Source: United States Attorneys General 13
Remarks as Prepared for Delivery
My name is David Newman, and I serve as the Principal Deputy Assistant Attorney General for the National Security Division (NSD). It’s an honor to be here with such a distinguished crowd.
Before we begin the fireside chat, I want to spend a few minutes highlighting ways we at the Department – and we in NSD – are innovating to address national security cyber threats.
Role of the National Security Division
First, some very brief history. Congress created NSD in the aftermath of the September 11th terrorist attacks with a mission to unify the Justice Department’s national security work.
The vision was to bring together the prosecutors in the Counterterrorism and Counterespionage Sections – which were each separate parts of the Criminal Division – under the same leadership that oversaw the Justice Department lawyers who worked with the Intelligence Community (IC) on obtaining surveillance authorizations.
NSD’s original mandate was to take down unnecessary silos that separated law enforcement and intelligence professionals and to ensure the Justice Department uses the full range of our authorities to disrupt threats.
For the first decade of NSD’s existence, our principal focus was on confronting the threat of international terrorism. We needed to change our mindset to become more threat-driven. Even as hundreds of individuals were convicted of terrorism or terrorism-related crimes in federal courts in the decade after 9/11, we knew that the measure of success was not a conviction but a stopped plot – the imperative to detect and disrupt a terrorist attack before it occurs.
Today, there remains no greater priority for the Justice Department than international terrorism – as the horrific October 7th attacks remind us. But the national security threat landscape is more complex and varied. And NSD’s work has evolved to reflect the threat from capable nation-state adversaries.
This is especially true when it comes to national security cyber threats.
We have all seen the concerning trend lines: Hostile adversaries are conducting cyber operations with alarming scale, speed, and sophistication. Cyber has become the vector of choice for hostile nation-states seeking to steal our most sensitive technologies, to exert foreign malign influence and project messages of repression at diaspora communities, and to compromise critical infrastructure.
The list of capable adversaries engaging in such activity is by no means limited to China and Russia. Iran and Iranian-backed proxies engage in a broad array of sophisticated cyber activities both to generate revenue and to advance operations. The DPRK engages in sophisticated crypto-heists and IT worker schemes to fund its nuclear program and authoritarian agenda. And we are seeing increasing use of cryptocurrency from international terrorist groups to advance plots.
National Security Cyber Section
Just as the cyber threat has evolved, the National Security Division and the work of the Justice Department has evolved to meet it. And we’ve tried to draw on our terrorism roots to do so.
It may surprise some here to learn that up until last year, there was no one section at the Justice Department dedicated to going after national security cyber threats. Instead, within NSD that work was housed in CES – our Counterintelligence and Export Control Section – whose mission also focuses on counterintelligence, sanctions and export enforcement, and countering foreign malign influence.
The number of national security prosecutors who specialized in cyber cases was in the single digits.
One of the key takeaways from a department-wide cyber review released by Deputy Attorney General Monaco in 2022 was that the Justice Department needed to scale up substantially in this space.
The theory was simple: Disrupting cyber-enabled threats requires prosecutors with dedicated time, strong partnerships, and increasingly specialized expertise. And we need more prosecutorial horsepower to achieve the ambitious disruption goals in the National Cybersecurity Strategy.
That’s why the Department last summer established the National Security Cyber Section – or “NatSec Cyber” – within NSD. This new section – the first new enforcement section in NSD’s history – puts cyber on an equal footing with counterterrorism and traditional counterespionage threats.
Within the Justice Department, NatSec Cyber is a critical resource and force multiplier for prosecutors in the 94 U.S. Attorneys’ Offices and 56 FBI field offices throughout the country. Prosecutors and agents in the field are on the front lines confronting the cyber threats in their districts. NatSec Cyber enables us to partner with the field to respond swiftly to highly technical cyber threats and to serve as an incubator for cases that are too sprawling or nascent for any one office to handle.
NatSec Cyber is also a way to align the Justice Department’s own structure so that it better matches that of our key U.S. government and international partners, many of whom have dedicated cyber units and workforces.
Cyber Actions/Disruptions
But, obviously, changes to the organizational chart are the means and not the ends. So, let me give a few concrete examples of the type of work we are accelerating.
First, our focus is on disrupting illegal cyber activity before it can cause harm and threaten national security. Drawing from our CT playbook, it’s a threat-driven and victim-centered approach.
While we always look to make arrests where possible, our law enforcement disruptions can take many forms. That’s a matter of necessity because many of our investigative cyber targets — particularly in the national security and ransomware space — are protected by hostile governments such as Russia and Iran. In some cases, we know they receive such protection in exchange for being “on call” for their local military or intelligence services.
So how is law enforcement disrupting actors outside the context of criminal charges and arrests? Most prominently, we are emphasizing court-authorized technical operations to, at scale, curtail and even at times eradicate the infrastructure these bad actors are using against us, including infrastructure in the homeland outside the authorities of other U.S. departments and agencies.
Not long ago, such law enforcement disruption operations occurred at most once per year. But, so far this year, the Department has already announced three significant such operations, two of which were spearheaded by NSD, alongside our U.S. Attorney’s Office and FBI partners.
First, in January, we announced a court-authorized takedown of what was referred to as the “KV botnet.” That was a botnet of hundreds of U.S.-based small office/home office (SOHO) routers hijacked by People’s Republic of China (PRC) state-sponsored hackers known as “Volt Typhoon.” The hackers used this botnet to conceal the PRC origin of further hacking activities directed against U.S. and other foreign victims, including a campaign targeting critical infrastructure organizations in the U.S. and elsewhere. Using one of our age-old investigative tools, a Rule 41 search and seizure warrant, we deleted Volt Typhoon’s malware and took steps to sever the routers from the botnet.
Second, in February, we announced a court-authorized operation that neutralized another network of SOHO routers that had been compromised by the Russian GRU. These routers were being used to launch cyberattacks against the United States and our allies, including Ukraine. Again, using a Rule 41 search warrant, we were able to delete stolen and malicious data from the compromised routers and block the Russian actors from gaining further access to them.
Finally, also in February, our colleagues in the Criminal Division – critical partners in this work – spearheaded their own disruption operation against Lockbit, one of the most prolific ransomware groups menacing the private sector.
It deserves emphasizing that this is a team sport: Even as the operations relied on Justice Department legal process, we are often not alone in planning or executing them. We are almost always joined by a coalition of U.S. government, private sector, and foreign partners in this work.
In disrupting the GRU botnet, for example, we planned and coordinated with the Shadowserver Foundation, Microsoft, and other private sector partners. Shortly after we announced the operation, the FBI, NSA, Cyber Command, and 11 foreign partner entities released a joint cybersecurity advisory providing device owners and network defenders with valuable threat intelligence about the GRU’s relevant tactics, techniques, and procedures. Many of these same partners provided invaluable assistance in eradicating portions of the botnet within their borders.
Of course, technical disruptions represent just one aspect of our work.
We also use the criminal justice system to identify and attribute malicious activity – and to impose consequences on actors who may be specifically deterred even when foreign governments cannot.
When the Justice Department returns public charges against a malicious cyber actor, we are telling the world that we stand ready to prove the allegations in our case beyond a reasonable doubt with public evidence. We send a clear message about what conduct the U.S. government believes is so out of bounds that it is deserving of criminal punishment even when committed by overseas actors.
This public attribution enables us to galvanize international support. A good recent example is the indictment unsealed a few weeks ago in the Eastern District of New York. That indictment charged seven PRC nationals who were members of a group called APT31 with engaging in a 14-year cyber campaign targeting U.S. and foreign businesses, political officials, and critics of the PRC.
APT31’s targets included individuals working at the White House, elsewhere in the Executive Branch, and U.S. Senators and Representatives of both parties. The indictment noted that the actors gathered information that could have been – even if it wasn’t – released in influence operations in connection with previous U.S. elections.
The indictment, in turn, enabled the U.S. government to express common cause with 17 countries in Europe and Asia who, on the same day the indictment was unsealed, made public statements condemning APT31’s targeting of democratic institutions and political processes across the world.
Disruptive Technology Strike Force
In addition to going after the cyber actors themselves, the Justice Department is also redoubling our efforts to go to the source – the cutting-edge technology that enables these threats.
Last year, the Department stood up the Disruptive Technology Strike Force, an interagency enforcement team co-led by NSD and the Commerce Department’s Bureau of Industry and Security. The Strike Force was created to counter efforts by authoritarian governments to acquire sensitive technologies, including the technology that enables advanced computing and autonomous vehicle capabilities – such as semiconductors and microelectronics.
The Strike Force brings together the collective power of law enforcement agencies to pursue enforcement actions against those who would violate export control and trade secrets laws to acquire sensitive U.S. technology. We’ve created 15 enforcement teams made up of federal prosecutors and agents strategically located across the country where there is a strong tech industry presence or heavy commercial trade – including in San Francisco, Phoenix, Miami, and Boston.
This collaboration is generating tangible results. In less than a year, the Strike Force has announced 16 criminal prosecutions charging actors in the United States and abroad with procuring microelectronics on behalf of the Russian war effort, software engineers with stealing source code and other proprietary information to take to China, and buyers working on behalf of the Iranian regime with seeking to illicitly acquire UAV and ballistic missile technology.
The Strike Force’s cases include protecting technology that can be used for cyber-related malign activity, including AI – which is an area of focus of this work. Last May, for example, we announced charges against a former employee at Apple who allegedly stole large quantities of data related to the company’s self-driving car technology before decamping to a subsidiary of a Chinese company working to develop the same technology.
Just last month, we announced the arrest of a software engineer at Google who allegedly stole over 500 confidential files from the company. The stolen information included details about the hardware infrastructure and software platform used in Google’s advanced supercomputing data centers. About the same time the defendant was allegedly stealing the information, he was secretly working with two China-based tech companies, including an AI-focused company he founded.
Data Security Executive Order
We know that the cyber threats we face will increasingly be generated by AI technology – and that technology will, in turn, be powered by bulk data sets on Americans.
Bulk data about an American’s finances, for example, can be mined for leverage for coercion, blackmail, and espionage. And adversaries can use geolocation data and other information to identify U.S. government personnel based on travel patterns and meeting activities.
As a U.S. government, we devote extensive resources to preventing adversaries from obtaining sensitive data through illegal means – including cyber espionage and insider threats. But for too long, no federal law prohibited adversaries from simply buying this bulk data from data brokers and others who sell it on the internet. That was perfectly legal.
That began to change in February when the President signed a groundbreaking Executive Order giving the Justice Department targeted new authority to prohibit or restrict foreign adversaries from acquiring Americans’ most sensitive personal data.
This Executive Order protects seven categories of Americans’ sensitive data that pose the greatest risk. This includes genomic data and biometric data, such as fingerprints and keyboard usage patterns, geolocation information and personal identifiers, and personal health and financial data.
NSD has been delegated the primary responsibility for implementing and enforcing this new program for the Department. We are upping our staffing and resources significantly so that we can carry out this responsibility as we move through the rulemaking process.
Conclusion
This is just a sampling of the work that we are doing on the cyber front, which also includes our sanctions and corporate enforcement work. And you can expect more of this type of innovation in the coming years. Thank you again for having me. I look forward to our discussion.