As many of you have no doubt seen, the Justice Department recently released the report of the Attorney General’s Cyber Digital Task Force, a body the Attorney General had created in February. In the report, the Task Force, chaired by Deputy Attorney General Rod Rosenstein, seeks to answer the question: “How is the Department responding to cyber threats?” On the off chance that you’re not dying to read all 144 pages, we have provided a short summary and a couple of takeaways below.
The report focuses primarily on DOJ’s efforts in the cyber realm, rather than issues of cyber-crime in the larger world. Not surprisingly, it first turns its attention to what it calls “countering malign foreign influence operations,” in other words, attacks by foreign actors on American democratic institutions. Among other things, it notes the unprecedented nature of foreign interference in our 2016 elections, and the intelligence community’s assessment that Russia views the upcoming midterm elections as a potential target. In its second chapter, the DOJ report focuses on the types of cyber-attacks, dividing them into five categories:
- Damage to computer systems, including Distributed Denial of Service (DDoS), ransomware, and destructive attacks;
- Data Theft, including theft of personally identifying information (PII), and of intellectual property;
- Fraud/Carding Schemes, including Ponzi schemes, and fraudulent requests for transfers of money or donations;
- Cyber-enabled crimes threatening personal privacy, including sextortion, stalking and harassment, and doxxing, among others; and
- Cyber-enabled crimes threatening critical infrastructure, such as attacks on Supervisory Control and Data Acquisition (“SCADA”) systems for industrial control facilities.
The chapter reviews the various methods used to accomplish these types of attacks, including social engineering such as phishing, malware, and botnets. Chapter three focuses on DOJ’s techniques for pursuing cyber criminals, including evidence collection, reconnaissance, obtaining records from ISPs, electronic surveillance and online undercover work. It makes special note of the use of cryptocurrencies by many cyber criminals, as well as the advent of the new CLOUD Act to permit the government to obtain data stored overseas by American companies, among other provisions. Chapter four turns to DOJ’s relationship with the private sector. Focusing on the sharing of information, it discusses the various reports that DOJ and FBI put out regularly to educate companies about threats, as well as targeted sharing of threat information with specific sectors, the FBI’s semi-annual Chief Information Security Officers (CISO) Academy, aimed at critical infrastructure CISOs, and a variety of alliances and sharing organizations that DOJ has created to communicate cyber information better with key industrial sectors.
After spending chapter 5 on internal issues such as training and hiring, the report concludes by looking to the future. Among other things, it discusses the need to work better with the private sector to prevent and respond to cyber incidents, the need to review procedures for victim notification in cyber cases, a new focus on technology transfer through CFIUS and other controls, taking advantage of the new CLOUD Act to access data abroad, the effect of GDPR on the ability to identify malicious actors, and law enforcement’s increasing inability to access encrypted devices and communications (known as the “going dark” issue).
Putting it Into Practice: The 144-page report spends much of its time on internal governmental issues, and foreign policy issues that don’t directly affect the private sector. But it contains important signs that DOJ intends both to get more aggressive in pursuing data stored and protected by the systems of private companies and to share what it knows to try to help those companies protect themselves.