for the Record: Worldwide Treat cessed June 29, 2018). Assessment of the U.S. Intelligence Community,” at 11 (Feb. 13, 2018), available at: https://www. 5 ODNI Report at 2; see also U.S. House of dni.gov/files/documents/Newsroom/Testimo- Representatives Permanent Select Com- nies/2018-ATA---Unclassifed-SSCI.pdf (last ac- mittee on Intelligence, Report on Russian cessed June 29, 2018). Active Measures viii (March 2018) (“In 2015, Russia began engaging in a covert infuence cam- 7 Id. paign aimed at the U.S. presidential election. Te Russian government, at the direction of Vladimir 8 ODNI Report at 5. Putin, sought to sow discord in American soci- ety and undermine our faith in the democratic 9 Daniel R. Coats, Dir. of National Intelligence,

18 COUNTERING MALIGN FOREIGN INFLUENCE OPERATIONS

“Annual Treat Assessment: Opening Statement,” gations from non-government groups or individ- Worldwide Treats: Hearing Before the Senate Se- uals. Te FBI then investigates properly-predi- lect Comm. on Intelligence, 115th Cong. (Feb. cated ballot fraud cases, in coordination with a 13, 2018), at 18, available at: https://www.dni. local U.S. Attorney’s Ofce (“USAO”). Te FBI gov/files/documents/Newsroom/Testimonies/ and USAO are free to exercise their discretion to ATA2018-asprepared.pdf (last accessed June 29, conduct a preliminary investigation afer assess- 2018). ing the case and ensuring non-interference with the election process. Tey may pursue a full feld 10 ODNI Report at 2. and grand jury investigation, and seek charges, afer consultation with the Criminal Division’s 11 Indictment in United States v. Internet Re- Public Integry Section (“PIN”). However, the search Agency, et al., No. 18-cr-32-DLF (D.D.C. FBI and other federal law enforcement agencies Feb. 16, 2018), available at: https://www.justice. may not conduct investigations that would in- gov/fle/1035477/download (last accessed June fringe the Department’s non-interference with 29, 2018). elections policy (see page 11), or that would un- lawfully result in an armed federal presence at a 12 Id. polling site. See 18 U.S.C. § 592. For almost forty years, PIN has provided the feld with an Elec- 13 22 U.S.C. § 611 et seq. tion Crimes Branch Director. Pursuant to the United States Attorneys’ Manual, the Director, 14 See “Principles of Federal Prosecution,” U.S. assisted as needed by other managers and staf at Attorne s’ Manual, Title 9, Section 27.000, PIN, functions as a mandatory consultant for the available at: https://www.justice.gov/usam/us- USAOs on all ballot fraud matters that progress am-9-27000-principles-federal-prosecution (last beyond a preliminary investigation, see U.S.A.M. accessed June 29, 2018). § 9-85.210, and as a subject matter expert avail- able to provide advice and assistance to USAOs 15 Tis story and its associated lessons are re- and the FBI. Te Director coordinates and con- counted in Rod J. Rosenstein, Deputy Attorney ducts mandatory live training with designated General, “Constitution Day Address,” National feld personnel of the USAOs and FBI. Te Di- Constitution Center (Sept. 18, 2017), available at: rector also leads an Election Day Watch program https://www.justice.gov/opa/speech/deputy-at- during federal election seasons to monitor and torney-general-rod-j-rosenstein-delivers-consti- coordinate responses to election events while the tution-day-address (last accessed June 29, 2018). polls are open on each federal election day. Te Election Day Watch program is the Department’s 16 As part of the Department’s ballot fraud pro- mechanism for ensuring consistent and efcient gram, the FBI must maintain an Election Crimes communication and coordination between in- Coordinator (“ECC”) in each of its Divisions. teragency representatives, federal prosecutors Te ECCs are the Department’s primary liaison and investigators in the feld, and State and lo- with State and local agencies, and election cal partners. Each USAO must maintain a Dis- administrators, as well as with other federal agen- trict Election Ofcer (“DEO”) among its cadre cies, in the feld. Tey attend regular trainings, of Assistant United States Attorneys. Te DEOs coordinate local task force communications with are the Department’s primary liaison with State State and local counterparts during elections, and local counterparts in the feld. Tey attend and handle intake reporting of ballot fraud alle- regular trainings, and as part of the Election Day

19 CYBER-DIGITAL TASK FORCE REPORT

Watch program, coordinate local task force com- does not have a role in determining which can- munications with State and local counterparts didate won a particular election, or whether an- leading up to and during the elections. DEOs other election should be held because of the im- also coordinate press releases concerning elec- pact of the alleged fraud on the election . . . . In tion-day procedures to facilitate reporting to the investigating an election fraud matter, federal law federal government of ballot fraud allegations enforcement personnel should carefully evaluate from non-government groups or individuals. whether an investigative step under consider- Te Voting Section and Criminal Section of the ation has the potential to afect the election itself. Department’s Civil Rights Division (“CRT”) co- Starting a public criminal investigation of alleged ordinates regularly with PIN to ensure that ballot election fraud before the election to which the fraud allegations are routed to the best response allegations pertain has been concluded runs the entity. CRT maintains a hotline that operates all obvious risk of chilling legitimate voting and year, including throughout federal election days, campaign activities. It also runs the signifcant to facilitate reporting of allegations of potential risk of interjecting the investigation itself as an is- voting-related federal law violations. CRT’s Vot- sue, both in the campaign and in the adjudication ing Section also enforces the civil provisions of of any ensuing election contest . . . . Accordingly, a wide range of federal statutes that protect the overt criminal investigative measures ordinarily right to vote, including the Voting Rights Act; the should not be taken in matters involving alleged National Voter Registration Act; the Uniformed fraud in the manner in which votes were cast or and Overseas Citizens Absentee Voting Act; the counted until the election in question has been Help America Vote Act; and the Civil Rights Act. concluded, its results certifed, and all recounts CRT’s Criminal Section enforces federal crimi- and election contests concluded. Not only does nal statutes that prohibit voter and such investigative restraint avoid interjecting the based on race, color, national federal government into election campaigns, the origin, or religion. Finally, the Department of voting process, and the adjudication of ensuing Homeland Security (“DHS”) recently has joined recounts and election contest litigation, but it also existing eforts to combat ballot fraud in the spe- ensures that evidence developed during any elec- cifc area of cyber threats. In particular, DHS tion litigation is available to investigators, there- provides advice and resources to State and local by minimizing the need to duplicate investigative counterparts to assess the risks to their computer eforts. Many election fraud issues are developed systems for voter registration, balloting, and tab- to the standards of factual predication for a fed- ulation. DHS also has certain resources for inci- eral criminal investigation during post-election dent response, though the FBI has greater local litigation.” resources and, under PPD-41, retains the lead on incident response. 18 See Attorney General Guidelines for Victim and Witness Assistance (May 2012), available at: 17 Tis treatise is available online at: https://www. https://www.justice.gov/sites/default/files/olp/ justice.gov/criminal/fle/1029066/download (last docs/ag guidelines2012.pdf (last accessed June accessed June 29, 2018). Te most relevant dis- 29, 2018); see also 42 U.S.C. § 10607 (Victims’ cussion can be found at pages 84-85: “Te Justice Rights and Restitution Act). Department’s goals in the area of election crime are to prosecute those who violate federal crim- 19 For example, there may be an important fed- inal law and, through such prosecutions, deter eral or national interest in publicly disclosing a corruption of future elections. Te Department foreign infuence operation that threatens to un-

20 COUNTERING MALIGN FOREIGN INFLUENCE OPERATIONS dermine confdence in the government or pub- acerbate the foreign government’s messaging, or lic institutions; risks inciting violence or other may re-victimize the victim. illegal actions; or may cause substantial harm, alarm, or confusion if lef unaddressed. On the 20 See, e.g., U.S. Dept. of Justice, Federal other hand, in some cases, public disclosure of a Prosecution of Election Offenses 8-9, 84- foreign infuence operation may be counterpro- 85 (8th ed. 2017), quoted in supra note 17. ductive because it may amplify or otherwise ex-

21

CATEGORIZING SOPHISTICATED CYBER SCHEMES

Chapter 2 Categorizing Sophisticated Cyber Schemes

align foreign infuence operations schemes; (4) crimes threatening personal pri- represent a signifcant cyber-enabled vacy; and (5) crimes threatening critical in- threat to American society and na- frastructure. Mtional security. But they are not the only one. Every day, criminals and other hackers with- 1. Damage to computer systems in the United States and around the world seek to use computers, smart devices, and Many cyber threats directly target comput- other chip-enabled technology—as well as er systems and networks, seeking to damage the networks that connect them—to victim- the integrity or availability of data and ser- ize American consumers and businesses, or vices housed on those systems. For example, to do our government harm. a Distributed of Service (“DDoS”) attack involves the orchestrated transmis- In this chapter, we describe some of the most sion of communications engineered to over- prevalent and dangerous types of cybercrime whelm the victim network’s connection to schemes our Nation currently faces. Various the Internet in order to impair or disrupt actors, with varying motivations, perpetrate that network’s ability to send or receive com- these schemes, targeting various categories munications. Because they require the near of victims. All of these schemes, however, simultaneous and sustained sending of com- rely on the malicious, unauthorized use of munications against a discrete target, DDoS computers to penetrate into another person’s attacks usually are launched by a large net- computer or network. Tis technical base- work of hijacked computers called a botnet. line provides a set of common operational (For further discussion of botnets, see page techniques across the range of complicated 41.) Common targets of DDoS attacks in- cybercriminal plots. Indeed, in a threat land- clude websites that the criminals wish to dis- scape that constantly evolves and features a able and push of-line, either because they diverse set of actors, motivations, and targets, disagree with the content, or because they the prevalence of certain key techniques is a wish to drive trafc to sites they prefer. signifcant and rare constant. DDoS attacks can have crippling, far-reach- Cybercrime Schemes ing efects. In October 2016, for example, a massive DDoS attack targeting a U.S.-based In the current landscape, cyber-enabled company that controls much of the Internet’s schemes tend to fall into one or more of infrastructure brought fve basic categories: (1) damage to comput- down many of the world’s best-known web- er systems; (2) data thef; (3) fraud/ sites for several hours, including sites belong-

23 CYBER-DIGITAL TASK FORCE REPORT ing to , Pinterest, CNN, , and as they worked to neutralize and mitigate the Netfix. Te botnet used to launch this attack attacks on their servers. In 2017, the Depart- was originally created a few years before. Te ment of the Treasury added the seven hack- Department recently convicted the botnet’s ers to the Ofce of Foreign Assets Control creators afer the leader of the group admit- (“OFAC”) Specially Designated National and ted that he and his conspirators developed Blocked Persons List.5 it in part to initiate powerful DDoS attacks “against business competitors and others Malign actors also use to in- against whom [they] held grudges.”1 Tey fict damage to a victim’s computer systems. also used the botnet—which, in an alarm- Ransomware is malicious computer code ing new , enlisted everyday so-called (or “”) that blocks a victim’s access “Internet of Tings” devices into its network to data on its systems, typically by encrypt- of hijacked machines, thereby amplifying its ing the data and demanding that the victim strength by orders of magnitude2—to pro- pay a ransom, ofen in the form of a dif- vide a source of revenue, either by renting it cult-to-trace virtual currency, to restore the out to third-parties in exchange for payment, data. See Fig. 1. or by employing it to “extort hosting compa- nies and others into paying protection mon- Ransomware can be delivered in a variety of ey in order to avoid being targeted” by DDoS ways, including through fraudulent e-mails. attacks.3 Such e-mails can be drafed to look like they are from trustworthy senders, containing Hostile governments, too, may employ DDoS malicious attachments or links that, once attacks to advance their geopolitical goals and opened or clicked, activate the ransomware. undermine our national security. In March Some variants also try, once they have gained 2016, for example, a federal grand jury in New a foothold in a victim’s network, to spread York indicted seven Iranian hackers belong- laterally across the network to encrypt fles ing to two companies that worked for Iran’s on other computers or servers to which the Islamic Revolutionary Guard Corps for their victim’s device has access. A second com- role in DDoS attacks targeting the public-fac- mon method involves planting ransomware ing websites of nearly ffy U.S. banks.4 Tese in hacked websites, which infect the comput- DDoS attacks against the U.S. fnancial sector ers of visitors to the sites. In addition, it is began in approximately December 2011, and not uncommon for criminals to use botnet occurred sporadically until September 2012, infrastructure and code to facilitate the wide- at which point they escalated in frequency to spread delivery of ransomware. a near-weekly basis. On certain days during the DDoS campaign, victim computer serv- Like DDoS attacks, ransomware attacks ers were hit with massive amounts of traf- can impose immense costs. For example, in fc, which cut of hundreds of thousands of 2017, the “WannaCry” ransomware attack customers from online access to their bank spread rapidly and indiscriminately around accounts. Tese attacks collectively cost the the world over a mere four days. Tis cam- banks tens of millions of dollars to remediate paign—which ultimately was attributed to

24 CATEGORIZING SOPHISTICATED CYBER SCHEMES

Figure 1: Te Anatomy of a Ransomware Attack

Credit: FBI Cyber Division the North Korean government—rendered with nation states and other entities that have useless “hundreds of thousands of comput- broader motivations. To be sure, destructive ers in hospitals, schools, businesses, and attacks may come disguised as ransomware homes in over 150 countries.”7 Total dam- campaigns; the malware linked to the no- ages likely ran into the hundreds of millions torious “NotPetya” attack launched by the of dollars. High-profle incidents such as Russian military in June 2017, for example, the March 2018 attack that crippled ’s locked up its victims’ fles and purported city government make clear that ransomware to demand a ransom. It soon became clear, schemes remain a threat. however, that this was “meant to paralyze, not proft,” as victims who tried Typically, cybercriminals run ransomware to pay found it almost impossible to do so.9 campaigns: the goal is to damage the victim’s Tis attack, which was “part of the Krem- computer system in the short-term in order lin’s ongoing efort to destabilize Ukraine,” to get the victim to pay. If the scheme is to resulted in “the most destructive and costly succeed, in other words, the victim needs to cyberattack in history,” “causing billions of get their fles back. By contrast, destructive dollars in damage across Europe, Asia, and attacks—another type of cyber threat that the Americas.”10 Similarly, the “WannaCry” directly targets computer systems and net- attack described above did not prove to be works—destroy the victim’s data. For that very lucrative to the attackers. Rather, it was reason, these attacks ofen are associated a reckless attack that resulted in havoc and

25 CYBER-DIGITAL TASK FORCE REPORT

Credit: FBI Cyber Division destruction; any that was raised was In response to the cyberattack on SPE, the purely a side beneft.11 U.S. government publicly attributed the inci- dent to the North Korean government, and Perhaps the most notorious example of a de- then sanctioned a North Korean government structive attack launched against a U.S. com- agency, two trading companies, and ten pany was the November 2014 cyberattack by North Korean individuals.13 North Korea on Sony Pictures Entertainment (“SPE”). Tis attack destroyed much of SPE’s 2. Data Tef computer systems, compromised private in- formation, released valuable corporate data As the world grows increasingly reliant on and intellectual property, and threatened em- digital technology, and as companies store ployees, customers, and flm distributers with ever larger quantities of data about their cus- violence. Te attackers stole a large number tomers and other individuals, criminals have of fles—which included private correspon- sought to steal and proft from control over dence, unreleased flms, salary records, and that data. Te past decade has witnessed social security numbers—and released much numerous publicly reported instances of of the information to the public, imposing criminals hacking into computer systems and signifcant fnancial and other consequenc- stealing personally identifying information es. Te attack forced SPE to take its compa- (“PII”) about hundreds of millions of indi- ny-wide ofine and lef viduals. thousands of its computers inoperable.

26 CATEGORIZING SOPHISTICATED CYBER SCHEMES

According to one report, there were at least general public, but also their own employees. 686 data breaches reported in the frst quar- Tis fact makes them valuable targets. For ter of 2018, resulting in the thef of as many as example, the U.S. Ofce of Personnel Man- 1.4 billion records.14 Stolen PII can include agement announced in 2015 it had been vic- dates of birth, social security numbers, cred- timized through two separate but related cy- it card numbers, e-mail addresses, drivers’ berattacks that resulted in the thef of highly license numbers, payroll and tax informa- sensitive background investigation records of tion, and even answers to security questions current, former, and prospective federal em- used to log into systems—namely, everything ployees and contractors, as well as the thef needed to misappropriate victims’ identities, of personnel data of over 21 million people.17 make fraudulent purchases (including fling Data breaches like these degrade public trust fraudulent claims for tax refunds), and craf in government agencies. and other social engineering attacks on specifc targets. Breaches of major retail- Sometimes, nation states facilitate the work ers can reveal transaction information and of criminals who seek to steal and proft from expose these companies to massive fnancial user data. In March 2017, the Department losses, while imposing upon members of the announced criminal charges against two of- public the risk that their identities will be fcers of the Russian Federal Security Service used to commit other fnancial crimes, with (“FSB”) and two additional conspirators in- all of the associated impacts. Crimes of this volving computer hacking, economic espio- sort are tremendously costly to all involved. nage, and other ofenses in connection with a According to one estimate, the average to- conspiracy to access Yahoo’s network as well tal cost in 2017 to a victim company from as information concerning millions of indi- a was approximately $7.35 mil- vidual webmail accounts.18 Tose charges lion.15 Te Internet Crime Complaint Cen- revealed that ofcers from the FSB unit that ter (“IC3”), the FBI unit that receives and serves as the FBI’s point of contact in Mos- tracks cybercrime complaints from victims, cow on cybercrime matters were using crim- received a total of 3,785 complaints of corpo- inal hackers—one of whom already had been rate data breach in 2017, with reported losses publicly charged in two separate investiga- exceeding $60 million.16 tions in the United States—to target Ameri- can webmail providers and technology com- Government agencies face similar threats. As panies, among others. agencies try to use new information technol- ogies to make it easier for individuals and en- Te public revelation that FSB ofcers for tities to submit and obtain information nec- years had worked with a wanted cybercrimi- essary for paying taxes, obtaining benefts, or nal, and had allowed him to further victimize providing services, the avenues for potential his targets (for example, by searching com- breaches dramatically increase. Of course, promised accounts for and other government agencies collect and store sen- information that could be monetized), laid sitive information concerning not only the bare for the public and international com-

27 CYBER-DIGITAL TASK FORCE REPORT munity the nexus between the Russian state we are extracting confdential data and pass- apparatus and the Russian criminal under- ing on your personal information to the sol- world. Tese charges also demonstrated that diers of the khilafah, who soon with the per- the Russian government has not always been mission of Allah will strike at your necks in a responsible stakeholder in the fght against your own lands!” Malaysian authorities de- . One of the in- tained Ferizi, who subsequently consented to dicted hackers was arrested in and extradition to the United States. He pleaded brought to the United States; he pled guilty guilty and was sentenced to 20 years in pris- to eight criminal counts in U.S. federal court on for providing material support to ISIL, in November 2017, and was sentenced to a and for accessing a with- fve-year term in May 2018.19 In De- out and obtaining information cember 2016, OFAC designated the FSB un- in order to provide material support to a des- der a new executive order issued to expand ignated foreign terrorist organization.21 the authority under E.O. 13694, which em- powers the President to block the property of persons who engage in signifcant mali- cious cyber-enabled activities.20 On March 15, 2018, the Department of the Treasury THE COSTS OF INTELLECTUAL also designated the FSB pursuant to section 224 of the Countering America’s Adversaries Estimates vary regarding the size of eco- Trough Sanctions Act, which targets cyber nomic loss that can be attributed to the actors operating on behalf of the Russian thef of intellectual property and government in particular. secrets. Te Commission on the Tef of American Intellectual Property has es- Malign actors can also use data thefs to fur- timated that the annual cost to the U.S. ther terrorist acts. In June 2015, an ISIL- economy through the thef of trade se- linked hacker named Ardit Ferizi stole PII crets, and through counterfeit goods and belonging to tens of thousands of customers pirated sofware, exceeds $225 billion of a U.S. company, including members of the and could be as high as $600 billion.22 military and other government personnel. According to a cybersecurity industry Ferizi subsequently culled the PII belong- report, the direct costs of cyber thef in ing to 1,300 particular individuals employed 2014 for over 50 U.S.-based private and by the U.S. government and provided that public sector organizations ranged from information to , a now-de- just under $2 million to $65 million each ceased ISIL recruiter and attack facilitator. year per company, an increase of 82 per- In August 2015, Hussain posted the names cent over six years.23 Pricewaterhouse on Twitter in the name of the Islamic State Coopers estimated in 2014 that the Unit- Hacking Division with a message saying, in ed States lost between one and three per- part: “We are in your and computer cent of its gross domestic product each systems, watching and recording your every year due to trade secret thef.24 move, we have your names and addresses, we are in your emails and social media accounts, 28 CATEGORIZING SOPHISTICATED CYBER SCHEMES

Te thef of intellectual property represents and the others were arrested in 2012 in New another signifcant data thef problem. Te Zealand, but their extraditions to the United two most notable types of cyber-enabled States still remain on appeal in that nation. intellectual property crime are the infringe- Despite delays in the criminal case, the De- ment of copyrighted material over the Inter- partment of Justice has prevailed in a civil net and the of trade secrets forfeiture action in U.S. federal court to for- stored in a digital format. Internet sites that feit the proceeds of the criminal conspiracy. proft from the unauthorized distribution of copyrighted movies, music, sofware, and Following the takedown of Megaupload.com, other digital works can have a global reach, other online piracy sites grew in . generate millions of dollars of illicit revenue On July 20, 2016, Artem Vaulin of Ukraine for the operators, and cause extensive fnan- was arrested in Poland based on U.S. feder- cial harm to the owners of the works being al charges for conspiracy to commit crim- shared. While copyrighted works generally inal , conspiracy to are intended to be accessible to the public un- commit , and criminal der terms set by the copyright owner, trade copyright infringement.26 Vaulin is alleged secrets receive criminal protection specifcal- to have run one of the world’s most visited ly because they involve knowledge that is not illegal fle-sharing websites, Kickass Torrents known to the public and derive value from (“KAT”), which was seized as part of the op- remaining secret. eration. KAT enabled users to illegally repro- duce and distribute hundreds of millions of Kim Dotcom, Finn Batato, Mathias Ort- copyrighted motion pictures, video games, mann, Bram van der Kolk, and others are television programs, musical recordings, and members of a worldwide criminal organi- other electronic media. Initial investigation zation whose members allegedly engaged indicates that the copyrighted material was in criminal copyright infringement with es- collectively valued at well over $1 billion, and timated harm to copyright holders well in that the site, which was in the top 100 most excess of $400 million, and which yielded frequently visited sites on the Internet, re- over $175 million in illicit proceeds.25 Te ceived more than 50 million unique visitors conspirators operated a commercial website each month. and service called Megaupload.com, which reproduced and distributed copies of popular On the trade secret front, the Department copyrighted content without authorization obtained a conviction in January 2018 in U.S. and claimed at one time to account for four federal court against a China-based manu- percent of total Internet trafc—including facturer and exporter of wind turbines that more than one billion total visits, 150 million stole trade secrets from a U.S.-based com- registered users, and 50 million daily visitors. pany. Te Chinese company, Sinovel Wind A federal grand jury charged members of Group Co. Ltd., conspired with others to steal the conspiracy with a number of conspiracy, proprietary wind turbine technology from , copyright infringement, mon- the American corporate victim in order to ey laundering, and fraud ofenses. Dotcom produce its own wind turbines and to retroft

29 CYBER-DIGITAL TASK FORCE REPORT existing wind turbines with stolen technolo- ample, a federal grand jury indicted fve uni- gy. Tese crimes cost the victim more than formed members of the Chinese military on $1 billion in shareholder equity and almost charges of hacking and conducting econom- 700 jobs—over half its global workforce.27 ic espionage against large U.S. entities in the nuclear power, metal, and solar energy in- In addition, the Department has pursued dustries. Te lengthy statement of charges charges not only against criminals seeking described numerous specifc instances where monetary gain, but also against nation-state ofcers of the People’s Liberation Army actors engaged in economic espionage (“PLA”) were alleged to have hacked into through cyber means. In May 2014, for ex- the computer systems of U.S. victims to steal

Conspiring to Commit Computer Fraud; Accessing a Computer Without Authorization for the Purpose of Commercial Advantage and Private Financial Gain; Damaging Computers Through the Transmission of Code and Commands; Aggravated Identity ; Economic Espionage; Theft of Trade Secrets

WANG DONG SUN KAILIANG WEN XINYU Aliases: Jack Wang, " UglyGorilla" Aliases: Sun Kai Liang, Jack Sun Aliases: Wen Xin Yu, “ WinXYHappy” , “_Win XY”, Lao Wen

HUANG ZHENYU GU CHUNHUI Aliases: Huang Zhen Yu, “ hzy _ lhx” Aliases: Gu Chun Hui, “ KandyGoo ”

DETAILS On May 1, 2014, a grand jury in the Western District of Pennsylvania indicted five members of the People ’s Liberation Army (PLA) of the People’ s Republic of China (PRC) for 31 criminal counts, including: conspiring to commit computer fraud; accessing a computer without authorization for the purpose of commercial advantage and private financial gain; damaging computers through the transmission of code and commands; aggravated ; economic espionage; and theft of trade secrets.

The subjects, Wang Dong, Sun Kailiang, Wen Xinyu, Huang Zhenyu, and Gu Chunhui, were officers of the PRC’ s Third Department of the General Staff Department of the People’ s Liberation Army (3PLA), Second Bureau, Third Office, Military Unit Cover Designator (MUCD) 61398, at some point during the investigation. The activities executed by each of these individuals allegedly involved in the conspiracy varied according to his specialties. Each provided his individual expertise to an alleged conspiracy to penetrate the computer networks of six American companies while those companies were engaged in negotiations or joint ventures or were pursuing legal action with, or against, state- owned enterprises in China. They then used their illegal access to allegedly steal proprietary information including, for instance, e- mail exchanges among company employees and trade secrets related to technical specifications for nuclear plant designs.

If you have any information concerning these individuals, please contact your local FBI office or the nearest American Embassy or Consulate.

Figure 2: Chinese Military Ofcers Charged with Hacking and Economic Espionage

30 CATEGORIZING SOPHISTICATED CYBER SCHEMES trade secrets and sensitive, internal commu- no meaningful response,”32 the Department nications for commercial advantage or pri- acknowledged as much and unsealed the in- vate fnancial gain. See Fig. 2. Although the dictment, providing insight into the status of fve charged PLA ofcers remain at large, this China’s adherence to norms it purportedly case illustrated how the Department’s inde- had embraced. pendent investigations and actions can play an important role as part of a broader, coor- 3. Fraud/Carding Schemes dinated approach designed to support Amer- ican companies, deter our adversaries, and At the core of fraud deceit. It can man- otherwise change their behavior. ifest in an intent to deceive by those one knows and trusts, or, as is ofen the case with Te indictment sent a clear message that the cybercrime, by criminals defrauding victims state-sponsored thef of trade secrets or oth- by abusing the Internet’s lack of a trusted er confdential business information, with and efective means to authenticate another’s the intent of providing competitive advan- identity. Online systems with weak authen- tages to companies or commercial sectors, is tication and few indications for determining unacceptable. Tis norm thereafer gained another’s true identity have opened the door widespread acceptance, most notably in a bi- for fraudsters to commit numerous crimes by lateral agreement between the United States faking their online identities or fraudulently and China in September 2015,28 and among adopting the identities of others. Cyber fraud the G20 at the Antalya Summit in Turkey schemes take many forms, including Nigeri- in November 2015.29 Although some U.S. an-letter scams in which fraudsters e-mail cybersecurity frms indicate that computer victims claiming to be Nigerian government intrusions by Chinese state-sponsored hack- ofcials in need of assistance in transferring ers targeting U.S. frms have decreased since stolen funds out of . Recipients who then,30 the U.S. government continues to respond are encouraged to cover upfront the monitor China’s compliance with the norm, supposed expenses for the transfers them- and with that nation’s September 2015 com- selves, upon the fraudulent promise of later mitment to cooperate on investigations of repayment, and to provide personal banking crimes emanating from its territory. To that information and other identifying informa- end, in late 2017, the Department charged tion—which is later used to drain victims’ three Chinese nationals who worked for the bank accounts.33 Other forms include frauds purported frm known as that convince victims to donate to fake char- Boyusec with stealing trade secrets and oth- ities, especially afer natural disasters, and er confdential information from American fraudulent online transactions or exchanges frms until as recently as May 2017—long in which no payment is made to, or no good afer the Chinese commitments of Septem- or service is received by, the victim.34 ber 2015.31 Afer the Department sought assistance from the Chinese authorities in Other schemes entice victims to purchase investigating the allegations and “received investment and fnancial instruments, ofen

31 CYBER-DIGITAL TASK FORCE REPORT marketed with misleading claims of ofering hacking, phishing attacks, and social media low-risk, high-reward guaranteed returns or manipulation—to gain access to sensitive, of- overly consistent returns. Examples include ten sexually explicit information that they use Ponzi schemes, advance fee frauds, pyramid to extort, harass, or stalk all types of people, schemes, and market manipulation frauds. including vulnerable youth and young adults. Tese schemes can target members of afn- ity groups, such as groups with a common fact patterns vary, but some typi- religion or ethnicity, in order to exploit that cal scenarios have emerged. A common fact supposed connection to build trust and oper- pattern involves a perpetrator demanding ate the investment fraud against the victim.35 something of value, typically sexually explicit Carding schemes are another major fnan- images, from a victim. Te perpetrator en- cial threat. Tese schemes involve criminals forces these demands through threats to dis- selling and purchasing hacked credit card tribute material that the victim seeks to keep information, typically through dark markets private, such as embarrassing or sexually ex- devoted to criminal activity, that is then used plicit images involving the victim, or through to commit fraudulent ATM transactions, threats to harm the victim’s friends or family, purchase pre-paid gif cards, and buy goods for example by using stolen account infor- that are then re-shipped to criminal organi- mation to bankrupt them. A primary tactic zations. In just one example, a group of Rus- that sextortionists use is to lure the victim to sian criminals hacked into systems at credit share a compromising image or information, card processors, banks, retailers, and other which, once obtained, the criminal can use companies, and stole over 160 million credit to the victim into providing addi- card numbers.36 tional images or videos. Ofen, criminals use social engineering tactics to target victims. A 4. Cyber-enabled crimes threatening common approach is to misrepresent them- personal privacy selves as peers—for example, using profle photos or avatars on social media websites Criminals regularly abuse the global reach, bearing images close in age to the victim— connectivity, and of information to convince victims they are communicating technology services to commit a wide range with an age-appropriate individual who is of crimes targeting specifc individuals. actually interested in them. By fraudulent- Many of these behaviors represent reprehen- ly building a rapport using fattery, romance, sible and ofen dangerous violations of the and manipulation, criminals are able to be- victim’s privacy rights, and can have lasting, friend victims and entice them to share sensi- damaging impact. Examples of these crimes tive images or information. Other criminals include sextortion and non-consensual por- have presented themselves as representatives nography (sometimes colloquially called from a modeling agency that is interested “”), as well as cyber-enabled ha- in representing the victim; still others have rassment and stalking of victims. Criminals successfully impersonated the victim’s part- are using online tactics—including computer ner in order to trick the victim. In addition,

32 CATEGORIZING SOPHISTICATED CYBER SCHEMES criminals also obtain material from victims’ includes any course of conduct or series of online social media accounts, such as per- acts taken by the perpetrator that places the sonal information and “friends lists,” which victim in reasonable fear of death or serious the criminals exploit to present themselves bodily injury, or causes, attempts to cause, or as acquaintances or someone with similar in- would reasonably be expected to cause sub- terests. Finally, some criminals simply hack stantial emotional distress to the victim or into a victim’s computer and install malware the victim’s immediate family. Prohibited that controls the device’s cameras, thereby acts include repeated, unwanted, intrusive, surreptitiously capturing compromising or and frightening communications from the personal video footage of the victim. As ma- perpetrator by phone, e-mail, or other forms jor consumers of social media, children and of communication; and threats young adults are particularly vulnerable to communicated through the Internet, such as these types of ofenses. social media sites; and the posting of infor- mation or spreading rumors about the vic- Non-consensual pornography describes tim on the Internet. Cyber-enabled harass- the distribution of nude or sexually explicit ment, by contrast, involves more generalized images and videos of an individual without threats to victims, and includes swatting and the victim’s . Images taken consen- doxxing. Swatting involves deceiving emer- sually during an intimate relationship are gency responders to dispatch a SWAT team released once the relationship ends. Other or other police unit to the victim’s home or times, perpetrators obtain consensually pro- location, purportedly because the victim has duced images by hacking into systems, or taken hostages or is otherwise armed and obtain non-consensually produced imagery dangerous, which tragically has resulted in through hidden cameras or by recording sex- deadly outcomes. Doxxing involves broad- ual . Te images may be posted on- casting personal information about the vic- line, ofen with identifying information and tim on the Internet, exposing him or her to links to social media profles, or may be sent further harassment by others. directly to the victim’s co-workers, friends, and family.37 Non-consensual pornography Te Department vigorously pursues these sometimes overlaps with sextortion, particu- acts when they rise to the level of federal larly when the perpetrator threatens to dis- crimes. As just one example, we prosecut- tribute sexually explicit images of the victim ed a Department of State employee at the unless the victim provides additional images U.S. Embassy in London for engaging in a or some other thing of value. widespread international computer hacking, , and sextortion campaign.39 Cyber-enabled stalking and harassment are Tis defendant’s scheme involved, among other particularly pernicious cyber threats other steps, sending e-mails to thousands against individuals. Tese terms cover sim- of potential victims pretending to be from ilar criminal activity that threatens victims, his targets’ e-mail provider. Te defendant though only cyberstalking is explicitly de- then used these e-mails to trick victims into fned in federal criminal law.38 Cyberstalking revealing their account passwords, which

33 CYBER-DIGITAL TASK FORCE REPORT he then used to hack into the accounts and that can be used in the future to disrupt op- search for sexually explicit photographs. erations or to steal valuable proprietary in- Once the defendant located private photos, formation. In addition, perpetrators of ran- he searched for additional personal informa- somware schemes, as described above, have tion about his victims, such as addresses and sought to exploit society’s need for critical family member names. Using this informa- infrastructure to remain continuously op- tion and the stolen explicit images, he then erational by targeting (and extorting) hospi- engaged in a cyberstalking campaign, threat- tals, and other vital institutions, that cannot ening to release the photos if victims did not aford any downtime. comply with his demands. Tis defendant ultimately was sentenced to 57 months in Increased connectivity has helped U.S. com- federal prison.40 panies manage and monitor their businesses, but it also has made critical infrastructure 5. Cyber-enabled crimes threatening vulnerable to cyberattack. Modernization critical infrastructure has been a double-edged sword: while it has unlocked new potential for efciency and Our Nation’s critical infrastructure provides performance, the resulting increased con- the essential services that underpin Amer- nectivity between devices and systems, and ican society and serves as the backbone of especially vital systems like the electrical grid our economy, security, and health systems.41 and water treatment facilities, have also creat- Critical infrastructure includes the fnan- ed new vulnerabilities and attack vectors that cial services sector, the electrical grid, dams, must be defended.43 As a result, the indus- electoral systems, and over a dozen oth- trial-control systems that manage and mon- er sectors of society whose assets, systems, itor many of our most important industrial and networks are considered so vital to the facilities and systems are increasingly being United States that their incapacitation or targeted by adversaries intent on wreaking destruction would have a debilitating efect havoc.44 Tis is not a hypothetical threat: on our national security, national economic one of the Iranian hackers indicted for the security, national public health or safety, or DDoS attacks against the U.S. fnancial sector any combination thereof.42 Tese sectors are is also alleged repeatedly to have gained ac- highly reliant on IT systems and networks. cess to the Supervisory Control and Data Ac- As such, threats targeting critical infrastruc- quisition (“SCADA”) system of a dam in New ture deserve particular attention. For exam- York, allowing him to obtain information re- ple, major energy systems, such as pipelines garding the dam’s status and operation. Had and refneries, operate using networked the system not been under maintenance at industrial control systems that permit re- the time, the hacker would have been able to mote operation of massive, geographical- control the dam’s sluice gate.45 ly dispersed facilities and machines. Tese systems rely on sophisticated computer and Because private entities own and operate communication networks that adversaries the vast majority of the Nation’s critical in- target by seeking to identify vulnerabilities frastructure, the FBI works to make threat

34 CATEGORIZING SOPHISTICATED CYBER SCHEMES information available to afected sectors most important responsibility is to keep through briefngs and widely distributed Americans safe, it must continue combating technical alerts developed jointly with DHS. these threats and aggressively monitoring In March 2018, for example, the FBI and DHS how they evolve. One of the most important announced that for at least two years, Russian ways we can stay abreast (if not ahead) of cy- government cyber actors had “targeted gov- bercriminals is to fully understand the tech- ernment entities and multiple U.S. critical niques they use to cause harm. Te threats infrastructure sectors, including the energy, themselves will likely change, but the meth- nuclear, commercial facilities, water, avia- ods and tools these criminals use to commit tion, and critical manufacturing sectors.”46 computer intrusions and to steal from others Tis technical alert described a multistage have shown remarkable resilience. Russian intrusion campaign that compro- mised small commercial facilities’ networks Techniques Used to Facilitate and used them to stage malware and to con- duct spear-phishing attacks, which allowed Cyber Attacks the Russians to gain remote access into ener- gy sector networks. Te Russian cyber actors Te availability of sophisticated technolo- then conducted network reconnaissance, be- gy allows criminals to commit crimes from fore moving laterally across the network and distant locations, and to avoid detection by collecting information pertaining to Indus- victims and law enforcement. Indeed, these trial Control Systems. U.S. Treasury Secre- technologies greatly expand our adversar- tary Steven Mnuchin referenced this activity ies’ reach and impact, permitting a small when announcing that OFAC had sanctioned number of criminals to execute intrusions, fve Russian entities and nineteen Russian in- schemes, and attacks that afect millions of dividuals.47 victims. Four of the most common tools that criminals exploit to increase the scale of Likewise, in May 2018, the FBI and DHS their attacks include social engineering, ma- issued a technical alert notifying the public licious sofware, botnets, and criminal infra- about the FBI’s high confdence that mali- structure. cious North Korean government cyber actors have been using malware since at least 2009 1. Social Engineering “to target multiple victims globally and in the United States,” across various sectors—in- Social engineering is a tactic criminals use cluding critical infrastructure sectors.48 to convince or trick targets into engaging in a specifc activity, ofen by adopting a false * * * identity online of someone the target knows or otherwise believes to be innocuous. Un- Tis non-exhaustive list highlights the varied fortunately, because it preys upon widespread nature of the most serious cyber threats our trust that online identities are legitimate, so- Nation faces. To the extent the Department’s cial engineering is surprisingly efective and

35 CYBER-DIGITAL TASK FORCE REPORT is a technique used in the vast majority of tive, such as the company’s Chief Executive data breaches and online scams that the FBI Ofcer. In some cases, the scammers pick investigates.49 an address that does not belong to the exec- utive but appears to be a real address for the In a phishing scam, for example, criminals executive, such as being of by one letter. In impersonate a person or entity trusted by more sophisticated schemes, BEC fraudsters the victim in order to pressure the victim to gain access to the victim company’s e-mail engage in conduct that benefts the criminal. system and send requests from the senior Tese schemes may involve sending fraudu- executive’s actual e-mail account. In 2016, lent e-mails that appear to come from a le- these schemes caused over $360 million of gitimate source, such as a victim’s bank or losses reported to the FBI—the largest of any Internet Service Provider (“ISP”), requesting category of cybercrime tracked by IC3.52 In the recipient to click on a link to a website 2017, IC3 received over 15,000 BEC com- controlled by the criminals and to divulge plaints with adjusted losses of over $675 mil- personal account information, or seeking to lion, which once again placed these schemes get the victim to download malware under at the top of the loss list.52 .50 Other fraudsters use intim- idation and threats to entice the victim to act, 2. Malware such as by threatening to close an account, and ofen ask for usernames, passwords, Malware is malicious sofware that disrupts, dates of birth, Social Security numbers, bank damages, or otherwise compromises the in- numbers, PIN numbers, payment card num- tegrity of computer systems and networks. bers, or a mother’s maiden name. Te goal is It is frequently disseminated by fraudulent- to acquire PII that the fraudsters can then sell ly or otherwise unlawfully obtaining access or use to commit other crimes, such as mak- to a victim’s computer or system and then ing fraudulent purchases, or to gain access to launching a malicious on the vic- the victim’s computer to steal information or tim’s system. Malware takes many diferent install malware. forms. Some versions are written to erase data or even render computers unusable, for Business e-mail compromise (“BEC”) example by overwriting critical information scams are another variant of social engineer- on their hard drives, thereby preventing the ing, where the goal is not to have the victim computers from starting. Other types of mal- provide information, but rather to transfer ware, such as ransomware programs (dis- money. Sometimes operating as part of so- cussed above), render the data inaccessible phisticated transnational criminal organi- by encrypting victims’ systems and demand- zations, BEC scammers can send e-mails to ing a ransom with the promise of restoring employees with access to a company’s fnan- the victims’ data upon payment—a promise cial system, tricking them into wiring pay- that is not always fulflled. , includ- ments to accounts controlled by the crimi- ing keyloggers, secretly record users’ activi- nals. Te e-mails ofen are designed to look ties on computers, especially the entering of as if they came directly from a senior execu- passwords, and transmit sensitive informa-

36 CATEGORIZING SOPHISTICATED CYBER SCHEMES tion back to criminals for further exploita- creased as individual hackers and organized tion. Any of these actions may be performed criminal groups have used ever more sophis- by Trojans, which are programs disguised as ticated techniques to infect computers, en- legitimate sofware that, once uploaded onto crypt communications, and avoid detection victims’ systems, launch hidden malicious by investigators. Finally, as Fig. 3 illustrates, sofware that operates in the background the recent staggering growth in Internet-con- without the victims’ knowledge. nected consumer devices—the so-called “In- ternet of Tings”—has allowed malicious 3. Botnets actors to build botnets from under-protected IoT devices to launch DDoS attacks.53 Botnets are vast networks of malware-in- fected computers and devices that criminals 4. Criminal Infrastructure remotely control to conduct a wide range of cybercrime, including sending malware and Operating a criminal enterprise with some spam against targets, launching DDoS at- form of online presence requires a backend tacks, and providing infrastructure for ran- technical infrastructure that can be hidden somware schemes. Botnets—a shortening from law enforcement. While some crim- of “robot networks”—operate as force mul- inals may rely on their own computers and tipliers for criminals, giving them control servers, more sophisticated operations lease of hundreds, thousands, or even millions of services from “bulletproof hosters,” that is, computers to advance their schemes. Be- web hosting companies and data centers that cause of the relatively low cost of attempting purposefully are extremely lenient in what to infect computers with malware, even a content they will host, make little to no efort comparatively low infection rate can popu- to verify the true identity of their custom- late a botnet with a vast haul of compromised ers, and are designed to be unhelpful to law computers. Further, botnets help criminals enforcement requests for information about cover their tracks from law enforcement by their customers. Bulletproof hosters ofen creating an intermediary layer of remotely are located in countries with less stringent controlled compromised systems between cyber regulations and under-developed do- the criminals and investigators, making it mestic cybercrime law enforcement capabili- even more challenging for law enforcement ties, and are akin to digital safehouses where to determine who controls the botnet. More- criminals can stash malware exploit kits, run over, criminals running botnets ofen are lo- botnets, and store PII stolen from hacked da- cated abroad, which further protects them tabases. due to the numerous challenges the Depart- ment faces in investigating foreign threats: In addition to bulletproof hosters, cyber- limited access to digital evidence; delays criminals regularly use the Dark Web, the caused by reliance on mutual legal assistance collection of hidden sites and services that processes; and the possibility of safe haven are only accessible to users of specifc rout- from arrest or prosecution in their country ing and anonymizing services and sofware. of residence. Te threat from botnets has in- In recent years, criminals have launched so-

37 CYBER-DIGITAL TASK FORCE REPORT

October 16, 2016 – – April 5, 2017 – Brickerbot – Targets devices with default Targets devices with default credentials; Uses obfuscation credentials; After infection conducts techniques to hide infection on a Permanent Denial of Service devices; Communicates with C2 attack on device designed to corrupt server through a Peer to Peer storage, disrupt connectivity, and (P2P) Network delete ÿles, rendering devices useless

July 2016 – – Most signiÿcant November 16, 2016 – RSOCKS IoT botnet responsible for largest DDoS – Targets IoT devices via SSH brute attacks ever recorded; Hundreds of force attacks; Uses compromised spino° variants due to public source devices as proxies criminals can code availablity; Targets devices with purchase for anonymization and default user credentials other criminal activity

JUL AUG SEP OCT NOV DEC JAN FEB MAR APR M 2016

Figure 3: Signifcant Internet of Tings (IoT) Botnets

38 CATEGORIZING SOPHISTICATED CYBER SCHEMES

August 2017 – RouteX – November 23, 2017 – Satori – January 23, 2018 – January 24, 2018 – Targets a known vulnerability in DDoS botnet; Targets a zero-day Pure Masuta – DDoS Hide’N Seek – Primarily Netgear routers; Turns infected vulnerability in Huawei Home botnet; Created by the targets IP Cameras with devices into proxies for credential Gateway routers and custom- same author as Satori/ open telnet ports; Uses P2P validation attacks targeting er-premises equipment; Masuta; Targets a ˛aw in to spread to other devices ÿnancial institution and brokerage Programmed with 65,000 default D-Link routers and exploits customer accounts credentials combinations a bug in the Home Network Administration Protocol

November 2017 – Nexus_Mirai – A variant of Masuta/Satori; Based on Mirai source code; Targets devices with default credentials; Named after author whose moniker is 'Nexus'

July 2017 – Masuta – DDoS September 13, 2017 – January 14, 2018 – February 1, 2018 – Jen X botnet; Based o° of Mirai; Reaper – First major IoT Okiru – DDoS botnet; – Connected to a gaming Targets default user credentials; botnet to signiÿcantly vary Based o° of Masuta; server rental business; Source code available in a Dark from Mirai; Targets devices with Targets IoT devices with DDoS capabilities available Market forum 32 vulnerabilities, capable of ARC Processors, used in for $20; Targets a more complex attacks, and more than a billion vulnerability in Huawei scans devices less aggressively products each year routers and a vulnerability to avoid detection in the ÿrmware component of a wireless chipset

MAY JUN JUL AUG SEP OCT NOV DEC JAN FEB 2017 2018

Credit: FBI Cyber Division

39 CYBER-DIGITAL TASK FORCE REPORT called dark markets, that is, websites hosted caught, incentivize the production of imag- on the Dark Web in which vendors and buy- es that document child sex abuse, and share ers congregate to buy, sell, and trade illicit images and videos depicting the sexual abuse goods such as narcotics, credit card numbers, and exploitation of children as young as in- hacking tools, and stolen PII in an environ- fants and toddlers. Such communities are ment that protects the vendors’ and buyer’s disturbingly commonplace, and frequently anonymity. In the midst of an ongoing opi- involve tens of thousands of members. oid crisis, the open availability of dark mar- kets where fentanyl and other illicit narcotics Te growth and continued operation of are available for purchase and are delivered these sites and communities is made possi- direct to consumers in the United States pos- ble by anonymizing technology that efec- es a signifcant public health threat. tively hides the servers hosting the sites, as well as users, from normal law enforcement Another persistent problem on the Dark Web techniques. Te best-known technology of are online child exploitation communities this type is free sofware called Te Onion where like-minded sex ofenders gather to Router (“Tor”). Tor transmits internet trafc promote the sexual abuse of children, provide through a global volunteer network of thou- an environment where such conduct seems sands of relays (i.e., proxy computers), using “normal,” educate each other about how to layers of to obscure users’ identi- perpetrate child sex abuse without getting ties and geographical locations. Tor not only

THE ONION ROUTER (TOR)

Tor operates by routing of the Tor network. Com- encrypted communica- munications sent through tions through a series these nodes—known as of relay computers. Tis the Guard, Relay, and Exit obscures the route of the nodes—are encrypted in a communications, there- manner that conceals both by frustrating moni- the contents of the commu- toring by third-parties, nication and the IP address such as law enforcement. Communi- of the computer that sent the commu- cations sent from a computer using Tor nication. Each node knows only which are bounced through a series of interme- other node gave it data, and which node diary servers, known as relays or nodes, is receiving data. None of the interme- chosen from among thousands of serv- diate Tor nodes ever has access to both ers located throughout the world that the sender’s true IP address and the ac- individuals have volunteered to be part tual content of the communication.

40 CATEGORIZING SOPHISTICATED CYBER SCHEMES anonymizes criminals’ Internet trafc, but nicate with victims, even going so far as to set also allows them to host websites, called Hid- up Tor Hidden Services websites to answer den Services, on servers whose location is victims’ questions and to facilitate payment. similarly masked using Tor. Criminals have In addition, the use of anonymizing proxy exploited Hidden Services to facilitate nu- networks interferes with law enforcement’s merous forms of illicit commercial and other ability to trace these communications and criminal activity. Some of the most infamous identify the actors running the ransomware. Hidden Services are dark markets, includ- Criminals also increasingly require payments ing the now-shuttered and Alpha- to be made using virtual currencies or oth- Bay, as well as notorious child exploitation er mechanisms that complicate law enforce- communities. Te Department’s successes in ment eforts to track those payments. We shutting down these illicit marketplaces are discuss the impact of such anonymizing tech- described in further detail in Chapter 3. nologies on our investigations in Chapter 3. For now, sufce it to say that no discussion of Criminals’ exploitation of increasingly so- the cyber threats our Nation confronts would phisticated technologies to cover their tracks be complete without the simple observation and avoid being caught represents a signif- that as the Department continues to wage cant challenge to law enforcement. Criminals battle against cybercriminals, it will need to executing ransomware schemes ofen use an- adequately meet the challenges posed by an- onymizing networks such as Tor to commu- onymizing technologies.

41 CYBER-DIGITAL TASK FORCE REPORT

NOTES

1 From the guilty materials in United States the-wannacry-malware-attack-to-north-ko- v. Paras Jha, No. 17-CRM-164 (D. Alaska, Dec. rea-121917/ (last accessed June 29, 2018). 5, 2017), available at: https://www.justice.gov/ opa/press-release/fle/1017546/download (last 8 Andrew E. Kramer, “Ukraine Cyberattack accessed June 29, 2018). Was Meant to Paralyze, not Proft, Evidence Shows,” N. Y. Times (June 28, 2017), available at: 2 See “Alert (TA16-288A): Heightened DDoS https://www.nytimes.com/2017/06/28/world/eu- Treat Posed by Mirai and Other Botnets,” Unit- rope/ukraine-ransomware-cyberbomb-accoun- ed States Computer Emergency Readiness tants-russia.html (last accessed June 29, 2018). Team, U.S. Dept. of Homeland Security (last revised Oct. 17, 2017), available at: https://www. 9 See the grugq, “Pnyetya: Yet Another Ran- us-cert.gov/ncas/alerts/TA16-288A (last ac- somware Outbreak,” The Medium (June 27, cessed June 29, 2018). 2017), available at: https://medium.com/@the- grugq/pnyetya-yet-another-ransomware-out- 3 Jha guilty plea, supra note 1. break-59afd1ee89d4 (last accessed June 29, 2018) (contemporaneous reporting noting that “the 4 See Indictment in United States v. Ahmad worm . . . has an extremely poor payment pipe- Fathi, et al., No. 16-CRM-48 (S.D.N.Y., March line,” observing that “the pseudo-ransomware is 24, 2016), available at: https://www.justice.gov/ in fact a wiper, with no potential for successfully opa/fle/834996/download (last accessed June 29, recovering from an attack,” and concluding: “[T] 2018). he real was a criminal enterprise for mak- ing money. Tis is defnitely not designed to 5 See Press Release, “Treasury Targets Support- make money. Tis is designed to spread fast and ers of Iran’s Islamic Revolutionary Guard Corps cause damage, with a plausibly deniable cover of and Networks Responsible for Cyber-Attacks ‘ransomware.’”). Against the United States,” U.S. Dept. of Trea- sury (Sept. 14, 2017), available at: https://www. 10 “Statement from the Press Secretary,” The treasury.gov/press-center/press-releases/Pages/ (Feb. 15, 2018), available at: sm0158.aspx (last accessed June 29, 2018). https://www.whitehouse.gov/briefings-state- ments/statement-press-secretary-25/ (last ac- 6 See Sujit Raman, “Petya or NotPetya? It All cessed June 29, 2018). Just Makes You WannaCry!” RSA Conference 2018 (April 16, 2018) at 3, available at: https:// 11 “Press Briefng on the Attribution of the published-prd.lanyonevents.com/published/ WannaCry Malware Attack to North Korea,” rsaus18/sessionsFiles/8546/SEM-M03-Ransom- The White House (Dec. 19, 2017), available ware-and-Destructive-Attacks-Raman.pdf (last at: https://www.whitehouse.gov/briefngs-state- accessed June 29, 2018). ments/press-briefing-on-the-attribution-of- the-wannacry-malware-attack-to-north-ko- 7 “Press Briefng on the Attribution of the rea-121917/ (last accessed June 29, 2018). WannaCry Malware Attack to North Korea,” The White House (Dec. 19, 2017), available 12 See Keith Wagstaf, “Sony Hack Exposed at: https://www.whitehouse.gov/briefngs-state- 47,000 Social Security Numbers, Security Firm ments/press-briefing-on-the-attribution-of- Says,” NBC News (Dec. 5, 2014), available at:

42 CATEGORIZING SOPHISTICATED CYBER SCHEMES http://www.nbcnews.com/storyline/sony-hack/ Dept. of Justice (November 28, 2017), avail- sony-hack-exposed-47-000-social-securi- able at: https://www.justice.gov/opa/pr/canadi- ty-numbers-security-frm-n262711 (last ac- an-hacker-who-conspired-and-aided-russian- cessed June 29, 2018). fsb-ofcers-pleads-guilty (last accessed June 29, 2018). 13 Press Release, “Treasury Imposes Sanctions Against the Government of Te Democratic Peo- 20 Executive Order 13757, “Taking Additional ple’s Republic Of Korea,” U.S. Dept. of Treasury Steps to Address the National Emergency with (Jan. 2, 2015), available at: https://www.treasury. respect to Signifcant Malicious Cyber-Enabled gov/press-center/press-releases/Pages/jl9733. Activities,” available at: https://www.treasury. aspx (last accessed June 29, 2018). gov/resource-center/sanctions/Programs/Doc- uments/cyber2_eo.pdf (last accessed June 29, 14 Risk Placement Services, Data Breach 2018). Tis order was later modifed to permit QuickView Report, First Quarter 2018 U.S. persons shipping technology goods to Rus- 2, 9 (2018), available at: https://www.rpsins. sia to obtain licenses from the FSB, as required com/knowledge-center/items/data-breach-re- by the Russian government. “General License port-q1-2018/ (last accessed June 29, 2018). No. 1, Authorizing Certain Transactions with the FSS,” available at: https://www.treasury.gov/re- 15 Ponemon Institute, 2017 Cost of Data source-center/sanctions/Programs/Documents/ Breach Study: United States, p. 1, available cyber_gl1.pdf (last accessed June 29, 2018). at https://www.ponemon.org/library/2017-cost- of-data-breach-study-united-states (last accessed 21 Press Release, “ISIL-Linked Kosovo Hack- June 29, 2018). er Sentenced to 20 Years in Prison,” U.S. Dept. of Justice (Sept. 23, 2016), available at: https:// 16 Federal Bureau of Investigation, 2016 www.justice.gov/opa/pr/isil-linked-kosovo- Internet Crime Report 20, 21, available at: hacker-sentenced-20-years-prison (last accessed https://pdf.ic3.gov/2016_IC3Report.pdf (last ac- June 29, 2018). cessed June 29, 2018). 22 Commission on the Tef of American Intel- 17 “What Happened,” Office of Personnel lectual Property, Update to the IP Commission Management Cybersecurity Resource Cen- Report, at 1 (2017), available at: http://www. ter (2015), available at: https://www.opm.gov/ ipcommission.org/report/IP_Commission_Re- cybersecurity/cybersecurity-incidents/ (last ac- port_Update_2017.pdf (last accessed June 29, cessed June 29, 2018). 2018).

18 “U.S. Charges Russian FSB Ofcers and Teir 23 National Counterintelligence and Security Criminal Conspirators for Hacking Yahoo and Center, Evolving Cyber Tactics in Stealing U.S. Millions of Accounts,” U.S. Dept. of Jus- Economic Secrets: Report to Congress on Foreign tice (March 15, 2017), available at: https://www. Economic Collection and in justice.gov/opa/pr/us-charges-russian-fsb-of- , at 1 (Nov. 2016). ficers-and-their-criminal-conspirators-hack- ing-yahoo-and-millions (last accessed June 29, 24 Center for Responsible Enterprise And Trade 2018). & PricewaterhouseCoopers LLP, Economic Im- pact of Trade Secret Tef 3 (2014), available at: 19 “Canadian Hacker Who Conspired With and https://create.org/wp-content/uploads/2014/07/ Aided Russian FSB Ofcers Pleads Guilty,” U.S.

43 CYBER-DIGITAL TASK FORCE REPORT

CREATe.org-PwC-Trade-Secret-Theft-FINAL- Acts, Policies, and Practices related to Technol- Feb-2014_01.pdf (last accessed June 29, 2018). ogy Transfer, Intellectual Property, and Innova- tion under Section 301 of the Trade Act of 1974,” 25 Press Release, “Member Of Megaupload Con- Office of the United States Trade Repre- spiracy Pleads Guilty to Copyright Infringement sentative (March 22, 2018), at 169, available Charges and is Sentenced to One Year in U.S. at: https://ustr.gov/sites/default/fles/Section%20 Prison,” U.S. Dept. of Justice (Feb. 13, 2015), 301%20FINAL.PDF (last accessed June 29, 2018) available at: https://www.justice.gov/opa/pr/ (citing reports). member-megaupload-conspiracy-pleads-guilty- copyright-infringement-charges-and-sentenced- 31 Press Release, “U.S. Charges Tree Chinese one (last accessed June 29, 2018). Hackers Who Work at Internet Security Firm for Hacking Tree Corporations for Commer- 26 Press Release, “U.S. Authorities Charge Own- cial Advantage,” U.S. Dept. of Justice (Nov. 27, er of Most-Visited Illegal File-Sharing Website 2017), available at: https://www.justice.gov/opa/ with Copyright Infringement,” U.S. Dept. of pr/us-charges-three-chinese-hackers-who-work- Justice (July 20, 2016), available at: https://www. internet-security-firm-hacking-three-corpora- justice.gov/opa/pr/us-authorities-charge-own- tions (last accessed June 29, 2018). er-most-visited-illegal-file-sharing-web- site-copyright-infringement (last accessed June 32 Elias Groll, “Feds Quietly Reveal Chinese 29, 2018). State-Backed Hacking Operation,” Foreign Policy (Nov. 30, 2017), available at: http:// 27 See Press Release, “Chinese Company Si- foreignpolicy.com/2017/11/30/feds-quietly-re- novel Wind Group Convicted of Tef of Trade veal-chinese-state-backed-hacking-operation/ Secrets,” U.S. Dept. of Justice (Jan. 24, 2018), (last accessed June 29, 2018) (quoting Depart- available at: https://www.justice.gov/opa/pr/ ment spokesperson). chinese-company-sinovel-wind-group-convict- ed-thef-trade-secrets (last accessed June 29, 33 Federal Bureau of Investigation, “Nige- 2018). rian Letter or ‘419’ Fraud,” available at: https:// www.fi.gov/scams-and-safety/common-fraud- 28 See Press Release, “FACT SHEET: President schemes/nigerian-letter-or-419-fraud (last ac- Xi Jinping’s State Visit to the United States,” The cessed June 29, 2018). White House (Sept. 25, 2015), available at: https://obamawhitehouse.archives.gov/the-press- 34 Federal Bureau of Investigation, “Busi- office/2015/09/25/fact-sheet-president-xi-jin- ness Fraud,” available at https://www.fi.gov/ pings-state-visit-united-states (last accessed June scams-and-safety/common-fraud-schemes/busi- 29, 2018). ness-fraud (last accessed June 29, 2018).

29 See Press Release, “FACT SHEET: Te 2015 35 Federal Bureau of Investigation, “Invest- G-20 Summit in Antalya, Turkey,” The White ment Fraud,” available at https://www.fi.gov/ House (Nov. 16, 2015), available at: https:// scams-and-safety/common-fraud-schemes/in- obamawhitehouse.archives.gov/the-press-of- vestment-fraud (last accessed June 29, 2018). fice/2015/11/16/fact-sheet-2015-g-20-summit- antalya-turkey (last accessed June 29, 2018). 36 Press Release, “Two Russian Nationals Sen- tenced to Prison for Massive Data Breach Con- 30 “Findings of the Investigation into China’s spiracy,” U.S. Dept. of Justice (Feb. 15, 2018),

44 CATEGORIZING SOPHISTICATED CYBER SCHEMES available at: https://www.justice.gov/opa/pr/ 44 See id. two-russian-nationals-sentenced-prison-mas- sive-data-breach-conspiracy (last accessed June 45 See Fathi indictment, supra note 4, at 14-16. 29, 2018). 46 Alert TA18-074A, “Russian Government Cy- 37 See Joey L. Blanch & Wesley L. Hsu, “An Intro- ber Activity Targeting Energy and Other Critical duction to Violent Crime on the Internet,” United Infrastructure,” U.S. Computer Emergency States Attorneys’ Bulletin (May 2016), at 2. Readiness Team, U.S. Dept. of Homeland Security (March 15, 2018), available at: 38 See 18 U.S.C. § 2261A. https://www.us-cert.gov/ncas/alerts/TA18-074A (last accessed June 29, 2018). 39 Press Release, “Former U.S. State Department Employee Sentenced to 57 Months in Extensive 47 Press Release, “Treasury Sanctions Russian Computer Hacking, Cyberstalking and “Sextor- Cyber Actors for Interference with the 2016 U.S. tion” Scheme,” U.S. Dept. of Justice (March 21, Elections and Malicious Cyber-Attacks,” U.S. 2016), available at: https://www.justice.gov/opa/ Dept. of Treasury (Mar. 15, 2018), available at: pr/former-us-state-department-employee-sen- https://home.treasury.gov/news/press-releases/ tenced-57-months-extensive-computer-hacking sm0312 (last accessed June 29, 2018). (last accessed June 29, 2018). 48 Alert TA18-149A, “HIDDEN COBRA – 40 Tis report does not detail related crimes in- Trojan and Server volving the sexual exploitation of children. For Message Block Worm,” U.S. Computer Emer- more detail on this criminal threat, see U.S. Dept. gency Readiness Team, U.S. Dept. of Home- of Justice, Te National Strategy for Child Ex- land Security (last revised May 31, 2018), ploitation Prevention and Interdiction (Apr. available at: https://www.us-cert.gov/ncas/alerts/ 2016), available at: https://www.justice.gov/psc/ TA18-149A (last accessed June 29, 2018). fle/842411/download (last accessed June 29, 2018). 49 See generally Mollie Halpern & Patrick Gea- han, “FBI, Tis Week: Social Engineering,” Fed- 41 “Critical Infrastructure Security,” U.S. Dept. eral Bureau of Investigation (Oct. 14, 2016) of Homeland Security, available at: https:// (podcast transcript), available at: https://www. www.dhs.gov/topic/critical-infrastructure-secu- fi.gov/audio-repository/fw-podcast-social-en- rity (last accessed June 29, 2018). gineering-101416.mp3/view (last accessed June 29, 2018). 42 42 U.S.C. § 5195c(e). 50 “Consumer Information: Phishing,” Fed- 43 See Richard J. Campbell, “Cybersecurity Issues eral Trade Commission (July 2017), avail- for the Bulk Power System,” Cong. Research able at: https://www.consumer.fc.gov/arti- Serv., 9R43989, at 9 (June 10, 2015), available cles/0003-phishing (last accessed June 29, 2018). at: https://www.fas.org/sgp/crs/misc/R43989.pdf (“Over time, modifcation of SCADA [Supervi- 51 Federal Bureau of Investigation, 2016 sory Control and Data Acquisition] systems has Internet Crime Report 1, 9, available at: https:// resulted in connection of many of these older, pdf.ic3.gov/2016_IC3Report.pdf (last accessed legacy systems to the Internet.”) (last accessed June 29, 2018). June 29, 2018).

45 CYBER-DIGITAL TASK FORCE REPORT

52 Federal Bureau of Investigation, 2017 Guilty In Manhattan Federal Court On All Internet Crime Report 3, 12, available at: https:// Counts,” U.S. Dept. of Justice (Feb. 5, 2015), pdf.ic3.gov/2017_IC3Report.pdf (last accessed available at: https://www.justice.gov/usao-sdny/ June 29, 2018). pr/ross-ulbricht-creator-and-owner-silk-road- website-found-guilty-manhattan-federal-court 53 See “A Report to the President on Enhanc- (last accessed June 29, 2018). ing the Resilience of the Internet and Commu- nications Ecosystem Against Botnets and Other 56 Press Release, “AlphaBay, the Largest Online Automated, Distributed Treats,” U.S. Dept. of ‘Dark Market,’ Shut Down,” U.S. Dept. of Justice Commerce & U.S. Dept. of Homeland Secu- (July 20, 2017), available at: https://www.justice. rity (May 22, 2018), available at: https://www. gov/opa/pr/alphabay-largest-online-dark-mar- commerce.gov/sites/commerce.gov/fles/media/ ket-shut-down (last accessed June 29, 2018). files/2018/eo_13800_botnet_report_-_finalv2. pdf (last accessed June 29, 2018). 57 See, e.g., Press Release, “Colorado and Illinois Men Sentenced to Prison for Engaging in Child 54 Exploit kits are a type of malicious toolkit Exploitation Enterprise,” U.S. Dept. of Justice used to exploit security holes found in sofware (Oct. 18, 2016), available at: https://www.jus- applications for the purpose of spreading mal- tice.gov/opa/pr/colorado-and-illinois-men-sen- ware. Tese kits come with pre-written exploit tenced-prison-engaging-child-exploitation-en- code and target users running insecure or outdat- terprise (last accessed June 29, 2018). ed sofware applications on their computers.

55 Press Release, “Ross Ulbricht, Te Creator And Owner Of Te “Silk Road” Website, Found

46

DETECTING, DETERRING, AND DISRUPTING CYBER THREATS

Chapter 3 Detecting, Deterring, and Disrupting Cyber Threats

he Department of Justice plays an Key Investigative Techniques essential role in detecting, deterring, and disrupting cyber threats. As the To successfully bring malign cyber actors to TNation’s chief law enforcement ofcer, the justice, law enforcement frst must gather ev- Attorney General leads the Department’s idence of their criminal activity and attribute criminal and national security initiatives. that activity to particular individuals, orga- Working with and through the Criminal nizations, or nation states. Te key meth- Division, the National Security Division, ods and sources of evidence for disrupting and the 93 U.S. Attorney’s Ofces across the cyber threats include: gathering materials country, the Attorney General sets priorities during incident response; reviewing open for how those activities are conducted.1 source data; conducting online reconnais- sance; searching records from online provid- Since the early 1990s, when the commercial ers; undertaking undercover investigations; Internet was in its infancy, the Department engaging in authorized electronic surveil- has combated computer crime. In the inter- lance; tracing fnancial transactions; search- vening years, the Department has expand- ing storage media; and applying a variety of ed its focus to address burgeoning threats special techniques. Ofen, investigators also to public safety, economic security, and na- must work cooperatively with foreign part- tional security fowing from the widespread ners to access evidence and disrupt transna- adoption of the Internet. Today, the Depart- tional cyber threats. ment deters and disrupts a broad spectrum of the Nation’s cyber threats by enforcing federal laws through the array of legal tools 1. Evidence Collection During and capabilities that its investigators and Incident Response prosecutors have at their disposal. Ofen the frst evidence collected in an in- In this chapter, we describe the key methods vestigation concerning a cyber threat comes investigators and prosecutors use to gather from the victim as part of the incident re- evidence about cyber threats. We then ex- sponse. Te Department encourages victims plain the key legal authorities the Depart- to contact law enforcement as soon as they ment applies to bring perpetrators to justice, believe they are the victim of a computer in- or otherwise to disrupt and dismantle mali- trusion. Although many victims will simply cious cyber activity. provide consent to investigators collecting

49 CYBER-DIGITAL TASK FORCE REPORT digital evidence on scene, subpoenas and Te frst step in online reconnaissance ofen search warrants can be obtained if the vic- involves use of the Internet Corporation for tim prefers. In either case, investigators are Assigned Names and Numbers’ WHOIS da- committed to working collaboratively with tabase.3 WHOIS is a directory of all of the victims to minimize any disruption to busi- IP addresses and domains on the Internet. ness during an investigation. WHOIS records usually display the name and contact information of the registrar (the Afer obtaining digital copies of any afected business that sold the IP address or domain). devices, investigators may then turn to other Investigators can use the contact information devices in the victim’s architecture, includ- to send legal process to the registrar in or- ing frewalls, log servers, and routers, to look der to discover more information about the for additional evidence of the perpetrator’s registrant (the user of the IP address or do- presence. Investigators will also image these main). WHOIS ofen contains self-reported devices, as needed, and forensically examine information about the registrant, as well. In them. Such devices ofen contain traces of addition, an investigator ofen can tell from a criminal’s passage through the infrastruc- WHOIS and related information where a ture on the way to the afected device. In website is being hosted or who is hosting the particular, many devices maintain log fles e-mail server for a website, either (or both) that show when, and from where, the device of which can provide additional avenues for was accessed. In addition to preserving and investigation. copying digital evidence, investigators may interview employees (especially those tasked Afer consulting WHOIS, investigators of- with responding to cyber threats or securing ten perform online reconnaissance of the infrastructure), regular users of the afected identifers they have collected. Tis recon- systems, and management. naissance includes web searches looking for whether the identifers have been used else- where and searches of social media to deter- 2. Online Data Review and mine whether the identifers are related to Reconnaissance any accounts. Afer reviewing information obtained from a victim or other primary sources of informa- 3. Searching Records from Online tion regarding a cyberattack, investigators Providers frequently will review online data, which may be open source, to determine their next Successful WHOIS searches and online investigative steps. In undertaking these reconnaissance ofen results in the identi- actions, as with all their actions, investiga- fcation of e-mail providers, social media tors are trained to act consistently with our companies, registrars, and web hosting and Nation’s rule of law principles, and with our computer hosting companies that may con- society’s foundational respect for civil rights trol additional evidence about a subject or and civil liberties.2

50 DETECTING, DETERRING, AND DISRUPTING CYBER THREATS target of an investigation. At this stage, an 4. Online Undercover Operations investigator will rely heavily on the provi- sions of the Electronic Communications In order to investigate cyber threat activity, Privacy Act (“ECPA”),4 which specifcally investigators may establish covert personas permits investigators to request evidence or consensually assume the accounts and from providers of electronic communica- identities of victims or cooperators to com- tions and computer processing. Investiga- municate online with the targets of the inves- tive teams may issue subpoenas to collect tigation. From such undercover operations, basic information about a subscriber to an investigators gather inculpatory contents identifed account. Investigators also may from communications, additional accounts, use court orders issued under the authority IP addresses, criminal proceeds, and records of section 2703(d) of title 18, United States of criminal transactions such as the purchase Code, which allows them to access addition- of malware, botnets, or stolen credit cards. al non-content records for online accounts, such as log fles or the e-mail addresses of 5. Electronic others with whom the subscriber has corre- sponded. Investigators may also need to conduct on- line surveillance on their targets. Tere are Finally, with probable cause, investigators three federal statutes that authorize the col- can seek a from a judge to lection of data on a real-time basis: the pen obtain the contents of accounts, including register and trap and trace (“PRTT”) statute,6 copies of e-mails, photographs, text messag- the wiretap statute,7 and the Foreign Intelli- es, and any other fles stored with a provider gence Surveillance Act (“FISA”).8 All three up to and including the contents of an entire generally require investigators to obtain computer belonging to a target of the inves- court authorization. tigation and hosted with the provider.5 Be- cause cyber threat actors ofen communicate A PRTT allows investigators to obtain the with each other using electronic communi- dialing, routing, addressing, and signaling cations to plan and execute their activities, information of communications, including these accounts can contain vast quantities dialed calls, IP addresses, and e-mail head- of useful evidence. In addition, cyber threat ers. PRTTs can be obtained for cell phones, actors sometimes keep other evidence in the e-mail accounts, and other social media or contents of their accounts, such as records of messaging applications. Although a PRTT their criminal activities, pictures that place does not obtain the content of any commu- them at the scene or with other members of nications, it can be useful in determining the conspiracy, and other evidence that can whether an account is still being used for help identify the actors and connect them to criminal purposes, to help identify co-con- the illicit activity. spirators, or to locate a target.

51 CYBER-DIGITAL TASK FORCE REPORT

(NEW) RULE 41(b)(6) Under Rule 41(b)(6) of the Federal Rules of , which went into efect in December 2016, “a magistrate judge with authority in any district where activities related to a crime may have occurred has authority to issue a warrant to use remote access to search electronic media and to seize or copy electroni- cally stored information located within or outside that district if: (A) the district where the media or informa- tion is located has been concealed through technologi- cal means; or (B) in an investigation of a violation of 18 U.S.C. § 1030(a)(5), the media are protected computers that have been damaged without authorization and are located in fve or more districts.”

Tis provision makes two narrow, but important, changes in the law. First, where a suspect has hidden the location of his or her computer using technological means, the new Rule ensures that federal agents know which judge to go to in order to apply for a warrant. Second, where the crime involves the hacking of com- puters located in fve or more diferent judicial districts, the new Rule ensures that federal agents may identify one judge to review an application for a search warrant rather than having to submit separate warrant applica- tions in each judicial district across the nation—up to 94—where a computer is afected. In sum, Rule 41(b) (6) addresses the unique challenges created by botnet activity by clarifying that courts may issue warrants authorizing the search of multiple computers when the identifed computers are located in multiple judicial districts.

Court-authorized wiretaps under the Wire- activity, and confrm previous activity. Every tap Act or FISA permit investigators to listen federal wiretap application must be approved to or observe the contents of communica- by a senior Department ofcial before it is tions in or near real time. For example, in- submitted to a court. Federal courts, in turn, vestigators can intercept wire and electronic apply rigorous standards both in authorizing communications over a target’s cell phone or and supervising wiretaps. read the target’s e-mail as it is sent, allowing them to locate targets, confrm relationships within a conspiracy, disrupt new criminal

52 DETECTING, DETERRING, AND DISRUPTING CYBER THREATS

6. Special Techniques nets are controlled by command and control servers (“C2 servers”), which periodically is- Cyber threat actors ofen try to hide their sue orders to the bots. One way to disrupt identities by disguising their IP address. A a botnet is to seize control of the C2 server. common way to do this is by using a proxy Investigators can use criminal authorities to computer, which sits between the actor and seize C2 servers; they can also use civil in- his victim, to obfuscate the actor’s IP ad- junctive authority to seek the redirection of dress. As described in Chapter 2, threat computers under the control of the botnet to actors also will ofen use Te Onion Router a server controlled by the court, instead of by (“Tor”), which is a particularly sophisticat- the threat actor’s C2 server. ed network of relay computers, to hide their true IP address. To circumvent the challeng- es presented by threat actors’ use of proxies 7. Tracing Financial Transactions and Tor, investigators can use Network In- Pursuing illicit assets is an important part of vestigative Techniques (“NITs”). NITs in- any fraud investigation, and computer crime clude computer code that investigators can cases are no exception. To pursue traditional send covertly to a device that is hidden be- bank accounts, the United States has made hind proxies. Once installed, a NIT can send extensive use of authorities, law enforcement particular information, of- including seizures involving correspondent ten including the device’s true IP address— bank accounts, as well as of sanctions pro- which investigators then can use to identify , including the Global Magnitsky sanc- the subscriber and user of the device. tions authority, to keep tainted funds out of the U.S. fnancial system. Yet, cybercrim- As described in Chapter 2, botnets pose inals increasingly use virtual currencies to unique challenges for law enforcement and advance their activities and to conceal their so require special techniques to investigate assets. Because most virtual currencies lack and disrupt them. Identifying victim com- any central authority, seizing them requires puters (or “bots”) can be very difcult be- diferent approaches. cause the bots may be spread throughout the world. Criminal dark markets that rent or In recent years, the Department has relied on sell botnet access ofen obfuscate the loca- a variety of legal authorities to seize virtual tion and other identifying information about currency that has been derived from illegal individual bots. Until recently, this posed a activity. Tese authorities include civil for- signifcant jurisdictional hurdle, as an inves- feiture orders, seizure warrants, and search tigator had to know the location of a bot to warrants. Where, for instance, a target of an get a search warrant for it. Now, thanks to investigation stores virtual currency with a a recent Department-led initiative to amend third-party service—typically, a virtual cur- the Federal Rules of Criminal Procedure rency exchanger—investigators may seize (see page 52), magistrate judges can autho- that virtual currency by obtaining a sei- rize search warrants even if the location of zure warrant for the user’s account at that the subject of the warrant is unknown. Bot-

53 CYBER-DIGITAL TASK FORCE REPORT

VIRTUAL CURRENCIES “Virtual currencies” such as , Ether, and enable the purchase and sale of a wide vari- are electronic assets that are circu- ety of illegal goods and services. While lated over the Internet as a form of law enforcement has made strides value but are not backed by any in its ability to trace virtual government. Tough virtual currency transactions, crim- currencies have legitimate inals ofen launder their vir- uses, they also ofen enable tual currency by mixing one individuals to transfer money user’s money with multiple with high levels of anonymity other users’, or sending their to other users worldwide. Cyber virtual currency through a criminals frequently transact in convoluted series of trans- virtual currencies, and online crim- actions, a process ofen called inal markets rely on virtual currencies to “mixing” or “tumbling.”

third-party service. If the target stores the tors may, however, seek an order for the inter- virtual currency locally (for example, on his locutory sale of virtual currency at the request own electronic devices, or on servers he con- and/or consent of all parties with an ownership trols), or even by printing the private keys interest. Consultation with the Criminal Divi- onto a physical medium, investigators may sion’s Money Laundering and Asset Recovery seize the virtual currency through a tradi- Section is required prior to any pre-forfeiture tional search warrant that allows the govern- conversion, or seeking an order for interlocu- ment to learn the private key. Te seizure tory sale of virtual currency. of virtual currency requires transferring the virtual currency to a government-controlled Any liquidation of virtual currency should virtual currency wallet. If the virtual cur- be executed according to established written rency is stored with an overseas exchange, policies of the seizing agency and the U.S. the Department will work with our foreign Marshals Service.10 Te Department is de- counterparts to efect the seizure. veloping guidance regarding disposition of alternative virtual currencies (i.e., anonym- Because of the risks that early conversion may ity enhanced and ICO to- pose, in most cases, virtual currency the gov- kens) for which the Marshals Service does ernment seizes is kept in the form it was seized not yet have a process in place to take custo- and not liquidated (i.e., converted to fat cur- dy or liquidate via auction. rency or other virtual currency) until a fnal order of forfeiture is entered or an administra- As detailed above, the Department in recent tive forfeiture is fnal. 9 Agencies or prosecu- years has regularly used civil forfeiture au-

54 DETECTING, DETERRING, AND DISRUPTING CYBER THREATS thorities11 and seizure warrants to seize vir- . In particular, evaders can abuse tual currency derived from malicious cyber the anonymous and decentralized structure activity associated with the Dark Web and of virtual currencies in an attempt to conceal botnets. More recently, in July 2017, the their income and assets. Te relative lack of Department announced the indictment of reporting requirements for virtual currency a Russian national and an organization he also contributes to its secrecy and thus to its allegedly operated, BTC-e, for facilitating usefulness in committing tax crimes. And transactions for international cybercrimi- with the increase in value of virtual curren- nals, and for receiving the criminal proceeds cies in recent years, this anonymity and se- of numerous computer intrusions and hack- crecy may tempt individuals not to report as ing incidents, as well as of other crimes.12 income their gains from the sale of virtual According to the indictment, BTC-e’s virtual currency. currency exchange allegedly did not require users to validate their identity, obscured Tis is a particularly novel area for tax en- and anonymized transactions and source of forcement. But investigators pursuing tax funds, and eschewed any anti-money laun- investigations involving virtual currency can dering processes. Perhaps unsurprisingly, employ many of the techniques learned from the exchange is alleged to have become pop- money laundering investigations involving ular with criminals. At the time of the indict- virtual currency. For instance, investigators ment, the investigation revealed that BTC-e can track the movement of funds across the was alleged to have received more than $4 public ledger of a virtual currency and iden- billion worth of virtual currency through its tify when money moves into or out of vir- operation. tual currency through exchanges and other In parallel with the Department’s actions, parties. Moreover, the Internal Revenue Ser- the Financial Crimes Enforcement Network vice (“IRS”) Criminal Investigation division (“FinCEN”) assessed a $110 million civil is making criminal using virtu- money penalty against BTC-e for willfully al currencies a focus of its eforts, and the violating U.S. anti-money laundering laws. IRS is also pursuing civil and administrative Te operator of the exchange was assessed a remedies. Within the Department, the Tax $12 million penalty for his role in the viola- Division is partnering with the IRS and U.S. tions. FinCEN’s announcement underscored Attorneys’ Ofces to investigate and prose- the importance of the Department’s partner- cute tax crimes involving virtual currencies, ships with regulatory agencies in seeking to and to litigate civil enforcement actions. deter those who facilitate ransomware, dark Recently, the Tax Division, working with net drug , and other illicit activity using the IRS, issued and enforced the frst virtu- virtual currency. al-currency-related “John Doe” summons to Coinbase, one of the largest virtual currency Just as virtual currencies have provided a exchanges in the world.13 As a result of this new way for criminals to launder money, civil enforcement action, in March 2018, the they also provide another avenue for tax exchange turned over to the IRS information

55 CYBER-DIGITAL TASK FORCE REPORT regarding accounts “with at least the equiva- a target’s residence, business, or automobile, lent of $20,000 in any one transaction (buy, looking for storage media that may contain sell, send, or receive) in any one year during evidence of the cyber threat. As with storage the 2013-2015 period.”14 Tis information media collected during the initial incident should be useful in identifying particular in- response, investigators will image any elec- dividuals and transactions for further inves- tronic storage media before searching it, to tigation. preserve the contents for future searches and for use in court. In addition, Tax Division prosecutors are working with investigators and attorneys at 9. Cooperation with Foreign IRS, as well as at the Department’s Computer Governments Crime and Intellectual Property section, to develop training and guidance for criminal Cyber threats ofen emanate from interna- tax cases involving virtual currencies. Be- tional locations and use criminal networks cause the tax treatment of virtual currencies that stretch across jurisdictions, many of is a new area, there are many uncertainties which are not friendly to the rule of law or in the law that investigators and prosecutors democratic values. At the same time, foreign will need to navigate. Te Tax Division’s trial sovereigns—including some of our closest attorneys also have worked with the FinCEN allies—put limits on our government’s ability Intelligence, Cyber & Emerging Technology to act on its own in every investigation where Section to identify appropriate techniques the targets, or evidence of their crimes, are for civil tax investigations and litigation. located in another jurisdiction. Fortunate- ly, the Department has built relationships 8. Traditional and Forensic Searches with its counterparts around the world, that Involving Storage Media facilitate nimble information sharing in the event of an incident. Tis information shar- Once a criminal is identifed and arrested, ing enables mitigation of the incident, and investigators will seek electronic evidence also promotes the preservation of evidence, from his personal storage media, including even in situations where the evidence (or the his laptops and phones. Such storage me- perpetrators) are located outside the United dia ofen contain records that link the target States. to the evidence collected from providers or the victim, such as matching IP addresses, For more formal use of the information (e.g., e-mail accounts, and photos and other per- to support charges and hold criminal actors sonal identifers. Tis evidence completes accountable), the Department employs a vast the connection between the criminal activ- network of international treaties and other ity and the target. Such a search usually re- relationships. Te Criminal Division’s Ofce quires a traditional search warrant, based on of International Afairs (“OIA”), for example, probable cause. Investigators also will search leverages extradition treaties, mutual legal assistance treaties (“MLATs”), and other in-

56 DETECTING, DETERRING, AND DISRUPTING CYBER THREATS

Te CLOUD Act Due in part to the large volume of foreign government requests seeking electronic evidence in the custody or control of U.S.-based service providers, and the pressure those requests were placing on the smooth functioning of the MLAT process, the U.S. Congress, in March 2018, enacted, and the President signed into law, a statute called the Clarifying Lawful Overseas Use of Data (CLOUD) Act.

Te CLOUD Act has two major efects. First, it clarifes that all warrants, subpoenas, and court orders issued pursuant to the Stored Communications Act, 18 U.S.C. § 2701 et seq—the law that governs the disclsoure of stored communicatons and transactional records held by third-party Internet service providers—apply to all data within a provider’s possession, custo- dy, or control, regardless of whether the data is stored inside or outside the United States. Second, it allows for bilateral treaties between the United States and foreign countries for the direct shar- ing of electronic evidence, without needing to use the MLAT process. Te CLOUD Act incorpo- rates safeguards to assure that such agreements are entered into only with countries with robust privacy and civil liberties protections, and that adhere to the rule of law.

Te CLOUD Act represents a major commitment by the American government to continue the global fght against crime by ensuring that rights-respecting and privacy-protecting foreign gov- ernments gain access to the electronic evidence they need to pursue their own investigations of serious crime, even as the Act reduces pressure on the MLAT process generally, and encourages higher privacy and civil liberties standards around the world.

57 CYBER-DIGITAL TASK FORCE REPORT struments and available legal tools to sup- tence, and the rule of specialty. Extradition port U.S. investigations and prosecutions of requests that result in defendants facing trial cybercriminals by returning fugitives to the in the United States or serving a U.S. criminal United States to face trial, and by obtaining sentence generally require carefully prepared the evidence located overseas that is needed documentary submissions and extensive to build a case against them. OIA also facil- coordination between OIA, U.S. prosecutors, itates the extradition of fugitives located in and law enforcement, including the FBI, U.S. the United States and transfers evidence to Marshals Service, the State Department, and foreign partners for those nations’ criminal the foreign government. investigations. Te ease and speed with which fugitives When a criminal located overseas is wanted can travel across jurisdictions highlight the for prosecution or to serve a criminal sen- importance of a treaty-based mechanism tence in the United States, OIA uses all the known as a provisional arrest. When the legal tools at its disposal—extradition, de- United States learns that a fugitive will be portation, and other lawful measures—to traveling to—or through—a country with ensure that the defendant will be transferred which it has an extradition treaty, there ofen to the United States to stand trial in a U.S. is not enough time to assemble and submit a court and be held accountable. Te process- formal request for extradition. Where time is es that must be followed to efectuate this re- of the essence, OIA can submit a provisional sult vary greatly in each case and depend on arrest request, which will enable the foreign a range of factors, including, among others, partner to arrest and detain the fugitive for the location of the criminal actor, his or her a short period of time until OIA submits the nationality, our law enforcement relation- formal extradition request. ship with the host country, and the alleged criminal conduct at issue. Tere are also countries with which the United States does not maintain an extra- Te United States currently has bilateral ex- dition treaty. In cases where the United tradition treaties with over 100 countries.15 States seeks the return of a fugitive from a Tese treaties, which establish reciprocal non-treaty partner, OIA attempts to accom- obligations to extradite persons charged plish this through other legal means, includ- with or convicted of certain crimes, contain ing, where possible, securing extradition un- varying features, including some that give der the domestic law of the foreign country, the requested state the discretion to decline and requests for deportation, expulsion, or to extradite its nationals. Other common other lawful transfer. Te range of options treaty provisions can afect the charges an available varies from case to case, including individual may face afer extradition. Tese using lawful measures to ensure the wanted include the statute of limitations, assuranc- person’s transit to a country from which the es against the imposition of a capital sen- United States can secure his extradition.

58 DETECTING, DETERRING, AND DISRUPTING CYBER THREATS

EXTRADITIONS Successfully prosecuting international More recently, in February 2018, the al- computer crime cases has been notorious- leged creator of the (see Ap- ly difcult. Fortunately, the Department’s pendix 2), a Russian national named Peter international outreach has made it easier. Levashov, was extradited from Spain, and In addition, the Department has relied on in March 2018, Yevgeniy Nikulin, of Mos- longstanding tools and processes, such as cow, made his initial appearance in U.S. extradition treaties and alternatives to ex- federal court following his extradition from tradition, to ensure that some of the most the Czech Republic to face allegations that notorious cybercriminals face justice in the he illegally accessed computers belonging United States. to LinkedIn, Dropbox, and Formspring.

In August 2016, for example, a U.S. feder- As these cases and others like them demon- al court jury convicted Roman Seleznev, a strate, we have successfully dismantled in- Russian national, of various crimes associ- ternational criminal rings and apprehend- ated with his thef ed some of the most and sale on the black FUGITIVE WANTED FOR PROSECUTION notorious interna- market of tens of tional cybercrimi- thousands of credit nals. At times, we card numbers, which have received valu- resulted in over $170 able evidence from million in fraudulent foreign authorities, purchases. A “pio- including Russian neer” cybercriminal law enforcement. who became “one But challenges re- of the most revered main, including an point-of-sale hackers increased willing- in the criminal un- ness by the Russian derworld,” Seleznev IN CUSTODY government to pro- is the “highest pro- tect its nationals fle long-term cyber- from extradition or criminal ever con- other removal to the victed by an American jury.”16 Seleznev was United States when its nationals are located arrested in the Maldives in July 2014 and in a third country. In such circumstanc- was subsequently expelled to the United es, Russia has applied pressure on the U.S. States, where he is currently serving a 27- partner, seeking to thwart the U.S. extradi- year federal sentence for his hacking crimes, tion or other removal request. Tis prac- concurrent to a 14-year federal sentence tice is yet another factor that complicates stemming from his involvement in a $50 our eforts to bring international cyber- million cyberfraud ring.17 criminals to justice in the United States.

59 CYBER-DIGITAL TASK FORCE REPORT

In sum, cybercriminals should not be im- crime, , child exploitation, and mune from justice simply because they oper- criminal organizations using the Dark Web. ate outside of U.S. borders. Although there As a result, OIA receives a high-volume of are state sovereignty principles that limit our requests for electronic records in the custody ability to act unilaterally, OIA has a diverse or control of U.S. providers. OIA executes toolkit that it can use to obtain foreign coun- these requests—many of which concern cas- tries’ cooperation and ensure that cyber- es involving foreign actors whose schemes criminals face justice in U.S. courts. have victimized U.S. citizens—as appropriate and pursuant to its treaty obligations. Doing Investigating and prosecuting cyber crim- so both increases the likelihood that foreign inals ofen also requires access to evidence governments will be able to disrupt the ille- located in foreign jurisdictions and assis- gal conduct and ensures their reciprocal co- tance from foreign governments. Tis evi- operation when needed for the United States dence and assistance may include electronic to obtain assistance from abroad. records, bank and business records, witness interviews, public records, investigative ma- Importantly, these cross-border requests for electronic evidence typically must meet terials, and seizure of assets, to name a few the legal requirements of the requested examples. Each year, OIA receives thousands state. In the United States, this means that of such requests for mutual legal assistance for requests seeking the contents, say, of an from both domestic and foreign prosecutors e-mail account, a Department of Justice at- seeking important evidence that may break torney—usually from OIA but sometimes open an investigative dead-end or secure a from a partner U.S. Attorney’s Ofce—must criminal conviction. Such requests for as- obtain a search warrant from a U.S. court on sistance to foreign governments are typically the foreign government’s behalf. Probable made pursuant to bilateral MLATs, region- cause is a distinctly American concept, and al instruments, or multilateral conventions, many countries struggle to articulate a suf- such as the international Convention on Cy- cient basis in their requests to meet this legal bercrime (known as the Budapest Conven- standard. OIA works closely with requesting tion). As the Central Authority for the Unit- state partners to develop, where possible, the ed States under international instruments, necessary basis to obtain a search warrant. OIA makes requests for assistance to treaty Other U.S. legal requirements, including the partners on behalf of U.S. prosecutors and “fltering” of any resulting productions, add executes requests it receives from abroad. to the complexity of this practice.

Many of the world’s communications service Because there are few rules governing most providers are U.S. companies, and electronic providers’ retention of data in the normal records in their custody or control are ofen course, it is important that electronic re- critical to cybercrime investigations, as well cords associated with targeted accounts be as other types of criminal and national se- “preserved” before they are deleted. Pursu- curity cases such as those targeting violent

60 DETECTING, DETERRING, AND DISRUPTING CYBER THREATS

THE BUDAPEST CONVENTION Te Budapest Convention (ofcial name: the ’s Convention on Cyber- crime) is a multilateral treaty that enhances international cooperation in cases involving computer-related crime. Te treaty entered into force in 2004, requires Parties to have a basic level of domestic criminal law in the cyber feld, and provides a platform for transnational law enforcement cooperation in investigations, evidence sharing, and extradition. Te Conven- tion also requires Parties to criminalize computer-related crimes such as computer hacking, fraud, and child sexual exploitation, and requires that Parties have the ability to efectively investigate computer-related crime through the collection and sharing of electronic evidence. Membership in the Convention is open to any nation. To date, nearly 60 countries spanning Europe, Asia, , Africa, and North and South America have fully ratifed the treaty, as illustrated below. Te United States participated in the drafing of the Convention and became a Party to it in 2006.

ant to U.S. law, U.S. investigators and prose- 10. Joint or Parallel Investigations cutors preserve targeted account data prior to obtaining a search warrant or other legal Law enforcement agencies from separate process for its disclosure. OIA and the De- countries may wish to cooperatively investi- partment’s Computer Crime and Intellectual gate crimes having relevance and jurisdiction Property section routinely assist prosecutors in both countries through joint or parallel and law enforcement around the world in investigations. Although these investigations performing this early, but important, inves- may be established in the absence of a trea- tigative step. ty, a number of existing treaties address the

61 CYBER-DIGITAL TASK FORCE REPORT creation of joint investigative teams (“JITs”), owners of computers the right to control who thereby highlighting the potentially useful may access their computers, take informa- impact of such arrangements. Tese include, tion from them, change how the computers for example, global multilateral instruments work, or delete information on them. Just as like the 2000 Convention the criminal laws against trespassing protect against Transnational Organized Crime,18 property rights in land, the CFAA protects and, in the case of the United States and the property rights in computers. As such, the , the 2003 Agreement on CFAA commits the United States to a cy- Mutual Legal Assistance between the United bersecurity policy that is founded on private States of America and the European Union.19 property rights, and backed by enforcement JITs can be useful tools to conduct joint op- of criminal law. Te CFAA defnes multiple erations, facilitate information sharing, and crimes, and assigns each a diferent statutory thwart criminal conduct. However, they maximum penalty. are not perfect solutions for all cases with multi-jurisdictional dimensions. U.S. crim- Although a detailed description and anal- inal law and practice difer in signifcant re- ysis of each ofense established by section spects from that of foreign partners, and as a 1030(a) is beyond the scope of this report,21 result, the prudent course is to assess oppor- below we provide a high-level overview of tunities for JITs on a case-by-case basis and how the CFAA combats cyber threats. to fashion cooperative eforts in a manner that works for all relevant participants. Accessing a Computer and Obtaining Information: 18 U.S.C. § 1030(a)(2) Key Prosecution Tools Section 1030(a)(2) protects the privacy of information stored on computers by crimi- Once investigators have gathered evidence of nalizing the act of accessing such informa- cyber threat activity, the Department’s pros- tion without authorization. Te statute sets ecuting attorneys then determine whether forth three distinct but overlapping crimes that evidence is sufcient to bring charges that collectively prohibit the unauthorized under U.S. federal law. Cyber threat activi- accessing of certain fnancial records stored ty is a U.S. federal crime if it violates one or on computers of fnancial institutions, of in- more of the following statutes, among others: formation from U.S. government computers, and of information from computers used in 1. Computer Fraud and Abuse Act: or afecting interstate or foreign commerce 18 U.S.C. § 1030 (for example, computers connected to the Internet). Tis provision applies both to out- Te Computer Fraud and Abuse Act side hackers who gain access to victim com- (“CFAA”)20 remains the U.S. government’s puters without authorization from anywhere tool for prosecuting computer around the world, and to those who have crimes. In lay terms, the CFAA gives the

62 DETECTING, DETERRING, AND DISRUPTING CYBER THREATS some authorization to access a computer, but damage to computers by fooding an Inter- who intentionally exceed that access.22 net connection with data during a distribut- ed denial of service (“DDoS”) attack. To violate section 1030(a)(2), a person must access, and thereby obtain, the prohibited Accessing a Computer to Defraud and information “intentionally.” Mere mistake, Obtain Value: 18 U.S.C. § 1030(a)(4) inadvertence, or carelessness is insufcient.23 Additionally, to be charged, the defendant Section 1030(a)(4) establishes a of- must have understood that the access was fense that prosecutors use against hackers unauthorized. Accordingly, federal prose- who access a protected computer without cutions focus on hackers and insiders whose appropriate authorization in furtherance of conduct a clear intent to enter, a fraud to obtain something of value. Te without proper authorization, computer fles section bears similarities to the federal mail or data belonging to another. and wire fraud statutes (discussed below), but has a narrower jurisdictional scope by Damaging a Computer: requiring that the cybercriminal victimize 18 U.S.C. § 1030(a)(5) a protected computer without authorization or in excess of authorization. Section 1030(a)(5) is a critical tool for pros- ecuting criminals who “damage” comput- Prosecutors use this provision against defen- ers protected under the CFAA by causing dants who obtain information from a com- computers to fail to operate as their own- puter, and then later use that information to ers intended. Section 1030(a)(5) is used to commit fraud. For example, section 1030(a) prosecute hackers or intruders who gain un- (4) was charged in a case involving a defen- authorized access to a computer and commit dant who accessed a telephone company’s criminal acts that, in any way, impair the in- computer without authorization, obtained tegrity of data, a program, a system, or infor- calling card numbers, and then used those mation, as well as change the way a computer calling card numbers to make free long-dis- is intended to operate. Te statute extends tance telephone calls.24 Te provision also to intruders who gain unauthorized access to may be used to prosecute a defendant who a computer and send commands that delete alters or deletes records on a computer, and fles or shut the computer down. Subsection then receives something of value from an in- (a)(5) also may be used against cybercrim- dividual who relied on the accuracy of those inals who install malicious sofware that altered or deleted records.25 compromises a computer’s integrity. Tus, installing remote access tools, bot code, and Treatening to Damage a Computer: other attempts to persist on a victim’s system 18 U.S.C. § 1030(a)(7) are all chargeable under section 1030(a)(5). Tis provision is also an important tool for To deter high-tech attempts to commit prosecuting criminals who cause intentional old-fashioned , section 1030(a)(7)

63 CYBER-DIGITAL TASK FORCE REPORT criminalizes threats to interfere in any way ished under a wire fraud charge.28 Section with the normal operation of a protected 1343 shares a number of common proof ele- computer or system, as well as threats to ments with section 1030(a)(4) of the CFAA, compromise the confdentiality or integrity including the requirement that a defendant of information contained therein. Tis pro- act with fraudulent intent; however, the wire vision encompasses threats by criminals to fraud statute authorizes more punitive pen- deny access to authorized users, erase or cor- alties that may be more commensurate to the rupt data or programs, or slow down or shut- harm sufered by victims in cases involving down the operation of the computer system, signifcant loss amounts. Section 1343 vio- such as via a DDoS attack. Te provision lations also can serve as a predicate for the also reaches threats to steal confdential data. Racketeer Infuenced and Corrupt Organi- zations Act (“RICO”) and money launder- ing charges, whereas most CFAA violations Charging Policies cannot.29 Accordingly, the wire fraud statute Te Department’s decisions about when to is a particularly efective tool for prosecuting open an investigation or charge a case un- intricate networks of criminal hacker groups 30 der the CFAA are guided by the Intake and engaged in transnational organized crime. Charging Policy for Computer Crime Mat- 26 ters. As the policy explains, prosecutors 3. Identity Tef: must consider a number of factors in order 18 U.S.C. §§ 1028(a)(7) and 1028A to ensure that charges are brought only in cases that serve a substantial federal inter- Cybercriminals ofen commit computer in- est.27 Te policy also requires prosecutors trusions to compromise and steal PII that to conduct certain consultations to assure may be sold on the , or directly consistent practice across the Department. used to commit other crimes, such as wire In particular, prosecutors must consult with fraud. A criminal who misuses or trafcs in the Department’s Computer Crime and In- stolen PII ofen violates a variety of identity tellectual Property section before bringing thef statutes, including 18 U.S.C. §§ 1028(a) charges under the CFAA. (7) and 1028A.

2. Wire Fraud: 18 U.S.C. § 1343 In relevant part, section 1028(a)(7) criminal- izes the unauthorized transfer, possession, or Te wire fraud statute is another particularly use of a “means of identifcation of another powerful and commonly applicable charge person” with the intent to commit (or aid in computer crime cases involving fraud. and abet) a violation of federal law, or any Indeed, courts long have recognized that State or local felony. Te term “means of e-mails and other forms of Internet trans- identifcation,” in turn, broadly refers to “any missions constitute “wire, radio, or televi- name or number that may be used, alone or sion communication[s]” that may be pun-

64 DETECTING, DETERRING, AND DISRUPTING CYBER THREATS in conjunction with any other information, predates the modern era of cybercrime, the to identify a specifc individual.”31 increased digitalization of trade secrets, the rise of cyber espionage, and the global ex- In computer intrusion cases, the Department pansion of online marketplaces that trafc also uses section 1028A (the “aggravated” in intellectual property, have signifcantly identity thef statute) to prosecute individ- magnifed the threats that insiders, hackers, uals who engage in the unauthorized trans- and nation states present to U.S. individuals fer, possession, or use of a “means of iden- and companies who maintain valuable trade tifcation of another person” during and in secrets.35 Indeed, in recent years, businesses relation to felony violations of certain enu- across key sectors of the U.S. economy have merated federal ofenses that are commonly sufered sophisticated and systematic cyber associated with computer crime.32 For exam- intrusions designed to steal sensitive com- ple, “carders” who sell or trade stolen credit mercial data from compromised networks, or debit card account information on online including research and design data, sofware forums, or “phishers” who obtain the same source code, and plans for commercial and type of information via fraudulent e-mails, military systems. ofen violate a predicate crime for a section 1028A violation. Similarly, defendants who Te Department’s principal tool for prevent- violate the CFAA and obtain identity or ac- ing and deterring serious instances of trade count information may also violate this sec- secret thef is the Economic Espionage Act tion. Although section 1028A is limited to (“EEA”). Te EEA criminalizes two types a far narrower list of predicate ofenses than of trade secret misappropriation: economic section 1028(a)(7), it is an important and espionage under section 1831, and trade se- powerful tool in the Department’s prosecu- cret thef under section 1832. Te econom- tions of cybercriminals because those who ic espionage provision prohibits the thef are convicted of section 1028A are subject of trade secrets for the beneft of a foreign to a mandatory minimum two-year term of government, instrumentality, or agent. Te 33 imprisonment. thef of trade secrets provision prohibits the commercial thef of trade secrets to beneft 4. Economic Espionage and Tef of someone other than the owner. Although Trade Secrets: 18 U.S.C. §§ 1831-32 the provisions defne separate ofenses, they share a number of common proof elements. Trade secret law prohibits the unauthorized Notably, conviction under either statute re- disclosure of confdential and proprietary quires the government to demonstrate be- information (for example, a formula or com- yond a reasonable doubt that: (1) the defen- pilation of information) when that infor- dant misappropriated information; (2) the mation possesses an independent economic defendant knew or believed this information value because it is secret, and the owner has was proprietary and that he had no claim to taken reasonable measures to keep it secret.34 it; and (3) the information was in fact a trade Although the problem of trade secret thef secret (unless the crime charged is a conspir-

65 CYBER-DIGITAL TASK FORCE REPORT acy or an attempt). Further, both provisions lease copyrighted materials, such as a com- are subject to the EEA’s broad defnition of mercial flm, song, video game, or sofware, a “trade secret,” which includes all types of that are still “being prepared for commercial information that the owner has taken rea- distribution,” by making the material “avail- sonable measures to keep secret and that it- able on a computer network accessible to self has independent economic value.36 Both members of the public.” provisions also punish attempts and conspir- acies to misappropriate trade secrets.37 To 6. Access Device Fraud: promote enforcement, federal law provides 18 U.S.C. § 1029 special protections to victims in trade secret cases to ensure that the confdentiality of Section 1029 of title 18, United States Code, trade secret information is preserved during 38 broadly prohibits the production, use, pos- the course of criminal proceedings. session, or trafcking of unauthorized or counterfeit “access devices,” such as PII, in- 5. Criminal Copyright: 17 U.S.C. § 506 strument identifers, or other means of ac- count access that may be used “to obtain Copyright law provides federal protection money, goods, services, or any other thing of against infringement of certain exclusive value, or that can be used to initiate a trans- rights, such as reproduction and distribution, fer of funds.” Prosecutors commonly bring of “original works of authorship,” including charges under section 1029 in “phishing” computer sofware, literary works, musi- cases, in which a cybercriminal uses fraud- cal works, and motion pictures.39 As with ulent e-mails to obtain bank account num- trade secrets, the increased digitalization of bers and passwords. Section 1029 also is an copyrighted materials, as well as the global efective tool in “carding” cases where a de- expansion of online marketplaces that trafc fendant purchases, sells, or transfers stolen in intellectual property, have enhanced their bank account, credit card, or debit account attractiveness and, in turn, vulnerability to information. Forfeiture is also available in cybercriminals. many cases.40

Te Department’s principal tool for prevent- 7. Racketeer Infuenced and Corrupt ing and deterring serious instances of copy- Organizations (RICO) Act: right infringement is section 506(a) of title 18 U.S.C. §§ 1961–1968 17, United States Code, which criminalizes willful copyright infringement if commit- Computer hacking conducted by transna- ted “for purposes of commercial advantage tional criminal groups poses a signifcant or private fnancial gain,” or “by the repro- threat to American cybersecurity. Equipped duction or distribution” of copyrighted with sizable funds, organized criminal works during a 180-day period that satisfes groups operating abroad employ highly so- the statute’s minimum retail value. Section phisticated malicious sofware, spear-phish- 506(a)(1)(C) also makes it a crime to pre-re-

66 DETECTING, DETERRING, AND DISRUPTING CYBER THREATS ing campaigns, and other hacking tools— interception by another,44 prohibits disclo- some of which rival in sophistication those sure of any illegally intercepted communi- that nation states use—to hack into sensi- cation,45 and criminalizes unlawful use of tive fnancial systems, conduct massive data that communication.46 Te Wiretap Act has breaches, spread ransomware, attack critical proven to be an especially valuable tool for infrastructure, and steal critical intellectu- prosecuting cases involving spyware users al property. For transnational cybercrime and manufacturers, intruders using packet rings engaged in “racketeering” activity, such snifers (i.e., tools that intercept data fowing as identity thef, access device fraud, or wire in a network), persons improperly cloning fraud, a RICO charge may be a particular- e-mail accounts, and other cases involving ly efective tool for prosecuting individu- the surreptitious collection of communica- al members of the group. For instance, the tions from a victim’s computer. RICO statute authorizes more severe pen- alties than the CFAA, including maximum To prosecute a defendant under this statute, sentences of 20 years or more depending on however, federal courts have generally re- the nature of the predicate ofense,41 consec- quired that the “intercepted” communica- utive sentencing for RICO substantive and tions be acquired “contemporaneously” or at conspiracy convictions or violations of two approximately the same time as their trans- substantive RICO subsections,42 and forfei- mission.47 Accordingly, merely obtaining a ture of all reasonably foreseeable proceeds copy of the contents of a recorded commu- of racketeering activity on a joint and several nication—for example, a year-old e-mail on basis.43 Section 1963(d)(2) of title 18, Unit- a mail server—is not necessarily a criminal ed States Code, also empowers prosecutors “intercept[ion]” of the communication un- to obtain a pre-trial restraining order that der the Wiretap Act, though such an action preserves any assets that may be subject to may violate other provisions of law, includ- forfeiture following conviction. In addition, ing the Stored Communications Act, 18 a RICO conspiracy charge under section U.S.C. § 2701.48 1962(d) of title 18 allows prosecutors to hold one defendant responsible for the conduct of 9. Money Laundering: the enterprise. 18 U.S.C. §§ 1956, 1957

8. Wiretap Act: 18 U.S.C. § 2511 Cybercrimes are ofen committed for fnan- cial gain. And as with other crimes, those Te same surveillance statutes that empow- committing cybercrimes will seek ways to er law enforcement to collect evidence also conceal and spend their ill-gotten gains. protect the privacy of innocent Americans Federal money laundering laws are thus an by criminalizing the unlawful collection important tool for combatting cybercrime. of private communications. For example, Tese laws criminalize certain transactions the Wiretap Act shields private wire, oral, undertaken with the proceeds of designated or electronic communications from illegal crimes, referred to as “specifed unlawful ac-

67 CYBER-DIGITAL TASK FORCE REPORT tivity” (“SUA”).49 Crimes classifed as SUAs though civil and regulatory provisions are include many common charges brought in the Act’s primary enforcement mechanisms, cybercrime cases, such as violations of the it also created several new criminal ofenses. CFAA and wire fraud. Section 1037 addresses more egregious vio- lations of the CAN-SPAM Act, particularly Section 1956 of title 18, United States Code, is where the perpetrator has taken signifcant the main money laundering charge. Among steps to hide his or her identity, or the source other things, this statute makes it a crime for of the spam, from recipients, ISPs, or law en- a person to carry out a fnancial transaction forcement agencies. Prosecutors have used involving SUA proceeds when the person this statute in the context of disrupting or knows the transaction involves illicit pro- dismantling botnets. ceeds of some kind, and the transaction is designed to promote the carrying on of an 11. National Security Statutes SUA, 50 or to conceal “the nature, the loca- tion, the source, the ownership, or the con- 51 Some statutes that protect sensitive nation- trol of the proceeds” of the predicate crime. al security information are implicated in Section 1957 prohibits knowingly conduct- computer hacking investigations, when that ing certain monetary transactions involving information is targeted or stolen. For ex- SUA proceeds when the value is greater than ample, defense articles and services listed $10,000. on the U.S. munitions list, 22 C.F.R. § 121.1, cannot be exported without a license with- Courts have broadly interpreted the scope of out violating the Arms Export Control Act, the transactions covered by the money laun- 22 U.S.C. § 2778 (“AECA”). Other U.S.-or- dering laws. In particular, courts have up- igin items and related technology that have held the use of money laundering charges in- 52 both commercial and military applications volving transactions in virtual currencies. or otherwise warrant control are subject to the Export Administration Regulations 10. Controlling the of Non- (“EAR”), 15 C.F.R. pts. 730-74, and may re- Solicited Pornography and quire a license for export to certain countries Marketing Act: 18 U.S.C. § 1037 or for certain uses. Te statute that crimi- nalizes violation of the EAR (among other Te Controlling the Assault of Non-Solic- regulations) is the International Emergen- ited Pornography and Marketing (“CAN- cy Economic Powers Act, 50 U.S.C. § 1705 SPAM”) Act of 200353 provides a means for (“IEEPA”). A Chinese aerospace engineer prosecuting those responsible for sending was recently convicted of violating AECA large amounts of unsolicited commercial for helping hackers in the Chinese air force e-mail messages (i.e., “spam”), including choose which defense contractors to target messages sent on social media sites. Al- and which fles related to military projects

68 DETECTING, DETERRING, AND DISRUPTING CYBER THREATS to steal;54 and a network of Iranian comput- now serving a 20-year sentence for providing er hackers (one of whom was apprehend- material support to ISIL.56 ed) was charged with violating AECA and Iranian sanctions under IEEPA for steal- ing specialized sofware from the networks Other Means of Dismantling, of American sofware companies, which the defendants are alleged to have resold Disrupting, and Deterring for proft to Iranian government entities.55 Computer Crimes Classifed information and national defense information, too, are protected by a number While criminal prosecutions of malicious cy- of criminal statutes. Te CFAA specifcally ber activity (and seizing the ill-gotten gains prohibits obtaining certain restricted data of such activity) are an important aspect of and information protected against disclo- the Department’s approach to combating sure for reasons of national defense or for- cybercrime, we recognize that the United eign relations through unauthorized access States cannot simply prosecute its way out to a computer, see 18 U.S.C. § 1030(a)(1), of the problem. Instead, the Department and espionage statutes prohibit the unau- has embraced a comprehensive approach thorized retention of national defense infor- to deterring cyber threats that builds upon mation or its dissemination to an unautho- a broad array of criminal, civil, and national rized person (whatever the means of doing security authorities, tools, and capabilities. so). See 18 U.S.C. §§ 793 & 794. Indeed, the government as a whole relies on a range of civil and administrative tools to Finally, material support to terrorists is like- raise the costs associated with malicious cy- wise prohibited, even if that support is pro- ber activity, and to disrupt ongoing activities vided online. See 18 U.S.C. §§ 2339A, 2339B. in the cyber underworld. As discussed in Chapter 2, for example, Ar- dit Ferizi was an Islamic State of Iraq and To support this broader approach, we work the Levant (“ISIL”)-linked hacker living in to interdict cyber threats before they become Malaysia who may never have met ISIL re- actual incidents by denying malign actors cruiters in Iraq. But when Ferizi broke into access to infrastructure, tools, funds, and the networks of an American retailer, stole victims, as well as by working with interna- PII for thousands of U.S. persons, and culled tional partners and members of the private that list down to approximately 1,300 mili- sector, who ofen may be better positioned to tary and other government personnel that he prevent cybercrime. shared with ISIL for purposes of publishing a kill list and ISIL to “hit them hard,” Congress has given the Department the le- he provided such support. Ferizi was appre- gal authority to disrupt, dismantle, and de- hended, brought to the United States, and is ter cyber threats through a blend of civil,

69 CYBER-DIGITAL TASK FORCE REPORT criminal, and administrative powers beyond 1. Disrupting and Disabling traditional prosecution. As a result, the De- International Botnets partment has been a driving force behind the U.S. government’s most notable and ef- In recent years, the Department has success- fective measures to disrupt online crime. As fully disrupted and disabled a number of mentioned above, the Department ofen uses international botnets not only by arresting civil injunctions, as well as seizure and for- and prosecuting the criminals involved in feiture authorities, to disrupt cybercriminal their creation and administration, but also groups by seizing the computer servers and by leveraging other civil, criminal, and ad- domain names those actors use to operate ministrative authorities. For instance, the botnets. In cases where the actors cannot Department uses civil injunctive authori- quickly be identifed, such tools—exercised ty under section 1345 (injunctions against with proper judicial oversight—have helped fraud) and section 2521 (injunctions against the Department disrupt and dismantle ongo- illegal interception) to authorize actions— ing criminal schemes, thereby protecting the such as seizing domains the botnet is using public from further victimization. Finally, to communicate with command-and-con- the Department, with the assistance of other trol servers—to disrupt and disable a bot- U.S. government and international partners, net’s ongoing commission of fraud crimes also executes trade actions, and participates or illegal wiretapping. Accompanying tem- in various cyber operations designed to porary restraining orders (“TROs”) secured neutralize and eradicate international cyber under Rule 65 of the Federal Rules of Civil threats. Procedure also are important to disrupting

Figure 1: Recent Department eforts to dismantle botnets and dark markets.

70 DETECTING, DETERRING, AND DISRUPTING CYBER THREATS a botnet, and taking immediate steps to pre- botnets are illustrated in Fig. 1, and de- vent it from reconstituting. scribed in greater detail in Appendix 2.

Further, as discussed above, if law en- forcement is able to take over the com- 2. Dark Web Disruptions mand-and-control structure of a botnet, the Department may now use the recently In recent years, the Dark Web’s anonymi- promulgated venue provision of criminal ty and low barriers to entry have attracted Rule 41(b)(6)(B) to issue commands to bots scores of criminals to Dark Web markets, across a number of districts. For example, including those trafcking in child pornog- law enforcement may obtain identifying in- raphy, illicit frearms, illegal drugs, - formation from afected bot computers in for-hire, and human trafcking. Sophisticat- order to contact owners and warn them of ed hackers also frequent Dark Web forums the infection. In addition, law enforcement for the newest malware or stolen data, and might engage in an online operation de- might use the Tor network to host botnet signed to disrupt the botnet and restore full command-and-control infrastructure that is control over computers to their legal owners. more resistant to disruption and take-downs. Rule 41(b)(6)(B) allows the government to apply for warrants in a single judicial district Despite the many challenges the Dark Web to use these techniques. poses, law enforcement around the world have successfully disrupted criminals oper- Several successful examples of the Depart- ating in the cyber underground by de-ano- ment’s strategy for disrupting and disabling nymizing users engaging in illegal activity;

71 CYBER-DIGITAL TASK FORCE REPORT seizing their websites, domains, servers, and hensive strategy to combat malicious activity ill-gotten gains; and criminally prosecuting on the Dark Web. them. For instance, to pierce the Dark Web’s anonymizing technology, the Department diligently pursues traditional investigative 3. Sanctions and Designations techniques, studies patterns of criminal ac- tivity, collaborates with international law To ensure that investigative information is enforcement partners, and develops human used efectively to protect the Nation, the sources. Further, where anonymizing tech- Department regularly interacts with the nologies make less intrusive investigative Departments of Commerce, Treasury, and options inefective, the Department also ob- State, as well as with other agencies and regu- tains warrants to perform remote searches latory bodies, to support those departments’ using network investigative techniques un- actions to identify and impose sanctions on der limited circumstances.57 For example, malicious cyber actors. appropriate scenarios for seeking a warrant to authorize a remote search include, but are Sanctions imposed by the Ofce of Foreign not limited to: (1) obtaining stored content Assets Control at the Department of the from a hidden provider by using a username Treasury can deprive subjects of their access and password; (2) identifying a criminal us- to the U.S. fnancial system and their abili- ing a web-based e-mail account by sending ty to do business with U.S. persons, and can a NIT to the criminal’s e-mail account; and be particularly efective in reaching foreign (3) identifying users of a hidden child por- companies that beneft from stolen informa- nography forum by sending a NIT to each tion. Since 2011, the Treasury Department computer used to log on to the website. has had the authority to block the property of transnational criminal organizations under Once the cloak of anonymity has been Executive Order 13581 (“Blocking Property pulled back, the Department leverages a of Transnational Criminal Organizations”). range of civil and criminal tools, including Treasury also makes use of country-specifc civil and criminal forfeiture authorities, sei- regimes to respond to nation-state behav- zure warrants, and requests under mutual ior. As mentioned in Chapter 2, following legal assistance agreements to dismantle the North Korea’s destructive malware attack on infrastructure undergirding the Dark Web Sony Pictures Entertainment, the President systems and recover the proceeds of these il- in 2015 issued Executive Order 13687 (“Im- legal activities. Further, in many instances, posing Additional Sanctions with Respect to individuals responsible for creating, operat- North Korea”). Using this new sanction au- ing, and using Dark Web forums and mar- thority, the Treasury Department designated ketplaces are also criminally prosecuted. We three entities for being “controlled entities describe in Appendix 3 some recent promi- of the Government of North Korea” and ten nent examples of the Department’s compre-

72 DETECTING, DETERRING, AND DISRUPTING CYBER THREATS individuals for being “agencies or ofcials of nifcant malicious cyber-enabled activities the North Korean government.”58 . . . in view of the increasing use of such ac- tivities to undermine democratic process- In 2015, the President also issued Execu- es or institutions.”60 Te 2016 amendment tive Order 13694 (“Blocking the Property expanded cyber-related sanctions and in an of Certain Persons Engaging in Signifcant annex designated fve Russian entities—in- Malicious Cyber-Enabled Activities”), which cluding that nation’s domestic and foreign authorized the Secretary of the Treasury, in intelligence services—and four Russian in- consultation with the Attorney General and dividuals who were determined to have in- the Secretary of State, to impose sanctions terfered with or undermined U.S. election on individuals or entities that engage in ma- processes or institutions.61 Te list of desig- licious cyber-enabled activity that results nated parties was expanded again on March in, or materially contributes to, a signifcant 15, 2018,62 and yet again on June 11, 2018.63 threat to the national security, foreign policy, or economic health or fnancial stability of Designations under E.O. 13694 are not lim- the United States.59 In December 2016, the ited to Russian actors. On March 23, 2018, President amended this executive order in in consultation with the Department, OFAC “order to take additional steps to deal with designated an Iranian entity, the Mabna the national emergency with respect to sig- Institute, and ten Iranian individuals who Amy Mathers, U.S. Department of Justice Justice of Department U.S. Mathers, Amy

Credit: Deputy Attorney General Rod Rosenstein announces on March 23, 2018 the fling of criminal charges against nine Iranians alleged to have conducted a massive cyber thef campaign on behalf of the Islamic Revolutionary Guard Corps. Te Treasury Depart- ment imposed sanctions the same day.

73 CYBER-DIGITAL TASK FORCE REPORT engaged in thef of valuable intellectual 4. Trade Actions property and data from hundreds of U.S. and third-country universities and a media Te Ofce of the United States Trade Rep- company for private fnancial gain.64 (Tat resentative (“USTR”) can raise the issue of same day, the Department unsealed criminal foreign cyber intrusions against American charges against the same entity and nine in- businesses in the context of its trade actions dividuals.65 See page 73.) under various U.S. laws or trade agree- ments. As declared in a USTR report made Te Department will continue to support public in April 2017, “Te United States uses sanctions under such authorities by help- all trade tools available to ensure that its ing the Treasury Department draf sanction trading partners provide robust protection nomination packages based on the infor- for trade secrets and enforce trade secrets 68 mation gathered during our investigations. laws.” Te Department has worked closely Where, for example, investigations identify with USTR to ensure that the Trade Repre- hackers who victimize U.S. individuals or sentative is appropriately informed about companies, or those who proft from criminal cyber-enabled activity by nation states that hacking by using stolen personal information may be actionable under U.S. trade laws. or trade secrets, the Department works with the Treasury Department to craf appropriate Due in part to China’s cyber-enabled thef of sanctions against those responsible. U.S. intellectual property and sensitive com- mercial information, the U.S. government Similarly, the Commerce Department can in March 2018 announced various tarifs against China and various restrictions on place persons and companies on its Entity 69 List if it fnds that they are engaged in activi- Chinese investments. Te announcement ties that are contrary to U.S. national security came afer USTR released a comprehensive 66 public report as part of its investigation un- or foreign policy interests. Persons and en- 70 tities on the Entity List are subject to special der section 301 of the Trade Act of 1974. licensing requirements for the export, re-ex- Te USTR report establishes a clear record port, and/or transfer (in-country) of items of China’s cyber intrusions and cyber thef listed in the EAR. In 2014, for example, in based on information provided by the De- addition to the Department of Justice’s pros- partment, among other parts of the U.S. gov- ecution of a Chinese engineer for consult- ernment. Te report indicates that the Chi- ing with Chinese military hackers who stole nese government has used cyber intrusions aerospace technology, the Commerce De- to serve its strategic economic objectives and partment placed his company on the Entity that “incidents of China’s cyber intrusions 67 against U.S. commercial entities align closely List, based on the FBI’s nomination. Such a 71 listing can have dramatic consequences, cut- with China’s industrial policy objectives.” ting the frm of from U.S. exports and caus- For example, the PLA’s thef of trade secrets ing U.S. and foreign businesses to reconsider from Westinghouse, Inc., as documented doing business with the designated entity. in an indictment brought by the Depart-

74 DETECTING, DETERRING, AND DISRUPTING CYBER THREATS ment, illustrates how China uses cyber-en- Department has played an important role in abled thef as one of multiple instruments to bringing these threats to our national securi- achieve its state-led technology development ty to light. goals.72 Likewise, the USTR report noted that “[i]n September 2017, the Department 5. Cyber Operations fled an indictment against three Chinese nationals who were owners, employees, and Finally, the Department also assists oth- associates of the Guangzhou Bo Yu Informa- er agencies in analyzing the legal and pol- tion Technology Company Limited (“Boy- icy implications of operations conducted usec”), a company that cybersecurity frms through cyberspace, and ensuring that these have linked to the Chinese government.”73 operations comply with the Constitution Te USTR report contains other examples and applicable law. Where additional au- that illustrate how China uses cyber-enabled thority or injunctive relief is required to ad- intrusions to further the commercial inter- dress conduct within the United States, the ests of Chinese state-owned enterprises, to Department works with investigators and, as the detriment of its foreign partners and appropriate, the U.S. Attorney community, competitors. Available evidence also indi- to pursue it. Intelligence gathered by the FBI cates that China uses its cyber capabilities as using its national security investigative au- an instrument to achieve its industrial policy thorities may also assist agencies in planning and science and technology objectives. Te or carrying out such operations.

75 CYBER-DIGITAL TASK FORCE REPORT

NOTES

1 Te Department components responsible for 3 See ICANN WHOIS, available at: https:// this work are described in Chapter 5. whois..org/en (last accessed June 29, 2018). 4 Pub. L. No. 99–508, 100 Stat. 1848 (1986) 2 For example, the FBI, as the federal govern- (codifed at 18 U.S.C. § 2510 et seq.). ment’s primary investigative agency, must com- ply with Te Attorney General’s Guidelines for Do- 5 See 18 U.S.C. § 2703. mestic FBI Operations, available at: https://www. 6 justice.gov/archive/opa/docs/guidelines.pdf (last Id. § 3121 et seq. accessed June 29, 2018), and the FBI Domestic 7 Id. § 2510 et seq. Investigations and Operations Guide, available at: https://vault.fi.gov/FBI%20Domestic%20Inves- ⁸ 50 U.S.C. § 1801 et seq. tigations%20and%20Operations%20Guide%20 Virtual currency seizures with a value of %28DIOG%29/fbi-domestic -investiga - $500,000 or more must be forfeited judicially. tions-and-operations-guide-diog-2013-version/ Te value is assessed on the date of agency sei- FBI%20Domestic%20Investigations%20and%20 zure. Operations%20Guide%20%28DIOG%29%20 2013%20Version%20Part%2001%20of%2001/ 10 See, e.g., “For Sale Approximately view (last accessed June 29, 2018), which stan- 3,813.0481935 ,” U.S. Marshals Ser- dardizes the FBI’s criminal, national security, vice (Jan. 2018), available at: https://www. and foreign intelligence investigative activities. usmarshals.gov/assets/2018/bitcoinauction/ (last Te Attorney General’s Guidelines establish a set accessed June 29, 2018). of basic principles that serve as the foundation 11 for all FBI mission-related activities, and the 18 U.S.C. §§ 981-983. professional identity of each FBI agent, includ- 12 See Press Release, “Russian National And ing: (1) protecting the public includes protecting Bitcoin Exchange Charged In 21-Count Indict- their rights and liberties; (2) investigating only ment For Operating Alleged International Mon- for a proper and authorized law enforcement, ey Laundering Scheme And Allegedly Launder- national security, or foreign intelligence purpose; ing Funds From Hack Of Mt. Gox,” U.S. Dept. (3) ensuring that an independent, authorized law of Justice (July 26, 2017), available at: https:// enforcement or national security purpose exists www.justice.gov/usao-ndca/pr/russian-nation- for initiating investigative activity—race, ethnic- al-and-bitcoin-exchange-charged-21-count-in- ity, religion, or national origin alone can never dictment-operating-alleged (last accessed June constitute the sole basis for initiating investi- 29, 2018). gative activity; (4) performing only authorized activities in pursuit of investigative activities; 13 A “John Doe” summons is an administrative (5) employing the least intrusive means for in- summons that may be used, with court approval, vestigation that do not otherwise compromise to seek information about an ascertainable group FBI operations; and (6) applying best judgment or class of persons who may be involved in vio- to the circumstances at hand to select the most lating federal tax laws. See 26 U.S.C. § 7609(f) appropriate investigative means to achieve the (2012). investigative goal.

76 DETECTING, DETERRING, AND DISRUPTING CYBER THREATS

14 United States v. Coinbase, Inc. et al., Order dress the civil provisions of the statute except as Regarding Petition to Enforce IRS Summons they may pertain to the criminal provisions. at 14 (Doc. 78), Case No. 3:17-cv-01431 (N.D. 21 Cal.). More specifc guidance on the CFAA is avail- able at: https://www.justice.gov/sites/default/ 15 See 18 U.S.C. § 3181 note (listing the coun- fles/criminal-ccips/legacy/2015/01/14/ccmanu- tries with which the United States currently has a al.pdf (last accessed June 29, 2018). bilateral extradition agreement). 22 In the Second, Fourth, and Ninth Circuits, 16 Quoted from the United States’s sentenc- signifcant recent decisions have limited the def- ing memorandum in United States v. Roman nition of “exceeds authorized access” in 18 U.S.C. Seleznev, No. 11-CRM-007 (W.D. Wa., Apr. 14, § 1030(e)(6) “to violations of restrictions on ac- 2017), available at: https://assets.document- cess to information, and not restrictions on its cloud.org/documents/3673513/Seleznev-US-At- use.” See, e.g., United States v. Nosal, 676 F.3d 854, ty-Sentencing-Memo.pdf (last accessed June 29, 863-64 (9th Cir. 2012). Other language in Nosal 2018). suggests that the Ninth Circuit’s ultimate hold-

17 ing is broader: that an individual can “exceed[] See Press Release, “Russian Cyber-Criminal authorized access” only by accessing data that he Sentenced to 14 Years in Prison for Role in Or- or she was never authorized to access, under any ganized Cybercrime Ring Responsible for $50 circumstances. Accordingly, in those circuits, million in Online Identity Tef and $9 Million the Department recommends against charging Bank Fraud Conspiracy,” U.S. Dept. of Justice any case that relies on the defnition of “exceeds (Nov. 30, 2017) (describing all of Seleznev’s authorized access” in 18 U.S.C. § 1030(e)(6), un- federal sentences), available at: https://www. less it can be proven that the computer user had justice.gov/opa/pr/russian-cyber-criminal-sen- absolutely no authorization to access the relevant tenced-14-years-prison-role-organized-cyber- information. crime-ring-responsible (last accessed June 29, 2018). 23 See, e.g., S. Rep. No. 432, 99th Cong., 2d Sess., reprinted in 1986 U.S.C.C.A.N. 2479, 2483. 18 https://www.unodc.org/documents/mid- dleeastandnorthafrica/organised-crime/ 24 See United States v. Lindsley, 254 F.3d 71 (5th UNITED_NATIONS_CONVENTION_ Cir. 2001).

AGAINST_TRANSNATIONAL_ORGA- 25 NIZED_CRIME_AND_THE_PROTOCOLS_ See, e.g., United States v. Butler, 16 Fed. Appx. THERETO.pdf (Art. XIX) (last accessed June 29, 99 (4th Cir. 2001) (unpublished). 2018). 26 See Memorandum from , At- 19 https://www.state.gov/documents/organiza- torney General, “Intake and Charging Policy tion/180815.pdf (Art. V) (last accessed June 29, for Computer Crime Matters,” (Sept. 11, 2014), 2018). available at: https://www.justice.gov/crimi- nal-ccips/fle/904941/download (last accessed 20 Although the CFAA is primarily a criminal June 29, 2018). statute, individuals and companies may also 27 bring private civil suits against CFAA violators. See id. See 18 U.S.C. § 1030(g). Tis report does not ad- 28 See, e.g., United States v. Selby, 557 F.3d 968, 978-79 (9th Cir. 2009) (fnding defendant’s act of

77 CYBER-DIGITAL TASK FORCE REPORT sending a single e-mail “sufcient to establish the Subcomm. on Crime and Terrorism of the S. Ju- element of the use of the wires in furtherance of diciary Comm., 113 Cong. 4 (2016) (statement the scheme”); United States v. Drummond, 255 of Randall C. Coleman, Assistant Dir., Counter- Fed. Appx. 60, 64 (6th Cir. 2007) (unpublished) intelligence Div. FBI), available at: https://www. (afrming wire fraud conviction where defen- govinfo.gov/content/pkg/CHRG-113shrg96009/ dant made airline reservation with stolen credit pdf/CHRG-113shrg96009.pdf (last accessed card over the Internet). June 29, 2018). 29 As explained below, exceptions exist for ter- 36 18 U.S.C. § 1839(3). rorism-related violations of section 1030(a)(1) 37 and 1030(a)(5)(A). See id. §§ 1831(a)(4)-(5), 1832(a)(4)-(5). For an attempt, the defendant must (1) have the in- 30 Te United States Attorneys’ Manual provides tent needed to commit one of the two crimes, further guidance regarding wire fraud charges, and (2) perform an act amounting to a “substan- see U.S. Dept. of Justice, United States At- tial step” toward the commission of that crime. torneys’ Manual, § 9-43.000, as does the man- United States v. Hsu, 185 F.R.D. 192, 202 (E.D. ual, Identity Theft and Social Security Pa. 1999). For a conspiracy, the defendant must Fraud (Ofce of Legal Education 2004). agree with one or more people to commit a vi-

31 olation, and one or more of the co-conspirators 18 U.S.C. § 1028(d)(7). Although there is lit- must commit an overt act to efect the object of tle dispute about classifying a unique identifer, the conspiracy. 18 U.S.C. §§ 1831(a)(5), 1832(a) such as a social security number, as a “means (5). of identifcation,” some courts have questioned whether non-unique identifers, such as names 38 See id. § 1835. or birthdates, qualify as a “means of identifca- 39 tion” when standing alone. Compare United See 17 U.S.C. §§ 102(a), 106 (2012). States v. Silva, 554 F.3d 13, 23 n.4 (1st Cir. 2009) 40 See 18 U.S.C. § 1029(c)(1)(C), (c)(2). (fnding doctor’s signature constitutes a “means of identifcation”), with United States v. Mitchell, 41 Id. § 1963(a). 518 F.3d 230, 232-36 (4th Cir. 2008) (requiring 42 Organized Crime & Gang Section, U.S. that non-unique identifers be combined with Dept. of Justice, CRIMINAL RICO: 18 U.S.C. additional information that permits the identif- §§1961-1968, A Manual For Federal Pros- cation of a specifc person). ecutors (May 2016), https://www.justice.gov/ 32 E.g., 18 U.S.C. §§ 1028(a)(1)-(6), (8), 1029, usam/fle/870856/download (last visited June 29, 1030, 1037, 1343. 2018). 33 18 U.S.C. § 1028A(a)(1); see also id. § 43 Id. at 238-39. 1028A(a)(2) (providing a minimum fve-year 44 18 U.S.C. § 2511(1)(a) & (b). term for terrorism-related aggravated identity thef). 45 Id. § 2511(1)(c) § (e). 34 See 18 U.S.C. §§ 1831, 1832. 46 Id. § 2511(1)(d). 35 Combating Economic Espionage and Trade Se- 47 See, e.g., In re Pharmatrak, Inc. Privacy Litig., cret Tef, Hearing Before the S. Judiciary Comm., 329 F.3d 9, 21 (1st Cir. 2003).

78 DETECTING, DETERRING, AND DISRUPTING CYBER THREATS

48 Similarly, other surveillance statutes like the tools appropriately and lawfully. Additionally, Pen Trap Act and FISA criminalize violations of the FBI is required to adhere to the Attorney their provisions. See 18 U.S.C. § 3121 (Pen Trap General’s Guidelines for Domestic FBI Operations Act); 50 U.S.C. § 1809 (FISA). and the FBI’s Domestic Investigations and Oper-

49 ations Guide in conducting remote searches and 18 U.S.C. § 1956(c)(7) (defning SUA). seizures; see supra note 2. Tese documents re- 50 Id. § 1956(a)(1)(A)(i). quire the FBI to use the least intrusive method that is feasible when conducting a search. See 51 Id. § 1956(a)(1)(B)(i). Guidelines for Domestic FBI Operations, § 1(c) (2)(A); Domestic Investigations and Operations 52 See United States v. Budovsky, 2015 WL Guide, § 18.2. 5602853, at *12-13 (S.D.N.Y. Sept. 23, 2015) (holding that virtual currency created by Liberty 58 Press Release, “Treasury Sanctions Addi- Reserve constituted funds within the meaning of tional North Korean Ofcials and Entities in § 1956); United States v. Ulbricht, 31 F. Supp. 3d Response to the Regime’s Serious Human Rights 540, 569-70 (S.D.N.Y. 2014) (holding that trans- and Activities,” U.S. Dept. actions involving Bitcoin were fnancial transac- of the Treasury (Oct. 26, 2017), available at: tions within the scope of § 1956). https://www.treasury.gov/press-center/press-re- leases/Pages/sm0191.aspx (last accessed June 29, 53 Pub. L. No. 108-187, 117 Stat. 2699 (2003). 2018). 54 Press Release, “Chinese National Who Con- 59 Exec. Order No. 13694, 3 C.F.R. 297 (2016). spired to Hack into U.S. Defense Contractors’ Systems Sentenced to 46 Months in Federal 60 Exec. Order No. 13757, 3 C.F.R. 1 (2017). Prison,” U.S. Dept. of Justice (July 13, 2016), 61 available at: https://www.justice.gov/opa/pr/chi- Id. nese-national-who-conspired-hack-us-defense- 62 Press Release, “Treasury Sanctions Russian contractors-systems-sentenced-46-months (last Cyber Actors for Interference with the 2016 U.S. accessed June 15, 2018). Elections and Malicious Cyber-Attacks,” U.S. 55 Press Release, “Two Iranian Nationals Dept. of Treasury (March 15, 2018), available Charged in Hacking of Vermont Sofware Com- at: https://home.treasury.gov/index.php/news/ pany,” U.S. Dept. of Justice (July 17, 2017), press-releases/sm0312 (last accessed June 29, available at: https://www.justice.gov/opa/pr/ 2018). two-iranian-nationals-charged-hacking-ver- 63 Press Release, “Treasury Sanctions Russian mont-sofware-company (last accessed June 15, Federal Security Service Enablers,” U.S. Dept. 2018). of Treasury (June 11, 2018), available at: https:// 56 Press Release, “ISIL-Linked Kosovo Hack- home.treasury.gov/news/press-releases/sm0410 er Sentenced to 20 Years in Prison,” U.S. Dept. (last accessed June 29, 2018). of Justice (Sept. 23, 2016), available at: https:// 64 Press Release, “Treasury Sanctions Iranian www.justice.gov/opa/pr/isil-linked-kosovo- Cyber Actors for Malicious Cyber-Enabled Ac- hacker-sentenced-20-years-prison (last accessed tivities Targeting Hundreds of Universities,” U.S. June 15, 2018). Dept. of Treasury (March 23, 2018), available 57 As with all investigative techniques, Depart- ment personnel are trained to use remote search

79 CYBER-DIGITAL TASK FORCE REPORT at: https://home.treasury.gov/news/press-releas- 68 “2017 Special 301 Report,” Office of the es/sm0332 (last accessed June 29, 2018). United States Trade Representative at 18 (April 2017), available at: https://ustr.gov/sites/ 65 Press Release, “Nine Iranians Charged With default/files/301/2017%20Special%20301%20 Conducting Massive Cyber Tef Campaign Report%20FINAL.PDF (last accessed June 29, on Behalf of the Islamic Revolutionary Guard 2018). Corps,” U.S. Dept. of Justice (March 23, 2018), available at: https://www.justice.gov/opa/pr/ 69 See “Remarks by President Trump at Sign- nine-iranians-charged-conducting-massive-cy- ing of a Presidential Memorandum Targeting ber-thef-campaign-behalf-islamic-revolution- China’s Economic Aggression,” The White ary (last accessed June 29, 2018). House (March 22, 2018), available at: https:// www.whitehouse.gov/briefings-statements/ 66 Export Administration Regulations, Control remarks-president-trump-signing-presiden- Policy: End-User and End-Use Based, 15 C.F.R. tial-memorandum-targeting-chinas-econom- §§ 744.1–.22 (2016), available at: https://www. ic-aggression/ (last accessed June 29, 2018). gpo.gov/fdsys/pkg/CFR-2016-title15-vol2/xml/ CFR-2016-title15-vol2-part744.xml (last ac- 70 “Findings of the Investigation into China’s cessed June 29, 2018). Acts, Policies, and Practices related to Technol- ogy Transfer, Intellectual Property, and Innova- 67 “Addition of Certain Persons to the Entity tion under Section 301 of the Trade Act of 1974,” List,” 79 Fed. Reg. 44680 (Aug. 1, 2014), available Office of the United States Trade Repre- at: https://www.gpo.gov/fdsys/pkg/FR-2014-08- sentative (March 22, 2018), available at: https:// 01/pdf/2014-17960.pdf (last accessed June 29, ustr.gov/sites/default/files/Section%20301%20 2018) (adding PRC Lode Technology Corpora- FINAL.PDF (last accessed June 29, 2018). tion, a company owned by Su Bin, a Chinese na- tional serving a prison term for conspiring with 71 Id. at 153. Chinese air force ofcers to exploit computer 72 Id. at 166. systems of U.S. companies and of DoD contrac- tors to illicitly obtain and export information, in- 73 Id. at 168. cluding controlled technology, related to military projects).

80

RESPONDING TO CYBER INCIDENTS

Chapter 4 Responding to Cyber Incidents

s discussed in Chapter 3, the De- 1. Operational Engagement partment’s role in disrupting and preventing cyber threats not only In building relationships with potential vic- Aembraces the traditional model of criminal tims of , the FBI employs “op- law enforcement—which involves arresting erational engagement”—that is, tailored and suspected criminals and imprisoning of- targeted outreach. Building trust is funda- fenders afer they have been convicted—but mental to this approach, which initially may also extends beyond that model to the use of seem difcult to achieve, given concerns non-criminal authorities and remedies. about privacy, legal privileges, and the pro- tection of sensitive information. To address In this chapter, we discuss other non-crim- these concerns, the FBI as a frst step seeks inal, yet critically important, aspects of the to share its own information with industry, Department’s overall cyber mission: re- through a variety of outreach initiatives and information sharing programs. sponding to, preventing, and managing cyber incidents. Te FBI disseminates numerous reports geared directly to the private sector regarding Building Relationships and cyber threats. See Fig. 1. Common FBI-is- Sharing Cyber Treat Information sued reports include Private Industry Noti- fcations (“PINs”), which provide contextu- al information about ongoing or emerging When responding to cyber incidents, prepa- cyber threats, and FBI Liaison Alert System ration is key. Preparation will help victims of (“FLASH”) reports, which provide technical cyber attacks speed their response, lessen the indicators gleaned through investigations or efects of exploitation, and hasten recovery. intelligence. Tese communication methods In order to best assist potential victims of cy- facilitate information sharing with either a ber threats, the Department needs to prepare, broad or sector-specifc audience, and pro- too. Our preparation eforts involve relation- vide recipients with actionable intelligence ship building, routine information sharing, to protect against cyber threats and to detect and engaging with organizations and sectors ongoing exploitation. Te FBI also ofen col- that are at particular risk. And when inci- laborates with other government agencies, dents do occur, open lines of communication including DHS, to release joint products, enable reporting and facilitate response ef- such as Joint Analysis Reports (“JARs”) and forts. Joint Technical Advisories (“JTAs”).

83 CYBER-DIGITAL TASK FORCE REPORT

Figure 1: FBI Product Lines

Private Industry FBI Liaison Alert System Public Service Joint Analysis Report/ Notification (PIN) (FLASH) Announcement (PSA) Joint Technical Alert Product

FBI/DHS/Other Government FBI FBI FBI Partners Author

Provides technical Provides contextual Provides information Provides technical details indicators gleaned through information about ongoing related to general cyber and indicators gleaned investigations or

Content or emerging cyber threats threats to the public through joint analytic efforts. intelligence

Selected Partners/Target Private Industry General Public Private Industry Industries Audience

In certain circumstances, the FBI will join In 2015, the FBI’s Cyber Division began host- with sector-specifc agencies1 to execute an ing a semi-annual Chief “action campaign” to quickly and efciently Ofcers (“CISO”) Academy at the FBI Acad- advise a defned group of stakeholders of a emy in Quantico, Virginia. Te Academy particular cyber threat requiring their atten- seeks to enhance participants’ understanding tion. See Fig. 2. Tese eforts serve a dual of the government and its functions by host- purpose of helping potentially targeted enti- ing approximately 30 CISOs representing key ties and advancing the FBI’s cyber threat in- critical infrastructure sectors for a three-day vestigations. training session. Te event’s sessions provide the latest information and intelligence on cy- Te FBI also hosts targeted engagement events ber threats, explain how the government in- intended to bring together C-suite executives teracts with private industry before, during, with government subject matter experts in and afer a cyberattack, explore investigative order to build partnerships, encourage infor- case studies, and engage participants in ta- mation sharing, and better understand the bletop exercises. As of April 2018, the FBI challenges the private sector faces in protect- had hosted four CISO Academies with over ing against cyber threats. 120 total participants.

84 RESPONDING TO CYBER INCIDENTS

Figure 2: Recent FBI “action campaigns”

Healthcare Industry Classified Briefings (Spring 2016) •FBI, in collaboration with DHS and HHS, hosted executives in each of its 56 field offices and conducted classified briefings over teleconferences. •Briefed threats involving Personally Identifiable Information and Personal Health Information to the healthcare sector; over 800 industry executives participated.

Energy Sector Action Campaign (Spring 2016) •FBI, in collaboration with DHS ICS-CERT and DOE, provided briefings to owners and operators of electric facilities. •Fourteen events were held across the country, 10 in-person and four via webinar, with 1,600 total industry representatives briefed.

Ransomware Campaign (Spring/Fall FY 2016) •FBI, in collaboration with DHS, USSS, HHS, and the National Council of ISACs, hosted workshops, or “road shows,” targeting small, medium, and large organizations at the C-Suite level. •Over 5,700 individuals received briefings during the campaign.

Business E-mail Compromise (BEC) Campaign (FY 2017/FY 2018) •FBI, in collaboration with DHS, USSS, and National Council of ISACs, identified pre-scheduled events to conduct briefings to industry executives. Additionally, FBI and USSS hosted executives in field offices to brief on the threat. •Held workshops in 14 cities and briefed close to 2,500 total executives.

In addition, the FBI’s Cyber Division, in col- pants discuss how to overcome obstacles in laboration with a host FBI feld ofce and U.S. information sharing and how best to work Attorney’s Ofce, organizes one-day General with the U.S. government when responding Counsel Cyber Summits to bring corporate to a cyber incident. To date, the FBI has con- attorneys and CISOs together with Depart- ducted four summits with over 500 total at- ment personnel. At these summits, partici- tendees.

85 CYBER-DIGITAL TASK FORCE REPORT

2. Enduring Partnerships relevant to the protection of the nation’s crit- ical infrastructure. In contrast to DSAC, In- Te FBI has several established programs fraGard members join as individuals, not as that enable connectivity, information shar- corporations. Tere are over 50,000 vetted In- ing, and collaboration with the private sec- fraGard members nationally, representing all tor on a range of hazards, including cyber critical infrastructure sectors, organized into threats. Tese programs include: 84 local chapters called “InfraGard Member Alliances.” Each chapter is associated with its corresponding local FBI feld ofce.

Domestic Security Alliance Council (“DSAC”) was founded in 2006 as a nation- al membership program to encourage pub- National Cyber-Forensics & Training Alli- lic-private engagement between corporate ance (“NCFTA”) was conceived in 1997 and chief security ofcers and the FBI on emerg- the non-proft 501(c)(3) corporation was cre- ing threats facing the nation and economy. ated in 2003. Headquartered in Pittsburgh, DHS was later added as a partner organi- this organization has become an internation- zation. With over 500 member companies, al model for joining law enforcement, private DSAC provides the FBI and DHS direct en- industry, and academia to build and share gagement with decision-makers in the U.S. resources, strategic information, and cyber economy’s largest corporations and critical threat intelligence. Since its establishment, insight through the DSAC Executive Work- the NCFTA has evolved to keep up with the ing Group. ever-changing cybercrime landscape. To- day, the organization deals with threats from transnational criminal groups including spam, botnets, stock manipulation schemes, intellectual property thef, pharmaceutical fraud, telecommunication scams, and other fnancial fraud schemes that result in billions of dollars in losses to companies and con- sumers. Te extensive knowledge base with- InfraGard is a partnership between the FBI in the NCFTA has played a key role in some and members of the private sector for sharing of the FBI’s most signifcant cyber cases in information and promoting mutual learning the past several years.

86 RESPONDING TO CYBER INCIDENTS

Internet-facilitated criminal activity and to develop efective alliances with law enforce- ment and industry partners. Since 2000, the IC3 has received complaints crossing the spectrum of cybercrime matters, to include online fraud in its many forms, including National Domestic Communications Assis- Intellectual Property Rights (“IPR”) matters, tance Center (“NDCAC”) is a national hub computer intrusions, economic espionage, for technical knowledge management among online extortion, identity thef and others. It law enforcement agencies that also strength- is through this reporting that the program is ens law enforcement’s relationships with the able to analyze complaints for dissemination communications industry. Operated by the to the public, private industry, and for intelli- FBI’s Operational Technology Division, the gence/investigative purposes for law enforce- NDCAC leverages and shares law enforce- ment. ment’s collective technical knowledge and 3. Reporting Cyber Incidents and resources on issues involving real-time and Notifying Targeted Entities stored communications to address challenges posed by advanced communications services Trough the numerous FBI and U.S. Attor- and technologies. NDCAC develops and main- neys’ ofces nationwide, the Department is tains relationships with industry to ensure law uniquely positioned to interact with organi- enforcement’s understanding of new services zations that have experienced a cyber inci- and technologies, and it provides a venue to ex- dent. Te FBI has 56 feld ofces throughout change information, streamline processes, and the country, and has assisted victims of crime facilitate more efcient interaction between law for over 100 years, including since the earliest enforcement and industry. NDCAC also edu- days of computer crime. Te FBI may learn cates industry on law enforcement’s evidentia- through law enforcement or intelligence ry processes and works with industry to verify sources that a U.S. person or organization has that technical solutions work as expected. sufered an incident or is the target of illicit cyber activity, and can proactively notify the targeted entity. Conversely, victims may be the frst to detect the incident and then can notify the FBI. In either case, the Depart- ment stands ready to investigate the unau- thorized activity and support victims.

Internet Crime Complaint Center (“IC3”) Victim Notifcation provides the public with a reliable and con- venient reporting mechanism to submit in- Te Department identifes victims of cyber formation to the FBI concerning suspected intrusion through a variety of means, such

87 CYBER-DIGITAL TASK FORCE REPORT as from the FBI’s ongoing contact with vic- bute malicious cyber activity due to its dual tims, from investigations of threat actors, criminal investigative and national security from other members of the U.S. Intelligence responsibilities. Community, and from foreign partners. Tis information may be highly classifed or may While cyberattacks are typically conduct- carry special handling or sharing restrictions ed through technical means, behind the based on the sensitivity of the source and the malicious activity is an actual individual or information provided. Te FBI takes all rea- group perpetrating a crime. When the FBI sonable steps to identify the targeted individ- is promptly notifed, it can work to deter- ual or entity, determine if there was an actual mine who caused the incident, link the in- compromise, and assess if there is actionable cident to other incidents, maximize investi- information it may share. gative opportunities, and potentially provide context regarding the actor, their tradecraf, Depending upon the circumstances, the FBI and their motivations. Understanding who can undertake direct or indirect notice to is targeting a victim’s networks and for what victims or potential victims. “Direct” notif- purpose can inform defensive strategies and cation is typically handled in-person through prevent future attacks. By notifying and as- established liaison contacts, such as by noti- sisting law enforcement, victims also help the fying the representatives of an institutional FBI identify and pursue those responsible— victim. Larger scale data breaches involving which can help prevent future crimes against thousands or millions of afected customers other victims. Such identifcation and pursuit are more complicated. In such circumstanc- is not limited to criminal response options. es, the FBI relies on victimized institutions to For example, attribution resulting from FBI provide notifcation to afected individuals. investigative activities can support other In those cases, the victimized institution may U.S. government agencies’ abilities to impose be better situated to notify its customers or regulatory (e.g., sanctions), diplomatic, and members of a large-scale data breach. technical costs upon those responsible for, or benefting from, malicious cyber activities. Reporting Intrusions to the FBI Finally, notifying law enforcement may also place a victim company in a positive light While law enforcement and intelligence agen- with regulators, shareholders, and the public. cies can sometimes uncover malicious cyber activity before a victim detects it on their net- Te Department encourages key organi- works, in other cases a targeted organization zations, particularly critical infrastructure will be the frst to detect anomalous activity. owners and operators, to identify and form It is critically important to report incidents to relationships with personnel in their local law enforcement, as each incident potentially FBI feld ofce, including through the part- involves the commission of a federal crime nerships detailed above, before an incident and may warrant investigation. Te FBI is occurs. Tese pre-established relationships uniquely positioned to investigate and attri-

88 RESPONDING TO CYBER INCIDENTS

and open lines of communication will speed a nationally signifcant cyber incident, these reporting and response eforts. activities are carried out in a coordinated way by the afected entity, by its third-party Te White House’s Council of Economic cybersecurity providers (if any), and by rele- Advisors recently observed that most data vant federal agencies. breaches are not reported to the U.S. gov- ernment.2 Tis reluctance may be driven by PPD-41 designates the Department of Jus- a fear of regulatory action, of reputational tice, through the FBI and the National Cyber harm, or of an interruption to business oper- Investigative Joint Task Force (“NCIJTF”), as ations. Te reluctance of organizations and the lead federal agency for threat response businesses to disclose that they have been at- activities in the context of a signifcant cy- tacked constitutes a major challenge for the ber incident. Trough evidence collection, U.S. government in its battle against cyber- technical analysis, and related investigative crime. Law enforcement cannot be efective tools, the FBI works to quickly identify the without the cooperation of crime victims. A source of a cyber incident, connect that in- lack of cooperation may not only prevent dis- cident with related incidents, and determine covery of evidence that could lead to identify- attribution. ing and holding the threat actors accountable, but also creates barriers to fully understand- In addition to the cyber incident response ing the threat environment. framework laid out in PPD-41, the federal government also has adopted a Cyber Inci- Responding to Cyber Incidents dent Severity Schema,4 a rubric for describ- ing an incident’s signifcance and improving and Managing Crisis the federal government’s response. An inci- 1. Policy Framework dent of national signifcance is rated as a Level 3 “High” (Orange), or greater. While the FBI Presidential Policy Directive (“PPD”)-41, ti- does not allocate resources based exclusively tled “United States Cyber Incident Coordina- on the schema rating, the rating serves as an tion,” defnes the term “cyber incident,”3 and enabler to various multi-agency coordination describes cyber incident response in terms procedures and incident response eforts. of three concurrent and mutually benefcial lines of efort: threat response (investigation, Both PPD-41 and the severity schema recog- attribution, and threat pursuit); asset re- nize that not all cyber incidents are “signif- sponse (remediation and recovery); and in- cant” from a national perspective. Tus, the telligence support. It also refers to a fourth, scale and speed of a federal response will vary unnamed line of efort that is best described based on the facts and circumstances of par- as “business response” (ensuring business ticular cases. Te FBI has capability, plans, continuity, addressing legal and regulatory and procedures to manage routine incidents. issues, and external afairs). In the context of It also is prepared to react to circumstances

89 CYBER-DIGITAL TASK FORCE REPORT requiring a more robust approach. Responses Te FBI also has a strong international reach to both types of incidents are discussed below. through a network of approximately 80 Legal Attaché ofces throughout the world. It has 2. Routine Incident Response supplemented 20 of these international ofc- es with cyber-specifc investigators to facili- Te FBI’s nationwide reach puts it in an op- tate cooperation and information sharing to timal position to engage with potential vic- advance its cybercrime and national security tims. Te FBI’s feld-centric model also al- investigations. lows it to respond quickly, and in-person, to cyber incidents—ofen in a matter of hours. Because cyber threats and incidents occur around the clock, the FBI in 2014 estab- Each FBI feld ofce houses a multi-agency lished a steady-state, 24-hour watch capabil- Cyber Task Force (“CTF”) modeled afer the ity called CyWatch. Housed at the NCIJTF, FBI’s successful Joint Terrorism Task Force CyWatch is responsible for coordinating do- program. Te task forces bring together cy- mestic law enforcement response to crimi- ber investigators, prosecutors, intelligence nal and national security cyber intrusions, analysts, computer scientists, and digital fo- tracking victim notifcation, and partnering rensic technicians from various federal, State, with the other federal cyber centers many and local agencies present within the ofce’s times each day. CyWatch provides contin- territory. Te CTFs not only serve as a force uous connectivity to interagency partners to multiplier, but also provide a forum for co- facilitate information sharing, and real-time ordination amongst local partners for more incident management and tracking, as part efective incident response. Tis model also of an efort to ensure that all relevant agen- allows the FBI to draw on the relationships, cies are in communication. expertise, authorities, and tools of the task force members. 3. Signifcant Incident Response

In addition to these cyber-specifc resources, As directed by PPD-41, the FBI activates cer- the FBI has other technical assets it can use tain “enhanced coordination procedures” in as needed to combat cyber threats. Te FBI’s the event of a “signifcant cyber incident.”5 Operational Technology Division develops Tese procedures include naming an ac- and maintains a wide range of sophisticat- countable senior executive to manage the ed equipment, capabilities, and tools to sup- response and establishing a dedicated com- port investigations and to assist with techni- mand center with a full array of communica- cal operations. While every FBI feld ofce tion capabilities. has a laboratory, certain feld ofces host a larger Regional Comput- Members of the local FBI Cyber Task Force er Forensic Laboratory. Tese resources can will respond to the signifcant incident and a be leveraged throughout the FBI’s response designated special agent will serve as the U.S. and investigative cycle to respond to cyber government’s point of contact to the victim threats. throughout the response. Nearby FBI feld

90 RESPONDING TO CYBER INCIDENTS

Tips for Cooperative Cyber Incident Response

Preparation

•Develop a response plan that incorporates notifying and collaborating with law enforcement. •Establish a relationship with your local FBI Cyber Task Force and U.S. Attorney’ s Office in advance of an incident; invite them to participate in exercises. •Understand the threats and trends that may affect your organization and adjust defenses accordingly; FBI and DHS regularly publish relevant reports.

Discovery & Response

•Notify the FBI* when you experience an incident; your issue may be part of a larger adversary campaign. •Preserve key evidence that will enable investigators to attribute the incident and pursue the actors (e.g., logs and artifacts, affected devices, analysis reports). •Discuss options for leveraging advice and other services offered through other government agencies including DHS with the responding FBI team.

Recovery & Follow -up

•Share feedback on your experiences with the local DOJ and FBI representatives. Consider conducting an after -action review to discuss learnings to improve plans and performance in anticipation of future events.

* Notify the FBI through the local Cyber Task Force or CyWatch (24/7) at 855 -292-3937 or [email protected]* Notify the FBI through the local Cyber Task Force or CyWatch (24/7) at 855-292-3937 or [email protected]

ofces can provide surge support and exper- dents. CAT’s management and core team are tise as necessary, as each feld ofce maintains based in the Washington, D.C. metro area personnel specifcally trained on responding and are supplemented by carefully selected to incidents involving critical infrastruc- and highly trained feld personnel. Te FBI ture and control systems. Te response team also has technical analysis and operations may be further augmented by specialty sup- units that directly support the response team port from FBI headquarters. For example, through deep-dive malware analysis and the FBI Cyber Action Team (“CAT”) is the , and by implementing cus- agency’s elite rapid response force. On-call tom-built technical solutions to advance an CAT members are prepared to deploy glob- investigation. ally to bring their in-depth cyber intrusion expertise and specialized investigative skills If a cyber incident generates physical impacts to bear in response to signifcant cyber inci- rising to the level of a crisis, the FBI has ex-

91 CYBER-DIGITAL TASK FORCE REPORT tensive capability. Te Conclusion FBI Crisis Management Unit coordinates the FBI’s tactical and disaster relief eforts. Te Department stands ready to assist vic- Te unit also provides the capability to acti- tims of cyberattacks. By leveraging our vate command posts anywhere in the United feld-centric model, investigative expertise, States, and coordinates the FBI’s vast inves- and partnerships at home and abroad, the tigative resources and infrastructure to sup- Department works to pursue malicious cy- port large-scale incidents regardless of type. ber actors and to predict and prevent future attacks. We must continue to build trusting Finally, the FBI maintains a feet of aircraf to relationships and to work collaboratively to support deployments when an immediate re- address the global cyber threat, and to im- sponse is necessary, as well as command post pose costs on nation states, cybercriminals, vehicles to support on-scene operations. and other malign cyber actors.

92 RESPONDING TO CYBER INCIDENTS

NOTES

1 See “Sector Specifc Agencies,” U.S. Dept. of June 29, 2018) (defning a “cyber incident” as Homeland Sec rity (July 11, 2017), available “[a]n event occurring on or conducted through at: https://www.dhs.gov/sector-specifc-agencies a computer network that actually or imminently (last accessed June 29, 2018) (describing the “16 jeopardizes the integrity, confdentiality, or avail- critical infrastructure sectors whose assets, sys- ability of computers, information or communi- tems, and networks, whether physical or virtual, cations systems or networks, physical or virtual are considered so vital to the United States that infrastructure controlled by computers or infor- their incapacitation or destruction would have a mation systems, or information resident thereon. debilitating efect on security, national economic For purposes of [PPD-41], a cyber incident may security, national public health or safety, or any include a vulnerability in an information system, combination thereof,” and listing the “Sector-Spe- system security procedures, internal controls, cifc Agency” associated with each of these criti- or implementation that could be exploited by a cal infrastructure sectors). threat source.”).

2 “Te Cost of Malicious Cyber Activity to the 4 See “NCCIC Cyber Incident Scoring Sys- U.S. Economy,” Co ncil of Econ. Advisors, tem,” U.S. Comp ter Emergency Readiness Exec. Office of the President, at 33 (Feb. Team, available at: https://www.us-cert.gov/ 2018), available at: https://www.whitehouse.gov/ NCCIC-Cyber-Incident-Scoring-System (last ac- wp-content/uploads/2018/02/Te-Cost-of-Ma- cessed June 29, 2018). licious-Cyber-Activity-to-the-U.S.-Economy.pdf (last accessed June 29, 2018). 5 A “signifcant” cyber incident is one “that is likely to result in demonstrable harm to the na- 3 See “Presidential Policy Directive—United tional security interests, foreign relations, or States Cyber Incident Coordination,” The White economy of the United States or to the public Ho se (July 26, 2016) (“PPD-41”), available at: confdence, civil liberties, or public health and https://obamawhitehouse.archives.gov/the-press- safety of the American people.” See PPD-41, su- office/2016/07/26/presidential-policy-direc- pra note 3. tive-united-states-cyber-incident (last accessed

93

TRAINING AND MANAGING OUR WORKFORCE

Chapter 5 Training and Managing Our Workforce

o appropriately identify, disrupt, dis- cal background and experience necessary mantle, and deter computer intru- to make appropriate decisions in technolo- sions and cyber-enabled crimes, the gy cases. Second, we seek to retain a group TDepartment must develop and maintain a of non-lawyer professionals whose prima- broad cadre of highly trained prosecutors, ry expertise is technology. Tese comput- agents, and analysts. Whether identifying er scientists, engineers, and digital forensic and locating cyber threat actors; collecting investigators collaborate with attorneys and vital evidence through lawful process; or de- investigators, together forming a team with veloping the latest tools to overcome sophis- all necessary skills. Cultivating a workforce ticated technologies criminals use to conceal of technologically-savvy employees requires their activities, Department personnel must care in hiring and training, but also, crucial- understand how technology both facilitates ly, requires that the Department make the criminal activity and can be used to detect, right decisions about how it manages and disrupt, and dismantle the same activity. organizes its employees.

Investigators, for example, require advanced How the Department internally organiz- tools and resources to stay at least one step es itself, and especially how it assigns cyber ahead of increasingly sophisticated ano- work, is a central part of the strategy to carry nymizing technologies that criminals and out its critical cyber mission and to recruit, other adversaries exploit to avoid detection. train, and retain a technologically-expert Meanwhile, forensic analysts must possess workforce. In some respects, this challenge the latest know-how to extract key evidence is not new. For example, prosecuting envi- from sophisticated electronic media, such ronmental crimes requires mastery both of as encrypted cell phones and hard drives. a complex area of law and of relevant sci- Finally, prosecutors must tackle complex entifc facts; likewise, prosecuting antitrust questions regarding legal authorities, juris- and other complex business cases requires diction, privacy, and other issues raised by in-depth knowledge of how industries op- investigating cybercrime and prosecuting erate. Te Department’s solution to these those responsible for it. challenges has been to build headquarters components and networks of attorneys and Te Department pursues two objectives in investigators that specialize in these tech- developing its workforce and specialized nical areas of law enforcement. A similar training initiatives. First, we seek to cultivate strategy has worked well for cyber cases: a multitude of attorneys who, in addition to the Department has concentrated its work superior legal skills, have the technologi- of identifying, dismantling, disrupting, and

95 CYBER-DIGITAL TASK FORCE REPORT deterring computer intrusions and other than if the work were dispersed indiscrimi- cyber-enabled crimes into a select number nately around the Department. of headquarters components and into net- works of specialized attorneys and investiga- Finally, the Department is constantly work- tors. Tis method of organization yields at ing to retain experienced attorneys and in- least three benefts for recruitment, training, vestigators in government employment. Te and retention—which, in turn, benefts the skills of cyber investigators and attorneys are investigation and prosecution of cyber cases. in heavy demand in the private sector, where salaries are much higher. Te Department First, despite ever-increasing competition in will lose this competition for talent if the only the technology job market, the Department consideration is salary. Fortunately, that is can attract skilled prospects who are inspired not the only consideration for most employ- by our mission. Te Department now has ees. Only public service provides employees employees who, in addition to being excel- with so great an opportunity to protect and lent lawyers or investigators, also have deep defend their country; in many ways, the work experience in network defense, computer is itself a reward. To make maximum use forensics, and sofware engineering. Tese of that reward, however, the Department’s employees very ofen came to work at the talented cyber workforce needs to be given Department precisely because they wanted regular opportunities to work on the cases to work on cyber cases. Ofering prospective and subject matter they feel most passionate employees the chance to work exclusively (or about. Only an arrangement of specialized near-exclusively) in the rewarding and chal- ofces can ofer that beneft. lenging feld of computer crime is a signif- cant recruiting advantage. But making that In this spirit, the Department’s criminal law promise is credible only if the Department enforcement entities, its United States Attor- can ofer employment in specialized units, neys’ Ofces, and its relevant litigation di- where cyber work has been concentrated. visions have dedicated workforce units and training initiatives that anchor the Depart- Second, training employees in cyber cases ment’s broader strategy to recruit, train, and requires far more than classroom instruction retain a technologically expert workforce or reading from textbooks. Every seasoned in order to carry out its core cyber mission. attorney and investigator knows that the Tese units and their specialized training bulk of his or her expertise came from prac- initiatives are described below. tical, on-the-job experience. Because the Department’s specialized cyber units both 1. Federal Bureau of Investigation at headquarters and in the feld expose at- torneys and investigators to cyber investiga- As described in Chapter 4, the FBI is ofen a tions, and do so repeatedly, they build skills “frst responder” to a cyber incident. With and human capital much more efectively Cyber Task Forces located in each of its 56

96 TRAINING AND MANAGING OUR WORKFORCE feld ofces across the country, the FBI is home agencies. Te NCIJTF coordinates, prepared to respond to and investigate cy- integrates, and shares cyber threat infor- berattacks and intrusions wherever they mation to support investigations and oper- may occur. Its agents serve both as inves- ations for the intelligence community, law tigators and high-tech specialists, capable enforcement, military, policy makers, and of applying the most current technological trusted foreign partners in the fght against know-how to collect evidence at the scene of cyber threats. Te NCIJTF is responsible for a cyberattack or intrusion, analyze data fo- coordinating whole-of-government cyber rensically, and trace a cybercrime to its ori- campaigns, integrating domestic cyber data, gins. Trough its Cyber Division located at and sharing domestic cyber threat informa- FBI headquarters in Washington, D.C., and tion. the Operational Technology Division locat- ed at Quantico, Virginia, the FBI provides Te FBI Criminal Investigative Division has leadership to its global eforts to investigate created the Hi-Tech Organized Crime Unit cyber threats, whether they stem from crim- (“HTOCU”) to launch a long term, proac- inal or national security actors. Te Cyber tive strategy to target transnational orga- Division has organized itself, both at head- nized crime groups using advanced technol- quarters and in FBI feld ofces, to focus its ogy to conduct large scale computer-enabled investigations and operations exclusively on and computer-facilitated crime. HTOCU computer intrusions and attacks, and related works to bring traditional organized crime online threats. techniques, tradecraf, and strategies to bear on transnational criminal enterprises that Te FBI is also responsible for the operation use high technology to perpetrate crimi- of the National Cyber Investigative Joint nal activity. HTOCU, in coordination with Task Force (“NCIJTF”), a multi-agency cy- the FBI’s Cyber Division and the Money ber center that serves as the national focal Laundering Unit, has developed and imple- point for coordinating cyber investigations mented strategies to dismantle transnational across government agencies. Te NCIJTF criminal enterprises engaged in large-scale is comprised of 30 plus partnering agencies fraudulent activity. Furthermore, HTOCU from across law enforcement, the intelli- works to identify new sources, technical vul- gence community, and the Department of nerabilities, collection opportunities, and Defense, with representatives who are co-lo- emerging trends in cyber-enabled transna- cated and work jointly to accomplish the tional organized criminal activity. organization’s mission from a whole-of-gov- ernment perspective. Members have access Te Joint Criminal Opioid Enforce- to and analyze data that provides a unique, ment (“J-CODE”) Team is a new FBI initia- comprehensive view of the Nation’s cyber tive, announced by Attorney General Sessions threat while working together in a collabo- in January 2018, to target drug trafcking— rative environment in which they maintain especially fentanyl and other opioids—on the authorities and responsibilities of their the Dark Web. Building on the work that

97 CYBER-DIGITAL TASK FORCE REPORT began with the government’s dismantling of the technological landscape rapidly evolves. Silk Road and AlphaBay, the FBI is bringing For instance, the FBI is implementing the together agents, analysts, and professional “Cyber Certifed” training and certifcation staf with expertise in drugs, gangs, health program for investigators, intelligence an- care fraud and more, as well as federal, State, alysts, technical specialists, and attorneys, and local law enforcement partners from whether currently in the Cyber Program or across the U.S. government, to focus on dis- working in other mission areas. Tese em- rupting the sale of illegal drugs via the Dark ployees will be observed for future training Web and dismantling criminal enterprises and development activities. that facilitate this trafcking. Te J-CODE will create a formalized process to prioritize In an attempt to rapidly increase the level dark markets, vendors, and administrators of cyber knowledge shared throughout the for strategic targeting; to develop strategies organization, and in an efort to infuse cy- to undermine confdence in the Dark Web; ber knowledge into traditionally non-cy- and to formulate de-confiction and oper- ber programs, the FBI has also created the ational requirements with other domestic Workforce Training Initiative (“WTI”). Te and international partners. WTI is designed to increase the number of employees who are capable of responding In accordance with the requirements set to, investigating, and analyzing a variety of forth in the Federal Cybersecurity Work- cyber-related cross-programmatic matters, force Assessment Act of 2015, the Depart- and its courses cover the breadth of cy- ment, including the FBI, is identifying and ber-related topics. coding federal positions that perform infor- mation technology, cybersecurity, and other Te On the Job Training (“OJT”) initiative cyber-related functions based on the work is a combination of classes and real world roles described in the National Initiative for experiences encountered daily on a cyber Cybersecurity Education Framework.1 Tis squad. Te OJT program takes place over analysis will underpin an efort to prioritize a six-month period and requires a full-time areas of critical need within the workforce, commitment from participants. Te partic- and support possible recommendations for ipants are reassigned to a cyber squad and introducing new job roles that will improve are expected to work cyber cases under the the FBI’s ability to respond to Internet-en- mentorship of cyber-skilled professionals. abled crimes and technologically advanced At the conclusion of the six-month pro- threat actors. gram, participants return to their original squads with enhanced cyber skills to ad- With respect to training, the FBI has a num- dress cyber threats within that program and ber of programs to ensure its workforce to share their knowledge. Upon completion possesses the key cyber skills and tools to of this program, participants will be desig- succeed in their investigations, especially as nated Cyber Certifed.

98 TRAINING AND MANAGING OUR WORKFORCE

Te FBI Digital Forensics program ofers sis of Windows, Macintosh, UNIX, and mo- digital evidence related training and cer- bile operating systems, Internet artifacts, tifcations to personnel dedicated to man- secure device access, vehicle forensics, and aging digital evidence challenges, and also Internet of Tings related challenges. ofers technical training to the broader FBI workforce which familiarizes them with the 2. Te Criminal Division challenges of properly preserving and han- dling digital evidence. Te Forensic Exam- Computer Crime and Intellectual iner certifcation program includes over ten Property Section weeks of total training, practical exercises, mentorship, and a moot court which in- In 1996, the Department consolidated the cludes Department attorneys and senior ex- Criminal Division’s expertise in computer aminers. crime matters into a single ofce called the Computer Crime and Intellectual Property Te FBI’s Cyber Executive Certifcation Section (“CCIPS”), with prosecutors devot- Program provides high-level cyber training ed to pursuing computer crime prosecutions and prepares executives for their role in the fulltime. Over the years, CCIPS’s mission cyber investigation process. Participants has grown beyond prosecution to include have the opportunity to obtain two industry spearheading cyber policy and legislative standard certifcations, in addition to the initiatives, training and support, public out- internal FBI certifcate. Additionally, the reach, and cybersecurity guidance. CCIPS digital evidence program ofers advanced consists of a team of specially trained attor- training to personnel supervisors of digital neys dedicated to investigating and prose- evidence workforce, preparing them to en- cuting high-tech crimes and violations of sure the technical requirements of FBI in- intellectual property laws, and to advising on vestigation are met by the digital evidence legal issues concerning the lawful collection staf. of electronic evidence.

Finally, FBI-led cyber training takes place at Today, CCIPS is responsible for implement- Cyber Academy campuses located at difer- ing the Department’s national strategies to ent points in the country, while digital evi- combat computer and intellectual proper- dence training occurs at Regional Computer ty crimes worldwide by working with other Forensics Laboratories, and at FBI head- Department components and government quarters. Cyber training ranges from the agencies, the private sector, academic insti- Cyber Basic School, a two-week curriculum tutions, and foreign counterparts, among designed to instill cybersecurity fundamen- others. Section attorneys work to improve tals in all employees, to advanced training the domestic and international legal, techno- for seasoned cyber investigators. Digital ev- logical, and operational legal infrastructure idence training includes guidance in analy- to pursue network criminals most efective-

99 CYBER-DIGITAL TASK FORCE REPORT ly. Working in support of and alongside the necessary search warrants and court orders, 94 U.S. Attorneys’ Ofces (“USAOs”), CCIPS collect electronic evidence, and ultimately, prosecutes violations of federal law involving build a criminal case. Pursuant to depart- computer intrusions and attacks. CCIPS has mental regulation, U.S. Attorneys are re- also worked with the Treasury Department’s sponsible for ensuring that experienced and Ofce of Foreign Asset Control to use new technically-qualifed AUSAs serve as the dis- authorities under Executive Order 13694 trict’s CHIP prosecutors; ensuring that CHIP to bring sanctions against foreign nationals resources are dedicated to CHIP program for malicious cyber-enabled criminal activ- objectives; ensuring that the USAO notifes, ities. In conjunction with the Executive Of- consults, and coordinates with CCIPS and fce for United States Attorneys (“EOUSA”), other USAOs; and promoting and ensuring described below, CCIPS conducts at least efective interaction with law enforcement, four multi-day in-person trainings and up to industry representatives, and the public in twelve webinars a year. It also maintains an matters relating to computer and intellectual internal website with information available property crime. to all Department components that is visit- ed more than 90,000 times a year, and has a Money Laundering and Asset rotating daily duty-attorney system that re- Recovery Section sponds to approximately 2,000 calls for ad- vice a year. Te Criminal Division’s Money Launder- ing and Asset Recovery Section (“MLARS”) In addition, the Criminal Division estab- leads the Department’s asset forfeiture and lished the Computer Hacking and Intellectu- anti-money laundering enforcement ef- al Property (“CHIP”) coordinator program forts. MLARS is responsible for, among in 1995 to ensure that each USAO and litigat- other things, coordinating complex, sensi- ing division has at least one prosecutor who tive, multi-district, and international money is specially trained on cyber threats, elec- laundering and asset forfeiture investigations tronic evidence collection, and technologi- and cases; providing legal and policy assis- cal trends that criminals exploit. Te CHIP tance and training to federal, State, and local network now includes approximately 270 prosecutors and law enforcement personnel; prosecutors from USAOs and Main Justice, and assisting Departmental and interagency and aids in the coordination of multi-dis- policymakers by developing and reviewing trict prosecutions involving cyber threats. legislative, regulatory, and policy initiatives. Specialized CHIP units exist in 25 designat- ed USAOs. CHIP Assistant U.S. Attorneys With respect to cyber-enabled threats in (AUSAs) work with law enforcement part- particular, MLARS has established a Digital ners from multiple law enforcement agencies Currency Initiative that focuses on provid- at the outset of an investigation, ofen in con- ing support and guidance to investigators, sultation with CCIPS, to provide legal guid- prosecutors, and other government agencies ance, help craf an investigative plan, obtain on prosecutions and forfei-

100 TRAINING AND MANAGING OUR WORKFORCE tures. Te Digital Currency Initiative will and law enforcement agencies on the use of expand and implement cryptocurrency-re- electronic surveillance. Tey also assist in lated training to encourage and enable more developing Department policy on emerging investigators, prosecutors, and Department technology and telecommunications issues. components to pursue such cases, while de- veloping and disseminating policy guidance Ofce of International Afairs on various aspects of cryptocurrency, includ- ing seizure and forfeiture. Trough the Ini- Te Criminal Division’s Ofce of Interna- tiative, MLARS will also advise AUSAs and tional Afairs (“OIA”) returns fugitives to federal agents on complex questions of law face justice, and obtains essential evidence related to cryptocurrency to inform charging for criminal investigations and prosecutions decisions and other prosecutorial strategies. worldwide by working with domestic part- ners and foreign counterparts to facilitate Ofce of Enforcement Operations, the cooperation necessary to enforce the law, Electronic Surveillance Unit advance public safety, and achieve justice. Drawing upon a vast network of internation- Electronic surveillance is one of the most al agreements and its expertise in extradition efective law enforcement tools for investi- and mutual legal assistance, OIA in recent gating many types of criminal enterprises, years has worked with domestic and foreign including cyber-based criminal enterprises law enforcement to hold cybercriminals ac- that use electronic media and Internet-based countable in U.S. courts and obtain the evi- technologies to perpetrate their crimes. Te dence needed to untangle complex transna- Electronic Surveillance Unit (“ESU”) in the tional cybercrime schemes. Criminal Division’s Ofce of Enforcement Operations is responsible for reviewing all In addition to its work supporting investi- federal requests to conduct interceptions gations and prosecutions of cybercriminals, of wire, electronic, or oral communications OIA uses mutual legal assistance to obtain pursuant to the Wiretap Act. ESU’s special- electronic evidence for foreign and domestic ized attorneys provide suggested revisions law enforcement personnel. As the need to and ofer guidance to ensure that electron- obtain electronic evidence in virtually every ic surveillance applications meet all consti- type of criminal case has burgeoned, OIA tutional, statutory, and Department policy has worked to modernize its practice in this requirements. Every federal wiretap appli- area by creating a team of attorneys and sup- cation must be approved by a senior Depart- port personnel specially trained in obtaining ment of Justice ofcial before it is submitted electronic evidence, and by implementing to a court, and ESU makes recommenda- process efciencies to ensure swif attention tions to those ofcials based on its review. to requests from prosecutors and police. Additionally, ESU attorneys regularly con- OIA is also actively engaged in the policy, duct webinars and in-person trainings, and legislative, and multilateral arenas in which provide legal advice to federal prosecutors topics concerning access to electronic evi-

101 CYBER-DIGITAL TASK FORCE REPORT dence and law enforcement cooperation are ees, which is taught by NSD and CCIPS at- discussed and debated to ensure that the De- torneys. partment’s mission is advanced and that our law enforcement personnel get the tools they In addition, in 2012, NSD launched the Na- need to keep pace with ever-evolving threats. tional Security Cyber Specialist (“NSCS”) Consistent with these goals, OIA conducts network to equip USAOs around the Nation regular training for U.S. prosecutors on the with prosecutors trained on national security tools available to them to obtain evidence lo- cyber threats, such as nation-state cyber es- cated overseas and to secure the return of fu- pionage activities and terrorists’ use of tech- gitives. OIA also provides frequent regional nology to plot attacks. NSCS-Main is com- and bilateral trainings to our foreign part- prised of lawyers and other experts drawn ners to bolster their ability to stop criminal from NSD’s component sections and ofces, activity before it reaches our shores. as well as from CCIPS and ESU in the Crim- inal Division. NSCS-Main also coordinates as needed with other Department headquar- 3. Te National Security Division ters components, including the Civil Divi- Te investigation, disruption, and deterrence sion, the Antitrust Division, the Ofce of of national security cyber threats are among Legal Policy, and the Ofce of Legal Counsel, the highest priorities of the Department’s and works closely with the Department’s in- National Security Division (“NSD”). Tese vestigative components, including the FBI. priorities come from a recognition that net- work defense alone is not enough to counter Te NSCS Network also includes AUSAs the threat. To the contrary, we must also im- in each of the USAOs; these AUSAs serve pose costs on our adversaries using all of the as their ofces’ primary points of entry for U.S. government’s lawfully available tools. cases involving cyber threats to the national Tis “all-tools” approach informs NSD’s ef- security and coordinate closely with NSCS- forts to combat cyber threats to our national Main. NSD and CCIPS, in conjunction with security, with the goal of deterring and dis- EOUSA, provides annual training for NSCS rupting cyber-based intrusions and attacks. members. Te NSCS training covers a num- In this context, national security cyber cases ber of national security cyber topics to en- are those perpetrated by nation states, ter- hance the education of the prosecutors who rorists, or their agents or proxies, or cases handle these matters. In addition, through involving the targeting of information that is the National Security/Anti-Terrorism Advi- controlled for national security purposes. sory Council, there are approximately seven training courses conducted annually for na- All NSD attorneys must take a cyber course tional security prosecutors. Tose trainings within two years of joining the division. generally include a number of cyber-related NSD also conducts annually a one-day cy- sessions for national security prosecutors. ber training in-house for all NSD employ-

102 TRAINING AND MANAGING OUR WORKFORCE

Finally, this year, for the frst time, NSD is of- of technology to plan attacks. Te USAOs fering a Cyber Fellowship for those selected also coordinate as needed with Department attorneys who applied to further their edu- headquarters components, such as the Crim- cation on technology-related issues. Five at- inal and National Security Divisions, in a torneys were selected to participate in 2018 further efort to ensure the efectiveness of and have been attending a series of trainings such cyber-oriented investigations and pros- ofered by the FBI, the CIA, Carnegie Mellon ecutions. University, and the SANS Institute. Tose selected have also agreed to assist with train- EOUSA provides executive and administra- ing and other cyber initiatives at NSD. tive support for the 93 United States Attor- neys. Such support includes legal education, administrative oversight, technical support, 4. United States Attorney’s Ofces / and the creation of uniform policies, among Executive Ofce for United States Attorneys other responsibilities.

Te United States Attorneys serve as the na- Te National Advocacy Center, which EO- tion’s principal litigators, under the direction USA operates, provides numerous courses of the Attorney General. Tere are 93 Unit- every year addressing a wide variety of cy- ed States Attorneys stationed throughout ber-related topics. Tese courses are attend- the United States, Puerto Rico, the Virgin ed by prosecutors from across the country Islands, Guam, and the Northern Mariana and are tailored to address the training needs Islands.2 Each United States Attorney is the of attorneys with varying levels of experi- chief federal law enforcement ofcer of the ence handling cyber matters. Working with United States within his or her particular ju- CCIPS and the National Security Division’s risdiction. United States Attorneys conduct Counterterrorism and Counterespionage most of the trial work in which the United sections, these cybercrime courses range States is a party. Although the distribution from introductory to advanced level and of caseloads varies between districts, each have included training addressing the na- USAO deals with every category of cases, ture of computer forensics, the investigation including cybercrime prosecutions. As ref- of computer intrusions, and the use of elec- erenced above, the role of the CHIP AUSA tronic evidence, among other related topics. was established to ensure that each USAO In short, each year, the Department trains has personnel trained on cyber threats, elec- hundreds of federal prosecutors in cyber- tronic evidence collection, and technolog- crime and national security cyber matters. ical trends exploited by criminals. Similar- ly, the NSCS program discussed above was In addition to these in-person training pro- designed to equip USAOs around the nation grams, EOUSA, through the Ofce of Legal with prosecutors specially trained on nation- and Victim Programs and the Ofce of Le- al security cyber threats, such as nation state gal Education (“OLE”), sponsors additional cyber espionage activities and terrorists’ use cyber training, including webinars that are

103 CYBER-DIGITAL TASK FORCE REPORT broadcast nationwide. Tese webinars allow seminates to the feld guidance relating to the Department to provide supplemental these issues. STSO is attempting to bring cutting-edge training and allow prosecutors DEA employees into a more advanced to view these presentations from their own awareness of today’s cyber world, so they ofces, while still enabling them to remote- can adapt to that environment while per- ly ask the presenters questions and down- forming the daily tasks of Internet research load related materials. For example, EOUSA and investigations. sponsored a webinar discussing new provi- sions of a Federal Rule of Evidence relating 6. INTERPOL to electronic evidence, immediately afer those provisions became efective. Almost Te mission of INTERPOL Washington 1,000 Department employees viewed that (United States National Central Bureau), is to program. Working closely with CCIPS and advance the law enforcement interests of the OEO, additional notable webinars have in- United States as the ofcial representative to cluded programs addressing legal standards the International Criminal Police Organiza- for obtaining cell phone location informa- tion (INTERPOL); to share criminal justice, tion, searching and seizing computers and humanitarian, and public safety information other digital devices, cryptocurrency, and between our Nation’s law enforcement com- social media and online investigations, to munity and its foreign counterparts; and to name just a few. facilitate transnational investigative eforts that enhance the safety and security of our OLE, working with CCIPS, has also issued Nation. standalone written materials that prosecu- tors can use for training and law enforce- INTERPOL Washington leverages a network ment purposes. of 192 countries connected by a secure com- munications platform to share information 5. Drug Enforcement Administration for the purpose of enhancing international cooperation in all areas of criminal investi- Te DEA enforces the Nation’s controlled gation, including cybercrime investigations. substance laws and regulations. Trough its INTERPOL Washington maintains an of- participation in J-CODE and beyond, DEA fce dedicated to advancing the cybercrime is developing its expertise in Dark Market investigations of U.S. law enforcement by investigations. DEA’s Operational Support establishing and maintaining relationships Unit (“STSO”) serves as the point of contact with the heads of cybercrime units of other between DEA ofces and the technology countries; sharing information through the and communications industry, in order to secure communications platform to assist identify, address, and resolve subpoena and cybercrime investigations conducted by the related compliance issues, as well as other agencies of the Department of Justice and legal and regulatory issues. STSO also dis- the Department of Homeland Security; and

104 TRAINING AND MANAGING OUR WORKFORCE providing support to other federal, State, lo- thereby also increasing our own capacity to cal, and tribal law enforcement agencies. thwart cyber threats.

7. Foreign Government Training 8. Department-Wide Cybersecurity Initiatives Awareness Training

In addition to training its own personnel, In addition to the specialized units and the Department also provides training and training described above, the Department technical assistance to foreign governments recognizes that cybersecurity efectiveness to ensure that they are equipped to address depends on everyone in the organization. their own domestic cyber threats. As coun- Users are still one of the most attacked enti- tries develop their own capacity to address ties in the organization. Social engineering cyber issues, they are also better equipped attacks (described in more detail in Chapter to assist the United States in investigations 2) come in many forms, are still efective, involving criminal conduct emanating from and can target anyone in the Department. within their own borders. Te Department As such, all Department employees must has maintained a robust program for en- have a basic understanding of their respon- couraging foreign governments to develop sibilities when handling the Department’s their criminal and procedural laws to address information and accessing its information emerging cybercrime threats and capabilities, system, while being held accountable for consistent with the Budapest Convention on abusing those responsibilities. Cybercrime. As discussed in Chapter 3, the Budapest Convention—which the United All Department personnel receive annual States ratifed over ten years ago—provides a cybersecurity awareness training. In ad- legal framework for criminalizing key types dition, all employees and contractors must of cybercrime, developing the tools necessary sign the “Department of Justice Cybersecu- to investigate such crime, and establishing rity and Privacy Rules of Behavior (ROB) for the network for rapid international cooper- General Users” agreement, which confrms ation that must exist to investigate and pros- that the employee or contractor completed ecute cyber actors wherever they are located. the training and understands the applicable cybersecurity requirements and responsibil- Using a balanced approach of frank policy ities. As the agreement makes clear, “each discussions with countries that have techni- [Department] user is responsible for the se- cal capabilities similar to our own, combined curity and privacy of [Department] informa- with multilateral training initiatives aimed at tion systems and their data.” countries whose legal infrastructure for ad- dressing cyber threats is in earlier stages of Adequate training ensures that everyone development, the Department has continued within the Department has a basic under- to improve the capacity of other countries standing of the relevant threats, their role in to address cyber threats around the world, protecting our information and information

105 CYBER-DIGITAL TASK FORCE REPORT systems, and how to detect and respond to issues. In addition, the Department’s Ofce cybersecurity events. Typical web-based of the Chief Information Ofcer hosts an training is most common; however, many annual Cybersecurity Symposium, which training delivery mechanisms are used to get provides a forum for employees to gain an the broadest penetration of the material. For understanding of the latest trends in cyber- example, phishing exercises are conducted security from federal and industry leaders. throughout the year, and in-person briefngs Tese events help educate the Department’s and topic-specifc training sessions are of- workforce on the most current trends in in- fered for special audiences and material. formation security and privacy.

Finally, the Department has also hosted a While the Department employs a robust number of Department-wide trainings and training program, we can do more to carry awareness campaigns to educate the Depart- the Department into the future. Training ment’s workforce on privacy and cybersecu- can reinforce best practices, enable advanced rity. Te Ofce of Privacy and Civil Liberties threat detection, and improve security and organizes an annual Privacy Forum, which safety across the Department as we all work gathers the Department’s privacy ofcials to carry out its critical cyber mission. to discuss current privacy and civil liberties

106 TRAINING AND MANAGING OUR WORKFORCE

NOTES

1 See National Institute for Standards and Tech- 2 One United States Attorney is assigned to nology, Special Publication 800-181, National each of the 94 judicial districts, with the excep- Initiative for Cybersecurity Education (NICE) Cy- tion of Guam and the Northern Mariana Islands, bersecurity Workforce Framework (Aug. 2017), where a single United States Attorney serves in available at: https://nvlpubs.nist.gov/nistpubs/ both districts. SpecialPublications/NIST.SP.800-181.pdf (last accessed June 29, 2018).

107

LOOKING AHEAD

Chapter 6 Looking Ahead

his report describes the most signif- 1. Challenges in Preventing and icant cyber threats our Nation faces, Responding to Cyber Incidents and catalogs the ways in which the TDepartment confronts and combats those Working with the Private Sector threats. As the discussion in previous chap- ters reveals, the Department has had many Virtually every instance of cyber-related successes. At the same time, we face a num- crime implicates the private sector in some ber of challenges. way, whether the private sector is the target of malicious cyber activity, the provider of In this chapter, we further explore those technology or services through which cyber- challenges and identify specifc areas for ad- crimes are committed or concealed, or the ditional inquiry. We also outline eight key repository of evidence (such as communi- areas of future efort that will defne the De- cations) relating to cyber-enabled criminal partment’s work in the months ahead. activity. As such, the relationship that the Department, including the FBI, builds and Specifc Challenges maintains with the private sector is critical to our eforts to combat cybercrime. Fortu- Each part of the Department’s eforts to con- nately, the Department and the private sec- front cyber threats—(1) preventing and re- tor already have engaged in numerous for- sponding to cyber incidents (Chapter 4); (2) mal and informal collaborations. Even so, investigating and prosecuting cyber-related the Department must deepen these relation- crimes (Chapter 2); and (3) dismantling, ships, particularly as technology evolves and disrupting, and detering malicious cyber the cast of service providers and technology threats (Chapter 3)—bears its own unique manufacturers continues to change. challenges.1 a. Te Research Here, we describe those challenges and, Community where applicable, discuss how the Depart- ment has begun addressing the challenge or Te computer security research communi- what actions we may yet take to sharpen our ty—which is comprised of not only computer eforts. Where appropriate, we also highlight security companies but also individuals and issues that require further consideration and organizations with expertise in computer development due to the complex or evolving security—has made valuable contributions nature of the threat. to combating cyber threats by discovering

109 CYBER-DIGITAL TASK FORCE REPORT signifcant exploitable vulnerabilities afect- even more important as IoT devices prolifer- ing, among other things, the confdentiality ate, perform more household tasks, and col- of data, the safety of Internet-connected de- lect more data capable of being monetized by vices, and the security of automobiles. Some criminals. security researchers have also been allies in law enforcement eforts to dismantle cyber Te Copyright Ofce has initiated its next threats. For example, assistance with mal- rulemaking process to evaluate extending ware analysis and mitigation techniques has the DMCA exemptions. Te Department helped law enforcement conduct operations has submitted input to the Copyright Ofce against various cybercriminals, including in support of extending and expanding the through botnet takedowns. current security research exemption, with caveats intended to protect public safety Even so, some in the computer security re- and avoid confusion over legal research ac- search community harbor concerns that law tivities.4 At the same time, the Department enforcement may misconstrue as criminal should continue evaluating existing laws and activity their methods of searching for and regulations to identify other opportunities to analyzing vulnerabilities. Some researchers support and encourage legitimate computer have even expressed anxiety that such con- security research. Finally, the Criminal Di- cerns have chilled legitimate security re- vision’s Cybersecurity Unit should conduct search. additional outreach to the computer securi- ty community. In doing so, the Unit should To ensure the Department maintains and seek out opportunities to: (1) explain how the fosters a positive, collaborative working rela- Department’s policies and practices address tionship with computer security researchers, concerns about unwarranted prosecutions the Department should consider potential for legitimate security research; and (2) bet- legal options to encourage and protect legit- ter educate the computer security research imate computer security research. For in- community about the federal criminal laws stance, a three-year exemption to the Digital implicated by computer security activities. Millennium Copyright Act (“DMCA”)2—the result of rulemaking by the U.S. Copyright b. Encouraging Private Sector Reporting Ofce3—has allowed researchers to conduct of Cyber Incidents vulnerability research on consumer prod- ucts, including Internet of Tings (“IoT”) Another important component of the De- devices. IoT devices are prime targets of cy- partment’s collaboration with the private bercriminals for use in illicit activities like sector is the public-private work on infor- distributed denial of service attacks. Finding mation sharing and threat assessment. As and repairing vulnerabilities in consumer discussed in Chapter 4, the FBI disseminates devices is important and will likely become numerous reports directly to members of

110 LOOKING AHEAD the private sector to inform them of cyber ger civil or even criminal liability, or may threats. Tis information sharing provides impact U.S. foreign relations. Regardless of the private sector with actionable intelli- the reason, lack of reporting is a signifcant gence that enables them to take appropriate impediment to the Department’s eforts to precautions. thwart cybercriminals and to address threats to national security—particularly when new Information sharing, however, is most efec- threats are emerging. tive when it fows two ways. When a private sector entity reports a breach or attempted Encouraging reporting from private sector intrusion, the Department gains valuable in- victims is thus critical to enhancing the De- sights into threat activity that can help direct, partment’s ability to prevent, deter, investi- in real time, law enforcement eforts to in- gate, and prosecute (or otherwise disrupt) vestigate and disrupt the malicious activity. cybercrimes. To facilitate reporting, the De- Prompt reporting also provides information partment should consider not only how to that ofcials can accumulate and share with build deeper trust with the private sector, but other private sector entities to facilitate ap- also understand and address the private sec- propriate security measures. Indeed, eforts tor’s needs and concerns related to report- by the Department and FBI to help manage ing. Tis assessment should include under- cyber incidents and, later, to bring perpetra- standing how best to incentivize reporting as tors to justice through prosecution are best well as how to eliminate obstacles or barri- accomplished when the victim—who may be ers. Te Department should also continue the frst to discover an incident—reports the its outreach to the private sector to identify incident or intrusion in a timely manner. additional areas for collaboration, especial- ly with respect to reporting and information Unfortunately, many cyber incidents in the sharing. In the past, such outreach has re- United States are never reported to law en- sulted in industry-targeted guidance such as forcement. Victims—especially businesses— the Criminal Division Cybersecurity Unit’s ofen decide not to report cyber incidents Best Practices for Victim Reporting and Re- for a variety of reasons, including concerns sponding to Cyber Incidents.5 about publicity and potential harm to the company’s reputation or profts, and even Te Department must also consider the role concerns of retaliation by a nation state where that DHS and other government agencies they wish to do business. Some victims may play in working with the private sector to en- simply not know how to report the incident sure federal agencies’ eforts are complemen- to appropriate authorities. And still others, tary and cooperative. In addition to DHS particularly larger companies, may try to act and other federal partners, the Department on their own to pursue, confront, or disrupt should continue to work with the agencies the perpetrator, though doing so may trig- that regulate the private sector to evaluate

111 CYBER-DIGITAL TASK FORCE REPORT expectations and encourage clear thresholds of the harm—the Department should review for reporting. the AG Victim Guidelines to ensure, among other things, that the guidelines, and any re- Te Department’s additional eforts on pri- lated victim notifcation policies and practic- vate sector reporting should also include at- es, appropriately account for the unique and tention to statutory data breach notifcation ofen nuanced nature of cybercrime. requirements. Currently, all 50 States have enacted separate notifcation laws setting Preventing Cyber-Related Vulnerabilities standards governing notifcation by private in Connection with Foreign Investment entities when a data breach occurs, but there and Supply Chains is no federal reporting requirement or stan- dard. As such, companies must navigate and As part of its eforts to prevent cybercrime, comply with the varying requirements in 50 the Department is concerned with mitigat- State jurisdictions.6 In the wake of recent ing vulnerabilities that threaten national high-profle data breaches exposing Ameri- security. Such areas concern foreign invest- cans’ personal information, Congress has a ment in domestic assets and foreign supply revived interest in national notifcation re- chains. quirements. A national data breach standard could increase federal law enforcement’s ef- For example, a March 22, 2018 Presidential fectiveness to pursue hackers and prevent Memorandum observed that “China directs data breaches. and facilitates the systematic investment in, and acquisition of, U.S. companies and assets c. Reviewing Guidance on Victim by Chinese companies to obtain cutting-edge Notifcation technologies and intellectual property and to generate large-scale technology transfer In 2012, the Attorney General issued Gen- in industries deemed important by Chinese eral Guidelines for Victim and Witness As- government industrial plans.”7 Under ambi- sistance (“AG Victim Guidelines” or “guide- tious industrial policies, China aims to use lines”) that, among other things, discussed foreign investment as a means of dominating two statutes—the Victims’ Rights and Resti- cutting-edge technologies like advanced mi- tution Act, 42 U.S.C. § 10607, and the Crime crochips, artifcial intelligence, and electric Victims’ Rights Act, 18 U.S.C. § 3771—which cars, among others. accord certain rights to individuals who meet the statutory defnition of “victim.” Te AG Currently, the Department responds to Victim Guidelines also address when FBI threats posed by foreign investment in the notifcation to victims and witnesses is ap- United States and the export of sensitive propriate and warranted. Given the evolving technology by enforcing U.S. export con- nature of cyber-enabled crimes—including trols and through the Committee on Foreign the fact that it is not always easy to identify Investment in the United States (“CFIUS”), a cybercrime “victim” or the extent or nature a statutorily-established body that has au-

112 LOOKING AHEAD thority to review transactions that could re- 2. Challenges in Investigating and sult in control of a U.S. business by a foreign Prosecuting Computer Crime person. As the March 22, 2018 Presidential Memorandum indicates, further coordina- Accessing Data in the United States tion through CFIUS, enforcement of exist- ing technology transfer controls, and other Data not only is key to understanding the interagency eforts will be necessary to tackle nature of cybercrime and the identity of per- risks from foreign investment in sensitive in- petrators, but also is a primary source of ev- dustries and technologies. idence for prosecution. Unfortunately, the relevant data is ofen hard to reach, hidden In addition to foreign investment, the De- on computers in diferent States or even in partment is generally concerned with hard- countries half a world away, lurking on dark ening supply chains. Technology supply markets, or protected by anonymized host chains are especially vulnerable, because the servers or encryption. Recognizing that ac- hardware components and sofware code cessing data is the starting point and ofen that go into technology products ofen come the cornerstone of computer crime investi- from foreign sources, including develop- gations and prosecutions, the Department ers in Russia and China.8 To address these has made concerted eforts to improve its concerns, the Department coordinates with ability to collect data related to criminal ac- other government agencies and the private tivity. However, several challenges to access- sector to efectively manage and mitigate cy- ing data remain and require further collabo- bersecurity risks in U.S. supply chains. ration with federal, State, and private sector partners. For example, the Department contributes to Team Telecom, an ad hoc interagency work- One such challenge is the reality that cy- ing group that considers the law enforce- bercrime ofen does not take place in one ment, national security, and public safety identifable, physical location. Sophisticated implications of applications for licenses from cybercriminals can control botnets spread the Federal Communications Commission throughout several States or countries and involving a threshold percentage of foreign can hide their illegal activities on proxy net- ownership or control. Moving forward, the works. Te rules governing law enforcement Department should continue to engage with eforts, however, have largely not kept pace these and other interagency eforts to deter- with these criminal realities. For this reason, mine the best ways to strengthen defenses the Department proactively engaged with against national security risks. the Federal Rules Committee and on Decem- ber 1, 2016, an amended version of Rule 41 of the Federal Rules of Criminal Procedure went into efect. (Tat new Rule is discussed in detail in Chapter 3.)

113 CYBER-DIGITAL TASK FORCE REPORT

Te circumstances that the amendments to mation subject to a court order that is within Rule 41 address are important, but they do their “possession, custody, or control,” even not cover all instances where data related if the electronic servers containing that in- to criminal activity are stored in varying or formation are located overseas. Te CLOUD unknown locations within the United States. Act also authorizes our government to enter Te Department should identify any addi- into formal agreements with other nations tional common or recurring circumstances that remove legal barriers that would other- where current legal authorities fall short of wise create confict of laws problems where providing law enforcement with the tools a provider is subject to a foreign court order necessary to access relevant data within the to produce data stored in that other coun- United States and determine whether chang- try. Te Act requires both governments to es similar to the recent Rule 41 amendments “certify” that the laws and practices of the would be efective. other country provide adequate protections for human rights and personal privacy. Te Accessing Data Abroad agreements must also implement transpar- ency measures and periodic reviews to en- Te Department faces similar challenges in sure ongoing compliance. Te Department accessing data located outside the United is currently considering how it should imple- States. As with the Rule 41 amendments ment such agreements. in the domestic context, the Department recently engaged with partners to enhance Challenges remain, however, when inves- our investigative authority in such circum- tigating computer crimes that extend over- stances. In particular, as the result of a joint seas, particularly because the CLOUD Act efort between the private sector and the addresses only those instances where the Department to bring clarity to investiga- relevant overseas data is possessed or con- tive demands for data stored overseas, the trolled by an entity subject to U.S. jurisdic- Clarifying Lawful Overseas Use of Data Act tion. Many types of evidence fall outside (“CLOUD Act”) became law on March 23, those criteria, and traditional mutual legal 2018. (Te CLOUD Act is also discussed in assistance treaty (“MLAT”) procedures may Chapter 3.) also fall short.

Passage of the CLOUD Act institutes a frame- For those reasons, the Department contin- work for technology companies to comply ually aims to improve its international out- with investigative demands for data stored reach eforts and to engage with internation- outside of the requesting country’s territory, al Internet governance bodies to encourage and creates processes to resolve thorny con- them not to apply rules that unreasonably fict of laws problems. Te Act clarifes that restrict or interfere with valid investigations. the U.S. government’s traditional authority For example, the Department is currently in this area remains in force: communica- monitoring and assessing the impact of the tions service providers must disclose infor- European Union’s sweeping General Data

114 LOOKING AHEAD

Protection Regulation (“GDPR”), which risk associated with noncompliance with the went into efect on May 25, 2018. GDPR, however, the private organization responsible for maintaining WHOIS has de- Broadly speaking, the GDPR regulates how cided to remove much of the registrant data private companies and governments process, from the publicly-available segments of the store, and transfer data concerning E.U. resi- system while the organization works with dents, including how such data and informa- stakeholders, including the Department, to tion is handled and transferred into and out develop a GDPR-compliant system. of the E.U. Violators could be subject to fnes up to 4% of their gross revenue worldwide or Tis is only one example of how the GDPR 20 million Euros, whichever is greater, creat- may be interpreted to impede the ability of ing a serious fnancial incentive for covered law enforcement authorities to obtain data entities not to violate the new regulation. Ex- critical for their authorized criminal and ceptions written into the GDPR should en- civil law enforcement activities. Uncertainty sure that it does not afect the ability of U.S. about the GDPR also has placed in question law enforcement to obtain evidence through not only voluntary disclosures of informa- MLATs. Also, law enforcement-to-law en- tion about criminal activity—e.g., by their forcement sharing is covered by a separate employees, contractors, or customers—to directive and is thus outside of the scope of U.S. law enforcement agencies, but also may the GDPR. Still, signifcant questions and cause companies with a signifcant E.U. pres- uncertainties exist about the GDPR, which ence to become reluctant to comply even could negatively afect law enforcement, in- with disclosures required by legal process, cluding by impeding information sharing. such as warrants and subpoenas, for fear that such a disclosure would be in violation of the For example, some interpret the GDPR to GDPR. Absent ofcial guidance, companies require that the publicly-available WHOIS with signifcant E.U. business may become system remove information about the regis- reluctant to participate in mandatory data trants of Internet domain names from pub- transfers to U.S. law enforcement and regula- lic access, thereby necessitating the building tory authorities, which would impede efec- and maintenance of secured law enforce- tive tax collection, limit the ability of agencies ment portals to access that information. As to stop anti-competitive business practices, described in Chapter 3, prosecutors and law impair the work of public health and safety enforcement agencies around the world use agencies, and undermine the integrity of the WHOIS system thousands of times a day global banking, securities, and commodi- to investigate crimes ranging from botnets to ties markets. Tis could also undercut the online fraud. Te registrant data in WHOIS Department’s mitigation programs for busi- can create crucial leads to targets’ identities, nesses and individuals that wish to cooperate locations, and other pieces of their criminal in areas such as fraud, , money laun- infrastructure. Tis data can also help iden- dering, sanctions violations, and antitrust tify additional victims. Due to the signifcant matters—programs that yield information

115 CYBER-DIGITAL TASK FORCE REPORT that ofen results in criminal referrals, and wiretap orders. In the past several years, the thus relate to the Department’s core mission. Department has seen the proliferation of de- fault encryption where the only person who In short, given the uncertainty that the can access the unencrypted information is GDPR presents in certain key areas, the De- the end user. Te advent of such widespread partment (as well as the U.S. government as and increasingly sophisticated encryption a whole) must continue to collaborate with technologies that prevent lawful access poses European authorities and stakeholders to a signifcant impediment to the investigation carefully monitor the GDPR’s impacts. of most types of criminal activity, including violent crime, drug trafcking, child ex- Te “Going Dark” Problem ploitation, cybercrime, money laundering One of the most signifcant challenges to the (including through cryptocurrencies), and Department’s ability to access investigative domestic and international terrorism. data is the “Going Dark” problem. “Going Dark” describes circumstances where the Faced with the challenges posed by encrypt- government is unable to obtain critical infor- ed information, investigative agencies have mation in an intelligible and usable form (or sometimes looked to other sources of infor- at all), despite having a court order authoriz- mation and evidence, which can be costly to ing the government’s access to that informa- procure and maintain. While these eforts tion. Te problem impacts a range of issues, have occasionally been successful, evidence including data retention;9 anonymization; and information lost to encryption ofen provider compliance (or absence thereof); cannot be replaced solely by pursuing other foreign-stored data; data localization laws; sources of evidence. For example, communi- tool development and perishability; and oth- cations metadata, such as non-content infor- er similar issues. Te challenges posed by mation about who contacts whom in phone the Going Dark issue have achieved greatest records, can be helpful in putting the pieces prominence in the context of encryption. together, but it provides less information than the content of data and communications—a Tese challenges have signifcantly grown in diference that can prove outcome-deter- recent years as the sophistication of encryp- minative in the context of a criminal in- tion has increased. In the past, only the most vestigation, where prosecutors must prove sophisticated criminals encrypted their com- beyond a reasonable doubt. Moreover, munications and data storage; today the av- metadata is also ofen simply unavailable be- erage consumer has access to better technol- cause there is no mandate for providers to ogy than sophisticated criminals had twenty be able to access it. Relatedly, in the context years ago. Previously, providers used en- of a judicial order authorizing the real-time cryption of some sort but generally retained interception of communications, the court a way of accessing the unencrypted data if must fnd, by law, that alternate sources of necessary or desired, including to comply data do not exist or are insufcient to meet with law enforcement search warrants or the investigation’s goals.

116 LOOKING AHEAD

Going Dark

Warrant-proof encryption poses a serious challenge to efective law enforcement.

“We have engaged the tech com- munity aggressively to help solve this problem. You cannot take an “While convinced of the prob- “To those of us charged with the absolutist view on this. So if your lem, I’m open to all constructive protection of public safety and argument is strong encryption, solutions, solutions that take the national security, encryption tech- no matter what, and we can and public safety issue seriously. We nology and its application…will should, in fact, create black boxes, need a thoughtful and sensible ap- become a matter of life and death then that I think does not strike proach, one that may vary across which will directly impact our the kind of balance that we have business models and technologies, safety and freedoms.” lived with for 200, 300 years.” but . . . we need to work fast.”

– FBI Director Louis Freeh – President – FBI Director Christopher Wray July 9, 1997 March 11, 2016 March 7, 2018

1997 2016 2018

“To be very clear — the [U.K.] government supports strong encryp- tion and has no of banning end-to-end encryption. But the inability to gain access to encrypted data in specifc and tar- geted instances is right now severely limiting our agencies’ ability to stop terrorist attacks and bring criminals to justice.” – U.K. Home Secretary Amber Rudd August 1, 2017

“Few issues have vexed law enforcement agencies more than this one. Tey can’t get access to the data they need to stop crime and hold criminals to account. 95 per cent of [our intelligence orga- nization’s] most dangerous counter-terrorism targets actively use encrypted messages to conceal their communications. We need access to digital networks and devices, and to the data on them, when there are reasonable grounds to do so. Tese powers must extend beyond traditional in- terception if our agencies are to remain efective and pre-empt and hold to account crimi- nal activity. Tere will also need to be obligations on industry – telecommunications and technology service providers – to cooperate with agencies to get access to that data . . . . ” – Australian Minister for Law Enforcement & Cybersecurity Angus Taylor June 6, 2018

117 CYBER-DIGITAL TASK FORCE REPORT

Exploiting sofware vulnerabilities can be ment purposes will likely require signifcant- another way to access encrypted (or other- ly higher expenditures—and in the end it wise inaccessible) data on a phone or other may not be a scalable solution. All vulnera- bilities have a limited lifespan and may have a limited scope of applicability. Sofware developers may discover and fx vulnera- bilities in the normal course of business, or the government’s use of a vulnerability could alert developers to its existence. Finally, each vulnerability might have very limited appli- cations—limited, for example, to a particular combination of phone model and operating system.

Te challenges posed by the Going Dark “Responsible encryption is achievable. problem are among law enforcement’s most Responsible encryption can involve efec- vexing. To address these challenges, the De- tive, secure encryption that allows access partment’s eforts should include: (1) consid- only with judicial authorization. Such en- ering whether legislation to address encryp- cryption already exists. Examples include tion (and all related service provider access) the central management of security keys challenges should be pursued; (2) coordi- and operating system updates…” nating with international law enforcement counterparts to better understand the in- —Deputy Attorney General ternational legal, operational, and technical Rod Rosenstein, challenges of encryption; (3) collecting accu- October 10, 2017 rate metrics and case examples that demon- strate the scope and impact of the problem; (4) working to use technical tools more ro- bustly in criminal investigations; (5) insist- device. Te Department has, in some in- ing that providers comply with their legal ob- stances, lawfully exploited security faws to ligations to produce all information in their access electronic data, including data stored possession called for by compulsory process, on smartphones. Tis is a promising tech- and holding them accountable when they do nique, and the Department should expand not; (6) working with State and local part- its use in criminal investigations. However, ners to understand the challenge from their so-called “engineered access” is not a re- perspective and to assist them technological- placement for all the evidence, including ev- ly in signifcant cases; and (7) reaching out idence subject to a court order, that is lost. to academics, industry, and technologists to Moreover, expanding the government’s ex- fully understand the implications and possi- ploitation of vulnerabilities for law enforce- bilities for lawful access solutions.

118 LOOKING AHEAD

Additional Investigative Authorities telephone calls10—in national security inves- tigations. ECTRs do not include the content Te Department has identifed at least two of communications, but they can provide additional legal authorities it needs to sup- crucial evidence early in national security port cyber-related investigations. First, ex- investigations, when investigators do not yet ceptions to the court order requirements of have a clear indication of a subject’s network the Pen Register statute, 18 U.S.C. § 3121, are of contacts. Information obtained from EC- unnecessarily narrow. Tat statute governs TRs, such as e-mail addresses, can help es- the real-time collection of non-content “di- tablish the probable cause necessary to get a aling, routing, addressing, or signaling infor- Foreign Intelligence Surveillance Act order mation” associated with wire or electronic or search warrant to allow the FBI to obtain communications. Tis information includes the content of stored communications, iden- phone numbers dialed as well as the “to” and tify a potential confdential human source “from” felds of e-mail. In general, the statute who may be able to provide valuable intelli- requires a court order authorizing collection gence, or help eliminate a subject from sus- of such information on a prospective basis picion. As electronic networks increasingly unless the collection falls within a statutory have supplanted telephone networks as the exception. Te exceptions to the Pen Regis- means for terrorists and foreign agents to ter statute, however, are not coextensive with communicate, the ability to access these re- the exceptions to the Wiretap Act, codifed at cords efciently has become even more im- 18 U.S.C. § 2511 et seq, which generally gov- portant to the FBI’s work. erns wiretaps to obtain the content of wire or electronic communications. Tis results Under 18 U.S.C. § 2709, electronic commu- in the illogical situation where non-content nication service providers are obliged to pro- information associated with a communica- vide ECTRs in response to certain requests— tion is subject to more extensive protection sometimes called National Security Letters than the content of the communication it- (“NSLs”)—made in connection with qualify- self. Moreover, the Pen Register statute’s ing national security investigations. Compa- consent provision could be clarifed to allow nies, however, have invoked an in users to provide direct, express consent for section 2709 to refuse to provide ECTRs in implementation of a pen/trap device by the response to NSLs. Te statute states in para- government to facilitate cooperative investi- graph (a) that wire or electronic communica- gation eforts. Te Department stands ready tion service providers have a duty to provide to assist Congress in developing legislation ECTRs in response to a request made by the to implement this needed improvement. Director of the FBI under paragraph (b). But paragraph (b) fails expressly to include EC- Second, the Department faces similar prob- TRs in the categories of information the Di- lems in obtaining electronic communica- rector may request, even though paragraph tion transactional records (“ECTRs”)—the (a) explicitly references ECTRs. e-mail equivalent of toll billing records for

119 CYBER-DIGITAL TASK FORCE REPORT

Clarifying the statutory authority would proceedings against, a criminal defendant. strengthen the Department’s ability to con- Prior to the amendment, Rule 4 did not ex- duct counterintelligence investigations and plicitly provide a method to serve process on to identify and disrupt terrorist plots in the an organization with no physical presence in United States. Law enforcement has ob- the United States, an artifact of the pre-cyber tained equivalent telephone records with a era when organizations could hardly commit simple subpoena for decades, and the courts crimes in the United States without having have held that non-content metadata of this a physical presence here. As discussed in kind, held by third-party service providers, Chapters 2 and 3, today, technology allows is not protected by the Fourth Amendment.11 foreign actors to commit intellectual proper- A proposal to clarify that the FBI may ob- ty and computer crimes in the United States tain ECTRs by issuing NSLs would reafrm from virtually anywhere in the world. a similar type of authority to the equivalent type of electronic communications informa- Rule 4, amended as of December 1, 2016, now tion. provides prosecutors with a “non-exhaustive list of methods” for serving “an organization Apprehending Criminals Located Abroad not within a judicial district of the United States.” Most importantly, the amended Rule Even when accessible data allows law en- 4 allows the government to serve a foreign forcement to understand the nature of the organization “by any . . . means that gives crime, to identify potential perpetrators, and notice.” For example, the government has to build a case for prosecution, holding the relied on the amended Rule 4 to serve for- guilty party or parties accountable can still eign organizations by mailing and e-mailing be a challenge. While the Department has process to the foreign organization’s U.S.- made several advances to enhance its ability based defense counsel. Te government has to prosecute sophisticated cybercriminals, also served foreign organizations by mailing difculties apprehending criminal suspects, process to the registered agent for a recently as well as the need for additional prosecuto- dissolved U.S. subsidiary of the foreign or- rial authorities, continue to hinder our eforts ganization or, in another case, by personal- to bring malicious cyber actors to justice. ly serving process on the president of a U.S. organization that shared a common “parent” For example, as with our successful efort organization with the subject of the sum- to amend Rule 41, the Department worked mons. Tis change is particularly important with the Federal Rules Committee to tackle in situations where a state-owned enterprise the problem of serving criminal defendants is charged with a crime but the foreign juris- accused of committing computer crimes. diction is unwilling to assist with eforts to Rule 4 governs the service of criminal pro- serve process. cess upon individuals and organizations— essentially the process by which prosecutors Service, however, is only one facet of the give notice of charges to, and initiate court problem that the Department faces in at-

120 LOOKING AHEAD tempting to hold sophisticated cybercrimi- partment prosecute and deter malicious cy- nals accountable. As noted throughout this ber activity. report, attributing a cyber-incident to an individual or group of actors is difcult due a. Protecting Election Computers to anonymizing technologies and encryp- from Attack tion techniques that allow cybercriminals to remain hidden from law enforcement. Te principal statute used to prosecute hack- Additionally, there are cybercriminals who, ers—the Computer Fraud and Abuse Act though identifed, manage to remain beyond (“CFAA”)—currently does not prohibit the the reach of U.S. law enforcement, especially act of hacking a voting machine in many when they are located abroad. While the De- common situations. In general, the CFAA partment has several mechanisms to bring only prohibits hacking computers that are cybercriminals to the United States to face connected to the Internet (or that meet oth- trial, including extradition treaties and col- er narrow criteria for protection). In many laborative relationships with other countries conceivable situations, electronic voting ma- (see Chapter 3), these eforts are not always chines will not meet those criteria, as they successful. Some foreign sovereigns choose are typically kept of the Internet. Conse- not to cooperate or will do so only afer im- quently, should hacking of a voting machine posing unreasonable limitations on law en- occur, the government would not, in many forcement. Other countries may not punish conceivable circumstances, be able to use the perpetrators for the specifc computer crime CFAA to prosecute the hackers. (Te con- the United States is seeking to prosecute or duct could, however, potentially violate oth- may lack sophisticated domestic cybercrime er criminal statutes.) law enforcement capabilities. In addition to continuing to build strong relationships with b. Insider Treat/Nosal Fix other countries and assisting their eforts to meet the requirements to join the Budapest Until recently, the Department regularly used Convention (also discussed in Chapter 3), the CFAA’s prohibition on “exceeding autho- the Department should continue to identify rized access” to prosecute insider threats—in necessary additional authorities and poten- particular, employees who abused permitted tial mechanisms for bringing foreign-based access to their employers’ systems by steal- cybercriminals to justice. ing proprietary information or accessing in- formation for their own illicit purposes and Additional Criminal Prohibitions gain. Te Department, for example, prose- cuted police ofcers who sold their access to Once malicious cyber actors are identifed, confdential criminal records databases, gov- it is important for the Department to have ernment employees who accessed private tax the authorities necessary to prosecute those and passport records without authority, and individuals for the illicit activity. Addition- bank employees who abused access to steal al criminal prohibitions would help the De- customers’ identities. Tese employees had

121 CYBER-DIGITAL TASK FORCE REPORT some right to access those computers, but access for illicit means. Any such authori- their conduct was a crime under the CFAA ty should also ensure appropriate consider- because they intentionally exceeded their ation and treatment of legitimate privacy-re- employer’s computer use rules. lated concerns.

Decisions in the Second, Fourth, and Ninth c. CFAA as RICO Predicate Circuit Courts of Appeals, however, have limited the defnition of “exceeds authorized As discussed in Chapter 3, the Racketeer access” in section 1030(e)(6) of the CFAA. Infuenced and Corrupt Organizations Act In United States v. Nosal, 676 F.3d 854 (9th (“RICO”) is an important prosecutorial tool Cir. 2012) (en banc), the Ninth Circuit held for charging organizations engaged in a pat- that an indictment did not state a violation tern of criminal activity because RICO vio- of the CFAA when it alleged that a former lations carry substantial sentencing penal- employee had asked current employees to ties as well as the ability for the government access information in a proprietary data- to seize assets of the criminal organization. base to aid him in starting a new frm. Te RICO requires proof of, among other things, company had computer policies that limited a pattern of “racketeering activity,” which is employee access to legitimate work purpos- defned as violations of two or more qualify- es. Although the employees’ eforts to access ing predicate criminal acts. information for the beneft of the former employee’s new frm violated the company’s Currently, computer fraud under the CFAA policies, the court held such an activity did does not qualify as a predicate act under the not violate federal criminal law. According RICO statute, whereas similar conduct, such to the Nosal court, the defnition of “exceeds as wire fraud and mail fraud, does qualify. authorized access” in section 1030(e)(6) “is Adding the CFAA as a predicate ofense for limited to violations of restrictions on access RICO purposes could increase our ability to to information, and not restrictions on its fght cybercrime and take down criminal or- u s e .” Id. at 863-64.12 ganizations engaged in such activities.

Such decisions have caused grave damage d. Combating Sextortion to the government’s ability to prosecute and protect against serious insider threats. If “Sextortion” and related ofenses are dis- the CFAA can be used only against outsid- cussed in Chapter 2. Although such conduct ers with no right at all to access computers, may implicate certain existing criminal laws, many insider threats—including those in the there are no federal criminal statutes specif- intelligence and law enforcement communi- ically addressing sextortion and non-con- ties with access to extremely sensitive infor- sensual pornography. Additionally, while mation—may go unpunished. Prosecutors stalking, , and harassment have should have adequate statutory authority to more commonly been dealt with by local law pursue insiders who abuse their computer enforcement or outside the criminal justice

122 LOOKING AHEAD system, the use of computers and mobile munications sent from computers running networks has turned many such crimes into Tor, and second, by allowing individuals to multi-jurisdictional and even multi-national operate websites on the Dark Web called Tor ofenses.13 Te increasingly expansive na- “Hidden Services” without divulging loca- ture of these crimes, in addition to the use tion information of the websites’ servers. of new technologies, may merit a federal re- sponse. New federal criminal ofenses spe- While sometimes used for innocuous and cifcally targeting sextortion and non-con- even benefcial purposes, the anonymity af- sensual pornography, as well as possible new forded by Tor also poses a unique and signif- sentencing enhancements for such ofenses icant threat to public safety. Te anonymiz- under existing authorities, could have merit. ing technology is efective, making it difcult to identify the physical location of dark mar- 3. Challenges in Connection with ket websites either to shut them down or to Other Legal Actions to Dismantling, identify who is administering them. Te re- Disrupting, and Deterring Malicious sult is that law enforcement investigators can Cyber Conduct observe and document the fact that disturb- ing criminal activity is occurring, but they As described in Chapter 3, in addition to tra- cannot use the sort of investigative steps that ditional investigation and prosecution, the ordinarily would allow them to determine Department has an array of other techniques who is perpetrating the crimes. and tools to dismantle, disrupt, and deter cy- ber threats, including a blend of civil, crim- Combating criminals’ abuse of Tor and their inal, and administrative powers. Te De- exploitation of dark markets requires a con- partment has employed these tools to disable certed efort. Te Department should work botnets, disrupt dark markets, and pursue with partners to develop new technological sanctions against specifed malicious actors. tools that will enable law enforcement to As with our investigation and prosecution identify the true location of Hidden Services activities, however, the Department needs websites engaged in criminal activity. Efec- additional tools and authorities to maximize tive development and use of these tools will efectiveness. enable law enforcement to locate and law- fully seize servers hosting such sites, and to Tackling Tor/Dark Markets identify the administrators, vendors, buyers, and participants who use them. In addition, Te Department cannot disrupt cyber activi- the federal government should carefully ty that it cannot fnd. Tis makes Tor and the evaluate its role in funding these anonymiz- existence of dark markets one of the greatest ing technologies, as currently the U.S. gov- impediments to our eforts. As discussed in ernment is the primary source of funding for detail in Chapter 2, Tor provides anonymi- , the organization responsible ty in two ways—frst, by anonymizing com- for maintaining the Tor sofware.

123 CYBER-DIGITAL TASK FORCE REPORT

Enhancing Our Ability to Disrupt Botnets Unfortunately, botnets can be and ofen are used for many other types of illegal activity On May 22, 2018, DHS and the Department beyond fraud or illegal wiretapping. As ex- of Commerce released a joint report titled, plained in Chapter 2, for example, malicious “A Report to the President on Enhancing the actors can employ botnets to steal sensitive Resilience of the Internet and Communica- corporate information, to harvest e-mail ac- tions Ecosystem Against Botnets and Other count addresses, to hack other computers, or Automated, Distributed Treats.”14 Te re- to execute DDoS attacks against websites or port encourages collaboration between the other computers. When these crimes do not government and private industry, recogniz- involve fraud or illegal wiretapping, courts ing that addressing the global botnet prob- may lack the statutory authority to issue an lem requires further discussions on market injunction to disrupt the botnet. Te De- incentives and on securing products at all partment should evaluate the merits of cre- stages of their life cycle. Te Department ating a more comprehensive authority for should play an active role in these eforts. courts to address all types of illegal botnets.

Despite being the principal law enforcement Advancing a CFAA Forfeiture Fix agency tasked with disrupting and disman- tling botnets, the Department’s current stat- As discussed in Chapter 3, the Department utory authority is limited. As it stands today, in recent years has regularly used civil for- the law gives federal courts the authority to feiture authorities to disrupt cybercriminal issue injunctions to stop the ongoing com- groups by seizing valuable assets such as mission of specifed fraud crimes or illegal computer servers and domain names used wiretapping through the use of botnets, by to operate botnets, as well as profts derived authorizing actions that prevent a continu- from illegal activity.15 Tese actions are per- ing and substantial injury. Te Department missible even when it is not yet possible to used this authority efectively in its success- arrest the ofenders. Expanding forfeiture au- ful disruption of the Corefood botnet in thority to CFAA ofences could enhance the 2011 and of the Gameover botnet in Department’s capacity to dismantle, disrupt, 2014. See Appendix 2. Because the criminals and deter cyber threats by targeting the in- behind these particular botnets used them to struments of, and profts from, cybercrime. intercept communications containing online fnancial account information and, with that Issues for Further Evaluation information, committed fraud, the existing law allowed us to obtain court authority to In addition to helping facilitate action on the disrupt the botnets by stopping the crimi- specifc recommendations made above and nals’ commands from reaching the infected elsewhere in this report, the Department computers. should initiate a deeper evaluation of sever- al key areas where strategic coordination is

124 LOOKING AHEAD especially important. Some of these evalu- dressing the complex issues raised by the ations are already underway; others will be legal and technical barriers that prevent law part of the Department’s ongoing eforts to enforcement from obtaining information in evaluate its authorities, practices, and re- electronic form is another Department pri- sources. ority. As discussed above, it is critical that the Department maintain the ability to iden- Te eight non-exclusive areas for deeper tify those who employ technology for illicit evaluation include: means and, with appropriate legal authority, to obtain evidence to bring criminals to jus- 1. Strengthening Our Own Defenses: tice. Te Department should continue to de- Consistent with the President’s May 2017 Ex- velop a framework to ensure that these pub- ecutive Order on Strengthening the Cyber- lic safety and national security objectives can security of Federal Networks and Critical In- be met even as encryption and anonymizing 16 frastructure, the Department is continually technologies continue to evolve. In addition, reassessing how best to defend its networks the Department should explore and, as ap- and reduce vulnerabilities. Te Department propriate, adopt new investigative methods should consider next steps and a longer-term to replace the investigative opportunities strategy to maintain the security of its own that have been lost. defenses. 4. Addressing Malign Foreign Infuence 2. Enhancing Efective Collaboration Operations: As discussed in Chapter 1, hos- with the Private Sector: Te Department’s tile foreign actors exploit the Internet and ability to work collaboratively and efective- social media platforms to conduct infuence ly with the private sector will continue to operations against our Nation, including by be one of the most critical elements of our spreading disinformation and propagan- strategy to fght cybercrime. In the coming da online on a scale greater than has ever months, the Department should engage in a been observed before. In addition to imple- more extensive evaluation of our work with menting the disclosure policy discussed in the private sector by seeking specifc input Chapter 1, the Department should consid- from private sector participants. Where ap- er additional ways to improve our ability to propriate, we will make recommendations respond to malign foreign infuence opera- to enhance these collaborative eforts, in- tions, including whether new criminal stat- cluding with regard to information-sharing, utes aimed directly at this threat are needed, threat and incident notifcation, data breach and whether there are new ways we can work notifcation standards, and frameworks for with the private sector in this area. Because joint disruptive eforts, such as botnet take- this problem requires a whole-of-govern- downs. ment solution, the Department should also consider how best to use existing or addi- 3. Addressing Encryption and Anonym- tional interagency coordination mechanisms ity (the Going Dark Array of Issues): Ad- to address the threat.

125 CYBER-DIGITAL TASK FORCE REPORT

5. Addressing the Global Nature of Cy- 7. Sharpening Departmental and Inter- ber-Enabled Crime: A hallmark of technol- agency Organization of Eforts to Fight Cy- ogy-enabled crime is that it increasingly cuts ber-Enabled Crime: Te Department’s cy- across international boundaries, even when ber-related mission requires efort and ex- less sophisticated actors are behind the mali- pertise from many components. Similarly, cious activity. As discussed above, the global the Department’s eforts make up just one nature of cybercrime carries with it numer- part of the U.S. government’s approach to ous impediments—both technological and cyber issues. As such, the Department must arising out of foreign laws and internation- continuously review its internal coordina- al agreements—to the Department’s ability tion approach and resources, as well as how to identify and locate malicious actors and it interacts with its interagency partners, to bring them to justice. Tese impediments determine if any improvements or adjust- bear no easy solutions and may only grow as ments are needed. Relatedly, the Depart- technology continues to evolve. Te Depart- ment should continue evaluating how most ment should continue evaluating this set of efectively to recruit and retain attorneys, challenges and make additional recommen- investigators, and professional staf with the dations to improve its global investigative necessary skills and mission-oriented mind- and prosecutorial reach. set to ensure it has the human capital it needs to confront evolving cyber threats. 6. Preparing for Emerging and Future Technology: Te technology behind current 8. Strengthening the Department’s Tools cyber-enabled threats will continue to evolve. and Authorities: Tis report has described Te Department must ensure that its contin- numerous additional recommendations to ued recalibration of eforts and resources not strengthen the Department’s tools and author- only aims at the major threats of today, but ities. Where such improvements are already also prepares it for the emerging threats of known, the Department should seek ways to tomorrow. Te Department should continue advance those improvements, including by to evaluate how its investigative and prosecu- seeking interagency approval to advocate for torial abilities can keep pace with, and even legislation, where appropriate. stay ahead of, the evolving technological threat. For example, the Department should In each of these key areas, the Department continue evaluating the emerging threats should not be merely reactive to known posed by rapidly developing cryptocurren- challenges and obstacles, but rather should cies that malicious cyber actors ofen use, pursue a strategic and forward-looking ap- and autonomous vehicle technology, which proach. has both ground and aerial applications (e.g., unmanned aircraf systems).

126 LOOKING AHEAD

NOTES

1 Challenges specifc to foreign infuence op- gress (June 28, 2018), available at: https://www. erations are discussed in detail in Chapter 1 and justice.gov/criminal-ccips/page/file/1075496/ so are not repeated here. download (last accessed June 29, 2018). To date, the Department is unaware of any claims that the 2 Te Digital Millennium Copyright Act, current security research exemption has thwart- codifed at 17 U.S.C. § 1201, prohibits the cir- ed or interfered with criminal investigations or cumvention of technological controls, such as prosecutions. encryption and password protocols, that protect copyrighted works. Section 1201 also includes a 5 Available at: https://www.justice.gov/ rulemaking process that recognizes that, in some sites/default/files/criminal-ccips/lega - cases, exceptions to the general prohibition may cy/2015/04/30/04272015reporting-cyber-inci- be justifed. Section 1201 requires the Copyright dents-fnal.pdf (last accessed June 29, 2018). Ofce to conduct a rulemaking every three years to evaluate proposed exemptions proposed by 6 See “Alabama Rolls with Tide as Last State the public to the anti-circumvention provision to Adapt Breach Notifcation Law,” Taf Stettin- and to recommend appropriate proposals for ius & Hollister LLP (Apr. 30, 2018), available at: adoption by the Librarian of Congress. Te ex- https://www.lexology.com/library/detail.aspx- emptions last only three years unless they are re- ?g=cc0e9bb3-fe24-4211-b9dc-1ffd350637f (last newed in a subsequent proceeding. accessed June 29, 2018).

3 Te last rulemaking process conducted in 7 “Presidential Memorandum on the Actions 2016 resulted, inter alia, in a three-year exemp- by the United States Related to the Section 301 tion for “security research” conducted on partic- Investigation,” The White Ho se (March 22, ular categories of devices, including machines 2018), available at: https://www.whitehouse. designed for use by individual consumers, mo- gov/presidential-actions/presidential-mem- torized land vehicles, and certain medical devic- orandum-actions-united-states-related-sec- es. Security research included “good faith testing tion-301-investigation/ (last accessed June 29, for and the identifcation, disclosure and correc- 2018). tion of malfunctions, security faws and vulnera- bilities in computer programs.” See generally U.S. 8 For example, due to such concerns, DHS in Copyright Office, “Section 1201 Rulemaking: September 2017 issued a directive requiring fed- Sixth Triennial Proceeding to Determine Ex- eral agencies to remove and discontinue use of emptions to the Prohibition on Circumvention,” antivirus sofware provided by Moscow-based (Oct. 2015), available at: https://www.copyright. . Several months later, Congress gov/1201/2015/registers-recommendation.pdf enacted a government-wide ban on Kaspersky (last accessed June 29, 2018). products and services that exceeded the scope of the DHS prohibition. Both measures came in 4 See John T. Lynch, Jr., Chief, Department of response to growing national security concerns Justice Computer Crime and Intellectual Proper- presented by the presence of Kaspersky products ty Section, to Regan Smith, General Counsel and on U.S. information systems. Kaspersky chal- Associate Register of Copyrights, Library of Con- lenged both measures in court, and both suits

127 CYBER-DIGITAL TASK FORCE REPORT were dismissed at the pleading stage. Litigation to access for any purpose which is located on a continues in the court of appeals. Also in 2017, computer that he is otherwise authorized to ac- Congress amended 10 U.S.C. § 491 to restrict cess”). Department of Defense procurement of certain telecommunications equipment or services with 13 For instance, a criminal in one State can particular Chinese or Russian origins. easily disseminate graphic images and person- ally-identifying information of his victim in an- 9 Accessing data is further complicated in other State or around the world. He can store the some circumstances by the lack of any uniform images and information on servers in unfriendly data retention standards or requirements for ser- foreign jurisdictions, using proxy technology to vice providers. Without such requirements, data conceal his true location. He can threaten and that is potentially critical to law enforcement extort the victim using end-to-end encrypted investigations is simply not retained or in some communication applications that store little or cases is not retained long enough to be useful. no information about subscribers. Without leav- ing home, the perpetrator can commit an elab- 10 Telephone toll billing records include the orate and hard-to-trace scheme using technolo- originating phone number, the phone number gy easily accessible to anyone. Worse, someone called, and the date, time, and length of the call. with no technical sophistication at all can hire ECTRs for e-mail show the sending e-mail ad- someone to do the harassment for him from a dress, the e-mail recipients, and the date, time, dark market online. and size of the e-mail message. 14 “A Report to the President on Enhancing 11 See, e.g., United States v. Forrester, 512 F.3d the Resilience of the Internet and Communi- 500, 510 (9th Cir. 2008) (holding that e-mail and cations Ecosystem Against Botnets and Other Internet users have no reasonable expectation of Automated, Distributed Treats,” U.S. Dept. of privacy in to/from addresses of their messages or Commerce & U.S. Dept. of Homeland Sec - in IP addresses of websites visited). rity (May 22, 2018), available at: https://www. commerce.gov/sites/commerce.gov/fles/media/ 12 See also WEC Carolina Energy Solutions files/2018/eo_13800_botnet_report_-_finalv2. LLC v. Miller, 687 F.3d 199, 207 (4th Cir. 2012) pdf (last accessed June 29, 2018). (“[W]e reject an interpretation of the CFAA that imposes liability on employees who violate a use 15 18 U.S.C. §§ 981-83. policy[.]”); United States v. Valle, 807 F.3d 508 511 (2d Cir. 2015) (an individual “‘exceeds au- 16 Exec. Order No. 13,800, 82 Fed. Reg. 22391 thorized access’ only when he obtains or alters (May 16, 2017). information that he does not have authorization

128

APPENDIX 1

131 CYBER-DIGITAL TASK FORCE REPORT

132 APPENDIX 2

Appendix 2 Recent Successful Botnet Disruptions

VPNFilter Kelihos In May 2018, the Department took steps to dis- On April 10, 2017, the Department announced rupt the operation of a global botnet of hun- an extensive efort to disrupt and dismantle the dreds of thousands of infected home and ofce Kelihos botnet—a global network of tens of thou- (“SOHO”) routers and other networked devices sands of computers infected with the Kelihos under the control of a group of actors known malware.3 Under the control of a cybercriminal, as the “Sofacy Group” (also known as “apt28,” Peter Levashov, that botnet facilitated a range of “sandworm,” “x-agent,” “pawn storm,” “fancy malicious activities, including harvesting login bear” and “sednit”).1 Te botnet, which the FBI credentials, distributing hundreds of millions and cybersecurity researchers called “VPNFil- of spam e-mails, and installing ransomware and ter,” targets SOHO routers and network-access other malicious sofware. Te enormous vol- storage devices. In order to identify infected de- ume of unsolicited spam e-mails sent by the bot- vices and facilitate their remediation, the U.S. At- net advertised counterfeit drugs, work-at-home torney’s Ofce for the Western District of Penn- scams, and a variety of other frauds, including sylvania applied for and obtained court orders deceptively promoted stocks in order to fraudu- authorizing the FBI to seize a domain that is part lently increase their price (so-called “pump-and- of the malware’s command-and-control infra- dump” stock fraud schemes). structure. Te FBI also put out a public service announcement urging individuals and organiza- To liberate the victim computers from the bot- tions to reset their routers.2 net, the Department obtained civil and criminal court orders that authorized measures to neu- Te cumulative efect of these actions would be tralize the Kelihos botnet by (1) seizing domain to purge parts of the malware from the routers names that the botnet used to communicate with that were reset, and to direct attempts by the the command-and-control servers, (2) establish- remaining malware to reinfect the device to an ing substitute servers that received the automated FBI-controlled server, which captured the Inter- requests for instructions so that infected comput- net Protocol (“IP”) address of infected devices. ers no longer communicated with the criminal A non-proft partner organization agreed to dis- operator, and (3) blocking any commands sent seminate the IP addresses to those who can assist from the criminal operator attempting to regain with remediating the botnet, including foreign control of the infected computers. As described CERTs and Internet service providers. in Chapter 3, Levashov was arrested in Spain and extradited to the U.S. to face justice. Although the devices would remain vulnerable to reinfection while connected to the Internet, Avalanche these eforts maximized opportunities to identi- fy and remediate the infection worldwide in the On November 30, 2016, the Department, in co- time available before Sofacy actors learned of the ordination with German state and federal police, vulnerability in their command-and-control in- , and various other countries and enti- frastructure. ties, conducted a takedown operation against

133 CYBER-DIGITAL TASK FORCE REPORT the Avalanche malware infrastructure. Tis Tis operation required an unprecedented level takedown led to the disabling of seven botnets of international coordination to seize, block, and that relied on this infrastructure and impacted sinkhole over 800,000 malicious domains associ- approximately 10 diferent malware families that ated with the Avalanche network. Tese domains had utilized the Avalanche network. had been used to send commands to infected devices, pass banking credentials to cyber crim- Te Avalanche network ofered cybercriminals inals, and obfuscate eforts by law enforcement a secure infrastructure, designed to stand in the to investigate this conspiracy. Te USAO for the way of detection by law enforcement and cyber Western District of Pennsylvania and the Com- security experts, over which the criminals con- puter Crime and Intellectual Property Section ducted malware campaigns as well as money obtained a temporary restraining order which laundering schemes known as “” greatly assisted in this efort. Te Department schemes. Access to the Avalanche network was continues to build on the success of this opera- ofered to the cybercriminals through postings tion, using information obtained through seized on exclusive underground online criminal fo- infrastructure to identify and arrest criminals re- rums. In these schemes, highly organized net- sponsible for the creation of the malware distrib- works of “mules” purchased goods with stolen uted via Avalanche. funds, enabling cybercriminals to launder the money they acquired through malware attacks Gameover Zeus & Cryptolocker or other illegal means. In 2014, the Department led a coalition of Te types of malware and money mule schemes nearly a dozen foreign countries and a group operating over this network varied. Ransomware, of elite computer security frms to disrupt and such as Nymain, encrypted victims’ computer dismantle the highly-sophisticated “Gameover fles until the victim paid a ransom (typically in Zeus botnet.”4 At its peak, that botnet consist- a form of electronic currency) to the cybercrim- ed of a global network of between 500,000 and inal. Other malware, such as GozNym, was de- 1 million computers infected malware that used signed to steal victims’ sensitive banking creden- to collect online fnancial ac- tials, which were directed through the intricate count information and, in turn, inficted more network of Avalanche servers to backend servers than $100 million of losses to individuals in the controlled by the cybercriminals and used to ini- United States. Te Gameover Zeus network tiate fraudulent wire transfers. was also used to spread the Cryptolocker ran- somware, which used cryptographic key pairs to encrypt the computer fles of its victims and Te Avalanche network, which had been operat- ofen lef victims with no choice but to pay hun- ing since at least 2010, was estimated to involve dreds of dollars to obtain the decryption keys hundreds of thousands of infected computers needed to unlock their fles. As of April 2014, worldwide. Te monetary losses associated with security researchers estimated that Cryptolocker malware attacks conducted over the Avalanche had infected more than 234,000 computers and, network were estimated to be in the hundreds according to one estimate, caused more than of millions of dollars worldwide, although exact $27 million in ransom payments in its frst two calculations are difcult due to the high number months in circulation. of malware families present on the network.

134 APPENDIX 2

To disrupt both the Gameover Zeus botnet and be controlled remotely to steal private personal the Cryptolocker malware, the Department de- and fnancial information from unsuspecting ployed a combination of criminal and civil tools computer users. Te botnet’s administrators, in available to law enforcement. As an initial mat- turn, used the stolen information for a variety of ter, a federal grand jury indicated a key admin- criminal purposes, including stealing funds from istrator of the botnet (Evgeniy Bogachev) with a the compromised accounts. In one example de- 14-count indictment, and the Department fled a scribed in court flings, for instance, Corefood separate civil injunction against Bogachev as the leveraged information gleaned through illegal leader of a tightly-knit gang of cyber criminals monitoring of Internet communications be- based in Russia and Ukraine responsible for both tween a user and the user’s bank to take over an the Gameover Zeus and Cryptolocker schemes. session and cause the fraudulent Further, as in Kelihos, the Department obtained transfer of funds to a foreign account. civil and criminal court orders authorizing mea- sures to redirect requests for instructions by Te Department employed a multi-prong en- computers victimized by the two schemes away forcement strategy to dismantle the Corefood from the criminal operators to substitute serv- botnet. It obtained search warrants to seize fve ers established pursuant to court order. Te FBI command-and-control servers that remotely was also authorized to obtain the IP addresses of controlled hundreds of thousands of infected the victim computers reaching out to the substi- computers, and a seizure warrant to secure 29 tute servers, and to provide that information to domain names that the botnet used to commu- DHS’s Computer Emergency Readiness Team nicate with the command-and-control servers. (US-CERT) to help victims remove the Game- Federal authorities also obtained a temporary over Zeus malware from their computers.5 restraining order that authorized the govern- ment to replace the illegal command-and-con- To identify servers as command-and-control trol servers with substitute servers. To prevent hubs for the Gameover Zeus botnet and Cryp- the defendants from reconstituting the botnet tolocker malware, and to subsequently facilitate through new servers, domains, and updated sof- victims’ eforts to remediate the damage to their ware, the TRO also authorized the government computers, the Department also enlisted the as- to respond to routine requests for direction from sistance of numerous computer security frms the infected computers in the United States with and leading universities. a command that temporarily stopped the Core- food malware from running on the infected Corefood computers. By limiting the defendants’ ability to control the botnet, computer security providers In 2011, the Department disrupted and disabled and victims were given the time and opportunity the decade-old “Corefood” botnet through a to remove the malware from infected comput- civil complaint, search warrants, a criminal sei- ers. Te Department also fled a civil complaint 6 zure warrant, and a temporary restraining order. against 13 “John Doe” defendants associated with the botnet. Tis botnet was a global network of 100,000 computers infected with a particularly harmful type of malware named Corefood, which could

135 CYBER-DIGITAL TASK FORCE REPORT

NOTES

1 Press Release, “Justice Department Announc- 4 Press Release, “U.S. Leads Multi-National Ac- es Actions to Disrupt Advanced Persistent Treat tion Against “Gameover Zeus” Botnet and “Cryp- 28 Botnet of Infected Routers and Network Stor- tolocker” Ransomware, Charges Botnet Admin- age Devices,” U.S. Dept. of Justice (May 23, istrator,” U.S. Dept. of Justice (June 2, 2014), 2018), available at: https://www.justice.gov/opa/ available at: https://www.justice.gov/opa/pr/ pr/justice-department-announces-actions-dis- us-leads-multi-national-action-against-game- rupt-advanced-persistent-threat-28-botnet-in- over-zeus-botnet-and--ransomware fected (last accessed June 29, 2018). (last accessed June 29, 2018).

2 Federal Bureau of Investigation, “For- 5 At no point during the operation did the FBI eign Cyber Actors Target Home and Ofce Rout- or law enforcement access the content of any of ers and Networked Devices Worldwide” (May the victims’ computers or electronic communi- 25, 2018), available at: https://www.ic3.gov/ cations. media/2018/180525.aspx (last accessed June 29, 2018). 6 Press Release, “Department of Justice Takes Action to Disable International Botnet,” U.S. 3 Press Release, “Justice Department An- Dept. of Justice (Apr. 13, 2011), available at: nounces Actions to Dismantle Kelihos Botnet,” https://www.justice.gov/opa/pr/department-jus- U.S. Dept. of Justice (Apr. 10, 2017), available tice-takes-action-disable-international-botnet at: https://www.justice.gov/opa/pr/justice-de- (last accessed June 29, 2018). partment-announces-actions-dismantle-keli- hos-botnet-0 (last accessed June 29, 2018).

136 APPENDIX 2

Appendix 3 Recent Successful Dar Web Disruptions

AlphaBay & sweep up all those new users who were displaced from AlphaBay and needed a new trading plat- On July 20, 2017, the Department announced the form. Te success of this joint operation stands seizure of AlphaBay, an online criminal market- out as yet another example of what international place that had operated for over two years on the law enforcement can accomplish when working dark web and facilitated the sale throughout the closely together to neutralize a cybercrime mar- world of deadly illegal drugs, stolen and fraudu- ketplace. lent identifcation documents and access devices, counterfeit goods, malware and other computer Silk Road hacking tools, frearms, and toxic chemicals. Around the time of its takedown, AlphaBay was In late 2013, the Department joined with various the largest criminal marketplace on the Inter- law enforcement partners across the government net. Indeed, prior to the site’s disruption, one to disrupt the hidden “Silk Road” website, and to AlphaBay staf member claimed that it serviced prosecute its creator and owner, Ross Ulbricht.1 over 200,000 users and 40,000 vendors. Alpha- Bay operated as a hidden service on the “Tor” For the two years leading up to the Department’s network, and used cryptocurrencies including actions, Silk Road stood out as the most sophisti- Bitcoin, Monero, and Ethereum in order to hide cated and extensive criminal marketplace on the the locations of its underlying servers and the Internet, serving as a sprawling black-market ba- identities of its administrators, moderators, and zaar where unlawful goods and services, includ- users. Based on law enforcement’s investigation ing illegal drugs of virtually all varieties, were of AlphaBay, authorities believe the site was also regularly bought and sold. At its height, several used to launder hundreds of millions of dollars thousand drug dealers and other unlawful ven- deriving from illegal transactions on the website. dors used the site to distribute hundreds of kilo- grams of illegal drugs and other unlawful goods Te operation to seize the AlphaBay site coin- and services to well over 100,000 buyers, and to cided with eforts by Dutch law enforcement to launder hundreds of millions of dollars deriving investigate and take down the Hansa Market, an- from these unlawful transactions. other prominent dark web market. Like Alpha- Bay, Hansa Market was used to facilitate the sale To remain outside the reach of law enforcement, of illegal drugs, toxic chemicals, malware, coun- Silk Road’s administrators anonymized the site’s terfeit identifcation documents, and illegal ser- transactions by operating it on the Tor network vices. To maximize the disruptive impact of the and including a Bitcoin-based payment system joint takedowns, Dutch authorities took covert designed to conceal its users’ identities and lo- control over the Hansa Market during the peri- cations. Despite these eforts, law enforcement od when AlphaBay was shutdown. Tat covert ultimately pierced Silk Road’s cloak of anonym- control not only allowed Dutch police to iden- ity and seized control of the website, its domain, tify and disrupt the regular criminal activity on its servers, and 29,655 Bitcoins residing on those Hansa, but then also allowed the authorities to servers (worth approximately $28 million at the

137 CYBER-DIGITAL TASK FORCE REPORT time of seizure). Te creator and administrator trators associated with these Dark Web markets of Silk Road, Ross Ulbricht, was also arrested were criminally prosecuted. and ultimately convicted of seven charges relat- ing to money laundering and computer hacking, Darkode among others, and sentenced to life in federal prison. Te government seized an additional On July 15, 2015, the Department announced 144,336 Bitcoins from Ulbricht’s computer hard the dismantling of a computer hacking forum drive (worth approximately $130 million at the known as “Darkode” as part of a coordinated law time of seizure). enforcement action across 20 countries that led to the search, arrest, or charging of 70 Darkode 3 Operation Onymous members and associates. Building on the success of the Silk Road take- At the time of its takedown, the Darkode forum down, in November 2014, U.S. and European represented a uniquely grave threat to the integ- authorities took joint action against the under- rity of data on computers because it provided a ground website known as “Silk Road 2.0,” as well platform where highly-sophisticated cybercrim- as dozens of additional dark market websites that inals congregated to buy, sell, and trade malware, were facilitating the sale of an astonishing range botnets, and PII used to steal from U.S. citi- of illegal goods and services on hidden services zens and individuals around the world. Before within the Tor network, including weapons, becoming a member of Darkode, prospective drugs, murder-for-hire services, stolen identif- members were allegedly vetted through a pro- cation data, money laundering, hacking services, cess in which an existing member invited a pro- and others.2 Silk Road 2.0 was created in Novem- spective member to the forum for the purpose of ber 2013 to fll the void lef by the government’s presenting the skills or products that he or she seizure of the Silk Road website in October 2013. could bring to the group. As part of Operation As with Silk Road, the Department used civil for- Shrouded Horizon, the FBI was able to disrupt feiture authorities to seize control over 400 Tor and dismantle Darkode by infltrating the fo- website addresses known as “.onion” addresses, rum’s membership. as well as the servers hosting them. Adminis-

138 APPENDIX 3

NOTES

1 Press Release, “Manhattan U.S. Attorney An- Conjunction with the Arrest of the Operator of nounces Seizure of Additional $28 Million Worth Silk Road 2.0,” Federal Bureau of Investiga- of Bitcoins Belonging to Ross William Ulbricht, tion (Nov. 7, 2014), available at: https://www. Alleged Owner and Operator of “Silk Road” fi.gov/contact-us/feld-ofces/newyork/news/ Website,” Federal Bureau of Investigation press-releases/dozens-of-online-dark-markets- (Oct. 25, 2013), available at: https://archives. seized-pursuant-to-forfeiture-complaint-filed- fbi.gov/archives/newyork/press-releases/2013/ in-manhattan-federal-court-in-conjunction- manhattan-u.s.-attorney-announces-sei- with-the-arrest-of-the-operator-of-silk-road-2.0 zure-of-additional-28-million-worth-of-bit- (last accessed June 29, 2018). coins-belonging-to-ross-william-ulbricht-al- leged-owner-and-operator-of-silk-road-website 3 Press Release, “Major Computing Hacking (last accessed June 29, 2018). Forum Dismantled,” U.S. Dept. of Justice (July 15, 2015), available at: https://www.justice.gov/ 2 Press Release, “Dozens of Online ‘Dark opa/pr/major-computer-hacking-forum-dis- Markets’ Seized Pursuant to Forfeiture Com- mantled (last accessed June 29, 2018). plaint Filed in Manhattan Federal Court in

139

APPENDIX 4

Appendix 4 Glossary of Key Terms

Acronym Meaning AECA Arms Export Control Act AUSA Assistant nited States Attorney BEC Business Email Compromise Boyusec Guangzhou Bo Yu Information Technology Company Limited C&C Command-and-Control C.F.R. Code of Federal Regulations C Command and Control CAATSA Countering America’s Adversaries Through Sanctions Act CAN-SPAM Controlling the Assault of Non- Solicited Pornography and Marketing CAT Cyber Action Team CCIPS Computer Crime and Intellectual Property Section CFAA Computer Fraud and Abuse Act CHIP Computer Hacking and Intellectual Property CFIUS Committee on Foreign Investment in the nited States CISO Chief Information Security Officer CLOUD Clarifying Lawful Overseas se of Data CNN Cable News Network CTF Cyber Task Force, Federal Bureau of Investigation DDoS Distributed Denial of Service DEA Drug Enforcement Administration DHS Department of Homeland Security DMCA Digital Millennium Copyright Act DOJ Department of Justice DSAC Domestic Security Alliance Council

141 CYBER-DIGITAL TASK FORCE REPORT

Acronym Meaning EAR Export Administration Regulations ECPA Electronic Communications Privacy Act ECTR Electronic Communication ransactional Record EEA Economic Espionage Act EOUSA Executive Office for United States Attorneys ESU Electronic Surveillance Unit FBI Federal Bureau of Investigation FinCE Financial Crimes Enforcement Network FISA Foreign Intelligence Surveillance Act FLASH FBI Liaison Alert System FSB Russian Federal Security Service GDPR General Data Protection Regulation HTOCU Hi- ech Organized Crime Unit IC3 he Internet Crime Complaint Center IEEPA International Emergency Economic Powers Act I TERPOL International Criminal Police Organization IoT Internet of hings IP (address) Internet Protocol IPR Intellectual Property Rights IRS Internal Revenue Service ISIL Islamic State of Iraq and the Levant ISP Internet Service Provider JAR Joint Analysis Report J-CODE Joint Criminal Opioid Darknet Enforcement JITs Joint Investigative eams JTA Joint echnical Advisory KAT Kickass orrents

142 APPENDIX 4

Acronym Meaning MLARS Money Laundering and Asset Recovery Section, Criminal ivision MLAT Mutual Legal Assistance Treaty MUCD Military Unit Cover esignator NCCIC National Cybersecurity and Communications Integration Center NCFTA National Cyber-Forensics and Training Alliance NCIJTF National Cyber Investigative Joint Task Force NDCAC National omestic Communications Assistance Center NIC National Initiative for Cybersecurity Education NITs Network Investigative Techniques NSCS National Security Cyber Specialists NSD National Security ivision NSL National Security Letter OFAC Office of Foreign Assets Control OIA Office of International Affairs, Criminal ivision OJT On the Job Training OL Office of Legal Education P2P Peer-to-Peer PII Personally Identifiable Information PINs Private Industry Notifications PLA People’s Liberation Army PPD Presidential Policy irective PRC People’s Republic of China PRTT Pen Register and Trap and Trace PSA Public Service Announcement RICO Racketeer Influenced and Corrupt Organizations Act ROB Rules of Behavior SCADA Supervisory Control and ata Acquisition

143 CYBER-DIGITAL TASK FORCE REPORT

Acronym Meaning SPE Sony Pictures Entertainment STSO Operational Support Unit (Drug Enforcement dministration) SUA Specified Unlawful ctivity Tor The Onion Router TRO Temporary Restraining Order USAO United States ttorney’s Office USNCB United States National Central Bureau (INTERPOL) US-CERT United States Computer Emergency Readiness Team USTR United States Trade Representative RRA Victims’ Rights and Restitution ct WTI Workforce Training Initiative

144