MICHAEL B. MUKASEY
I HAVE TO TELL YOU THAT I DRAFTED THESE REMARKS BEFORE I BECAME AWARE THAT CHAIRMAN ROGERS WOULD BE JOINING US TODAY, AND I CAN THINK OF NO BETTER EXAMPLE THAN MIKE ROGERS OF THE KIND OF PUBLIC FIGURE WE NEED TO HELP GET US SERIOUS ABOUT DEALING WITH CYBER THREATS.
THIS IS PROBABLY ABOUT THE FIFTH OR SIXTH CONFERENCE OF THIS SORT – DEVOTED TO ANALYZING CYBER THREATS AND STRATEGIES FOR MEETING THEM – THAT I HAVE ATTENDED SINCE I LEFT GOVERNMENT, EITHER AS A PARTICIPANT OR AS A SPECTATOR. OF COURSE, THAT DOES NOT COUNT THE TWO I ATTENDED WHILE I WAS ATTORNEY GENERAL, OR THE NUMEROUS MEETINGS I ATTENDED THAT WERE ADDRESSED TO THIS PROBLEM IN WHAT SEEMS THE BYGONE DAYS OF 2007-2009.
TO BE SURE, THERE HAVE BEEN SUCCESSES IN CRACKING THIS OR THAT CYBER ATTACK – SOME LAUNCHED DOMESTICALLY BUT MANY ORIGINATING ABROAD – AND EVEN ARRESTING SOME PERPETRATORS, USUALLY YOUTHFUL. WE HAVE COOPERATED ACROSS NATIONAL BOUNDARIES, THROUGH THE G-8 HIGH TECH CRIME GROUP, WHICH INCLUDES MORE THAN 50 COUNTRIES, AND PERHAPS EVEN MORE REMARKABLY ACROSS BUREAUCRATIC BOUNDARIES WITHIN THE GOVERNMENT, AND THERE HAS BEEN SOME COOPERATION BETWEEN THE PUBLIC AND PRIVATE SECTORS THROUGH A CYBER FUSION CENTER IN PENNSYLVANIA THAT BRINGS TOGETHER PRIVATE PARTIES AND GOVERNMENT INVESTIGATORS TO COLLABORATE IN SOLVING BREACHES AND DETECTING CYBER THREATS. HOWEVER, I THINK IT IS ALSO FAIR TO SAY WE ARE NO NEARER TO DEALING COMPREHENSIVELY WITH THE ISSUES PRESENTED BY THE DANGER OF UNAUTHORIZED ENTRY INTO AND USE OF OUR COMPUTER SYSTEMS THAN WE WERE A DECADE AGO.
THAT IS NOT TO SAY THAT THERE IS NECESSARILY A COMPREHENSIVE APPROACH THAT WOULD WORK – COMPREHENSIVE BEING ONE OF THOSE WORDS THAT OFTEN MAKES ME WISH I DID NOT LIVE IN A STATE WITH RESTRICTIVE GUN LAWS. AFTER ALL, WE HAVEN’T COME UP WITH A COMPREHENSIVE APPROACH TO CRIME, AND THAT HAS BEEN WITH US SINCE THE GARDEN OF EDEN.
BUT AT LEAST WE HAVE LAWS AGAINST CRIMES, AND AT LEAST A COMPREHENSIBLE IF NOT A COMPREHENSIVE WAY OF APPLYING THEM.
WE REALLY DON’T HAVE EITHER IN THE CYBER SPHERE.
THAT IS NOT TO SAY THAT WE ARE SHORT ON PRONOUNCEMENTS. BACK IN MAY 2011, THE WHITE HOUSE ISSUED A 25-PAGE DOCUMENT TITLED “INTERNATIONAL STRATEGY FOR CYBERSPACE,” AND SUBTITLED “PROSPERITY, SECURITY AND OPENNESS IN A NETWORKED WORLD.” I THINK PERHAPS A FURTHER SUBTITLE FOR THAT DOCUMENT, AFTER PROSPERITY, SECURITY AND OPENNESS, MIGHT BE “PICK TWO OUT OF THREE, SO LONG AS THE TWO AREN’T SECURITY AND OPENNESS.” THE DOCUMENT, ALTHOUGH IT IS ENTITLED A STRATEGY, REALLY DOESN’T PURPORT TO LAY OUT WAYS OF ACHIEVING THE DESIRABLE OUTCOMES ITS TITLE SUGGESTS. FOR EXAMPLE, A PAGE AND A HALF OF THE 25 PAGES ARE DEVOTED TO DEFENSE, WHICH IS SAID TO CONSIST OF DISSUADING AND DETERRING; DISSUADING IS ACHIEVED BY DEVELOPING STRENGTH AT HOME AND STRENGTH ABROAD; DETERRENCE BY HOLDING OUT TO CRIMINALS THE PROSPECT OF INVESTIGATION,
APPREHENSION AND PROSECUTION, AND TO LARGER SCALE HOSTILE ACTORS IN CYBERSPACE THE PROMISE THAT, “WHEN WARRANTED, THE UNITED STATES WILL RESPOND TO HOSTILE ACTS IN CYBERSPACE AS WE WOULD TO ANY OTHER THREAT TO OUR COUNTRY.” THE DOCUMENT THEN GOES ON TO LIST THE MEANS AS “DIPLOMATIC, INFORMATIONAL, MILITARY AND ECONOMIC” – WITH THE ASSURANCE THAT ALL OPTIONS WILL BE EXHAUSTED BEFORE RESORT TO MILITARY, THAT THE COSTS OF INACTION WILL BE WEIGHED AGAINST THE COSTS OF INACTION, AND THAT WHEN WE DO ACT IT WILL BE IN A WAY “THAT REFLECTS OUR VALUES AND STRENGTHENS OUR LEGITIMACY, SEEKING BROAD INTERNATIONAL SUPPORT WHENEVER POSSIBLE.”
IT SEEMS TO ME SMALL WONDER THAT AFTER THAT DOCUMENT WAS ISSUED IN MAY 2011, DEFENSE SECRETARY LEON PANETTA RECEIVED A LETTER IN JULY 2011, SIGNED BY BOTH THE CHAIRMAN AND THE RANKING MEMBER OF THE SENATE ARMED SERVICES COMMITTEE, REMINDING HIM OF HIS OBLIGATION UNDER EXISTING LAW TO ADDRESS AND DEFINE THE POLICIES AND LEGAL AUTHORITIES NECESSARY FOR THE PENTAGON TO OPERATE IN THE CYBERSPACE DOMAIN, AND SAYING THAT THAT OBLIGATION HAD NOT YET BEEN MET.
THERE HAVE BEEN ATTEMPTS AT MAKING THE ABSTRACT GOALS OF THE WHITE HOUSE PAPER CONCRETE, BUT NOT NOTICEABLY SUCCESSFUL ONES. IN 2012 THERE WERE ATTEMPTS TO EXPAND EXISTING LEGISLATION THAT CRIMINALIZES COMPUTER HACKING SO AS TO GIVE THE FEDERAL GOVERNMENT THE LEAD IN SETTING PERFORMANCE STANDARDS FOR PROTECTING SECTORS OF OUR INFRASTRUCTURE, TO TRY TO STRIKE A BALANCE BETWEEN SECURITY DEMANDS AND PRIVACY CONCERNS BY PROVIDING FOR INFORMATION SHARING BETWEEN THE FEDERAL GOVERNMENT AND THE PRIVATE SECTOR WITH LIABILITY PROTECTION FOR THOSE WHO DO SHARE SUCH INFORMATION, AND TO INCREASE PENALTIES FOR VIOLATION – ALL OF WHICH WENT DOWN IN FLAMES UNDER FIRE FROM BOTH THE RIGHT AND THE LEFT – INDEED, WENT DOWN TWICE IN THE SENATE.
IN THE PRIVATE SECTOR, THOSE WHO MAKE A LIVING FROM EXISTING LAWS, AND FROM SUCCESSFULLY EXTENDING THOSE LAWS TO FRONTIERS FOR WHICH THEY MAY OR MAY NOT BE SUITED, HAVE BEEN BUSILY AT WORK. CASES FILED IN THE WAKE OF DATA PENETRATIONS HAVE ESTABLISHED THAT IF A COMPANY IS ARGUABLY NEGLIGENT IN ITS DATA SECURITY POLICIES, AND A PLAINTIFF SUFFERED ACTUAL DAMAGES AS A RESULT OF A DATA BREACH – WHETHER FOR EXAMPLE AS A DIRECT RESULT OF IDENTITY THEFT, OR FROM HAVING TO TAKE STEPS TO AVOID SUCH THEFT WHEN THERE IS A CREDIBLE REASON TO FEAR THAT IT WILL HAPPEN – THE PLAINTIFF HAS A CLAIM. WHEN THE ISSUE OF IMPACT CAN BE PROVED ON A CLASS-WIDE BASIS WITHOUT THE NEED FOR INDIVIDUAL FACT INQUIRIES, THEN DATA BREACH CASES CAN BE MAINTAINED AS CLASS ACTIONS.
BUT WHEN SOMEONE HAS SIMPLY BEEN PUT IN FEAR BY THE PROSPECT OF A BREACH, AND EITHER NEGLIGENCE CANNOT BE CLEARLY SHOWN OR IMMINENT DAMAGE CANNOT BE MADE APPARENT, FOR EXAMPLE BECAUSE IT CAN RESULT ONLY FROM THE SPECULATIVE ACTIONS OF AN UNKNOWN THIRD PARTY, THEN SUCH ITEMS AS CREDIT MONITORING COSTS CANNOT BE RECOVERED.
JUST AS AN ASIDE, THERE ARE THOSE WHO THINK THAT THE SUPREME COURT DECISION RECENTLY IN CLAPPER v. AMNESTY INTERNATIONAL, WHICH HELD THAT FEAR OF PROSECUTION FOR MATERIAL SUPPORT OF A TERRORIST ORGANIZATION CANNOT CONFER STANDING TO SUE, SOMEHOW RAISES THE BAR EVEN FURTHER IN DATA BREACH CASES. I AM NOT AMONG THEM. I THINK THAT CASE IS FAIRLY EASILY CONFINED FOR POLICY REASONS TO THE NATIONAL SECURITY CATEGORY, AND IS UNLIKELY TO HAVE WIDER RAMIFICATIONS.
ARE WE NOTABLY FURTHER ALONG NOW THAN WE WERE TWO YEARS AGO WHEN THE LEADERSHIP OF THE SENATE ARMED SERVICES COMMITTEE FIGURATIVELY STAMPED THEIR BUSTER BROWNS ON THE SIDEWALK AND DEMANDED A CLEAR STATEMENT OF POLICIES AND LEGAL AUTHORITIES? OF COURSE, WE ARE TWO YEARS FURTHER ALONG, AND EVENTS HAVE A WAY OF NOT STOPPING WHETHER WE HAVE POLICIES IN PLACE TO MEET THEM OR NOT.
THE CHINESE ARE CONTINUING TO ENGAGE IN NOT ONLY ECONOMIC BUT ALSO PROPAGANDA AND EVEN MILITARY WARFARE OVER THE INTERNET. THEY HAVE HACKED INTO THE COMPUTERS NOT ONLY OF PRIVATE INDUSTRIAL CORPORATIONS IN SEARCH OF INFORMATION USEFUL TO THEM ECONOMICALLY, BUT ALSO INTO THE COMPUTERS OF JOURNALISTS AT THE NEW YORK TIMES AND THE WALL STREET JOURNAL IN SEARCH OF WHERE THOSE PUBLISHERS AND OTHERS ARE GETTING THEIR INFORMATION ABOUT CHINA, AND WHAT THAT INFORMATION IS, AND INTO THE COMPUTERS OF THE PENTAGON WHICH THEY BOMBARD BY THE TENS OF THOUSANDS OF TIMES EACH DAY.
RECENTLY, A COMPANY CALLED MANDIANT ISSUED A DETAILED REPORT WITH WHICH I AM SURE MANY OF YOU ARE FAMILIAR, THAT IDENTIFIES A PARTICULAR UNIT WITHIN THE PEOPLE’S LIBERATION ARMY – UNIT 61398, LOCATED NEAR SHANGHAI – AS AN ADVANCED PERSISTENT THREAT OF THE HIGHEST ORDER – APT1 – AND DESCRIBES ITS PROLIFIC CONDUCT FROM SERVERS IN 13 COUNTRIES THAT HAS MANAGED TO COMPROMISE MORE THAN 140 ORGANIZATIONS AND SHOWN THE ABILITY TO STEAL FROM DOZENS OF ORGANIZATIONS SIMULTANEOUSLY AND IN A COORDINATED WAY. FOR THOSE WHO HAVE NOT SEEN IT, I RECOMMEND LOOKING THROUGH IT, ALTHOUGH NOT IF YOU PLAN TO GO TO SLEEP SOON AFTERWARD.
WE HAVE ALSO SEEN OUR OWN GOVERNMENT REMARKABLY, PERHAPS IMPROVIDENTLY, TAKE AT LEAST PARTIAL CREDIT FOR INTRODUCING A COMPUTER VIRUS INTO THE URANIUM ENRICHMENT FACILITIES OF IRAN, WITH THE RESULT THAT CENTRIFUGES SPUN OUT OF CONTROL AND DESTRYED THEMSELVES EVEN AS THEIR COMPUTER MONITORS CONTINUED TO SHOW THAT THE CENTRIFUGES WERE OPERATING NORMALLY, NOTWITHSTANDING THAT WE HAVE ALSO TAKEN THE POSITION THAT IF ANY FOREIGN POWER ACTED IN THE CYBER DOMAIN IN A WAY THAT CAUSED PHYSICAL CONSEQUENCES, WE WOULD RESERVE THE RIGHT TO RESPOND WITH KINETIC FORCE.
WE HAVE ALSO DISCLOSED RECENTLY THAT THE DEFENSE DEPARTMENT WILL ADD 4,000 PEOPLE TO CYBER COMMAND, WHICH UNTIL THAT COHORT ARRIVES HAS FEWER THAN A THOUSAND, AND THAT THAT UNIT – CYBER COMMAND – WILL PICK UP A NATIONAL DEFENSE MISSION TO PROTECT CRITICAL INFRASTRUCTURE BY DISABLING WOULD-BE AGGRESSORS. AND THERE IS AS WELL A REPORT THAT THE ADMINISTRATION HAS DECIDED IT HAS THE RIGHT TO STRIKE FIRST WHEN IT PERCEIVES WHAT IT BELIEVES IS AN IMMINENT DANGER OF SERIOUS CYBERATTACK ON THIS COUNTRY. I WELCOME BOTH OF THESE STEPS. AS TO THE FIRST, I RECALL A MEETING WITH GENERAL ALEXANDER, WHO DIRECTS CYBER COMMAND, IN 2008, WHEN HE SAID THAT HIS MANDATE RAN TO THE DOT-MIL AND PERHAPS TO THE DOT-GOV SEGMENTS OF THE INTERNET, AND THAT WHEN HE SAW A THREAT TO THE DOT COM PORTION HE THOUGHT HE HAD LITTLE AUTHORITY TO DO MORE THAN SAY – TO HIMSELF AND OTHERS IN THE ROOM – OUCH, THIS IS GOING TO BE A BAD ONE.
IT EVEN GOT TO THE POINT WHERE SOME COMMENTATORS WERE SUGGESTING THAT THE GOVERNMENT CREATE A SECURE, CLOSED INTERNET FOR THOSE AGENCIES AND FUNCTIONS WITH NATIONAL SECURITY RAMIFICATIONS – SORT OF AN INTERNET IN THE FASHION OF A HOSPITAL BED WITH SIDE RAILS — AND LEAVE THE REST FOR THE FACEBOOK AND TWITTER ENTHUSIASTS. I THINK THE IMPRACTICALITY OF SEPARATING EVEN MILITARY AND GOVERNMENTAL, LET ALONE CIVILIAN SITES LIKE UTILITIES AND UNIVERSITIES, MADE IT APPARENT THAT THAT DOG SIMPLY WON’T HUNT.
AS I SAID, THE ADMINISTRATION’S MORE FORWARD-LEANING VIEW OF HOW IT MUST DEAL WITH CYBER THREATS IS A WELCOME CHANGE. BUT EVEN AS WE APPLAUD IT, WE SHOULD BE AWARE OF THE DANGER, AS WAS POINTED OUT BY GENERAL HAYDEN IN AN ENORMOUSLY PERCEPTIVE ARTICLE, THAT WE ARE BACKING INTO A SITUATION NOT UNLIKE WHERE WE STAND IN SOME WAYS IN THE WAR ON TERROR. JUST THE WAY WE KEEP GETTING WRAPPED AROUND THE AXLE IN TRYING TO DECIDE WHERE AND HOW TO TRY TERRORISTS, AND ARE UNWILLING TO TAKE ANY NEWLY CAPTURED ONES TO GUANTANAMO, AND ARE TORN BETWEEN CIVILIAN COURTS AND MILITARY COMMISSIONS, AND CANNOT BRING OURSELVES TO DEVELOP A COHERENT STRATEGY FOR CAPTURING AND INTERROGATING SUSPECTS, BUT SEEM TO HAVE HAD LITTLE HESITATION IN LAUNCHING LETHAL DRONE STRIKES, WHICH ARE MUCH NEATER AND DO NOT PRESENT THE NASTY PROBLEM OF WHERE AND UNDER WHAT CONDITIONS AND FOR HOW LONG TO CONFINE SOMEONE, OR WHETHER OR NOT TO TRY THEM AND IF SO IN WHICH JURISDICTION, SO TOO IN THE CYBER REALM WE HAD, AS I SAID, TWO PROPOSALS FOR GIVING COHERENCE TO THE GOVERNMENT’S APPROACH DEFEATED UNDER ATTACK FROM BOTH THE RIGHT AND THE LEFT.
A PROPOSAL FOR SHARING OF INFORMATION BETWEEN THE PRIVATE SECTOR AND THE NATIONAL SECURITY AGENCY WAS NOT EVEN CONSIDERED, AND IN ANY EVENT FACED THE THREAT OF A PRESIDENTIAL VETO IF IT PASSED.
THE NATIONAL SECURITY AGENCY AND CYBER COMMAND, BOTH HEADQUARTERED AT FORT MEADE, CERTAINLY COULD WORK OUT A COHERENT ROLE FOR BOTH IN SETTING STANDARDS FOR DOMESTIC NETWORKS AND POLICING THEM, BUT PEOPLE RUNNING AROUND IN FRIGHT-WIGS CONJURING IMAGES OF BIG BROTHER PREVENT THAT FROM HAPPENING.
I LIKE TO THINK I AM AS PROTECTIVE OF MY ACTUAL PRIVACY AS THE NEXT FELLOW, BUT I RECOGNIZE THAT WHENEVER I VENTURE ON THE INTERNET TO LOOK AT SOMETHING, OR ORDER SOMETHING, OR COMMUNICATE SOMETHING, NOTE IS TAKEN SOMEWHERE AND MY ACT FREQUENTLY GENERATES IF NOTHING ELSE AT LEAST AN INVITATION TO LOOK AT OR BUY SIMILAR THINGS. ALL OF THIS IS FAIRLY HARMLESS; IT IS GENERATED NOT BY PEOPLE SITTING IN OFFICES CONDUCTING SURVEILLANCE OF ME, BUT BY ELECTRONS. SO WHAT!
OUR RESPONSES TO CYBER THREATS, WHETHER THOSE THREATS ARE REALIZED IN ACTUAL ATTACKS OR NOT, WILL BE GOVERNED BY THE SAME GENERAL RULES OF ENGAGEMENT THAT APPLY TO THE USE OF CONVENTIONAL FORCE – IS THE USE OF FORCE NECESSARY; IS IT PARTICULAR TO THE REALIZED OR POTENTIAL THREAT; IS IT PROPORTIONAL – AND THESE STANDARDS MAY EVEN BE POSSIBLE TO MAINTAIN IN THE CYBER DOMAIN, ALTHOUGH I WOULD SUGGEST THAT THE SHUTTING DOWN OF AN ELECTRICAL SYSTEM THAT SERVED A MILITARY TARGET BUT THAT ALSO SERVED A CIVILIAN HOSPITAL WOULD PRESENT DIFFICULT ISSUES, BUT WE WANT TO BE ABLE TO DO MORE THAN RESPOND TO ACTUAL OR POTENTIAL THREATS.
IN ORDER TO BUILD A ROBUST SYSTEM THAT CAN DISCLOSE AND DISCOURAGE THREATS, OR MAYBE EVEN AVOID THEM ENTIRELY, WE NEED A FRANK CONVERSATION ABOUT WHAT THE GOVERNMENT CAN AND CAN’T DO. AND SINCE PROACTIVE MEASURES ARE PRETTY MUCH OFF LIMITS FOR THE PRIVATE SECTOR, IN PART BECAUSE OF THE DIFFICULTY OF DETECTING THE SOURCE OF ATTACKS AND THREATS AND IN PART BECAUSE ANYONE WHO CONSIDERS LAUNCHING EVEN WHAT LOOKS LIKE A JUSTIFIED COUNTERMEASURE IS AT RISK OF VIOLATING THE LAW HIMSELF. THE DANGER AND THE DISORDER OF THE CYBER DOMAIN HAS CAUSED IT TO BE DESCRIBED FREQUENTLY AS THE WILD WEST, BUT AT LEAST IN THE WILD WEST THE GOOD GUYS COULD ALSO CARRY GUNS.
IT SEEMS THAT THE TIME IS OVERDUE TO GET A SHERIFF AND AN AUTHORIZED POSSE, AND MAYBE EVEN A SCHOOL MARM OR TWO TO TEACH US THE RULES.
THANK YOU VERY MUCH.