Combatting Evolving Cyber Threats: Leading with Disruption

Posted in Presentations

Cyber threats are not just a risk to the businesses they attack directly; they are increasingly a tool for autocracies and a threat to our collective security. Over the last two years, the Justice Department has pivoted in its approach to cyber threats, teaming up with partners of all stripes to prioritize near-term disruptions and victim protection. How is it working and where do we go from here?

Video Transcript

   >> ANNOUNCER:  Please welcome U.S. Deputy Attorney General, Lisa Monaco, and the first Director of the Cybersecurity and Infrastructure Security Agency, Chris Krebs.


   >> CHRIS KREBS:  All right. Well, good afternoon, everyone.


   >> LISA MONACO:  Good afternoon.


   >> CHRIS KREBS:  Madam Deputy Attorney General.


   >> LISA MONACO:  How about Lisa? How about we do that?


   >> CHRIS KREBS:  Lisa, okay. Thanks for joining me up here today. I think we are the last – last window here in the afternoon, the opening day of RSA Conference. So, this is going to be fun. We get to spice it up a little bit maybe.


   >> LISA MONACO:  Yep. We know we are standing between you and the reception, so.


   >> CHRIS KREBS:  So, you have a storied history and career here in cybersecurity and technology, former Homeland Security advisor to the president, counterterrorism, national security roles within the Department of Justice, you led data security and privacy practice at a big law firm. And now you are the DAG.


   >> LISA MONACO:  It's a good acronym, the DAG.


   >> CHRIS KREBS:  It is a good one. But enough about you. Let's talk about me for a minute. So, as Director of CISA from 2017 to 2020, it feels like I presided over an escalation in the threat landscape. We saw ransomware take off, in part due to the availability of cryptocurrencies and then, of course, Russia being a safe haven.


   And one of my frustrations at the time or the things I was concerned about was were we being proactive and disruptive enough. And then lo and behold, just like it seems every first year of a new administration, the threat landscape spikes in 2017. We had WannaCry and NotPetya and Bad Rabbit. Then you had Hafnium and the summer with JBS and Colonial.


   But it seems that there's been an intentional shift in the philosophy and the approach from the Department of Justice and the administration at large. Can you tell us a little bit? Am I seeing things right? And what is it with this evolution of approach by the department?


   >> LISA MONACO:  Well, you are right and you are seeing it right. And thanks for noticing. Because we did take a very intentional approach to shift our orientation. And, you know, when I left my role as Homeland Security and Counterterrorism Advisor to President Obama, I was spending more and more time during the president's daily briefing, the morning briefing, every morning meeting with the President, with the National Security Advisor, with the DNI. I started that job focusing on terrorism threats. Ended that job spending the majority of my time in the Oval Office with him focusing on cyber threats. But I was focused in particular on nation-state actors, Russia, China, Iran, North Korea.


   So, I come back in this current job and, for sure, those nation-state actors are still causing trouble all around the globe using cyber as a tool of geopolitical one-upmanship. But what I see is something also different, which is joining forces with criminal groups, criminal actors, and a lot of whom are featuring in the attacks that you just mentioned.


   So, we took a hard look in the Justice Department and said, how can we maximize our tools and what we can bring to this fight from a Justice Department perspective? We did a whole comprehensive cyber review and a few things came out of that.


   One was we needed to change our orientation. We needed to pivot to disruption and prevention and make that our focus. And then the other issue was we needed to put victims at the center of our approach. And you saw us do that with the Colonial Pipeline response. We used very old and familiar tools like a forfeiture warrant, legal authorities, to go after, follow that money through the blockchain, and seize it back and give it back to the victim. But we only could do that because Colonial came forward.


   And time and time again, we are able to take that disruptive action, take that preventative action because the victims work with us.


   So, the direction we have given to our prosecutors and investigators is, you got to have a bias towards action to disrupt and prevent, to minimize that harm if it's ongoing, to disrupt it, and take that action to prevent the next victim. And doing so will not always yield a prosecution. It's tough for a prosecutor to say that's fine, right? We are not measuring our success only with courtroom action or courtroom victories. This is about preventing and disrupting and putting the victims at the center.


   >> CHRIS KREBS:  Let's drill down into this strategy a little bit. Two specific cases that I have found quite interesting in 2021, we had the Hafnium operation, which was Chinese operatives, threat actors exploiting a Microsoft Exchange vulnerability. Followed the next year by the disruption of the Cyclops Blink botnet, all based on an update to the Federal Rules of Civil Procedure that allowed you to go get a court order to access a victim's machine and remove malware. So, novel application of a new authority that frankly, in 2016, 2017, there were some concerns about the privacy risks here.


   So, talk to me a little bit about how you see this new approach and where does DOJ then fit into the proactive defense in enhancement of the nation cybersecurity?


   >> LISA MONACO:  So, we want to be part of it, right? We want to work hand in glove with the private sector to give as much information as we can about what we are seeing to alert folks, which is what we did in the Hafnium case. But then when entities don't take as much kind of self-remedial action as maybe we would like them to or as maybe they should, we are going to take action. We are going to do so in a surgical and safe way and we are going to do so in consultation with the private sector, as we did with Microsoft and Hafnium, and we are going to do so pursuant to court process. And you saw us also do that in the Cyclops Blink operation and that was an operation that really exemplified this pivot towards prevention.


   So, we saw the GRU, Russia's Military Intelligence Operation, taking over a zombie group of computers here in the United States. We worked with our international partners, we worked with WatchGuard, whose devices were compromised. We used legal process to access that infrastructure, to delete that malware, and importantly, close those backdoors. And we did it all before the GRU could act to activate that botnet.


   Now, do we know what they precisely were going to do? Was it espionage, was it intel collection, was it a destructive attack against us, our allies, Ukraine? The point is we were able to act safely in consultation with the private sector before that botnet could be activated, and that was all about taking preventative action.


   >> CHRIS KREBS:  That specific disruption of Cyclops Blink is, I think, one of the success stories that the U.S. and other allies have taken around the Russian invasion of Ukraine. We have Cyber Command and some of the defend forward, hunt forward operations in Ukraine that I frankly don't think DOJ has gotten enough kind of credit or at least attention about, and how that could be used going forward.


   Shifting gears a little bit here. So, former national security or National Cyber Director Chris Inglis was always keen to talk about cybersecurity as a team sport. Jen Easterly, of course, is the director, talks about it the same way.


   This is a community of private sector defenders, academics, researchers, government defenders, it's a big tent. This is really the full cross section and spectrum of the cybersecurity community.


   At CISA, our authorities were primarily of the partnership nature. I mean really, the essence of CISA distills down to public/private partnerships in working together with industry. DOJ, the FBI obviously have a different set of authorities organically and originally, and yet, partnerships are part of your secret sauce as well with InfraGard, the FBI CISO Academy, all these things.


   How do you think about the partnership aspect of the mission set and how that ties into what DOJ sees as success in the cybersecurity mission?


   >> LISA MONACO:  So, two things here. One is absolutely, partnership has always been critical. But it has to be more than just kind of passive, kind of outreach entities. We’ve got to be willing to really put our tools on the table to kind of let folks into the tent, help them see what we are seeing, and then work together to take that action, right?


   So, a true partnership means you are working hand in glove, not let me kind of meet with you, you know, once or twice a year and promise some more products, right?


   So, what you have seen us do is really try and walk the walk, right? So, I mentioned the Colonial Pipeline attack. And what we did there was, and frankly, Colonial made a really brave decision to come forward to work with us. Kaseya also, similar situation. They made a tough decision in probably their darkest hour to come forward, to work with us. And the pitch I make is do that because, frankly, it's good for business, and you see that in the return of the ransomware payment, and I think it's good for America, because you are helping us prevent that next attack.


   What we have tried to do is operationally work as much as possible with the victims to say, we are in this together, right? This should not be an adversarial thing. We are in this together. That's why you saw us in the Hive operation. Literally, no arrests made there, which, you know, in days gone by, that might have been heresy. We are going to do this operation but there's not going to be a prosecution at the end of the day. But what we did there was use our legal authorities, get into that network, top five ransomware network, right, and patiently laid in wait in a 21st Century cyber stakeout really, watched what was going on, took those – swiped those decrypter keys, and gave them to the victims, preventing, I think, over $130 million in ransomware payments that didn't get made because those systems didn't get locked up. And doing more and more of that is what we are all about, because we have to send the message that we cannot get after this threat if we are not working together.


   >> CHRIS KREBS:  So, I feel the compulsion right now to make a public service announcement even though I'm not in the public sector anymore. Please, for the love of God, do not bake in the assumption into your playbook for a ransomware event that the FBI or the DOJ are going to claw back your ransomware payment. That should not be part of your playbook.


   All right. I am going to test you a little bit here.


   >> LISA MONACO:  Okay.


   >> CHRIS KREBS:  Because you just – you are really stressing the need to work together, the partnership model. And yet here we are in San Francisco, the home of the prosecution of former Uber Chief Security Officer Joe Sullivan. There's a lot of agitation, I think, there's a lot of concern in the cybersecurity community that perhaps you have broken the trust, that we have undermined the trust between the FBI and the department with the cybersecurity community.


   Are you worried that something has been lost here and that the next time a bug bounty payment comes in, maybe they are not going to call you?


   >> LISA MONACO:  Well, first, thanks for raising it and allowing me to try and, kind of, rebut a little bit of what I think is a misperception out there.


   So, Joe Sullivan went to trial, which was his right, was convicted at trial of obstruction of an FTC proceeding, and of misprision of a felony, which means basically, seeing and being knowledgeable about a felony that is conducted by others. Those were intentional acts as was proved at trial and as the jury found. Very, very different from and not a mistake made by a CISO or a compliance officer in the heat of a very stressful time.


   So, this was intentional activity, misleading the FTC, and other intentional conduct found by the jury, very, very different and nothing to do with a well-meaning and, you know, stressful work that all CISOs and compliance officers have to deal with in the heat of, kind of, you know, the worst day of their lives if they are undergoing a breach.


   So, I really want to stress, this was intentional conduct as was found by the jury. The sentencing will be next week. But our message is we are working in partnership with the CISOs, with the compliance officers, and we need that partnership and we need to make sure that that trust is not broken. So, thanks for letting me address that.


   >> CHRIS KREBS:  Yeah, and I think as you mentioned, the sentencing is May 4th. There's more to come here.


   >> LISA MONACO:  Yep.


   >> CHRIS KREBS:  Right?


   >> LISA MONACO:  Yep.


   >> CHRIS KREBS:  All right. So, as you mentioned, we are the last thing between happy hour and the crowd here. So, maybe we will close out here and bring this one home. And this is more of a forward looking question.


   So, new emerging threats. A bunch of the opening keynotes mentioned ChatGPT and AI and other kind of over the horizon threats. If not already here.


   >> LISA MONACO:  Yep.


   >> CHRIS KREBS:  So, what should our audience be thinking about from a next generation threat, cybersecurity risk, and emerging technologies? And what is DOJ doing to counter those threats?


   >> LISA MONACO:  So, we are very, very focused on what the adversary, what nation-states are doing to acquire, to use and abuse what we are calling disruptive technologies, meaning innovations that really will be the game changers and create the next generation of military intelligence and indeed, national security advancement by those countries and those nation-state adversaries.


   What we are seeing is an increasing effort by nation-states to project power at home and abroad. And doing so with technology to repress their people, to intimidate others. We are seeing it in their foreign investment decisions, where they are no longer going after the bricks and mortar assets, but now the assets that they are going after are the datasets, the algorithms, the software, right?


   And we are seeing it in the efforts to evade our sanctions regimes, to violate export controls, to go after that disruptive technology so that they can add it to their competitive advantage.


   And so, what we have done is we looked at that threat space and saw this as a basically, a threat vector crossing the information space, crossing the economic battle space, and the difference maker here is nation states going after that disruptive technology.


   So, we brought our expertise together from across the Justice Department, paired it up with our colleagues at the Department of Commerce, working also with Department of Homeland Security and others to say what can we do to get after this challenge?


   So, we launched, in February, the Disruptive Technology Strike Force. So, this is bringing our enforcement tools along with the Department of Commerce's enforcement tools and their administrative and regulatory tools and being very data driven and intel led.


   So, we have got fourteen strike forces now all around the country, one right here in San Francisco, which I have met with recently. And a cell back in Washington that is using all-source intelligence to try and understand what is going to be the next target for those adversary actors.


   >> CHRIS KREBS:  My takeaway from that is that everyone here in this audience is part of the national security mission.


   >> LISA MONACO:  Absolutely.


   >> CHRIS KREBS:  We are seeing this collision of geopolitical threat and technology risks colliding probably at a pace faster than any time at least in my lifetime. And I think that's the main takeaway. As we walk out of here, you're part of something much larger. There's a public service mission here, there's a national security mission. So, first, thanks to everybody for showing up tonight – this afternoon rather – and hearing you talk. And I want to thank you for your time this afternoon.


   >> LISA MONACO:  Thank you for having me.


   >> CHRIS KREBS:  And thank you for your service.


   >> LISA MONACO:  Thanks very much. Thank you.

Chris Krebs
Chief Intelligence and Public Policy Officer, SentinelOne

Lisa Monaco
Deputy Attorney General, U.S. Justice Department