×

Exclusive: Department of Justice’s Rod Rosenstein Speaks at the Cambridge Cyber Summit Today

WHEN: Today, Wednesday, October 4th

Following is the unofficial transcript of a presentation with Rod Rosenstein, Deputy Attorney General, Department of Justice, live from the Cambridge Cyber Summit hosted by CNBC and The Aspen Institute on Wednesday, October 4th.

Mandatory credit: The Cambridge Cyber Summit hosted by CNBC and The Aspen Institute.

ROD ROSENSTEIN: Thank you very much. Good afternoon. It's a privilege for me to be here, among many of our nation's leading policymakers and corporate executives. I want to share some thoughts with you, but I'm reminded of a story of a young school boy who was asked to describe Socrates. He wrote: Socrates walked around giving people advice. They poisoned him.

[LAUGHTER ]

I hope to avoid the same fate, but at risk of causing offense, I want to speak to you today about three issues: First, the scope of the cybersecurity threat that confronts our nation; second, the challenges that we face encountering that threat; and, third, the ways that law enforcement can help before, during and after a cyber incident.

First, let me discuss the scope of the threat. The fact that so many of you have important responsibilities are here with us today demonstrates how critical cybersecurity has become. It tends to quantify just how big a problem we face, very widely. But everyone agrees that it's significant and that it's growing.

One estimate of the annual cost of global cyber crime predicts a doubling, from $3 trillion in 2015 to $6 trillion in 2021. Those numbers are staggering. But recent public events demonstrate the types of problems that we're facing.

Right now we're dealing with one of the largest breaches ever of a private company holding sensitive financial data. Public reports indicate more than 145 million people may have been affected. That would equate to one of every two Americans, and foreigners were affected as well.

According to the victim of the attack, hackers may have accessed names, Social Security numbers, birth dates, addresses, and driver's license information as well as credit cart numbers, for hundreds of thousands of U.S. consumers; basically everything that a criminal would need to steal a person's identity.

This breach is similar to thousands of others. Financially motivated criminals target American businesses. If you think it won't happen to your company, you are probably wrong. A private report put the risk of suffering in material data breach at better than one in four, and those odds continue to rise.

Mass data breaches can be extremely costly to victims. Reports peg the average cost of the data breach at over $3.6 million, but, of course, that's just an average. One large retailer reported spending $291 million for expenses related to just one attack on its network. In some cases, smaller businesses declare bankruptcy after a breach.

According to published reports, one major web service provider suffered a breach that affected every one of its 3 billion user accounts. Even if your company does not hold large quantities of financial information, it almost certainly has valuable intellectual property on its computer system.

The Justice Department has indicted foreign cyber criminals that have broken into systems in the United States looking to steal the ideas that make our nation strong and competitive in the marketplace. The issue is so important that it has become the subject of agreements among the world's major nations. G20 leaders agreed in 2015 that no country could steal trade secrets or other confidential business information with the intent of advantaging its companies or commercial sectors.

One of the cases that we prosecuted involved the theft of technology that caused $800 million in losses. That's more than ten times the largest bank robbery. Breaches that target financial data and intellectual property are serious concerns. Protecting Americans' data is not the only thing that we're worried about. Cyber criminals know that many companies cannot do business without access to the networks. As a result, a new business model for cyber crime has been developed.

Ransomware is now a global phenomenon. The FBI estimates that ransomware affected more than 100,000 computers a day around the world over the past year. That number continues to grow. Ransom payments are approaching a billion dollars annually.

Attacks used to be indiscriminate, scattershot attacks, perhaps to squeeze a few hundred dollars from anyone who happened to be affected. But today we see more sophisticated attacks that are targeted to particular businesses or sectors.

Even if you do everything right and your systems are impregnable, still not necessarily safe. Attackers have used distributed denial service attacks to go after everything from banks and critical internet infrastructure. While the Internet of Things exponentially increases the number of devices connected to the networks that we use every day, those devices, too, can be used against us. Computer disruptions do more than simply grind businesses to a halt. They can endanger lives. Given MRI machines and ventilators, they run software that is connected to networks and, therefore, vulnerable to attack.

Individual efforts, while very important, simply are not enough. Law enforcement is an essential part of combating cyber threats. Disrupting and deterring the next attack is far more effective than trying to merely avoid being the next victim.

That brings me to what the Department of Justice is doing about the cyber threat.

Federal law enforcement focuses primarily on transnational organized cyber criminals. And we've had significant successes. Earlier this year, we dismantled the largest dark market, AlphaBay. It operated for more than two years and was used to sell a host of illicit items, including deadly drugs, stolen and foreign identification documents, counterfeit goods, malware and other computer-hacking tools, firearms and even toxic chemicals.

Also, this year we worked with foreign authorities to arrest the alleged creator of Elios botnet. Over several years that network was used to steal log-in credentials, distribute hundreds of millions of spam emails and install ransomware and other malicious software across the globe. And we dismantled that pernicious network of tens of thousands of infected computers.

Some of the criminals that we pursue are acting at the behest or for the benefit of foreign governments. In March we indicted four defendants, including two officers of the Russian State Security Service. They're charged with stealing information from at least 500 million email accounts, conducting economic espionage, and engaging other criminal offenses in connection with a years' long conspiracy to access a major web service provider's network and the content of their email accounts.

In the past few weeks, our government announced significant actions to deter and punish Iranians who use cyberspace to imperil our national security. Drawing on the Justice Department's criminal investigation, Treasury Department sanctioned seven hackers and their Revolutionary Guard-affiliated employers for attacking the global financial system. The Justice Department also unsealed charges against other Iranian nationals, accusing them of stealing software and selling it to Iranian military and government entities. Some of that software had military applications and was export controlled in the U.S.

So 2017 has been a very busy year for the Department of Justice in the fight against cyber crime.

But those successes do not come easily. We face significant challenges. But for one thing, foreign governments use computer intrusions and attacks to invest their foreign policy goals, often at the expense of American companies and individuals. The federal government is not the only target of malicious state-sponsored activity. And that activity has included damaging cyber attacks, cost millions of dollars to repair. Not merely the theft of data, targeting of private citizens and companies by foreign governments is especially disturbing.

Another disturbing trend that helps explain why data breaches continue to occur is the growth of dark markets that facilitate all matter of crime, from narcotics trafficking, to illegal firearm sales, to identity theft, child exploitation, and computer hacking.

Even an unskilled hacker can purchase malware. Almost the entire supply chain for cyber crime can be outsourced, from the coding of malware, to the products that help malware evade security software, to the ultimate delivery of the malware.

Dark markets continue to support the sale of data after its stolen by others and use it to perpetrate fraud. Criminals then are able to launder their ill-gotten gains through networks available on those same dark markets. We have to do more to stop dark markets if we want to disrupt sophisticated underground economy that ports transnational organized crime.

Dark markets are one of the worst examples of a broader problem that we know is going dark. Increasingly, technology frustrates the traditional law enforcement efforts to collect evidence that's needed to protect public safety and solve crimes. For example, many instant messaging services now encrypt their messages by default, thereby blocking the police from reading those messages, even if an impartial judge authorizes their interception.

Or to take another important example, for years companies that make smartphones maintain the ability to access data stored on those phones when ordered by a court to do so. But some of those companies made a conscious decision to engineer away that critical capability.

Now, encryption is a valuable tool. It's the foundational element of data security and authentication. It is essential to the growth and flourishing of the digital economy. We in law enforcement have no desire to undermine encryption. But the advent of warrant-proof encryption is a serious problem. It threatens to destabilize the balance between privacy and security that has existed for two centuries.

Our society has never had a system where evidence of criminal wrongdoing was totally impervious to detection, even when officers obtained a court-authorized warrant. But that's the world that is being created. Companies create jobs that add valuable products and innovate in amazing ways. But in a democratic society, the decision to reset a constitutional balance should include review by the citizens and their elected representatives. People should understand the consequences of warrant-proof security. We should have a candid public debate about the pros and cons of allowing companies to create lock boxes that cannot be opened by police and judges.

I encourage you all to think broadly about your company's interest in this area, not only in how to secure your data, but also whether the means of doing so can prevent you from seeing what's happening on your networks and preclude law enforcement from effectively protecting you and your data. Security is not necessarily binary. It may not be either absolutely secure or hopelessly insecure. We can have managed security that permits fair and effective enforcement of laws, rather than absolute black box security that conceals criminal activity.

Finally, let me turn to how law enforcement can help. Despite all our tools and relationships and efforts, some companies are still reluctant to report cyber incidents to law enforcement. When deciding whether to notify law enforcement about a cyber incident or whether to cooperate fully in an investigation, organizations weigh the anticipated benefits of a proactive approach against the legal, business, reputational and other practical concerns. I know there are many considerations in making those decisions. I want to emphasize to you how important it is to report cyber incidents as quickly as possible.

Law enforcement provides many benefits to victims of cyber intrusions and attacks. We can help you understand what happened, we can share context and information about related incidents and malware, or by helping you shore up your defenses should the actors return. We can ensure proper investigation and preservation of evidence. We can inform regulators about your cooperation, and we are uniquely situated to prevent -- to pursue the perpetrators through criminal investigation and prosecution. And in appropriate cases that involve overseas actors, we can also pursue economic sanctions, diplomatic pressure and intelligence operations ourselves.

Let me address one myth in particular. It is not pointless to report cyber crime. Law enforcement has tools that are not available to the private sector to investigate crime, and we strive to work cooperatively with the victim companies to ensure they aren't further victimized. We also maintain relationships throughout the world that will help us find perpetrators and hold them accountable.

And even then, we may be unable to arrest or prosecute hackers. We leverage our investigations by supporting the tools of other agencies, many of which can reach beyond our borders. When you are up against the military or intelligence services of a foreign nation state, you should have our government in your corner.

Before I conclude, I would offer a concrete recommendation that you can take back to your colleagues. Software and hardware vulnerabilities are one means by which your networks are compromised. Finding and eradicating those vulnerabilities is an important aspect of cybersecurity. All companies should seriously consider promulgating a vulnerability disclosure policy. That is, a public invitation for white hat researchers to report vulnerabilities found on your system. Many organizations find that the value you can gain from crowdsourcing research of vulnerabilities in a controlled way is well worth it. The Department of Defense runs a program like that, and it's been very successful in finding and solving problems before they turn into crimes.

Within the Department of Justice, our criminal division's cybersecurity unit recently put out a paper to help companies think through creating such a program. It's available on our website, and I encourage you to ask your team to look at that document and consider implementing its suggestion.

Before I conclude, I want to thank you for your attention. My job here is to talk, and yours is to listen. And I want to finish my job before you finish your job and stay within my allotted time.

Let me close by saying that I thank you very much for having me, and I thank you for your commitment to cybersecurity. I've enjoyed the opportunity to talk with many of you earlier this morning. We can maximize our security only if we work cooperatively together. You have my commitment that the Department of Justice will work with you to achieve that end.

And I hope that we can count on all of you to do the same. Thank you very much.

[APPLAUSE]

About CNBC:

With CNBC in the U.S., CNBC in Asia Pacific, CNBC in Europe, Middle East and Africa, and CNBC World, CNBC is the recognized world leader in business news and provides real-time financial market coverage and business information to more than 409 million homes worldwide, including more than 91 million households in the United States and Canada. CNBC also provides daily business updates to 400 million households across China. The network's 15 live hours a day of business programming in North America (weekdays from 4:00 a.m. - 7:00 p.m. ET) is produced at CNBC's global headquarters in Englewood Cliffs, N.J., and includes reports from CNBC News bureaus worldwide. CNBC at night features a mix of new reality programming, CNBC's highly successful series produced exclusively for CNBC and a number of distinctive in-house documentaries.

CNBC also has a vast portfolio of digital products which deliver real-time financial market news and information across a variety of platforms including: CNBC.com; CNBC PRO, the premium, integrated desktop/mobile service that provides live access to CNBC programming, exclusive video content and global market data and analysis; a suite of CNBC mobile products including the CNBC Apps for iOS, Android and Windows devices; and additional products such as the CNBC App for the Apple Watch and Apple TV.

Members of the media can receive more information about CNBC and its programming on the NBCUniversal Media Village Web site at http://www.nbcumv.com/programming/cnbc.

For more information about NBCUniversal, please visit http://www.NBCUniversal.com.