
U.S. Department of Justice

REPORT OF THE ATTORNEY GENERAL'S CYBER-DIGITAL TASK FORCE

United States Department of Justice
Office of the Deputy Attorney General
Cyber-Digital Task Force
950 Pennsylvania Avenue, N.W.
Washington, D.C. 20530
https://www.justice.gov/cyberreport

Table of Contents

Letter from the Deputy Attorney General .......................................... i
Attorney General's Cyber-Digital Task Force .................................... vii
Introduction ................................................................... xi
Chapter 1: Countering Malign Foreign Influence Operations ....................... 1
Chapter 2: Categorizing Sophisticated Cyber Schemes ............................ 23
Chapter 3: Detecting, Deterring, and Disrupting Cyber Threats .................. 49
Chapter 4: Responding to Cyber Incidents ....................................... 83
Chapter 5: Training and Managing Our Workforce ................................. 95
Chapter 6: Looking Ahead ...................................................... 109
Appendices
Appendix 1: Memorandum Establishing the Task Force ............................ 131
Appendix 2: Recent Successful Botnet Disruptions .............................. 133
Appendix 3: Recent Successful Dark Web Disruptions ............................ 137
Appendix 4: Glossary of Key Terms ............................................. 141


ATTORNEY GENERAL’S CYBER-DIGITAL TASK FORCE

Task Force Members

Sujit Raman, Chair
Associate Deputy Attorney General, Office of the Deputy Attorney General

John P. Cronan
Assistant Attorney General (Acting), Criminal Division

Andrew E. Lelling
United States Attorney, District of Massachusetts

John C. Demers
Assistant Attorney General, National Security Division

David T. Resch
Executive Assistant Director, Federal Bureau of Investigation

Carl Ghattas
Executive Assistant Director, Federal Bureau of Investigation

Beth A. Williams
Assistant Attorney General, Office of Legal Policy

John M. Gore
Assistant Attorney General (Acting), Civil Rights Division

Peter A. Winn
Chief Privacy & Civil Liberties Officer (Acting); Director, Office of Privacy & Civil Liberties
CYBER-DIGITAL TASK FORCE REPORT

Task Force Contributors

Matthew J. Sheehan
Counsel to the Deputy Attorney General
Staff Director

Elizabeth Aloi
Leonard Bailey
Michael F. Buchwald
Mark Champoux
Thomas Dettore
Richard Downing
Benjamin Fitzpatrick
Lindsey Freeman
Tashina Gauhar
Josh Goldfoot
Bonnie Greenberg
Brendan Groves
Aarash Haghighat
William Hall
Christopher Hardee
Adam Hickey
Ray Hulser
Anitha Ibrahim
Matthew Kluge
John T. Lynch, Jr.
Katrina Mulligan
Sean Newell
Erica O'Neil
Richard Pilger
Jason Poole
Andrew Proia
Kimberley Raleigh
Peter Roman
Opher Shweiki
Michael Stawasz
Andrew Warden
J. Brad Wiegmann
Cory Wilson

And representatives from:

Bureau of Alcohol, Tobacco, Firearms, and Explosives Office of Strategic Intelligence & Information
Drug Enforcement Administration Office of Investigative Technology
Federal Bureau of Investigation Counterintelligence Division
Federal Bureau of Investigation Counterterrorism Division
Federal Bureau of Investigation Criminal Investigative Division
Federal Bureau of Investigation Cyber Division
Federal Bureau of Investigation Digital Transformation Office
Federal Bureau of Investigation Information Technology Branch
Federal Bureau of Investigation Office of Private Sector
Federal Bureau of Investigation Office of the Chief Information Officer
Federal Bureau of Investigation Office of the Director
Federal Bureau of Investigation Office of the General Counsel
Federal Bureau of Investigation Operational Technology Division
INTERPOL Washington, the U.S. National Central Bureau
Justice Management Division Office of the Chief Information Officer/
Cybersecurity Services Staff
United States Marshals Service Investigative Operations Division
United States Marshals Service Judicial Security Division


Introduction
Cyber-enabled attacks are exacting an enormous toll on American businesses, government agencies, and families. Computer intrusions, cybercrime schemes, and the covert misuse of digital infrastructure have bankrupted firms, destroyed billions of dollars in investments, and helped hostile foreign governments launch influence operations designed to undermine fundamental American institutions.

The Department of Justice's primary mission is to keep the American people safe. We play a critical role in the federal government's shared effort to combat malicious, cyber-enabled threats.

In February 2018, the Attorney General established a Cyber-Digital Task Force within the Department and directed the Task Force to answer two basic, foundational questions: How is the Department responding to cyber threats? And how can federal law enforcement more effectively accomplish its mission in this important and rapidly evolving area?

This report addresses the first question. It begins by focusing on one of the most pressing cyber-enabled threats our Nation faces: the threat posed by malign foreign influence operations. Chapter 1 explains what foreign influence operations are, and how hostile foreign actors have used these operations to target our Nation's democratic processes, including our elections. This chapter concludes by describing the Department's protective efforts with respect to the upcoming 2018 midterm elections, and announces a new Department policy—grounded in our longstanding principles of political neutrality, adherence to the rule of law, and safeguarding the public trust—that governs the disclosure of foreign influence operations.

Chapters 2 and 3 discuss other cyber-enabled threats our Nation faces, particularly those connected with cybercrimes. These chapters describe the resources the Department is deploying to confront those threats, and how our efforts further the rule of law in this country and around the world. Chapter 4 focuses on a critical aspect of the Department's mission, in which the Federal Bureau of Investigation plays a lead role: responding to cyber incidents. Chapter 5 then turns the lens inward, focusing on the Department's efforts to recruit and train our own personnel on cyber matters. Finally, the report concludes in Chapter 6 with thoughts and observations about certain priority policy matters, and charts a path


for the Task Force's future work. Over the next few months, the Department will build upon this initial report's findings, and will provide recommendations to the Attorney General for how the Department can even more efficiently manage the growing global cyber challenge.

The Department's Cyber Mission

Computer intrusions and attacks are crimes, and the Department of Justice fights crime. That is true regardless of whether the criminal is a transnational organized crime group, a lone hacker, or an officer of a foreign military or intelligence organization. In addition, the Department has unique and indispensable cybersecurity roles in the realm of foreign intelligence and counterintelligence.

In fighting criminal computer intrusions and attacks, the Department identifies, dismantles, and disrupts cyber threats. In doing so, we provide justice to victims and deter others from committing similar offenses. To fulfill our mission, we deploy criminal justice and intelligence tools to find malicious hackers, arrest them, incarcerate them, and require them to pay restitution to their victims. We shut down the dark markets criminals depend upon to buy and sell stolen information. We deprive criminals of the tools and services they use to attack American families and businesses. Working with private sector partners, we seek to deny foreign governments the infrastructure they would use to conduct illegal influence operations. We seize or disable the servers, domain names, and other infrastructure that transnational criminals rely upon to penetrate our borders. We use legal authorities to take control of virtual infrastructure—such as networks of compromised computers called "botnets"—to prevent future victimization. We share information gathered during our investigations to help victims protect themselves. And we do all of these things to fight modern threats while remaining faithful to our Nation's respect for personal freedom, civil liberties, and the rule of law.

Where appropriate, we also work closely with our interagency partners to support financial, diplomatic, and military measures to bring all possible instruments of national power to bear against cyber threats. Other departments have the primary responsibility for helping victims recover from cyberattacks; we have the primary responsibility for conducting the investigation into who is responsible. We do not have the federal government lead for assisting election officials in securing their systems, but we do have the primary responsibility for investigating our foreign adversaries' efforts to target election infrastructure.

Similarly, we do not have the government's lead role in protecting private or government networks, in designing security standards, or in regulating how the private sector must defend itself. Those are important functions for which other government departments take responsibility—often, with our support and assistance. Our mission is to enforce the law, to ensure public safety, and to seek just punishment.


How We Succeed

By faithfully executing the Department's crime-fighting mission, we have produced tangible and positive results for the American people. These results are reflected by the caliber of criminals we have taken offline and taken off the streets; the millions of computers we have liberated from botnets that harness their processing power for fraud and theft; the web cameras that no longer spy on unwitting victims; the dark markets selling illicit drugs, weapons, and child pornography we have disrupted and shuttered; the virtual currency we have seized from criminals; and the malicious software that is no longer offered for sale.

These tangible results have a secondary effect: deterrence. Deterrence is one of the primary objectives of criminal law, and it is a key factor in improving our Nation's cybersecurity. An effective deterrence policy requires us to have a credible capability to enforce the law, and therefore to deter offenders. A credible capability to enforce the law, in turn, requires the Department to be able to credibly investigate cybercrime. Without evidence, there is no attribution. Without attribution, there will be no consequences for offenders, and thus no deterrence.

Yet, the reality is that identity-masking technologies and international investigative barriers pose unique challenges for deterring cyber threats. This report details the ways in which we approach those challenges. We depend upon legal authorities to investigate computer crimes; upon the cooperation of the public and of the private sector to report crimes and to help identify cyber threats; and upon the assistance of international partners to gather foreign evidence, apprehend criminals, and extradite suspects. Often, those authorities are exclusive to the Department of Justice and other law enforcement agencies. For example, the Department has the authority to obtain the subpoenas, court orders, and search warrants that the law requires in order to compel online service providers to produce crucial records that can reveal criminal activity.

Preserving these investigative authorities and capabilities, and using them responsibly and consistent with law, is therefore vital to the Nation's cybersecurity. It is also a Department priority. The Department's agents and prosecutors need the authority and tools to obtain evidence; the technical skill to understand it; and the ability to introduce that evidence at trial and explain what it means. Maintaining these capabilities is, in part, a question of making sure investigators retain the lawful authority to access evidence in a changing digital landscape. It is also a question of building and maintaining a talented and dedicated workforce.

The Department—along with the entire U.S. government—wants Americans to be able to


use their devices and computers secure in the knowledge that their data is safe. Many government departments and agencies are working toward that cybersecurity goal. And while this report catalogs the many ways that the Department is at the cutting edge of keeping Americans safe from cyber threats, we are also keenly aware that our tools and authorities are not sufficient by themselves to accomplish that goal. Our work is critical to cybersecurity, but our work, alone, is not enough to secure the Nation.

As Americans have shifted much of our economy, our communications, our news media, and our daily lives to the Internet, we are now discovering how vulnerable that shift makes us. To defend against cyberattacks from nation states and from equally sophisticated criminals, the American public should be able to turn to the government for leadership. This report details how the Department of Justice is responding to that call.

– Sujit Raman, Chair, Attorney General's Cyber-Digital Task Force

[Photo. Credit: Amy Mathers, U.S. Department of Justice]

Attorney General Jeff Sessions announces law enforcement's July 2017 seizure of AlphaBay, what was then the world's largest "Dark Market." In addition to traditional criminal enforcement actions, disrupting and dismantling the illicit underworld's digital infrastructure is a major facet of the Department of Justice's broader fight against cybercrime.


Chapter 1
Countering Malign Foreign Influence Operations

Hostile foreign actors have long sought to influence, and to subvert, our Nation's democratic institutions. Modern technology—including the Internet and social media platforms—has both empowered and emboldened foreign governments and their agents in their attempts to affect U.S. attitudes, behaviors, and decisions in new and troubling ways.

The Department of Justice plays an important role in protecting the Nation's democratic processes from malign foreign influence operations. While the States, under the Constitution, have primary jurisdiction over the administration of elections,1 the Department for decades has enforced federal criminal laws involving certain forms of ballot fraud.2 We will continue our traditional commitment to combating such frauds, including any that foreign governments or their agents may attempt to perpetrate. (See page 4.)

Foreign cyber-enabled and other active efforts to influence our democratic processes, including our elections, demand an urgent response. In the following pages, we provide background on malign foreign influence operations generally; outline five distinct types of foreign influence operations aimed at our elections or at broader political issues in the United States; and describe the Department's protective efforts with respect to such operations, including efforts designed to protect the upcoming 2018 midterm elections. We also announce a Department policy regarding the factors to be considered in disclosing malign foreign influence operations to victims, other affected individuals, and the public. This policy provides guideposts for Department action to expose and thereby counter foreign influence threats—consistent with the fundamental principle that we always must seek to act in ways that are politically neutral, compliant with the First Amendment, and designed to maintain the public trust.

Ultimately, one of the most effective ways to counter malign foreign influence operations is to shine a light on the activity and raise awareness of the threat. In order to prevail against our adversaries, all of society must work together: from government at all levels; to social media providers and others in the private sector; to political candidates and organizations; to, perhaps most significantly, an active and informed citizenry.

Malign Foreign Influence Operations

Foreign influence operations include covert actions by foreign governments intended to sow division in our society, undermine confidence in our democratic institutions, and otherwise affect political sentiment and public discourse to achieve strategic geopolitical objectives. Foreign influence operations can pose a threat to national security—and they can violate federal criminal law.3 Operations


aimed at the United States are not new. These efforts have taken many forms across the decades, from funding communist newspapers and financing ostensibly independent nonprofit groups to promote favored policies, to more recent efforts at creating and operating false U.S. personas on Internet sites designed to attract U.S. audiences and spread divisive messages. The nature of the problem, however—and how the U.S. government must combat it—is changing, as advances in technology allow foreign actors to reach unprecedented numbers of Americans covertly and without setting foot on U.S. soil. Fabricated news stories and sensational headlines like those sometimes found on social media platforms are just the latest iteration of a practice foreign adversaries have long employed in an effort to discredit and undermine individuals and organizations in the United States. Although the tactics have evolved, the goals of these activities generally remain the same: to spread disinformation and to sow discord on a mass scale in order to weaken the U.S. democratic process, and ultimately to undermine the appeal of democracy itself.

Malign foreign influence operations need not favor one political figure, party, or point of view. Foreign adversaries can take advantage of social media platforms to send contrary (and sometimes false) messages simultaneously to different groups of users based on those users' political and demographic characteristics, with the goal of heightening tensions between different groups in our society. By exacerbating and inflaming existing divisions, foreign-promoted narratives seek to spread turmoil, mistrust, and acrimony. For example, Russian-affiliated social media activities have been detected promoting content on multiple sides of controversial issues including race relations and gun control.

As one component of this strategy, foreign influence operations have targeted U.S. elections. Elections are a particularly attractive target for foreign influence campaigns because they provide an opportunity to undermine confidence in a core element of our democracy: the process by which we select our leaders. As explained in a January 2017 Intelligence Community Assessment published by the Office of the Director of National Intelligence ("ODNI") addressing Russian interference in the 2016 U.S. presidential election, Russia has had a "longstanding desire to undermine the U.S.-led liberal democratic order," and that nation's recent election-focused "activities demonstrated a significant escalation in directness, level of activity, and scope of effort compared to previous operations."4 Russia's foreign influence campaign, according to this assessment, "followed a longstanding Russian messaging strategy that blends covert intelligence operations—such as cyber activity—with overt efforts by Russian Government agencies, state-funded media, third-party intermediaries, and paid social media users or 'trolls.'"5

Malign foreign influence operations did not begin in 2016, but the Internet-facilitated operations in that year were unprecedented in scale. The threat such operations pose to our society is unlikely to diminish. As the Director of National Intelligence recently observed, "Influence operations, especially through cyber means, will remain a significant threat to U.S. interests as they are low-cost, relatively low-risk, and deniable ways to retaliate against adversaries, to shape foreign


perceptions, and to influence populations."6 "Russia probably will be the most capable and aggressive source of this threat in 2018, although many countries and some nonstate actors are exploring ways to use influence operations, both domestically and abroad."7 These actions require a strong and sustained response.

Types of Foreign Influence Operations Targeting Democratic and Electoral Processes

In advance of the 2018 midterm elections, the Department is mindful of ODNI's assessment that "Moscow will apply lessons learned from its campaign aimed at the U.S. presidential election to future influence efforts in the United States and worldwide, including against U.S. allies and their election processes."8 The Intelligence Community ("IC") has recently assessed that Russia views the 2018 midterm elections as a potential target for continued influence operations.9 Russia's strategy for conducting foreign influence operations against the United States, which may well inspire other countries to pursue similar operations, includes a broad spectrum of activity targeting U.S. democratic and electoral processes. We categorize such activity as follows:

1. Cyber operations targeting election infrastructure. Cyber operations could seek to undermine the integrity or availability of election-related data. For example, adversaries could employ cyber-enabled or other means to target election-associated infrastructure, such as voter registration databases and voting machines, or to target the power grid or other critical infrastructure in order to impair an election. Operations aimed at removing otherwise eligible voters from the rolls or attempting to manipulate the results of an election (or even simply spreading disinformation suggesting that such manipulation has occurred) could undermine the integrity and legitimacy of our free and fair elections, as well as public confidence in election results. To our knowledge, no foreign government has succeeded in perpetrating ballot fraud, but the risk is real.

[Figure: Identifying Potential Targets of Election Interference. Credit: Cyber Threat Intelligence Integration Center. Under "2018 Election": Potential Targets Related to Voter Influence; Potential Targets Related to Campaigns; Potential Targets Related to Political Entities. Under "Permanent Election Infrastructure": Potential Targets Related to Elections Infrastructure.]

This graphic provides a framework for recognizing adversaries' efforts to interfere in US elections with cyber operations by identifying four categories of potential targets—voters, campaigns, political entities, and elections infrastructure. It does not address the likelihood or impact of an adversary's targeting any specific entity or other influence efforts such as direct financing of candidates. Detection and notification of foreign cyber activity against any of these targets may provide warning of efforts to interfere with US elections.

Foreign adversaries could target these categories of potential targets—or others—to interfere in U.S. elections through cyber operations.

For assistance with any issues pertaining to these targets, please engage your established contacts at the local FBI field office or one of the following:
DHS National Cybersecurity and Communications Integration Center (24/7 Cyber Watch Floor): (703) 235-5273 • nccic@hq.dhs.gov
FBI CyWatch: (855) 292-3937 • cywatch@fbi.gov

DEPARTMENT OF JUSTICE PROGRAM FOR COMBATING BALLOT FRAUD

"Every voter in a federal . . . election, . . . whether he votes for a candidate with little chance of winning or for one with little chance of losing, has a right under the Constitution to have his vote fairly counted, without its being distorted by fraudulently cast votes." Anderson v. United States, 417 U.S. 211, 227 (1974). The Department has a longstanding program for predicating, investigating, and prosecuting ballot fraud schemes—which may overlap with a criminal or national security investigation into a foreign influence operation. The Department's ballot fraud program brings together several components, including the Federal Bureau of Investigation ("FBI"); the Criminal Division's Public Integrity Section ("PIN"); United States Attorney's Offices around the nation; the Civil Rights Division ("CRT"); and the Department of Homeland Security ("DHS"). (Each component's specific role in the program is described in the endnotes.16)

In the weeks and months leading up to the 2018 midterm elections, these components will plan responses to election-related issues and identify lines of coordination and communication. On Election Day, they and a commissioner from the U.S. Election Assistance Commission will arrange regular secure video teleconferences with Department leadership and other agencies, including the National Security Council. Other PIN and CRT managers and personnel also will be available throughout the period to answer telephone calls about suspected ballot fraud activity and to respond to questions from federal prosecutors and law enforcement agents, who in turn will be in close communication with state and local partners.

2. Cyber operations targeting political organizations, campaigns, and public officials. Cyber operations could also seek to compromise the confidentiality or integrity of targeted groups' or targeted individuals' private information. For example, adversaries could conduct cyber or other operations against U.S. political organizations and campaigns to steal confidential information and use that information, or alterations thereof, to discredit or embarrass candidates, undermine political organizations, or impugn the integrity of public officials. The IC has assessed that, during the 2016 election cycle, "Russia's intelligence services conducted cyber operations against targets associated with the 2016 U.S. presidential election, including targets associated with both major U.S. political parties."10

3. Covert influence operations to assist or harm political organizations, campaigns, and public officials. Adversaries could also conduct covert influence operations to provide assistance that is prohibited from foreign sources to American political organizations, campaigns, and government officials. These operations might involve covert offers of financial, logistical, or other campaign support to—or covert attempts to influence the policies, positions, or opinions of—unwitting politicians, party leaders, campaign officials, or the public. For example, a federal grand jury indictment in February 2018 of thirteen Russian nationals recounts, among other things, instances in which Russians allegedly provided covert assistance and financial support to unwitting U.S. persons, unwitting individuals associated with a presidential campaign, and other unwitting political activists seeking to coordinate political activities.11 The indictment also alleges that the Russians sought to discourage some Americans from voting in the 2016 presidential election, and denigrated certain candidates while supporting others. Russian actors also allegedly staged political rallies inside the United States while posing as U.S. grassroots entities and organized rallies inside the United States after the presidential election, both in protest of the election results and in support of the results.12 Such covert influence operations could be reinforced by the use of "bots," which are automated programs that can expand and amplify social media messaging and bolster desired narratives. These operations can also be amplified by stolen information illicitly acquired through illegal cyber operations targeting government institutions, media, and political organizations or campaigns. Foreign agents could then use this stolen information to reinforce divisive narratives through systematic, controlled leaks timed to maximize political damage.

4. Covert influence operations, including disinformation operations, to influence public opinion and sow division. Using false U.S. personas, adversaries could covertly create and operate social media pages and other forums designed to attract U.S. audiences and spread disinformation or divisive messages. This could happen in isolation or in combination with other operations, and could be intended to foster specific narratives that advance foreign political objectives, or could be intended simply to turn citizens against each other. These messages need not relate directly to political campaigns. They could seek to depress voter turnout among particular groups, encourage third-party voting, or convince the public of widespread voter fraud to undermine confidence in election results. These messages could target discrete U.S. populations based on their political and demographic characteristics. They may mobilize Americans to sign online petitions and join issue-related rallies and protests, or even to incite violence. For example, advertisements from at least 2015 to 2017 linked to a Russian organization called the Internet Research Agency focused on divisive issues, including illegal immigration and gun rights, among others, and targeted those messages to groups most likely to react.

5. Overt influence efforts, such as the use of lobbyists, foreign media outlets, and other organizations, to influence policymakers and the public. Finally, adversaries could use state-owned or state-influenced media outlets, or employ lobbyists or lobbying firms, to reach U.S. policymakers or the public. Foreign governments can disguise these efforts as independent while using them to promote


divisive narratives and political positions helpful to foreign objectives. Overt influence efforts by foreign governments—including by our adversaries—may not be illegal, provided they comply with the Foreign Agents Registration Act ("FARA"),13 and with Federal Communications Commission regulations. However, the American people should be fully aware of any foreign government source of information so they can evaluate that source's credibility and significance for themselves.

The Department of Justice's Role in Countering Malign Foreign Influence Operations

The Department of Justice has a significant role in investigating and disrupting foreign government activity in the United States that threatens U.S. national security. In particular, the Department has an important role in identifying and combating malign foreign influence operations, and in enforcing federal laws that foreign agents may violate when engaging in such operations.

Consistent with its longstanding mission, the Department has broad authorities in this area that encompass both its law enforcement and counterintelligence responsibilities:

• The FBI is the primary investigative agency of the federal government and is authorized to investigate all violations of federal laws that are not exclusively assigned to another federal agency. See 28 U.S.C. § 533. In addition, 28 C.F.R. § 0.85(d) designates the FBI to take charge of investigative work in matters relating to espionage, sabotage, subversive activities, and related matters.

• Various federal statutes authorize the FBI to conduct investigations of federal crimes, make seizures and arrests, and serve warrants, both under national security authorities (title 50 of the U.S. Code) and law enforcement authorities (title 18 of the U.S. Code). For example, the FBI has primary investigative authority for all computer network intrusions relating to threats to national security, including "cases involving espionage, foreign counterintelligence, [and] information protected against unauthorized disclosure for reasons of national defense or foreign relations . . ." 18 U.S.C. § 1030(d)(2).

• Executive Order ("E.O.") 12333, as amended, establishes the FBI as the lead counterintelligence agency within the United States, and authorizes the FBI to conduct counterintelligence activities, collect foreign intelligence, or support foreign intelligence collection requirements of other agencies within the IC, and produce and disseminate foreign intelligence and counterintelligence. See E.O. 12333, § 1.7(g).

• These lead responsibilities are also reflected in presidential policies, such as Presidential Policy Directive ("PPD")-41 and PPD-21.

Working closely with our IC partners, the Department uses these authorities to identify, analyze, and disrupt the most significant threats from foreign influence operations. As explained below, the Department can act against these threats in several ways, either using its own authorities or supporting the

6
COUNTERING MALIGN FOREIGN INFLUENCE OPERATIONS

actions of other agencies. The Department also uses its investigative authority to develop information that can inform private sector efforts to guard against or deter foreign influence operations.

First, the Department’s investigations may reveal conduct that warrants criminal charges. Criminal charges not only are a tool the Department uses to pursue justice, but also can help deter similar conduct in the future. We will work with our international partners to obtain custody of foreign defendants whenever possible. Those who seek to avoid justice in U.S. courts will find their freedom of travel significantly restricted. Criminal charges also provide the public with information about the illegal activities of foreign actors we seek to hold accountable.

Second, in some cases, the Department’s investigations can support other U.S. government agencies’ actions, such as financial sanctions or diplomatic and intelligence efforts. After a federal grand jury indicted thirteen Russians in connection with their alleged influence activities, for example, the Secretary of the Treasury imposed financial sanctions against those individuals under an executive order that authorizes sanctions for malicious cyber-enabled activity. The Department of the Treasury’s actions blocked all property and interests in property of the designated persons subject to U.S. jurisdiction, and prohibited U.S. persons from engaging in transactions with the sanctioned individuals. In addition, the State Department often uses information from our investigations and criminal indictments in diplomatic efforts to attribute malign conduct to foreign adversaries, to build consensus with other nations to condemn such activities, and to build coalitions to counter such activities. Likewise, we work closely with DHS to share information about foreign influence operations in furtherance of DHS’s election security mission.

Third, the Department’s investigations produce information about threats and vulnerabilities that we can share with State and local election officials, political organizations, and other potential victims. Because these entities lack the FBI’s investigative resources and legal authorities, sharing investigative information about the nature of the threat posed by foreign influence operations can help these entities detect and prevent operations that target them.

Fourth, the Department maintains strategic relationships with social media providers that reflect the private sector’s critical role in addressing this threat. Social media providers have unique insight into their own networks and bear the primary responsibility for securing their own products, platforms, and services. The FBI can assist the providers’ voluntary efforts to identify foreign influence activity and to enforce terms of service that prohibit the use of their platforms for such activities. This approach is similar to the Department’s recent approaches in working with providers to address terrorist use of social media, and more traditional collaboration to combat child pornography, botnets, Internet fraud, and other misuse of digital infrastructure. By providing information about potential threats, the Department can help social media providers respond to malign use of their platforms, identify foreign influence
operations on those platforms, share information across diverse products and services, and better ensure their users are not exposed to unlawful foreign influence.

Finally, information developed in our investigations can be used—either by the Department or in coordination with the Intelligence Community and other government partners—to help protect the public by exposing the nature of the foreign influence threat. The Department may alert victims or targets about foreign influence operations consistent with its longstanding policies and practices. As discussed below, in certain circumstances, public disclosure and attribution can also be an important means of countering the threat and rendering those operations less effective.

The Department of Justice’s Framework to Counter Malign Foreign Influence Operations

The Department is preparing ahead of the 2018 midterm elections to ensure that we address as effectively as possible the five distinct types of foreign influence operations described above. To underscore this priority, the FBI in November 2017 established the Foreign Influence Task Force (“FITF”), which serves as the central coordinating authority within the FBI for investigations concerning foreign influence operations. The FITF integrates the FBI’s cyber, counterintelligence, counterterrorism, and criminal law enforcement resources to ensure that the Department better understands the threat presented by malign foreign influence operations. An important part of the FITF’s responsibility is coordinating the Department’s counter-foreign influence efforts with other federal agencies, including DHS, the State Department, the National Security Agency, and the Central Intelligence Agency. The FBI is also responsible for developing strategic relationships with state and local authorities, international partners, and the private sector, including social media and other technology companies, as part of a comprehensive approach to combating the foreign influence problem.

Armed with a deeper understanding of our foreign adversaries’ operational methods and committed to leveraging the full range of our authorities, the Department has developed a strategic framework for countering foreign influence operations. See Fig. 1. This framework seeks to employ the Department’s longstanding authorities proactively to pursue aggressive countermeasures—using traditional law enforcement tools, sharing information with potential victims and the private sector where appropriate, and exposing and attributing foreign influence operations where doing so is in the national interest. The Department’s strategy aims to increase the resilience of democratic and election processes against the foreign influence threat, while recognizing that we cannot expect to eliminate those activities unless the responsible foreign governments alter their behavior.

1. Cyber operations targeting election infrastructure. Although the States are responsible for administering elections, and DHS has the federal government lead for assisting election officials in securing their systems, the FBI has the primary responsibility for investigating our foreign adversaries’
Figure 1: Department of Justice Framework to Counter Malign Foreign Influence Operations

(1) Cyber operations targeting election infrastructure (integrity and availability of data)

DOJ and FBI Actions
• Identify threats and warn potential targets (state officials), with DHS.
• Investigate and disrupt intrusions and attacks, alerting victims consistent with applicable guidance.
• Prosecute where possible.
• Respond to reports of election day crimes (e.g. voter suppression, computer intrusions).

Other Agencies and Their Activities
• IC produces intelligence on malicious cyber operations.
• DHS shares intelligence (warnings) and best practices with victims and assists with recovery efforts after an intrusion (if requested).
• Possible diplomatic, financial, or operational responses.

Key Considerations
• States own the election systems and are responsible for their administration and security.

(2) Cyber operations targeting political parties, campaigns, and public officials (confidentiality of data)

DOJ and FBI Actions
• Identify threats and warn potential targets, with DHS.
• Investigate and disrupt intrusions and attacks, alerting victims consistent with applicable guidance.
• Prosecute where possible.
• Raise awareness about malicious cyber operations, mitigation, and maintaining “cyber hygiene.”

Other Agencies and Their Activities
• IC produces intelligence on malicious cyber operations.
• DHS shares intelligence (warnings) and best practices with victims and assists with recovery efforts after an intrusion (if requested).
• Possible diplomatic, financial, or operational responses.

Key Considerations
• Private parties own systems and data and are responsible for their security.
• Limited ability to protect against misuse of stolen information.

(3) Covert influence operations to assist or harm political organizations, campaigns and public officials

DOJ and FBI Actions
• Investigate and disrupt activity by unregistered foreign agents.
• Brief potential targets, consistent with applicable guidance.
• Prosecute where possible.
• Raise awareness about malicious cyber operations, mitigation, and maintaining “cyber hygiene.”

Other Agencies and Their Activities
• IC produces intelligence on foreign influence efforts, goals.
• DHS and State Dept. conduct outreach on trends in influence operations to domestic and foreign audiences.
• Possible diplomatic, financial, or operational responses.

Key Considerations
• May require cooperation of affected individuals and organizations to counter the threat.
• Many engagements with foreign governments are legitimate.

(4) Covert influence operations to influence public opinion and sow division

DOJ and FBI Actions
• Investigate and, as appropriate, disrupt foreign influence operations.
• Attribute and expose activity, consistent with applicable guidance.
• Prosecute where possible.
• Notify social media, other providers of foreign influence operations and other abuse of their platforms.

Other Agencies and Their Activities
• DHS and State Dept. conduct outreach on trends in influence operations to domestic and foreign audiences.
• DHS provides tools to private industry to protect against malign influence.
• Possible diplomatic, financial, or operational responses.

Key Considerations
• Technology companies bear primary responsibility for securing their own products, platforms, and services.

(5) Overt influence efforts to influence policymakers and the public

DOJ and FBI Actions
• Investigate possible FARA violations.
• Prosecute where possible.
• Compel registration as appropriate.

Other Agencies and Their Activities
• DHS and State Dept. conduct outreach on trends in influence operations to domestic and foreign audiences.
• State Dept. responds to violations of norms by foreign actors.

Key Considerations
• Open communications by registered foreign media may be lawful.


efforts to target election infrastructure. In the event of a known or suspected cyber incident, the FBI will investigate the intrusion and will alert targets of the intrusions where appropriate. Prosecutors will follow the Principles of Federal Prosecution14 in determining whether federal criminal charges are appropriate. The FBI also may identify threats and vulnerabilities to election infrastructure in the course of other criminal or intelligence investigations. Consistent with the Department’s disclosure policy (described below), it will attempt to warn State and local officials who operate election systems about attempts to penetrate their systems and to share appropriate information about vulnerabilities they should patch or mitigate. In this regard, the FBI works closely with DHS and with the U.S. Election Assistance Commission, which certifies voting systems and establishes voting system guidelines.

To that end, in February 2018, the FBI, together with DHS and the IC, provided classified briefings to election officials from all 50 States to help increase awareness of foreign adversary intent and capabilities against the States’ election infrastructure, as well as actions State and local officials can undertake to mitigate those threats. Establishing close relationships with those officials, in partnership with DHS, is critical because the Department’s ability to identify and disrupt cyber actors who target election infrastructure requires the officials who operate that infrastructure to promptly share threat information with the FBI. The Department has emphasized the need for State and local officials promptly to share threat information with the FBI’s National Cyber Investigative Joint Task Force (“NCIJTF”). NCIJTF includes over 20 partnering agencies from across law enforcement, the IC, and the Department of Defense, with representatives who are co-located and work jointly to accomplish the organization’s mission from a whole-of-government perspective.

Establishing close relationships with State and local officials is also important to enable the Department to respond quickly to a major cyber intrusion before or during an election. The Department works closely with DHS in connection with such incidents. The Department will continue to work with DHS and State and local officials to plan what they should do, whom they should contact, and what assistance they may seek in the event of a significant intrusion into their systems. The FBI’s general incident response activities are described in greater detail in Chapter 4.

2. Cyber operations targeting political organizations, campaigns, and public officials. The FBI investigates computer intrusions and attacks against U.S. victims, using its broad investigative authority and leveraging its close relationship with other IC agencies that have the authority to collect foreign intelligence outside the United States. Federal prosecutors may then charge the perpetrators, as appropriate. The FBI also alerts victims where possible and helps them respond to intrusions, often working closely with DHS, and provides threat information when necessary to address a specific threat or incident.

The FBI is working with DHS to ensure that political organizations and individuals within such organizations whom foreign adversaries may target are aware of the specific cyber

DEPARTMENT OF JUSTICE POLICY REGARDING NON-INTERFERENCE WITH ELECTIONS

The Department of Justice has a strong interest in the prosecution of election-related crimes, such as those involving federal and State campaign finance laws, federal patronage laws, and corruption of the election process, and Department employees must safeguard the Department’s reputation for fairness, neutrality, and non-partisanship.

Partisan political considerations must play no role in the decisions of federal investigators or prosecutors regarding any investigations or criminal charges. Law enforcement officers and prosecutors may never select the timing of investigative steps or criminal charges for the purpose of giving an advantage or disadvantage to any candidate or political party.

For further guidance, prosecutors and law enforcement officers may contact the Criminal Division’s Public Integrity Section. More detailed guidance is also available in sections 1-4.000 and 9-85.000 of the United States Attorneys’ Manual, and in a treatise published by the Department called Federal Prosecution of Election Offenses (8th ed. 2017).17

threats and vulnerabilities we are monitoring. These efforts have included providing defensive briefings to major political organizations such as the Republican and Democratic National Committees.

3. Covert influence operations to assist or harm political organizations, campaigns, and government officials. The FBI counters the activities of foreign governments and their proxies by proactively investigating unregistered foreign agents in the United States, alerting these foreign agents’ targets (or intended targets) where appropriate, and raising public awareness of foreign influence methods and effective countermeasures both through appropriate enforcement actions and through assistance to other federal agencies and State or local authorities with enforcement authority.

The Department will aggressively enforce federal laws that require foreign agents to register with the U.S. government and that prohibit foreign nationals from tricking unwitting Americans into participating in, or accepting support from, foreign influence efforts. Along those lines, the Department has stepped up enforcement efforts against individuals and entities that had not fulfilled their obligations under the Foreign Agents Registration Act (“FARA”), including by educating prosecutors and agents nationwide about the importance of the statute and how to investigate it; expanding our outreach to individuals and entities who may be required to register; and achieving the registrations of sophisticated individuals and entities that had not fulfilled their legal obligations, including the American agents of Russian state-funded media networks (RT and Sputnik). Going forward, we will increase FARA awareness and compliance through increased outreach,
by making additional advisory opinions public, and by issuing guidance if appropriate under Department policy. In addition, we will investigate and prosecute criminal violations of FARA and other laws that restrict the activities of foreign agents acting within the United States.

The Department also will seek to increase understanding of the foreign intelligence threat in order to reduce the effectiveness of covert activities and efforts to obscure the true motivation and origin of foreign influence operations. The FBI can provide defensive counterintelligence briefings to political organizations and campaigns as necessary to protect against and improve awareness of the foreign influence threat. In addition, the FBI continues to pursue criminal and traditional counterintelligence investigations to address the range of potential covert operations targeting political organizations.

4. Covert influence operations, including disinformation operations, to influence public opinion and sow division. Depending on the facts, a foreign government’s efforts to use the Internet as part of a hostile effort to multiply its propaganda’s malign influence on the American public may violate a number of federal laws on which the Department may base criminal investigations and prosecutions. The Department is also considering whether new criminal statutes aimed more directly at this type of activity are needed.

The Department has crafted a strategy to counter each phase of the foreign malign influence campaign cycle. See Fig. 2. While the success of a foreign influence campaign via the Internet and social media depends heavily on the adversary’s ability to obscure the true motivation and origin of its activities—something the Internet can facilitate—the infrastructure of online accounts required to carry out such a campaign also provides the Department with opportunities for identification and disruption. For example, the FBI and IC partners may be able to identify and track foreign agents as they establish their infrastructure and mature their online presence, in which case authorities can work with social media companies to illuminate and ultimately disrupt those agents’ activities, including through voluntary removal of accounts that violate a company’s terms of service.

In addition to these activities, in some circumstances, public exposure and attribution of foreign influence operations, and of foreign governments’ goals and methods in conducting them, can be an important means of countering the threat and rendering those operations less effective. Of course, partisan politics must play no role in the decision whether to disclose the existence of a foreign influence operation, and such disclosures must not be made for the purpose of conferring any advantage or disadvantage on any political or social group. In addition, the Department must seek to protect intelligence sources and methods and operational equities, and attribution itself may present challenges. It is also important not to take actions that merely exacerbate the impact of a foreign influence operation, or that re-victimize its victims. Given the competing in-
Figure 2: The Malign Foreign Influence Campaign Cycle


terests sometimes at stake, the Department has established a formal policy on the disclosure of foreign influence operations to guide its actions in this critically important area. That policy is found at pages 16–17.

5. Overt influence efforts, such as the use of foreign media outlets to influence policymakers and the public. Overt foreign government efforts to influence the American public or policymakers may be lawful so long as the relevant government complies with U.S. laws requiring public disclosure, along with other applicable laws. When foreign media outlets or lobbyists act as agents of foreign governments, they may be required to register as foreign agents under FARA. Media outlets with links to China, Japan, Russia, and South Korea have done so. Apart from enforcing such laws, the Department—in concert with the U.S. government as a whole, as well as with American society more broadly—can help increase public understanding of foreign influence operations.

Conclusion

The nature of foreign influence operations will continue to change as technology and our foreign adversaries’ tactics change. Our adversaries will persist in seeking to exploit the diversity of today’s information space, and the tactics and technology they employ will continue to evolve.

The Department plays an important role in combating foreign efforts to interfere in our elections, but it cannot alone solve the problem. There are limits to the Department’s role—and the role of the U.S. government—in addressing foreign influence operations aimed at sowing discord and undermining our Nation’s institutions. Combating foreign influence operations requires a whole-of-society approach that relies on coordinated actions by federal, State, and local government agencies; support from potential victims and the private sector; and the active engagement of an informed public.

Even so, investigating and prosecuting those who violate our laws, disrupting particular operations, and exposing covert foreign activities can be useful in defending against this threat. It is therefore critical that the Department consistently evaluate existing law and policy governing its actions, as well as its strategic approach to the problem. In the short term, the Department must use all current authorities to counter the foreign influence threat, working closely with the IC, DHS, State and local governments, and where appropriate, the private sector.

We also must ensure that we are sharing information about the threat with potential victims, other affected individuals, and the public, consistent with our policies and our national security interests. In the longer term, we must consider what additional authorities or policies would be useful and appropriate to enable us to respond as effectively as possible to the foreign influence threat.

* * *

The story is told that a woman named Elizabeth Powel approached Benjamin Franklin when he was walking home after the Constitutional Convention in the summer of 1787. Powel asked Franklin what type of govern-
ment the Founders had created. Franklin replied: “A republic, madam, if you can keep it.” Powel’s question illustrates that it was not inevitable that our Nation would begin as a democratic republic. Franklin’s answer reminds us that it is not inevitable that we will remain a democratic republic.15

Our Nation’s democratic processes are strong. But the Constitution comes with a condition: we need to keep it. We are all keepers of the republic, and it is incumbent upon all of us, as a society, to counter the foreign influence threat. The Department of Justice will certainly play its part.

DEPARTMENT OF JUSTICE POLICY ON DISCLOSURE OF FOREIGN INFLUENCE OPERATIONS

Foreign influence operations include covert actions by foreign governments intended to sow
divisions in our society, undermine confidence in our democratic institutions, and otherwise
affect political sentiment and public discourse to achieve strategic geopolitical objectives.
Such operations are often empowered by modern technology that facilitates malicious cyber
activity and covert or anonymous communications with U.S. audiences on a mass scale from
abroad.

Our Nation’s democratic processes and institutions are strong and must remain resilient in
the face of this threat. It is the policy of the Department of Justice to investigate, disrupt,
and prosecute the perpetrators of illegal foreign influence activities where feasible. It is also
the Department’s policy to alert the victims and unwitting targets of foreign influence ac-
tivities, when appropriate and consistent with the Department’s policies and practices, and
with our national security interests.

It may not be possible or prudent to disclose foreign influence operations in certain con-
texts because of investigative or operational considerations, or other constraints. In some
circumstances, however, public exposure and attribution of foreign influence operations
can be an important means of countering the threat and rendering those operations less
effective.

Information the Department of Justice collects concerning foreign influence operations may
be disclosed as follows:

• To support arrests and charges for federal crimes arising out of foreign influence operations, such as hacking or malicious cyber activity, identity theft, and fraud.

• To alert victims of federal crimes arising out of foreign influence operations, consistent with Department guidelines on victim notification and assistance.18

• To alert unwitting recipients of foreign government-sponsored covert support, as necessary to assist in countering the threat.

• To alert technology companies or other private sector entities to foreign influence operations where their services are used to disseminate covert foreign government propaganda or disinformation, or to provide other covert support to political organizations or groups.

• To alert relevant Congressional committees to significant intelligence activities, consistent with statutory reporting requirements and Executive Branch policies.

• To alert the public or other affected individuals, where the federal or national interests in doing so outweigh any countervailing considerations.19

In performing these functions, the Department will be mindful of the following principles and
policies:

• Partisan political considerations must play no role in efforts to alert victims, other affected individuals, or the American public to foreign influence operations against the United States. Such efforts must not be for the purpose of conferring any advantage or disadvantage on any political or social group or any individual or organization.

• In considering whether and how to disclose foreign influence operations, or the details thereof, the Department will seek to protect intelligence sources and methods, investigations, and other U.S. government operations.

• Foreign influence operations will be publicly identified as such only when the Department can attribute those activities to a foreign government with high confidence. Disinformation or other support or influence by unknown or domestic sources not acting on behalf of a foreign government is beyond the scope of this policy.

• Where a criminal or national security investigation during an election cycle is at issue, the Department must also be careful to adhere to longstanding policies regarding the timing of charges or taking overt investigative steps.20

The Department (including the FBI) will not necessarily be the appropriate entity to disclose
information publicly concerning a foreign influence operation. Where a Department com-
ponent is considering whether to alert the general public to a specific foreign influence oper-
ation, consultation with the National Security Division is required. Nothing in this policy is
intended to impair information sharing undertaken by Department components for investi-
gative or intelligence purposes.


NOTES

1. See U.S. Const. art. I, § 4 (Congressional elections) & art. II, § 4 (Presidential elections).

2. The term “ballot fraud” in this context includes fraud in the processes by which voters are registered or by which votes are cast or tabulated.

3. Foreign influence operations, while not always illegal, can implicate several U.S. federal criminal statutes, including (but not limited to): 18 U.S.C. § 371 (conspiracy); 18 U.S.C. § 951 (acting in the United States as an agent of a foreign government without prior notification to the Attorney General); 18 U.S.C. § 1001 (false statements); 18 U.S.C. § 1028A (aggravated identity theft); 18 U.S.C. § 1030 (computer fraud and abuse); 18 U.S.C. §§ 1343, 1344 (wire fraud and bank fraud); 18 U.S.C. § 1519 (destruction of evidence); 18 U.S.C. § 1546 (visa fraud); 22 U.S.C. § 618 (Foreign Agents Registration Act); 52 U.S.C. §§ 30109, 30121 (soliciting or making foreign contributions to influence federal elections, or donations to influence State or local elections).

4. Office of the Director of National Intelligence, Background to “Assessing Russian Activities and Intentions in Recent U.S. Elections”: The Analytic Process and Cyber Incident Attribution ii (Jan. 2017) (“ODNI Report”), available at: https://www.dni.gov/files/documents/ICA_2017_01.pdf (last accessed June 29, 2018).

5. ODNI Report at 2; see also U.S. House of Representatives Permanent Select Committee on Intelligence, Report on Russian Active Measures viii (March 2018) (“In 2015, Russia began engaging in a covert influence campaign aimed at the U.S. presidential election. The Russian government, at the direction of Vladimir Putin, sought to sow discord in American society and undermine our faith in the democratic process.”), available at: https://intelligence.house.gov/uploadedfiles/final_russia_investigation_report.pdf (last accessed June 29, 2018); Minority Members of the House Permanent Select Committee on Intelligence, Report on Russian Active Measures 12 (March 2018), available at: https://democrats-intelligence.house.gov/uploadedfiles/20180411_-_final_-_hpsci_minority_views_on_majority_report.pdf (last accessed June 29, 2018) (summarizing Russian covert cyber efforts and other intelligence and social media operations during the 2016 elections); U.S. Senate Select Committee on Intelligence, Russian Targeting of Election Infrastructure During the 2016 Election: Summary of Initial Findings and Recommendations 1 (May 2018) (“In 2016, cyber actors affiliated with the Russian Government conducted an unprecedented, coordinated cyber campaign against state election infrastructure . . . This activity was part of a larger campaign to prepare to undermine confidence in the voting process. The Committee has not seen any evidence that vote tallies were manipulated or that voter registration information was deleted or modified.”), available at: https://www.burr.senate.gov/imo/media/doc/RussRptInstlmt1-%20ElecSec%20Findings,Recs2.pdf (last accessed June 29, 2018).

6. Daniel R. Coats, Dir. of National Intelligence, “Statement for the Record: Worldwide Threat Assessment of the U.S. Intelligence Community,” at 11 (Feb. 13, 2018), available at: https://www.dni.gov/files/documents/Newsroom/Testimonies/2018-ATA---Unclassified-SSCI.pdf (last accessed June 29, 2018).

7. Id.

8. ODNI Report at 5.

9. Daniel R. Coats, Dir. of National Intelligence,


“Annual Threat Assessment: Opening Statement,” Worldwide Threats: Hearing Before the Senate Select Comm. on Intelligence, 115th Cong. (Feb. 13, 2018), at 18, available at: https://www.dni.gov/files/documents/Newsroom/Testimonies/ATA2018-asprepared.pdf (last accessed June 29, 2018).

10. ODNI Report at 2.

11. Indictment in United States v. Internet Research Agency, et al., No. 18-cr-32-DLF (D.D.C. Feb. 16, 2018), available at: https://www.justice.gov/file/1035477/download (last accessed June 29, 2018).

12. Id.

13. 22 U.S.C. § 611 et seq.

14. See “Principles of Federal Prosecution,” U.S. Attorneys’ Manual, Title 9, Section 27.000, available at: https://www.justice.gov/usam/usam-9-27000-principles-federal-prosecution (last accessed June 29, 2018).

15. This story and its associated lessons are recounted in Rod J. Rosenstein, Deputy Attorney General, “Constitution Day Address,” National Constitution Center (Sept. 18, 2017), available at: https://www.justice.gov/opa/speech/deputy-attorney-general-rod-j-rosenstein-delivers-constitution-day-address (last accessed June 29, 2018).

16. As part of the Department’s ballot fraud program, the FBI must maintain an Election Crimes Coordinator (“ECC”) in each of its Divisions. The ECCs are the Department’s primary liaison with State and local police agencies, and election administrators, as well as with other federal agencies, in the field. They attend regular trainings, coordinate local task force communications with State and local counterparts during elections, and handle intake reporting of ballot fraud allegations from non-government groups or individuals. The FBI then investigates properly-predicated ballot fraud cases, in coordination with a local U.S. Attorney’s Office (“USAO”). The FBI and USAO are free to exercise their discretion to conduct a preliminary investigation after assessing the case and ensuring non-interference with the election process. They may pursue a full field and grand jury investigation, and seek charges, after consultation with the Criminal Division’s Public Integrity Section (“PIN”). However, the FBI and other federal law enforcement agencies may not conduct investigations that would infringe the Department’s non-interference with elections policy (see page 11), or that would unlawfully result in an armed federal presence at a polling site. See 18 U.S.C. § 592. For almost forty years, PIN has provided the field with an Election Crimes Branch Director. Pursuant to the United States Attorneys’ Manual, the Director, assisted as needed by other managers and staff at PIN, functions as a mandatory consultant for the USAOs on all ballot fraud matters that progress beyond a preliminary investigation, see U.S.A.M. § 9-85.210, and as a subject matter expert available to provide advice and assistance to USAOs and the FBI. The Director coordinates and conducts mandatory live training with designated field personnel of the USAOs and FBI. The Director also leads an Election Day Watch program during federal election seasons to monitor and coordinate responses to election events while the polls are open on each federal election day. The Election Day Watch program is the Department’s mechanism for ensuring consistent and efficient communication and coordination between interagency representatives, federal prosecutors and investigators in the field, and State and local partners. Each USAO must maintain a District Election Officer (“DEO”) among its cadre of Assistant United States Attorneys. The DEOs are the Department’s primary liaison with State and local counterparts in the field. They attend regular trainings, and as part of the Election Day


Watch program, coordinate local task force communications with State and local counterparts leading up to and during the elections. DEOs also coordinate press releases concerning election-day procedures to facilitate reporting to the federal government of ballot fraud allegations from non-government groups or individuals. The Voting Section and Criminal Section of the Department’s Civil Rights Division (“CRT”) coordinate regularly with PIN to ensure that ballot fraud allegations are routed to the best response entity. CRT maintains a hotline that operates all year, including throughout federal election days, to facilitate reporting of allegations of potential voting-related federal law violations. CRT’s Voting Section also enforces the civil provisions of a wide range of federal statutes that protect the right to vote, including the Voting Rights Act; the National Voter Registration Act; the Uniformed and Overseas Citizens Absentee Voting Act; the Help America Vote Act; and the Civil Rights Act. CRT’s Criminal Section enforces federal criminal statutes that prohibit voter intimidation and voter suppression based on race, color, national origin, or religion. Finally, the Department of Homeland Security (“DHS”) recently has joined existing efforts to combat ballot fraud in the specific area of cyber threats. In particular, DHS provides advice and resources to State and local counterparts to assess the risks to their computer systems for voter registration, balloting, and tabulation. DHS also has certain resources for incident response, though the FBI has greater local resources and, under PPD-41, retains the lead on incident response.

17. This treatise is available online at: https://www.justice.gov/criminal/file/1029066/download (last accessed June 29, 2018). The most relevant discussion can be found at pages 84-85: “The Justice Department’s goals in the area of election crime are to prosecute those who violate federal criminal law and, through such prosecutions, deter corruption of future elections. The Department does not have a role in determining which candidate won a particular election, or whether another election should be held because of the impact of the alleged fraud on the election . . . . In investigating an election fraud matter, federal law enforcement personnel should carefully evaluate whether an investigative step under consideration has the potential to affect the election itself. Starting a public criminal investigation of alleged election fraud before the election to which the allegations pertain has been concluded runs the obvious risk of chilling legitimate voting and campaign activities. It also runs the significant risk of interjecting the investigation itself as an issue, both in the campaign and in the adjudication of any ensuing election contest . . . . Accordingly, overt criminal investigative measures ordinarily should not be taken in matters involving alleged fraud in the manner in which votes were cast or counted until the election in question has been concluded, its results certified, and all recounts and election contests concluded. Not only does such investigative restraint avoid interjecting the federal government into election campaigns, the voting process, and the adjudication of ensuing recounts and election contest litigation, but it also ensures that evidence developed during any election litigation is available to investigators, thereby minimizing the need to duplicate investigative efforts. Many election fraud issues are developed to the standards of factual predication for a federal criminal investigation during post-election litigation.”

18. See Attorney General Guidelines for Victim and Witness Assistance (May 2012), available at: https://www.justice.gov/sites/default/files/olp/docs/ag guidelines2012.pdf (last accessed June 29, 2018); see also 42 U.S.C. § 10607 (Victims’ Rights and Restitution Act).

19. For example, there may be an important federal or national interest in publicly disclosing a foreign influence operation that threatens to undermine confidence in the government or public institutions; risks inciting violence or other illegal actions; or may cause substantial harm, alarm, or confusion if left unaddressed. On the other hand, in some cases, public disclosure of a foreign influence operation may be counterproductive because it may amplify or otherwise exacerbate the foreign government’s messaging, or may re-victimize the victim.

20. See, e.g., U.S. Dept. of Justice, Federal Prosecution of Election Offenses 8-9, 84-85 (8th ed. 2017), quoted in supra note 17.


Chapter 2
Categorizing Sophisticated Cyber Schemes

Malign foreign influence operations represent a significant cyber-enabled threat to American society and national security. But they are not the only one. Every day, criminals and other hackers within the United States and around the world seek to use computers, smart devices, and other chip-enabled technology—as well as the networks that connect them—to victimize American consumers and businesses, or to do our government harm.

In this chapter, we describe some of the most prevalent and dangerous types of cybercrime schemes our Nation currently faces. Various actors, with varying motivations, perpetrate these schemes, targeting various categories of victims. All of these schemes, however, rely on the malicious, unauthorized use of computers to penetrate into another person’s computer or network. This technical baseline provides a set of common operational techniques across the range of complicated cybercriminal plots. Indeed, in a threat landscape that constantly evolves and features a diverse set of actors, motivations, and targets, the prevalence of certain key techniques is a significant and rare constant.

Cybercrime Schemes

In the current landscape, cyber-enabled schemes tend to fall into one or more of five basic categories: (1) damage to computer systems; (2) data theft; (3) fraud/carding schemes; (4) crimes threatening personal privacy; and (5) crimes threatening critical infrastructure.

1. Damage to computer systems

Many cyber threats directly target computer systems and networks, seeking to damage the integrity or availability of data and services housed on those systems. For example, a Distributed Denial of Service (“DDoS”) attack involves the orchestrated transmission of communications engineered to overwhelm the victim network’s connection to the Internet in order to impair or disrupt that network’s ability to send or receive communications. Because they require the near simultaneous and sustained sending of communications against a discrete target, DDoS attacks usually are launched by a large network of hijacked computers called a botnet. (For further discussion of botnets, see page 41.) Common targets of DDoS attacks include websites that the criminals wish to disable and push off-line, either because they disagree with the content, or because they wish to drive traffic to sites they prefer.

DDoS attacks can have crippling, far-reaching effects. In October 2016, for example, a massive DDoS attack targeting a U.S.-based company that controls much of the Internet’s domain name system infrastructure brought down many of the world’s best-known websites for several hours, including sites belonging to Twitter, Pinterest, CNN, Fox News, and Netflix. The botnet used to launch this attack was originally created a few years before. The Department recently convicted the botnet’s creators after the leader of the group admitted that he and his conspirators developed it in part to initiate powerful DDoS attacks “against business competitors and others against whom [they] held grudges.”1 They also used the botnet—which, in an alarming new twist, enlisted everyday so-called “Internet of Things” devices into its network of hijacked machines, thereby amplifying its strength by orders of magnitude2—to provide a source of revenue, either by renting it out to third parties in exchange for payment, or by employing it to “extort hosting companies and others into paying protection money in order to avoid being targeted” by DDoS attacks.3

Hostile governments, too, may employ DDoS attacks to advance their geopolitical goals and undermine our national security. In March 2016, for example, a federal grand jury in New York indicted seven Iranian hackers belonging to two companies that worked for Iran’s Islamic Revolutionary Guard Corps for their role in DDoS attacks targeting the public-facing websites of nearly fifty U.S. banks.4 These DDoS attacks against the U.S. financial sector began in approximately December 2011, and occurred sporadically until September 2012, at which point they escalated in frequency to a near-weekly basis. On certain days during the DDoS campaign, victim computer servers were hit with massive amounts of traffic, which cut off hundreds of thousands of customers from online access to their bank accounts. These attacks collectively cost the banks tens of millions of dollars to remediate as they worked to neutralize and mitigate the attacks on their servers. In 2017, the Department of the Treasury added the seven hackers to the Office of Foreign Assets Control (“OFAC”) Specially Designated National and Blocked Persons List.5

Malign actors also use ransomware to inflict damage to a victim’s computer systems. Ransomware is malicious computer code (or “malware”) that blocks a victim’s access to data on its systems, typically by encrypting the data and demanding that the victim pay a ransom, often in the form of a difficult-to-trace virtual currency, to restore the data. See Fig. 1.

Ransomware can be delivered in a variety of ways, including through fraudulent e-mails. Such e-mails can be drafted to look like they are from trustworthy senders, containing malicious attachments or links that, once opened or clicked, activate the ransomware. Some variants also try, once they have gained a foothold in a victim’s network, to spread laterally across the network to encrypt files on other computers or servers to which the victim’s device has access. A second common method involves planting ransomware in hacked websites, which infect the computers of visitors to the sites. In addition, it is not uncommon for criminals to use botnet infrastructure and code to facilitate the widespread delivery of ransomware.

Like DDoS attacks, ransomware attacks can impose immense costs. For example, in 2017, the “WannaCry” ransomware attack spread rapidly and indiscriminately around the world over a mere four days. This campaign—which ultimately was attributed to


Figure 1: The Anatomy of a Ransomware Attack

Credit: FBI Cyber Division

the North Korean government—rendered useless “hundreds of thousands of computers in hospitals, schools, businesses, and homes in over 150 countries.”7 Total damages likely ran into the hundreds of millions of dollars. High-profile incidents such as the March 2018 attack that crippled Atlanta’s city government make clear that ransomware schemes remain a threat.

Typically, cybercriminals run ransomware campaigns: the goal is to damage the victim’s computer system in the short-term in order to get the victim to pay. If the scheme is to succeed, in other words, the victim needs to get their files back. By contrast, destructive attacks—another type of cyber threat that directly targets computer systems and networks—destroy the victim’s data. For that reason, these attacks often are associated with nation states and other entities that have broader motivations. To be sure, destructive attacks may come disguised as ransomware campaigns; the malware linked to the notorious “NotPetya” attack launched by the Russian military in June 2017, for example, locked up its victims’ files and purported to demand a ransom. It soon became clear, however, that this cyberattack was “meant to paralyze, not profit,” as victims who tried to pay found it almost impossible to do so.9 This attack, which was “part of the Kremlin’s ongoing effort to destabilize Ukraine,” resulted in “the most destructive and costly cyberattack in history,” “causing billions of dollars in damage across Europe, Asia, and the Americas.”10 Similarly, the “WannaCry” attack described above did not prove to be very lucrative to the attackers. Rather, it was a reckless attack that resulted in havoc and


Credit: FBI Cyber Division

destruction; any money that was raised was purely a side benefit.11

Perhaps the most notorious example of a destructive attack launched against a U.S. company was the November 2014 cyberattack by North Korea on Sony Pictures Entertainment (“SPE”). This attack destroyed much of SPE’s computer systems, compromised private information, released valuable corporate data and intellectual property, and threatened employees, customers, and film distributors with violence. The attackers stole a large number of files—which included private correspondence, unreleased films, salary records, and social security numbers—and released much of the information to the public, imposing significant financial and other consequences. The attack forced SPE to take its company-wide computer network offline and left thousands of its computers inoperable.

In response to the cyberattack on SPE, the U.S. government publicly attributed the incident to the North Korean government, and then sanctioned a North Korean government agency, two trading companies, and ten North Korean individuals.13

2. Data Theft

As the world grows increasingly reliant on digital technology, and as companies store ever larger quantities of data about their customers and other individuals, criminals have sought to steal and profit from control over that data. The past decade has witnessed numerous publicly reported instances of criminals hacking into computer systems and stealing personally identifying information (“PII”) about hundreds of millions of individuals.


According to one report, there were at least 686 data breaches reported in the first quarter of 2018, resulting in the theft of as many as 1.4 billion records.14 Stolen PII can include dates of birth, social security numbers, credit card numbers, e-mail addresses, drivers’ license numbers, payroll and tax information, and even answers to security questions used to log into systems—namely, everything needed to misappropriate victims’ identities, make fraudulent purchases (including filing fraudulent claims for tax refunds), and craft phishing and other social engineering attacks on specific targets. Breaches of major retailers can reveal transaction information and expose these companies to massive financial losses, while imposing upon members of the public the risk that their identities will be used to commit other financial crimes, with all of the associated impacts. Crimes of this sort are tremendously costly to all involved. According to one estimate, the average total cost in 2017 to a victim company from a data breach was approximately $7.35 million.15 The Internet Crime Complaint Center (“IC3”), the FBI unit that receives and tracks cybercrime complaints from victims, received a total of 3,785 complaints of corporate data breach in 2017, with reported losses exceeding $60 million.16

Government agencies face similar threats. As agencies try to use new information technologies to make it easier for individuals and entities to submit and obtain information necessary for paying taxes, obtaining benefits, or providing services, the avenues for potential breaches dramatically increase. Of course, government agencies collect and store sensitive information concerning not only the general public, but also their own employees. This fact makes them valuable targets. For example, the U.S. Office of Personnel Management announced in 2015 it had been victimized through two separate but related cyberattacks that resulted in the theft of highly sensitive background investigation records of current, former, and prospective federal employees and contractors, as well as the theft of personnel data of over 21 million people.17 Data breaches like these degrade public trust in government agencies.

Sometimes, nation states facilitate the work of criminals who seek to steal and profit from user data. In March 2017, the Department announced criminal charges against two officers of the Russian Federal Security Service (“FSB”) and two additional conspirators involving computer hacking, economic espionage, and other offenses in connection with a conspiracy to access Yahoo’s network as well as information concerning millions of individual webmail accounts.18 Those charges revealed that officers from the FSB unit that serves as the FBI’s point of contact in Moscow on cybercrime matters were using criminal hackers—one of whom already had been publicly charged in two separate investigations in the United States—to target American webmail providers and technology companies, among others.

The public revelation that FSB officers for years had worked with a wanted cybercriminal, and had allowed him to further victimize his targets (for example, by searching compromised accounts for credit card and other information that could be monetized), laid bare for the public and international community the nexus between the Russian state apparatus and the Russian criminal underworld. These charges also demonstrated that the Russian government has not always been a responsible stakeholder in the fight against international cybercrime. One of the indicted hackers was arrested in Canada and brought to the United States; he pled guilty to eight criminal counts in U.S. federal court in November 2017, and was sentenced to a five-year prison term in May 2018.19 In December 2016, OFAC designated the FSB under a new executive order issued to expand the authority under E.O. 13694, which empowers the President to block the property of persons who engage in significant malicious cyber-enabled activities.20 On March 15, 2018, the Department of the Treasury also designated the FSB pursuant to section 224 of the Countering America’s Adversaries Through Sanctions Act, which targets cyber actors operating on behalf of the Russian government in particular.

Malign actors can also use data thefts to further terrorist acts. In June 2015, an ISIL-linked hacker named Ardit Ferizi stole PII belonging to tens of thousands of customers of a U.S. company, including members of the military and other government personnel. Ferizi subsequently culled the PII belonging to 1,300 particular individuals employed by the U.S. government and provided that information to Junaid Hussain, a now-deceased ISIL recruiter and attack facilitator. In August 2015, Hussain posted the names on Twitter in the name of the Islamic State Hacking Division with a message saying, in part: “We are in your emails and computer systems, watching and recording your every move, we have your names and addresses, we are in your emails and social media accounts, we are extracting confidential data and passing on your personal information to the soldiers of the khilafah, who soon with the permission of Allah will strike at your necks in your own lands!” Malaysian authorities detained Ferizi, who subsequently consented to extradition to the United States. He pleaded guilty and was sentenced to 20 years in prison for providing material support to ISIL, and for accessing a protected computer without authorization and obtaining information in order to provide material support to a designated foreign terrorist organization.21

THE COSTS OF INTELLECTUAL PROPERTY CRIME

Estimates vary regarding the size of economic loss that can be attributed to the theft of intellectual property and trade secrets. The Commission on the Theft of American Intellectual Property has estimated that the annual cost to the U.S. economy through the theft of trade secrets, and through counterfeit goods and pirated software, exceeds $225 billion and could be as high as $600 billion.22 According to a cybersecurity industry report, the direct costs of cyber theft in 2014 for over 50 U.S.-based private and public sector organizations ranged from just under $2 million to $65 million each year per company, an increase of 82 percent over six years.23 PricewaterhouseCoopers estimated in 2014 that the United States lost between one and three percent of its gross domestic product each year due to trade secret theft.24

The theft of intellectual property represents another significant data theft problem. The two most notable types of cyber-enabled intellectual property crime are the infringement of copyrighted material over the Internet and the misappropriation of trade secrets stored in a digital format. Internet sites that profit from the unauthorized distribution of copyrighted movies, music, software, and other digital works can have a global reach, generate millions of dollars of illicit revenue for the operators, and cause extensive financial harm to the owners of the works being shared. While copyrighted works generally are intended to be accessible to the public under terms set by the copyright owner, trade secrets receive criminal protection specifically because they involve knowledge that is not known to the public and derive value from remaining secret.

Kim Dotcom, Finn Batato, Mathias Ortmann, Bram van der Kolk, and others are members of a worldwide criminal organization whose members allegedly engaged in criminal copyright infringement with estimated harm to copyright holders well in excess of $400 million, and which yielded over $175 million in illicit proceeds.25 The conspirators operated a commercial website and service called Megaupload.com, which reproduced and distributed copies of popular copyrighted content without authorization and claimed at one time to account for four percent of total Internet traffic—including more than one billion total visits, 150 million registered users, and 50 million daily visitors. A federal grand jury charged members of the conspiracy with a number of conspiracy, racketeering, copyright infringement, money laundering, and fraud offenses. Dotcom and the others were arrested in 2012 in New Zealand, but their extraditions to the United States still remain on appeal in that nation. Despite delays in the criminal case, the Department of Justice has prevailed in a civil forfeiture action in U.S. federal court to forfeit the proceeds of the criminal conspiracy.

Following the takedown of Megaupload.com, other online piracy sites grew in popularity. On July 20, 2016, Artem Vaulin of Ukraine was arrested in Poland based on U.S. federal charges for conspiracy to commit criminal copyright infringement, conspiracy to commit money laundering, and criminal copyright infringement.26 Vaulin is alleged to have run one of the world’s most visited illegal file-sharing websites, Kickass Torrents (“KAT”), which was seized as part of the operation. KAT enabled users to illegally reproduce and distribute hundreds of millions of copyrighted motion pictures, video games, television programs, musical recordings, and other electronic media. Initial investigation indicates that the copyrighted material was collectively valued at well over $1 billion, and that the site, which was in the top 100 most frequently visited sites on the Internet, received more than 50 million unique visitors each month.

On the trade secret front, the Department obtained a conviction in January 2018 in U.S. federal court against a China-based manufacturer and exporter of wind turbines that stole trade secrets from a U.S.-based company. The Chinese company, Sinovel Wind Group Co. Ltd., conspired with others to steal proprietary wind turbine technology from the American corporate victim in order to produce its own wind turbines and to retrofit


existing wind turbines with stolen technology. These crimes cost the victim more than $1 billion in shareholder equity and almost 700 jobs—over half its global workforce.27

In addition, the Department has pursued charges not only against criminals seeking monetary gain, but also against nation-state actors engaged in economic espionage through cyber means. In May 2014, for example, a federal grand jury indicted five uniformed members of the Chinese military on charges of hacking and conducting economic espionage against large U.S. entities in the nuclear power, metal, and solar energy industries. The lengthy statement of charges described numerous specific instances where officers of the People’s Liberation Army (“PLA”) were alleged to have hacked into the computer systems of U.S. victims to steal

Conspiring to Commit Computer Fraud; Accessing a Computer Without Authorization for the Purpose of Commercial Advantage and Private Financial Gain; Damaging Computers Through the Transmission of Code and Commands; Aggravated Identity Theft; Economic Espionage; Theft of Trade Secrets

WANG DONG (Aliases: Jack Wang, "UglyGorilla")
SUN KAILIANG (Aliases: Sun Kai Liang, Jack Sun)
WEN XINYU (Aliases: Wen Xin Yu, “WinXYHappy”, “Win_XY”, Lao Wen)
HUANG ZHENYU (Aliases: Huang Zhen Yu, “hzy_lhx”)
GU CHUNHUI (Aliases: Gu Chun Hui, “KandyGoo”)

DETAILS
On May 1, 2014, a grand jury in the Western District of Pennsylvania indicted five members of the People’s Liberation Army (PLA) of the People’s Republic of China (PRC) for 31 criminal counts, including: conspiring to commit computer fraud; accessing a computer without authorization for the purpose of commercial advantage and private financial gain; damaging computers through the transmission of code and commands; aggravated identity theft; economic espionage; and theft of trade secrets.

The subjects, Wang Dong, Sun Kailiang, Wen Xinyu, Huang Zhenyu, and Gu Chunhui, were officers of the PRC’s Third Department of the General Staff Department of the People’s Liberation Army (3PLA), Second Bureau, Third Office, Military Unit Cover Designator (MUCD) 61398, at some point during the investigation. The activities executed by each of these individuals allegedly involved in the conspiracy varied according to his specialties. Each provided his individual expertise to an alleged conspiracy to penetrate the computer networks of six American companies while those companies were engaged in negotiations or joint ventures or were pursuing legal action with, or against, state-owned enterprises in China. They then used their illegal access to allegedly steal proprietary information including, for instance, e-mail exchanges among company employees and trade secrets related to technical specifications for nuclear plant designs.

If you have any information concerning these individuals, please contact your local FBI office or the nearest American Embassy or Consulate.

Figure 2: Chinese Military Officers Charged with Hacking and Economic Espionage

30
CATEGORIZING SOPHISTICATED CYBER SCHEMES

trade secrets and sensitive, internal communications for commercial advantage or private financial gain. See Fig. 2. Although the five charged PLA officers remain at large, this case illustrated how the Department’s independent investigations and actions can play an important role as part of a broader, coordinated approach designed to support American companies, deter our adversaries, and otherwise change their behavior.

The indictment sent a clear message that the state-sponsored theft of trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors, is unacceptable. This norm thereafter gained widespread acceptance, most notably in a bilateral agreement between the United States and China in September 2015,28 and among the G20 at the Antalya Summit in Turkey in November 2015.29 Although some U.S. cybersecurity firms indicate that computer intrusions by Chinese state-sponsored hackers targeting U.S. firms have decreased since then,30 the U.S. government continues to monitor China’s compliance with the norm, and with that nation’s September 2015 commitment to cooperate on investigations of crimes emanating from its territory. To that end, in late 2017, the Department charged three Chinese nationals who worked for the purported Internet security firm known as Boyusec with stealing trade secrets and other confidential information from American firms until as recently as May 2017—long after the Chinese commitments of September 2015.31 After the Department sought assistance from the Chinese authorities in investigating the allegations and “received no meaningful response,”32 the Department acknowledged as much and unsealed the indictment, providing insight into the status of China’s adherence to norms it purportedly had embraced.

3. Fraud/Carding Schemes

At the core of fraud lies deceit. It can manifest in an intent to deceive by those one knows and trusts, or, as is often the case with cybercrime, by criminals defrauding victims by abusing the Internet’s lack of a trusted and effective means to authenticate another’s identity. Online systems with weak authentication and few indications for determining another’s true identity have opened the door for fraudsters to commit numerous crimes by faking their online identities or fraudulently adopting the identities of others. Cyber fraud schemes take many forms, including Nigerian-letter scams in which fraudsters e-mail victims claiming to be Nigerian government officials in need of assistance in transferring stolen funds out of Nigeria. Recipients who respond are encouraged to cover upfront the supposed expenses for the transfers themselves, upon the fraudulent promise of later repayment, and to provide personal banking information and other identifying information—which is later used to drain victims’ bank accounts.33 Other forms include frauds that convince victims to donate to fake charities, especially after natural disasters, and fraudulent online transactions or exchanges in which no payment is made to, or no good or service is received by, the victim.34

Other schemes entice victims to purchase investment and financial instruments, often
CYBER-DIGITAL TASK FORCE REPORT

marketed with misleading claims of offering low-risk, high-reward guaranteed returns or overly consistent returns. Examples include Ponzi schemes, advance fee frauds, pyramid schemes, and market manipulation frauds. These schemes can target members of affinity groups, such as groups with a common religion or ethnicity, in order to exploit that supposed connection to build trust and operate the investment fraud against the victim.35

Carding schemes are another major financial threat. These schemes involve criminals selling and purchasing hacked credit card information, typically through dark markets devoted to criminal activity, that is then used to commit fraudulent ATM transactions, purchase pre-paid gift cards, and buy goods that are then re-shipped to criminal organizations. In just one example, a group of Russian criminals hacked into systems at credit card processors, banks, retailers, and other companies, and stole over 160 million credit card numbers.36

4. Cyber-enabled crimes threatening personal privacy

Criminals regularly abuse the global reach, connectivity, and anonymity of information technology services to commit a wide range of crimes targeting specific individuals. Many of these behaviors represent reprehensible and often dangerous violations of the victim’s privacy rights, and can have lasting, damaging impact. Examples of these crimes include sextortion and non-consensual pornography (sometimes colloquially called “revenge porn”), as well as cyber-enabled harassment and stalking of victims. Criminals are using online tactics—including computer hacking, phishing attacks, and social media manipulation—to gain access to sensitive, often sexually explicit information that they use to extort, harass, or stalk all types of people, including vulnerable youth and young adults.

Sextortion fact patterns vary, but some typical scenarios have emerged. A common fact pattern involves a perpetrator demanding something of value, typically sexually explicit images, from a victim. The perpetrator enforces these demands through threats to distribute material that the victim seeks to keep private, such as embarrassing or sexually explicit images involving the victim, or through threats to harm the victim’s friends or family, for example by using stolen account information to bankrupt them. A primary tactic that sextortionists use is to lure the victim to share a compromising image or information, which, once obtained, the criminal can use to blackmail the victim into providing additional images or videos. Often, criminals use social engineering tactics to target victims. A common approach is to misrepresent themselves as peers—for example, using profile photos or avatars on social media websites bearing images close in age to the victim—to convince victims they are communicating with an age-appropriate individual who is actually interested in them. By fraudulently building a rapport using flattery, romance, and manipulation, criminals are able to befriend victims and entice them to share sensitive images or information. Other criminals have presented themselves as representatives from a modeling agency that is interested in representing the victim; still others have successfully impersonated the victim’s partner in order to trick the victim. In addition,

criminals also obtain material from victims’ online social media accounts, such as personal information and “friends lists,” which the criminals exploit to present themselves as acquaintances or someone with similar interests. Finally, some criminals simply hack into a victim’s computer and install malware that controls the device’s cameras, thereby surreptitiously capturing compromising or personal video footage of the victim. As major consumers of social media, children and young adults are particularly vulnerable to these types of offenses.

Non-consensual pornography describes the distribution of nude or sexually explicit images and videos of an individual without the victim’s consent. Images taken consensually during an intimate relationship are released once the relationship ends. Other times, perpetrators obtain consensually produced images by hacking into systems, or obtain non-consensually produced imagery through hidden cameras or by recording sexual assaults. The images may be posted online, often with identifying information and links to social media profiles, or may be sent directly to the victim’s co-workers, friends, and family.37 Non-consensual pornography sometimes overlaps with sextortion, particularly when the perpetrator threatens to distribute sexually explicit images of the victim unless the victim provides additional images or some other thing of value.

Cyber-enabled stalking and harassment are other particularly pernicious cyber threats against individuals. These terms cover similar criminal activity that threatens victims, though only cyberstalking is explicitly defined in federal criminal law.38 Cyberstalking includes any course of conduct or series of acts taken by the perpetrator that places the victim in reasonable fear of death or serious bodily injury, or causes, attempts to cause, or would reasonably be expected to cause substantial emotional distress to the victim or the victim’s immediate family. Prohibited acts include repeated, unwanted, intrusive, and frightening communications from the perpetrator by phone, e-mail, or other forms of communication; harassment and threats communicated through the Internet, such as social media sites; and the posting of information or spreading rumors about the victim on the Internet. Cyber-enabled harassment, by contrast, involves more generalized threats to victims, and includes swatting and doxxing. Swatting involves deceiving emergency responders to dispatch a SWAT team or other police unit to the victim’s home or location, purportedly because the victim has taken hostages or is otherwise armed and dangerous, which tragically has resulted in deadly outcomes. Doxxing involves broadcasting personal information about the victim on the Internet, exposing him or her to further harassment by others.

The Department vigorously pursues these acts when they rise to the level of federal crimes. As just one example, we prosecuted a Department of State employee at the U.S. Embassy in London for engaging in a widespread international computer hacking, cyberstalking, and sextortion campaign.39 This defendant’s scheme involved, among other steps, sending e-mails to thousands of potential victims pretending to be from his targets’ e-mail provider. The defendant then used these e-mails to trick victims into revealing their account passwords, which

he then used to hack into the accounts and search for sexually explicit photographs. Once the defendant located private photos, he searched for additional personal information about his victims, such as addresses and family member names. Using this information and the stolen explicit images, he then engaged in a cyberstalking campaign, threatening to release the photos if victims did not comply with his demands. This defendant ultimately was sentenced to 57 months in federal prison.40

5. Cyber-enabled crimes threatening critical infrastructure

Our Nation’s critical infrastructure provides the essential services that underpin American society and serves as the backbone of our economy, security, and health systems.41 Critical infrastructure includes the financial services sector, the electrical grid, dams, electoral systems, and over a dozen other sectors of society whose assets, systems, and networks are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on our national security, national economic security, national public health or safety, or any combination thereof.42 These sectors are highly reliant on IT systems and networks. As such, threats targeting critical infrastructure deserve particular attention. For example, major energy systems, such as pipelines and refineries, operate using networked industrial control systems that permit remote operation of massive, geographically dispersed facilities and machines. These systems rely on sophisticated computer and communication networks that adversaries target by seeking to identify vulnerabilities that can be used in the future to disrupt operations or to steal valuable proprietary information. In addition, perpetrators of ransomware schemes, as described above, have sought to exploit society’s need for critical infrastructure to remain continuously operational by targeting (and extorting) hospitals, and other vital institutions, that cannot afford any downtime.

Increased connectivity has helped U.S. companies manage and monitor their businesses, but it also has made critical infrastructure vulnerable to cyberattack. Modernization has been a double-edged sword: while it has unlocked new potential for efficiency and performance, the resulting increased connectivity between devices and systems, and especially vital systems like the electrical grid and water treatment facilities, has also created new vulnerabilities and attack vectors that must be defended.43 As a result, the industrial-control systems that manage and monitor many of our most important industrial facilities and systems are increasingly being targeted by adversaries intent on wreaking havoc.44 This is not a hypothetical threat: one of the Iranian hackers indicted for the DDoS attacks against the U.S. financial sector is also alleged repeatedly to have gained access to the Supervisory Control and Data Acquisition (“SCADA”) system of a dam in New York, allowing him to obtain information regarding the dam’s status and operation. Had the system not been under maintenance at the time, the hacker would have been able to control the dam’s sluice gate.45

Because private entities own and operate the vast majority of the Nation’s critical infrastructure, the FBI works to make threat

information available to affected sectors through briefings and widely distributed technical alerts developed jointly with DHS. In March 2018, for example, the FBI and DHS announced that for at least two years, Russian government cyber actors had “targeted government entities and multiple U.S. critical infrastructure sectors, including the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors.”46 This technical alert described a multistage Russian intrusion campaign that compromised small commercial facilities’ networks and used them to stage malware and to conduct spear-phishing attacks, which allowed the Russians to gain remote access into energy sector networks. The Russian cyber actors then conducted network reconnaissance, before moving laterally across the network and collecting information pertaining to Industrial Control Systems. U.S. Treasury Secretary Steven Mnuchin referenced this activity when announcing that OFAC had sanctioned five Russian entities and nineteen Russian individuals.47

Likewise, in May 2018, the FBI and DHS issued a technical alert notifying the public about the FBI’s high confidence that malicious North Korean government cyber actors have been using malware since at least 2009 “to target multiple victims globally and in the United States,” across various sectors—including critical infrastructure sectors.48

* * *

This non-exhaustive list highlights the varied nature of the most serious cyber threats our Nation faces. To the extent the Department’s most important responsibility is to keep Americans safe, it must continue combating these threats and aggressively monitoring how they evolve. One of the most important ways we can stay abreast (if not ahead) of cybercriminals is to fully understand the techniques they use to cause harm. The threats themselves will likely change, but the methods and tools these criminals use to commit computer intrusions and to steal from others have shown remarkable resilience.

Techniques Used to Facilitate Cyber Attacks

The availability of sophisticated technology allows criminals to commit crimes from distant locations, and to avoid detection by victims and law enforcement. Indeed, these technologies greatly expand our adversaries’ reach and impact, permitting a small number of criminals to execute intrusions, schemes, and attacks that affect millions of victims. Four of the most common tools that criminals exploit to increase the scale of their attacks include social engineering, malicious software, botnets, and criminal infrastructure.

1. Social Engineering

Social engineering is a tactic criminals use to convince or trick targets into engaging in a specific activity, often by adopting a false identity online of someone the target knows or otherwise believes to be innocuous. Unfortunately, because it preys upon widespread trust that online identities are legitimate, social engineering is surprisingly effective and

is a technique used in the vast majority of data breaches and online scams that the FBI investigates.49

In a phishing scam, for example, criminals impersonate a person or entity trusted by the victim in order to pressure the victim to engage in conduct that benefits the criminal. These schemes may involve sending fraudulent e-mails that appear to come from a legitimate source, such as a victim’s bank or Internet Service Provider (“ISP”), requesting the recipient to click on a link to a website controlled by the criminals and to divulge personal account information, or seeking to get the victim to download malware under false pretenses.50 Other fraudsters use intimidation and threats to entice the victim to act, such as by threatening to close an account, and often ask for usernames, passwords, dates of birth, Social Security numbers, bank numbers, PIN numbers, payment card numbers, or a mother’s maiden name. The goal is to acquire PII that the fraudsters can then sell or use to commit other crimes, such as making fraudulent purchases, or to gain access to the victim’s computer to steal information or install malware.

Business e-mail compromise (“BEC”) scams are another variant of social engineering, where the goal is not to have the victim provide information, but rather to transfer money. Sometimes operating as part of sophisticated transnational criminal organizations, BEC scammers can send e-mails to employees with access to a company’s financial system, tricking them into wiring payments to accounts controlled by the criminals. The e-mails often are designed to look as if they came directly from a senior executive, such as the company’s Chief Executive Officer. In some cases, the scammers pick an address that does not belong to the executive but appears to be a real address for the executive, such as being off by one letter. In more sophisticated schemes, BEC fraudsters gain access to the victim company’s e-mail system and send requests from the senior executive’s actual e-mail account. In 2016, these schemes caused over $360 million of losses reported to the FBI—the largest of any category of cybercrime tracked by IC3.52 In 2017, IC3 received over 15,000 BEC complaints with adjusted losses of over $675 million, which once again placed these schemes at the top of the loss list.52

2. Malware

Malware is malicious software that disrupts, damages, or otherwise compromises the integrity of computer systems and networks. It is frequently disseminated by fraudulently or otherwise unlawfully obtaining access to a victim’s computer or system and then launching a malicious payload on the victim’s system. Malware takes many different forms. Some versions are written to erase data or even render computers unusable, for example by overwriting critical information on their hard drives, thereby preventing the computers from starting. Other types of malware, such as ransomware programs (discussed above), render the data inaccessible by encrypting victims’ systems and demanding a ransom with the promise of restoring the victims’ data upon payment—a promise that is not always fulfilled. Spyware, including keyloggers, secretly records users’ activities on computers, especially the entering of passwords, and transmits sensitive informa-

tion back to criminals for further exploitation. Any of these actions may be performed by Trojans, which are programs disguised as legitimate software that, once uploaded onto victims’ systems, launch hidden malicious software that operates in the background without the victims’ knowledge.

3. Botnets

Botnets are vast networks of malware-infected computers and devices that criminals remotely control to conduct a wide range of cybercrime, including sending malware and spam against targets, launching DDoS attacks, and providing infrastructure for ransomware schemes. Botnets—a shortening of “robot networks”—operate as force multipliers for criminals, giving them control of hundreds, thousands, or even millions of computers to advance their schemes. Because of the relatively low cost of attempting to infect computers with malware, even a comparatively low infection rate can populate a botnet with a vast haul of compromised computers. Further, botnets help criminals cover their tracks from law enforcement by creating an intermediary layer of remotely controlled compromised systems between the criminals and investigators, making it even more challenging for law enforcement to determine who controls the botnet. Moreover, criminals running botnets often are located abroad, which further protects them due to the numerous challenges the Department faces in investigating foreign threats: limited access to digital evidence; delays caused by reliance on mutual legal assistance processes; and the possibility of safe haven from arrest or prosecution in their country of residence. The threat from botnets has increased as individual hackers and organized criminal groups have used ever more sophisticated techniques to infect computers, encrypt communications, and avoid detection by investigators. Finally, as Fig. 3 illustrates, the recent staggering growth in Internet-connected consumer devices—the so-called “Internet of Things”—has allowed malicious actors to build botnets from under-protected IoT devices to launch DDoS attacks.53

4. Criminal Infrastructure

Operating a criminal enterprise with some form of online presence requires a backend technical infrastructure that can be hidden from law enforcement. While some criminals may rely on their own computers and servers, more sophisticated operations lease services from “bulletproof hosters,” that is, web hosting companies and data centers that purposefully are extremely lenient in what content they will host, make little to no effort to verify the true identity of their customers, and are designed to be unhelpful to law enforcement requests for information about their customers. Bulletproof hosters often are located in countries with less stringent cyber regulations and under-developed domestic cybercrime law enforcement capabilities, and are akin to digital safehouses where criminals can stash malware exploit kits, run botnets, and store PII stolen from hacked databases.

In addition to bulletproof hosters, cybercriminals regularly use the Dark Web, the collection of hidden sites and services that are only accessible to users of specific routing and anonymizing services and software. In recent years, criminals have launched so-
(U//FOUO) Significant Internet of Things (IoT) Botnets

(U//FOUO) Summary: The timeline below provides a brief overview of some of the most significant IoT botnets since July 2016. All of the highlighted botnets are leveraged for Distributed Denial of Service (DDoS) attacks or for use as proxies for criminal activity.

2016
July 2016 – Mirai – Most significant IoT botnet responsible for largest DDoS attacks ever recorded; Hundreds of spinoff variants due to public source code availability; Targets devices with default user credentials
October 16, 2016 – Hajime – Targets devices with default credentials; Uses obfuscation techniques to hide infection on devices; Communicates with C2 server through a Peer to Peer (P2P) Network
November 16, 2016 – RSOCKS – Targets IoT devices via SSH brute force attacks; Uses compromised devices as proxies criminals can purchase for anonymization and other criminal activity

2017
April 5, 2017 – Brickerbot – Targets devices with default credentials; After infection conducts a Permanent Denial of Service attack on device designed to corrupt storage, disrupt connectivity, and delete files, rendering devices useless
July 2017 – Masuta – DDoS botnet; Based off of Mirai; Targets default user credentials; Source code available in a Dark Market forum
August 2017 – RouteX – Targets a known vulnerability in Netgear routers; Turns infected devices into proxies for credential validation attacks targeting financial institution and brokerage customer accounts
September 13, 2017 – Reaper – First major IoT botnet to significantly vary from Mirai; Targets devices with 32 vulnerabilities, capable of more complex attacks, and scans devices less aggressively to avoid detection
November 2017 – Nexus_Mirai – A variant of Masuta/Satori; Based on Mirai source code; Targets devices with default credentials; Named after author whose moniker is 'Nexus'
November 23, 2017 – Satori – DDoS botnet; Targets a zero-day vulnerability in Huawei Home Gateway routers and customer-premises equipment; Programmed with 65,000 default credentials combinations

2018
January 14, 2018 – Okiru – DDoS botnet; Based off of Masuta; Targets IoT devices with ARC Processors, used in more than a billion products each year
January 23, 2018 – Pure Masuta – DDoS botnet; Created by the same author as Satori/Masuta; Targets a flaw in D-Link routers and exploits a bug in the Home Network Administration Protocol
January 24, 2018 – Hide’N Seek – Primarily targets IP Cameras with open telnet ports; Uses P2P to spread to other devices
February 1, 2018 – Jen X – Connected to a gaming server rental business; DDoS capabilities available for $20; Targets a vulnerability in Huawei routers and a vulnerability in the firmware component of a wireless chipset

Figure 3: Significant Internet of Things (IoT) Botnets
Credit: FBI Cyber Division (FBICYD 280 Rev4 03-2018)
UNCLASSIFIED//FOUO
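Most of the botnets in Fig. 3 spread the same way: they sweep address ranges for devices exposing a remote-login service (telnet for the Mirai family and Hide’N Seek, SSH for RSOCKS) and log in with factory-default or brute-forced credentials. The following is an added example, not code from the report or from the FBI, of the detection logic a network defender would run over perimeter firewall logs to spot such a sweep and to inventory the devices that actually accepted a login. The log line format, the addresses, the 60-second window and the five-target threshold are all assumptions constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall log lines (not from the report): one line per inbound
# connection attempt. 198.51.100.23 sweeps the subnet on telnet ports the way
# Mirai-family bots do; 203.0.113.9 makes one ordinary HTTPS connection;
# 203.0.113.44 makes a single SSH attempt that is not, by itself, a sweep.
SAMPLE_LOG = """\
2018-03-02T10:15:01Z src=198.51.100.23 dst=192.0.2.10 dport=23 proto=tcp action=deny
2018-03-02T10:15:01Z src=198.51.100.23 dst=192.0.2.11 dport=23 proto=tcp action=deny
2018-03-02T10:15:02Z src=198.51.100.23 dst=192.0.2.12 dport=2323 proto=tcp action=deny
2018-03-02T10:15:02Z src=198.51.100.23 dst=192.0.2.13 dport=23 proto=tcp action=allow
2018-03-02T10:15:03Z src=198.51.100.23 dst=192.0.2.14 dport=23 proto=tcp action=deny
2018-03-02T10:15:03Z src=198.51.100.23 dst=192.0.2.15 dport=23 proto=tcp action=deny
2018-03-02T10:15:04Z src=203.0.113.9 dst=192.0.2.20 dport=443 proto=tcp action=allow
2018-03-02T10:15:09Z src=203.0.113.44 dst=192.0.2.30 dport=22 proto=tcp action=deny
2018-03-02T10:20:30Z src=198.51.100.23 dst=192.0.2.13 dport=23 proto=tcp action=allow
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"proto=\S+ action=(?P<action>\w+)$"
)
# telnet (23 and the 2323 alternate) and SSH (22): the services the IoT botnets
# in Fig. 3 brute-force with default or guessed credentials
REMOTE_LOGIN_PORTS = {22, 23, 2323}


def parse_log(text):
    """Parse the constructed key=value firewall format into event dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crash the detector
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "src": m["src"], "dst": m["dst"],
            "dport": int(m["dport"]), "action": m["action"],
        })
    return events


def find_login_sweeps(events, min_targets=5, window=timedelta(seconds=60)):
    """Return {src: distinct_targets} for sources that touched at least
    min_targets distinct hosts on a remote-login port within any window."""
    by_src = defaultdict(list)
    for e in events:
        if e["dport"] in REMOTE_LOGIN_PORTS:
            by_src[e["src"]].append(e)
    sweeps = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            targets = {e["dst"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            if len(targets) >= min_targets:
                sweeps[src] = max(sweeps.get(src, 0), len(targets))
    return sweeps


def find_exposed_hosts(events):
    """Internal hosts that accepted a remote-login connection from outside:
    the devices a default-credential botnet could actually take over."""
    return sorted({e["dst"] for e in events
                   if e["dport"] in REMOTE_LOGIN_PORTS and e["action"] == "allow"})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("sweeping sources:", find_login_sweeps(evs))
    print("hosts that accepted a remote login:", find_exposed_hosts(evs))
```

The sweep detector keys on the number of distinct destinations rather than the number of attempts, because a bot tries each address once or twice before moving on; a single source hammering one host is a different signature (brute force) and is handled by the host itself. The second function is the more actionable output: a device that accepted an inbound telnet or SSH session from the Internet should not exist on a managed network, whether or not a sweep was seen.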

called dark markets, that is, websites hosted on the Dark Web in which vendors and buyers congregate to buy, sell, and trade illicit goods such as narcotics, credit card numbers, hacking tools, and stolen PII in an environment that protects the vendors’ and buyers’ anonymity. In the midst of an ongoing opioid crisis, the open availability of dark markets where fentanyl and other illicit narcotics are available for purchase and are delivered direct to consumers in the United States poses a significant public health threat.

Another persistent problem on the Dark Web is online child exploitation communities where like-minded sex offenders gather to promote the sexual abuse of children, provide an environment where such conduct seems “normal,” educate each other about how to perpetrate child sex abuse without getting caught, incentivize the production of images that document child sex abuse, and share images and videos depicting the sexual abuse and exploitation of children as young as infants and toddlers. Such communities are disturbingly commonplace, and frequently involve tens of thousands of members.

The growth and continued operation of these sites and communities is made possible by anonymizing technology that effectively hides the servers hosting the sites, as well as users, from normal law enforcement techniques. The best-known technology of this type is free software called The Onion Router (“Tor”). Tor transmits internet traffic through a global volunteer network of thousands of relays (i.e., proxy computers), using layers of encryption to obscure users’ identities and geographical locations. Tor not only

THE ONION ROUTER (TOR)

Tor operates by routing encrypted communications through a series of relay computers. This obscures the route of the communications, thereby frustrating monitoring by third-parties, such as law enforcement. Communications sent from a computer using Tor are bounced through a series of intermediary servers, known as relays or nodes, chosen from among thousands of servers located throughout the world that individuals have volunteered to be part of the Tor network. Communications sent through these nodes—known as the Guard, Relay, and Exit nodes—are encrypted in a manner that conceals both the contents of the communication and the IP address of the computer that sent the communication. Each node knows only which other node gave it data, and which node is receiving data. None of the intermediate Tor nodes ever has access to both the sender’s true IP address and the actual content of the communication.
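The sidebar above states the property that makes onion routing hard to trace: each node learns only its neighbours, and no single node sees both the sender’s address and the content. The following is an added example, not code from the report or from the Tor Project, that simulates that layering with a three-hop circuit and records what each node can observe. It assumes the per-hop keys are already shared (real Tor negotiates them during circuit setup) and uses a SHA-256 keystream XOR as a stand-in cipher for illustration only; the node names, addresses and message are constructed.

```python
import hashlib

# Toy keystream cipher, constructed for this example only. Real Tor uses a
# proper stream cipher (AES in counter mode) with keys negotiated per circuit;
# this XOR construction has no nonce and must not be reused outside the demo.
def _keystream(key: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def xor_crypt(key: bytes, data: bytes) -> bytes:
    """Encrypt and decrypt are the same operation for a keystream XOR."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


def _frame(next_hop: str, payload: bytes) -> bytes:
    # One layer = [len(next_hop)][next_hop][inner payload]; only the node
    # holding this layer's key can read where to forward the inner payload.
    hop = next_hop.encode()
    return bytes([len(hop)]) + hop + payload


def wrap_onion(hops, destination: str, message: bytes) -> bytes:
    """Build the onion the sender hands to the guard. `hops` is an ordered
    list of (node_name, shared_key); the innermost layer is for the exit."""
    blob, next_hop = message, destination
    for name, key in reversed(hops):
        blob = xor_crypt(key, _frame(next_hop, blob))
        next_hop = name
    return blob


def peel_layer(key: bytes, blob: bytes):
    """What one relay does: strip its own layer and learn only the next hop."""
    frame = xor_crypt(key, blob)
    n = frame[0]
    return frame[1:1 + n].decode(), frame[1 + n:]


def run_circuit(sender_ip: str, hops, destination: str, message: bytes):
    """Simulate the three relays and record what each one can observe."""
    blob = wrap_onion(hops, destination, message)
    prev, views = sender_ip, {}
    for name, key in hops:
        next_hop, blob = peel_layer(key, blob)
        views[name] = {
            "prev": prev,                     # who handed this node data
            "next": next_hop,                 # who it forwards to
            "sees_content": blob == message,  # true only once every layer is off
        }
        prev = name
    return views, blob  # blob is the plaintext the exit forwards to destination


def links_sender_to_content(views, sender_ip: str) -> bool:
    """True if any single node saw both the sender's IP and the plaintext."""
    return any(v["prev"] == sender_ip and v["sees_content"] for v in views.values())


# Constructed circuit: keys are assumed pre-shared for the example.
HOPS = [("guard", b"guard-key"), ("middle", b"middle-key"), ("exit", b"exit-key")]
SENDER_IP = "203.0.113.7"
DESTINATION = "example.org:443"
MESSAGE = b"GET / HTTP/1.1"

if __name__ == "__main__":
    circuit_views, delivered = run_circuit(SENDER_IP, HOPS, DESTINATION, MESSAGE)
    for node, view in circuit_views.items():
        print(node, view)
    print("exit delivers:", delivered)
    print("any node links sender to content:",
          links_sender_to_content(circuit_views, SENDER_IP))
```

Running it shows the guard with the sender’s address but only ciphertext, the exit with the plaintext but only the middle relay as its previous hop, and the middle relay with neither. That split is also why the sidebar’s last sentence matters for investigators: correlating a sender with content requires observing both ends of the circuit, not compromising any one relay.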

anonymizes criminals’ Internet traffic, but also allows them to host websites, called Hidden Services, on servers whose location is similarly masked using Tor. Criminals have exploited Hidden Services to facilitate numerous forms of illicit commercial and other criminal activity. Some of the most infamous Hidden Services are dark markets, including the now-shuttered Silk Road and AlphaBay, as well as notorious child exploitation communities. The Department’s successes in shutting down these illicit marketplaces are described in further detail in Chapter 3.

Criminals’ exploitation of increasingly sophisticated technologies to cover their tracks and avoid being caught represents a significant challenge to law enforcement. Criminals executing ransomware schemes often use anonymizing networks such as Tor to communicate with victims, even going so far as to set up Tor Hidden Services websites to answer victims’ questions and to facilitate payment. In addition, the use of anonymizing proxy networks interferes with law enforcement’s ability to trace these communications and identify the actors running the ransomware. Criminals also increasingly require payments to be made using virtual currencies or other mechanisms that complicate law enforcement efforts to track those payments. We discuss the impact of such anonymizing technologies on our investigations in Chapter 3. For now, suffice it to say that no discussion of the cyber threats our Nation confronts would be complete without the simple observation that as the Department continues to wage battle against cybercriminals, it will need to adequately meet the challenges posed by anonymizing technologies.
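Returning to the business e-mail compromise schemes described earlier in this chapter: the report notes that scammers either borrow an executive’s name on an unrelated address or pick an address that is “off by one letter.” The following is an added example, not code from the report or from the FBI, of the header checks a mail gateway would apply to inbound wire-transfer requests to flag both variants, plus the common Reply-To redirection. The executive directory, the domain example.com and the two sample messages are constructed for the example; the two-edit threshold is an assumption.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed directory of executives whose identity BEC mail tends to borrow.
PROTECTED_SENDERS = {
    "Jane Doe": "jane.doe@example.com",  # hypothetical CEO
}
MAX_EDITS = 2  # "off by one letter" and similar near-misses (assumed threshold)


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch addresses that differ by a letter or two."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_sender(raw_message: str) -> list:
    """Return the BEC indicators found in the From and Reply-To headers."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    display_name, addr = parseaddr(str(msg.get("From", "")))
    display_name, addr = display_name.strip().lower(), addr.lower()
    findings = []
    for exec_name, exec_addr in PROTECTED_SENDERS.items():
        # Variant 1: the executive's name on an address that is not theirs.
        if display_name == exec_name.lower() and addr != exec_addr:
            findings.append(f"display name '{exec_name}' on non-executive address {addr}")
        # Variant 2: an address a letter or two away from the real one.
        distance = levenshtein(addr, exec_addr)
        if 0 < distance <= MAX_EDITS:
            findings.append(f"address {addr} is {distance} edit(s) from {exec_addr}")
    # Replies silently redirected away from the visible sender.
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1].lower()
    if reply_to and reply_to != addr:
        findings.append(f"Reply-To {reply_to} differs from From {addr}")
    return findings


# Constructed sample messages (not real mail).
LOOKALIKE = """\
From: Jane Doe <jane.doe@examp1e.com>
Reply-To: jane.doe.ceo@mail.invalid
To: accounts@example.com
Subject: Urgent wire today

Please wire the attached invoice before close of business.
"""

LEGITIMATE = """\
From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Subject: Q3 numbers

Attached are the quarterly figures.
"""

if __name__ == "__main__":
    for label, raw in (("lookalike", LOOKALIKE), ("legitimate", LEGITIMATE)):
        print(label, assess_sender(raw) or "no indicators")
```

These checks catch the impersonation variants but not the one the report calls more sophisticated, where the request comes from the executive’s real, compromised account: that message has a clean From header by construction. The header check therefore belongs alongside, not instead of, a payment-process control that confirms any new or changed wire instruction out of band.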

NOTES

1. From the guilty plea materials in United States v. Paras Jha, No. 17-CRM-164 (D. Alaska, Dec. 5, 2017), available at: https://www.justice.gov/opa/press-release/file/1017546/download (last accessed June 29, 2018).

2. See “Alert (TA16-288A): Heightened DDoS Threat Posed by Mirai and Other Botnets,” United States Computer Emergency Readiness Team, U.S. Dept. of Homeland Security (last revised Oct. 17, 2017), available at: https://www.us-cert.gov/ncas/alerts/TA16-288A (last accessed June 29, 2018).

3. Jha guilty plea, supra note 1.

4. See Indictment in United States v. Ahmad Fathi, et al., No. 16-CRM-48 (S.D.N.Y., March 24, 2016), available at: https://www.justice.gov/opa/file/834996/download (last accessed June 29, 2018).

5. See Press Release, “Treasury Targets Supporters of Iran’s Islamic Revolutionary Guard Corps and Networks Responsible for Cyber-Attacks Against the United States,” U.S. Dept. of Treasury (Sept. 14, 2017), available at: https://www.treasury.gov/press-center/press-releases/Pages/sm0158.aspx (last accessed June 29, 2018).

6. See Sujit Raman, “Petya or NotPetya? It All Just Makes You WannaCry!” RSA Conference 2018 (April 16, 2018) at 3, available at: https://published-prd.lanyonevents.com/published/rsaus18/sessionsFiles/8546/SEM-M03-Ransomware-and-Destructive-Attacks-Raman.pdf (last accessed June 29, 2018).

7. “Press Briefing on the Attribution of the WannaCry Malware Attack to North Korea,” The White House (Dec. 19, 2017), available at: https://www.whitehouse.gov/briefings-statements/press-briefing-on-the-attribution-of-the-wannacry-malware-attack-to-north-korea-121917/ (last accessed June 29, 2018).

8. Andrew E. Kramer, “Ukraine Cyberattack Was Meant to Paralyze, not Profit, Evidence Shows,” N. Y. Times (June 28, 2017), available at: https://www.nytimes.com/2017/06/28/world/europe/ukraine-ransomware-cyberbomb-accountants-russia.html (last accessed June 29, 2018).

9. See the grugq, “Pnyetya: Yet Another Ransomware Outbreak,” The Medium (June 27, 2017), available at: https://medium.com/@thegrugq/pnyetya-yet-another-ransomware-outbreak-59afd1ee89d4 (last accessed June 29, 2018) (contemporaneous reporting noting that “the worm . . . has an extremely poor payment pipeline,” observing that “the pseudo-ransomware is in fact a wiper, with no potential for successfully recovering from an attack,” and concluding: “[T]he real Petya was a criminal enterprise for making money. This is definitely not designed to make money. This is designed to spread fast and cause damage, with a plausibly deniable cover of ‘ransomware.’”).

10. “Statement from the Press Secretary,” The White House (Feb. 15, 2018), available at: https://www.whitehouse.gov/briefings-statements/statement-press-secretary-25/ (last accessed June 29, 2018).

11. “Press Briefing on the Attribution of the WannaCry Malware Attack to North Korea,” The White House (Dec. 19, 2017), available at: https://www.whitehouse.gov/briefings-statements/press-briefing-on-the-attribution-of-the-wannacry-malware-attack-to-north-korea-121917/ (last accessed June 29, 2018).

12. See Keith Wagstaff, “Sony Hack Exposed 47,000 Social Security Numbers, Security Firm Says,” NBC News (Dec. 5, 2014), available at: http://www.nbcnews.com/storyline/sony-hack/sony-hack-exposed-47-000-social-security-numbers-security-firm-n262711 (last accessed June 29, 2018).

13. Press Release, “Treasury Imposes Sanctions Against the Government of The Democratic People’s Republic Of Korea,” U.S. Dept. of Treasury (Jan. 2, 2015), available at: https://www.treasury.gov/press-center/press-releases/Pages/jl9733.aspx (last accessed June 29, 2018).

14. Risk Placement Services, Data Breach QuickView Report, First Quarter 2018 2, 9 (2018), available at: https://www.rpsins.com/knowledge-center/items/data-breach-report-q1-2018/ (last accessed June 29, 2018).

15. Ponemon Institute, 2017 Cost of Data Breach Study: United States, p. 1, available at https://www.ponemon.org/library/2017-cost-of-data-breach-study-united-states (last accessed June 29, 2018).

16. Federal Bureau of Investigation, 2016 Internet Crime Report 20, 21, available at: https://pdf.ic3.gov/2016_IC3Report.pdf (last accessed June 29, 2018).

17. “What Happened,” Office of Personnel Management Cybersecurity Resource Center (2015), available at: https://www.opm.gov/cybersecurity/cybersecurity-incidents/ (last accessed June 29, 2018).

18. “U.S. Charges Russian FSB Officers and Their Criminal Conspirators for Hacking Yahoo and Millions of Email Accounts,” U.S. Dept. of Justice (March 15, 2017), available at: https://www.justice.gov/opa/pr/us-charges-russian-fsb-officers-and-their-criminal-conspirators-hacking-yahoo-and-millions (last accessed June 29, 2018).

19. “Canadian Hacker Who Conspired With and Aided Russian FSB Officers Pleads Guilty,” U.S. Dept. of Justice (November 28, 2017), available at: https://www.justice.gov/opa/pr/canadian-hacker-who-conspired-and-aided-russian-fsb-officers-pleads-guilty (last accessed June 29, 2018).

20. Executive Order 13757, “Taking Additional Steps to Address the National Emergency with respect to Significant Malicious Cyber-Enabled Activities,” available at: https://www.treasury.gov/resource-center/sanctions/Programs/Documents/cyber2_eo.pdf (last accessed June 29, 2018). This order was later modified to permit U.S. persons shipping technology goods to Russia to obtain licenses from the FSB, as required by the Russian government. “General License No. 1, Authorizing Certain Transactions with the FSS,” available at: https://www.treasury.gov/resource-center/sanctions/Programs/Documents/cyber_gl1.pdf (last accessed June 29, 2018).

21. Press Release, “ISIL-Linked Kosovo Hacker Sentenced to 20 Years in Prison,” U.S. Dept. of Justice (Sept. 23, 2016), available at: https://www.justice.gov/opa/pr/isil-linked-kosovo-hacker-sentenced-20-years-prison (last accessed June 29, 2018).

22. Commission on the Theft of American Intellectual Property, Update to the IP Commission Report, at 1 (2017), available at: http://www.ipcommission.org/report/IP_Commission_Report_Update_2017.pdf (last accessed June 29, 2018).

23. National Counterintelligence and Security Center, Evolving Cyber Tactics in Stealing U.S. Economic Secrets: Report to Congress on Foreign Economic Collection and Industrial Espionage in Cyberspace, at 1 (Nov. 2016).

24. Center for Responsible Enterprise And Trade & PricewaterhouseCoopers LLP, Economic Impact of Trade Secret Theft 3 (2014), available at: https://create.org/wp-content/uploads/2014/07/CREATe.org-PwC-Trade-Secret-Theft-FINAL-Feb-2014_01.pdf (last accessed June 29, 2018).

25. Press Release, “Member Of Megaupload Conspiracy Pleads Guilty to Copyright Infringement Charges and is Sentenced to One Year in U.S. Prison,” U.S. Dept. of Justice (Feb. 13, 2015), available at: https://www.justice.gov/opa/pr/member-megaupload-conspiracy-pleads-guilty-copyright-infringement-charges-and-sentenced-one (last accessed June 29, 2018).

26. Press Release, “U.S. Authorities Charge Owner of Most-Visited Illegal File-Sharing Website with Copyright Infringement,” U.S. Dept. of Justice (July 20, 2016), available at: https://www.justice.gov/opa/pr/us-authorities-charge-owner-most-visited-illegal-file-sharing-website-copyright-infringement (last accessed June 29, 2018).

27. See Press Release, “Chinese Company Sinovel Wind Group Convicted of Theft of Trade Secrets,” U.S. Dept. of Justice (Jan. 24, 2018), available at: https://www.justice.gov/opa/pr/chinese-company-sinovel-wind-group-convicted-theft-trade-secrets (last accessed June 29, 2018).

28. See Press Release, “FACT SHEET: President Xi Jinping’s State Visit to the United States,” The White House (Sept. 25, 2015), available at: https://obamawhitehouse.archives.gov/the-press-office/2015/09/25/fact-sheet-president-xi-jinpings-state-visit-united-states (last accessed June 29, 2018).

29. See Press Release, “FACT SHEET: The 2015 G-20 Summit in Antalya, Turkey,” The White House (Nov. 16, 2015), available at: https://obamawhitehouse.archives.gov/the-press-office/2015/11/16/fact-sheet-2015-g-20-summit-antalya-turkey (last accessed June 29, 2018).

30. “Findings of the Investigation into China’s Acts, Policies, and Practices related to Technology Transfer, Intellectual Property, and Innovation under Section 301 of the Trade Act of 1974,” Office of the United States Trade Representative (March 22, 2018), at 169, available at: https://ustr.gov/sites/default/files/Section%20301%20FINAL.PDF (last accessed June 29, 2018) (citing reports).

31. Press Release, “U.S. Charges Three Chinese Hackers Who Work at Internet Security Firm for Hacking Three Corporations for Commercial Advantage,” U.S. Dept. of Justice (Nov. 27, 2017), available at: https://www.justice.gov/opa/pr/us-charges-three-chinese-hackers-who-work-internet-security-firm-hacking-three-corporations (last accessed June 29, 2018).

32. Elias Groll, “Feds Quietly Reveal Chinese State-Backed Hacking Operation,” Foreign Policy (Nov. 30, 2017), available at: http://foreignpolicy.com/2017/11/30/feds-quietly-reveal-chinese-state-backed-hacking-operation/ (last accessed June 29, 2018) (quoting Department spokesperson).

33. Federal Bureau of Investigation, “Nigerian Letter or ‘419’ Fraud,” available at: https://www.fbi.gov/scams-and-safety/common-fraud-schemes/nigerian-letter-or-419-fraud (last accessed June 29, 2018).

34. Federal Bureau of Investigation, “Business Fraud,” available at https://www.fbi.gov/scams-and-safety/common-fraud-schemes/business-fraud (last accessed June 29, 2018).

35. Federal Bureau of Investigation, “Investment Fraud,” available at https://www.fbi.gov/scams-and-safety/common-fraud-schemes/investment-fraud (last accessed June 29, 2018).

36. Press Release, “Two Russian Nationals Sentenced to Prison for Massive Data Breach Conspiracy,” U.S. Dept. of Justice (Feb. 15, 2018), available at: https://www.justice.gov/opa/pr/two-russian-nationals-sentenced-prison-massive-data-breach-conspiracy (last accessed June 29, 2018).

37. See Joey L. Blanch & Wesley L. Hsu, “An Introduction to Violent Crime on the Internet,” United States Attorneys’ Bulletin (May 2016), at 2.

38. See 18 U.S.C. § 2261A.

39. Press Release, “Former U.S. State Department Employee Sentenced to 57 Months in Extensive Computer Hacking, Cyberstalking and “Sextortion” Scheme,” U.S. Dept. of Justice (March 21, 2016), available at: https://www.justice.gov/opa/pr/former-us-state-department-employee-sentenced-57-months-extensive-computer-hacking (last accessed June 29, 2018).

40. This report does not detail related crimes involving the sexual exploitation of children. For more detail on this criminal threat, see U.S. Dept. of Justice, The National Strategy for Child Exploitation Prevention and Interdiction (Apr. 2016), available at: https://www.justice.gov/psc/file/842411/download (last accessed June 29, 2018).

41. “Critical Infrastructure Security,” U.S. Dept. of Homeland Security, available at: https://www.dhs.gov/topic/critical-infrastructure-security (last accessed June 29, 2018).

42. 42 U.S.C. § 5195c(e).

43. See Richard J. Campbell, “Cybersecurity Issues for the Bulk Power System,” Cong. Research Serv., R43989, at 9 (June 10, 2015), available at: https://www.fas.org/sgp/crs/misc/R43989.pdf (“Over time, modification of SCADA [Supervisory Control and Data Acquisition] systems has resulted in connection of many of these older, legacy systems to the Internet.”) (last accessed June 29, 2018).

44. See id.

45. See Fathi indictment, supra note 4, at 14-16.

46. Alert TA18-074A, “Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure,” U.S. Computer Emergency Readiness Team, U.S. Dept. of Homeland Security (March 15, 2018), available at: https://www.us-cert.gov/ncas/alerts/TA18-074A (last accessed June 29, 2018).

47. Press Release, “Treasury Sanctions Russian Cyber Actors for Interference with the 2016 U.S. Elections and Malicious Cyber-Attacks,” U.S. Dept. of Treasury (Mar. 15, 2018), available at: https://home.treasury.gov/news/press-releases/sm0312 (last accessed June 29, 2018).

48. Alert TA18-149A, “HIDDEN COBRA – Joanap Backdoor Trojan and Brambul Server Message Block Worm,” U.S. Computer Emergency Readiness Team, U.S. Dept. of Homeland Security (last revised May 31, 2018), available at: https://www.us-cert.gov/ncas/alerts/TA18-149A (last accessed June 29, 2018).

49. See generally Mollie Halpern & Patrick Geahan, “FBI, This Week: Social Engineering,” Federal Bureau of Investigation (Oct. 14, 2016) (podcast transcript), available at: https://www.fbi.gov/audio-repository/ftw-podcast-social-engineering-101416.mp3/view (last accessed June 29, 2018).

50. “Consumer Information: Phishing,” Federal Trade Commission (July 2017), available at: https://www.consumer.ftc.gov/articles/0003-phishing (last accessed June 29, 2018).

51. Federal Bureau of Investigation, 2016 Internet Crime Report 1, 9, available at: https://pdf.ic3.gov/2016_IC3Report.pdf (last accessed June 29, 2018).

52. Federal Bureau of Investigation, 2017 Internet Crime Report 3, 12, available at: https://pdf.ic3.gov/2017_IC3Report.pdf (last accessed June 29, 2018).

53. See “A Report to the President on Enhancing the Resilience of the Internet and Communications Ecosystem Against Botnets and Other Automated, Distributed Threats,” U.S. Dept. of Commerce & U.S. Dept. of Homeland Security (May 22, 2018), available at: https://www.commerce.gov/sites/commerce.gov/files/media/files/2018/eo_13800_botnet_report_-_finalv2.pdf (last accessed June 29, 2018).

54. Exploit kits are a type of malicious toolkit used to exploit security holes found in software applications for the purpose of spreading malware. These kits come with pre-written exploit code and target users running insecure or outdated software applications on their computers.

55. Press Release, “Ross Ulbricht, The Creator And Owner Of The “Silk Road” Website, Found Guilty In Manhattan Federal Court On All Counts,” U.S. Dept. of Justice (Feb. 5, 2015), available at: https://www.justice.gov/usao-sdny/pr/ross-ulbricht-creator-and-owner-silk-road-website-found-guilty-manhattan-federal-court (last accessed June 29, 2018).

56. Press Release, “AlphaBay, the Largest Online ‘Dark Market,’ Shut Down,” U.S. Dept. of Justice (July 20, 2017), available at: https://www.justice.gov/opa/pr/alphabay-largest-online-dark-market-shut-down (last accessed June 29, 2018).

57. See, e.g., Press Release, “Colorado and Illinois Men Sentenced to Prison for Engaging in Child Exploitation Enterprise,” U.S. Dept. of Justice (Oct. 18, 2016), available at: https://www.justice.gov/opa/pr/colorado-and-illinois-men-sentenced-prison-engaging-child-exploitation-enterprise (last accessed June 29, 2018).

Chapter 3
Detecting, Deterring, and Disrupting Cyber Threats

The Department of Justice plays an essential role in detecting, deterring, and disrupting cyber threats. As the Nation’s chief law enforcement officer, the Attorney General leads the Department’s criminal and national security initiatives. Working with and through the Criminal Division, the National Security Division, and the 93 U.S. Attorney’s Offices across the country, the Attorney General sets priorities for how those activities are conducted.1

Since the early 1990s, when the commercial Internet was in its infancy, the Department has combated computer crime. In the intervening years, the Department has expanded its focus to address burgeoning threats to public safety, economic security, and national security flowing from the widespread adoption of the Internet. Today, the Department deters and disrupts a broad spectrum of the Nation’s cyber threats by enforcing federal laws through the array of legal tools and capabilities that its investigators and prosecutors have at their disposal.

In this chapter, we describe the key methods investigators and prosecutors use to gather evidence about cyber threats. We then explain the key legal authorities the Department applies to bring perpetrators to justice, or otherwise to disrupt and dismantle malicious cyber activity.

Key Investigative Techniques

To successfully bring malign cyber actors to justice, law enforcement first must gather evidence of their criminal activity and attribute that activity to particular individuals, organizations, or nation states. The key methods and sources of evidence for disrupting cyber threats include: gathering materials during incident response; reviewing open source data; conducting online reconnaissance; searching records from online providers; undertaking undercover investigations; engaging in authorized electronic surveillance; tracing financial transactions; searching storage media; and applying a variety of special techniques. Often, investigators also must work cooperatively with foreign partners to access evidence and disrupt transnational cyber threats.

1. Evidence Collection During Incident Response

Often the first evidence collected in an investigation concerning a cyber threat comes from the victim as part of the incident response. The Department encourages victims to contact law enforcement as soon as they believe they are the victim of a computer intrusion. Although many victims will simply provide consent to investigators collecting digital evidence on scene, subpoenas and search warrants can be obtained if the victim prefers. In either case, investigators are committed to working collaboratively with victims to minimize any disruption to business during an investigation.

After obtaining digital copies of any affected devices, investigators may then turn to other devices in the victim’s architecture, including firewalls, log servers, and routers, to look for additional evidence of the perpetrator’s presence. Investigators will also image these devices, as needed, and forensically examine them. Such devices often contain traces of a criminal’s passage through the infrastructure on the way to the affected device. In particular, many devices maintain log files that show when, and from where, the device was accessed. In addition to preserving and copying digital evidence, investigators may interview employees (especially those tasked with responding to cyber threats or securing infrastructure), regular users of the affected systems, and management.

2. Online Data Review and Reconnaissance

After reviewing information obtained from a victim or other primary sources of information regarding a cyberattack, investigators frequently will review online data, which may be open source, to determine their next investigative steps. In undertaking these actions, as with all their actions, investigators are trained to act consistently with our Nation’s rule of law principles, and with our society’s foundational respect for civil rights and civil liberties.2

The first step in online reconnaissance often involves use of the Internet Corporation for Assigned Names and Numbers’ WHOIS database.3 WHOIS is a directory of all of the IP addresses and domains on the Internet. WHOIS records usually display the name and contact information of the registrar (the business that sold the IP address or domain). Investigators can use the contact information to send legal process to the registrar in order to discover more information about the registrant (the user of the IP address or domain). WHOIS often contains self-reported information about the registrant, as well. In addition, an investigator often can tell from WHOIS and related information where a website is being hosted or who is hosting the e-mail server for a website, either (or both) of which can provide additional avenues for investigation.

After consulting WHOIS, investigators often perform online reconnaissance of the identifiers they have collected. This reconnaissance includes web searches looking for whether the identifiers have been used elsewhere and searches of social media to determine whether the identifiers are related to any accounts.

3. Searching Records from Online Providers

Successful WHOIS searches and online reconnaissance often result in the identification of e-mail providers, social media companies, registrars, and web hosting and computer hosting companies that may control additional evidence about a subject or target of an investigation. At this stage, an investigator will rely heavily on the provisions of the Electronic Communications Privacy Act (“ECPA”),4 which specifically permits investigators to request evidence from providers of electronic communications and computer processing. Investigative teams may issue subpoenas to collect basic information about a subscriber to an identified account. Investigators also may use court orders issued under the authority of section 2703(d) of title 18, United States Code, which allows them to access additional non-content records for online accounts, such as log files or the e-mail addresses of others with whom the subscriber has corresponded.

Finally, with probable cause, investigators can seek a search warrant from a judge to obtain the contents of accounts, including copies of e-mails, photographs, text messages, and any other files stored with a provider up to and including the contents of an entire computer belonging to a target of the investigation and hosted with the provider.5 Because cyber threat actors often communicate with each other using electronic communications to plan and execute their activities, these accounts can contain vast quantities of useful evidence. In addition, cyber threat actors sometimes keep other evidence in the contents of their accounts, such as records of their criminal activities, pictures that place them at the scene or with other members of the conspiracy, and other evidence that can help identify the actors and connect them to the illicit activity.

4. Online Undercover Operations

In order to investigate cyber threat activity, investigators may establish covert personas or consensually assume the accounts and identities of victims or cooperators to communicate online with the targets of the investigation. From such undercover operations, investigators gather inculpatory contents from communications, additional accounts, IP addresses, criminal proceeds, and records of criminal transactions such as the purchase of malware, botnets, or stolen credit cards.

5. Electronic Surveillance

Investigators may also need to conduct online surveillance on their targets. There are three federal statutes that authorize the collection of data on a real-time basis: the pen register and trap and trace (“PRTT”) statute,6 the wiretap statute,7 and the Foreign Intelligence Surveillance Act (“FISA”).8 All three generally require investigators to obtain court authorization.

A PRTT allows investigators to obtain the dialing, routing, addressing, and signaling information of communications, including dialed calls, IP addresses, and e-mail headers. PRTTs can be obtained for cell phones, e-mail accounts, and other social media or messaging applications. Although a PRTT does not obtain the content of any communications, it can be useful in determining whether an account is still being used for criminal purposes, to help identify co-conspirators, or to locate a target.

(NEW) RULE 41(b)(6)

Under Rule 41(b)(6) of the Federal Rules of Criminal Procedure, which went into effect in December 2016, “a magistrate judge with authority in any district where activities related to a crime may have occurred has authority to issue a warrant to use remote access to search electronic media and to seize or copy electronically stored information located within or outside that district if: (A) the district where the media or information is located has been concealed through technological means; or (B) in an investigation of a violation of 18 U.S.C. § 1030(a)(5), the media are protected computers that have been damaged without authorization and are located in five or more districts.”

This provision makes two narrow, but important, changes in the law. First, where a suspect has hidden the location of his or her computer using technological means, the new Rule ensures that federal agents know which judge to go to in order to apply for a warrant. Second, where the crime involves the hacking of computers located in five or more different judicial districts, the new Rule ensures that federal agents may identify one judge to review an application for a search warrant rather than having to submit separate warrant applications in each judicial district across the nation—up to 94—where a computer is affected. In sum, Rule 41(b)(6) addresses the unique challenges created by botnet activity by clarifying that courts may issue warrants authorizing the search of multiple computers when the identified computers are located in multiple judicial districts.

Court-authorized wiretaps under the Wiretap Act or FISA permit investigators to listen to or observe the contents of communications in or near real time. For example, investigators can intercept wire and electronic communications over a target’s cell phone or read the target’s e-mail as it is sent, allowing them to locate targets, confirm relationships within a conspiracy, disrupt new criminal activity, and confirm previous activity. Every federal wiretap application must be approved by a senior Department official before it is submitted to a court. Federal courts, in turn, apply rigorous standards both in authorizing and supervising wiretaps.

6. Special Techniques

Cyber threat actors often try to hide their identities by disguising their IP address. A common way to do this is by using a proxy computer, which sits between the actor and his victim, to obfuscate the actor’s IP address. As described in Chapter 2, threat actors also will often use The Onion Router (“Tor”), which is a particularly sophisticated network of relay computers, to hide their true IP address. To circumvent the challenges presented by threat actors’ use of proxies and Tor, investigators can use Network Investigative Techniques (“NITs”). NITs include computer code that investigators can send covertly to a device that is hidden behind proxies. Once installed, a NIT can send law enforcement particular information, often including the device’s true IP address—which investigators then can use to identify the subscriber and user of the device.

As described in Chapter 2, botnets pose unique challenges for law enforcement and so require special techniques to investigate and disrupt them. Identifying victim computers (or “bots”) can be very difficult because the bots may be spread throughout the world. Criminal dark markets that rent or sell botnet access often obfuscate the location and other identifying information about individual bots. Until recently, this posed a significant jurisdictional hurdle, as an investigator had to know the location of a bot to get a search warrant for it. Now, thanks to a recent Department-led initiative to amend the Federal Rules of Criminal Procedure (see page 52), magistrate judges can authorize search warrants even if the location of the subject of the warrant is unknown. Botnets are controlled by command and control servers (“C2 servers”), which periodically issue orders to the bots. One way to disrupt a botnet is to seize control of the C2 server. Investigators can use criminal authorities to seize C2 servers; they can also use civil injunctive authority to seek the redirection of computers under the control of the botnet to a server controlled by the court, instead of by the threat actor’s C2 server.

7. Tracing Financial Transactions

Pursuing illicit assets is an important part of any fraud investigation, and computer crime cases are no exception. To pursue traditional bank accounts, the United States has made extensive use of asset forfeiture authorities, including seizures involving correspondent bank accounts, as well as of sanctions programs, including the Global Magnitsky sanctions authority, to keep tainted funds out of the U.S. financial system. Yet, cybercriminals increasingly use virtual currencies to advance their activities and to conceal their assets. Because most virtual currencies lack any central authority, seizing them requires different approaches.

In recent years, the Department has relied on a variety of legal authorities to seize virtual currency that has been derived from illegal activity. These authorities include civil forfeiture orders, seizure warrants, and search warrants. Where, for instance, a target of an investigation stores virtual currency with a third-party service—typically, a virtual currency exchanger—investigators may seize that virtual currency by obtaining a seizure warrant for the user’s account at that

VIRTUAL CURRENCIES

“Virtual currencies” such as Bitcoin, Ether, and Monero are electronic assets that are circulated over the Internet as a form of value but are not backed by any government. Though virtual currencies have legitimate uses, they also often enable individuals to transfer money with high levels of anonymity to other users worldwide. Cyber criminals frequently transact in virtual currencies, and online criminal markets rely on virtual currencies to enable the purchase and sale of a wide variety of illegal goods and services. While law enforcement has made strides in its ability to trace virtual currency transactions, criminals often launder their virtual currency by mixing one user’s money with multiple other users’, or sending their virtual currency through a convoluted series of transactions, a process often called “mixing” or “tumbling.”
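The sidebar above notes that investigators trace virtual currency transactions across the public ledger and that criminals try to defeat that tracing by mixing. The following Python script is an added illustration, not code from the report or from the Department: it runs proportional taint attribution over a small constructed ledger (the addresses, transaction ids and the “ExampleExchange” label are all made up), shows how a mixing-shaped transaction dilutes rather than erases the trail, and lists the transaction chains by which tainted value reaches a labelled exchange deposit address, which is the point at which legal process such as a seizure warrant would be directed.

```python
"""Following tainted value across a public ledger (added example)."""
from collections import defaultdict
from fractions import Fraction

# Constructed ledger, not real chain data. Each transaction spends its listed
# inputs in full and distributes the total to its outputs (a simplified
# UTXO-style model; amounts are integer base units).
LEDGER = [
    {"txid": "tx1", "inputs": [("ransom_addr", 1000)],
     "outputs": [("hop_a", 600), ("hop_b", 400)]},
    # tx2 has the shape of a mixing transaction: three unrelated users pool
    # equal inputs and each receives an equal output, so no single output can
    # be tied to a single input.
    {"txid": "tx2",
     "inputs": [("hop_a", 600), ("user_x", 600), ("user_y", 600)],
     "outputs": [("out_1", 600), ("out_2", 600), ("out_3", 600)]},
    {"txid": "tx3", "inputs": [("out_2", 600)],
     "outputs": [("exchange_deposit", 600)]},
    {"txid": "tx4", "inputs": [("hop_b", 400)],
     "outputs": [("exchange_deposit", 390), ("hop_b_change", 10)]},
]

# Hypothetical attribution of a deposit address to a service that could be
# served with legal process (constructed label, not a real entity).
SERVICE_ADDRESSES = {"exchange_deposit": "ExampleExchange"}


def trace_taint(ledger, origin, amount):
    """Proportional ("haircut") taint propagation from `origin`.

    For each transaction, the tainted share of its inputs is spread over all
    outputs in proportion to output value; exact arithmetic keeps the total
    taint conserved. Returns {address: Fraction} for addresses still holding
    tainted value.
    """
    taint = defaultdict(Fraction)
    taint[origin] = Fraction(amount)
    for tx in ledger:  # ledger is in chronological order
        total_in = sum(value for _, value in tx["inputs"])
        tainted_in = Fraction(0)
        for addr, value in tx["inputs"]:
            spent = min(taint[addr], Fraction(value))
            tainted_in += spent
            taint[addr] -= spent  # tainted coins leave the input address
        if tainted_in == 0:
            continue
        ratio = tainted_in / total_in
        for addr, value in tx["outputs"]:
            taint[addr] += Fraction(value) * ratio
    return {addr: t for addr, t in taint.items() if t > 0}


def service_exposure(taint, service_addresses):
    """Aggregate tainted value sitting at labelled service addresses, i.e.
    the exchanges and other parties through which money leaves the chain."""
    exposure = defaultdict(Fraction)
    for addr, value in taint.items():
        if addr in service_addresses:
            exposure[service_addresses[addr]] += value
    return dict(exposure)


def likely_mixing_txs(ledger, min_participants=3):
    """Flag transactions with several inputs and uniform outputs, a common
    shape for mixing/tumbling services (a heuristic, not proof)."""
    flagged = []
    for tx in ledger:
        enough = (len(tx["inputs"]) >= min_participants
                  and len(tx["outputs"]) >= min_participants)
        uniform = len({value for _, value in tx["outputs"]}) == 1
        if enough and uniform:
            flagged.append(tx["txid"])
    return flagged


def paths_to_service(ledger, origin, service_addresses, max_hops=6):
    """List the transaction chains by which value can move from `origin`
    to any labelled service address."""
    edges = defaultdict(list)  # address -> [(txid, next address)]
    for tx in ledger:
        for in_addr, _ in tx["inputs"]:
            for out_addr, _ in tx["outputs"]:
                edges[in_addr].append((tx["txid"], out_addr))
    found = []

    def walk(addr, path):
        if addr in service_addresses:
            found.append(path)
            return
        if len(path) >= max_hops:
            return
        for txid, nxt in edges[addr]:
            if txid not in path:  # never re-enter a transaction
                walk(nxt, path + [txid])

    walk(origin, [])
    return found


if __name__ == "__main__":
    t = trace_taint(LEDGER, "ransom_addr", 1000)
    print({addr: str(v) for addr, v in sorted(t.items())})
    print(service_exposure(t, SERVICE_ADDRESSES), likely_mixing_txs(LEDGER),
          paths_to_service(LEDGER, "ransom_addr", SERVICE_ADDRESSES))
```

On the constructed ledger, 590 of the 1000 tainted units end up at the exchange deposit address, 400 remain diluted among the other mixer outputs, and both chains to the exchange (tx1-tx2-tx3 and tx1-tx4) are recovered.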

third-party service. If the target stores the virtual currency locally (for example, on his own electronic devices, or on servers he controls), or even by printing the private keys onto a physical medium, investigators may seize the virtual currency through a traditional search warrant that allows the government to learn the private key. The seizure of virtual currency requires transferring the virtual currency to a government-controlled virtual currency wallet. If the virtual currency is stored with an overseas exchange, the Department will work with our foreign counterparts to effect the seizure.

Because of the risks that early conversion may pose, in most c

ases, virtual currency the government seizes is kept in the form it was seized and not liquidated (i.e., converted to fiat currency or other virtual currency) until a final order of forfeiture is entered or an administrative forfeiture is final.9 Agencies or prosecutors may, however, seek an order for the interlocutory sale of virtual currency at the request and/or consent of all parties with an ownership interest. Consultation with the Criminal Division’s Money Laundering and Asset Recovery Section is required prior to any pre-forfeiture conversion, or seeking an order for interlocutory sale of virtual currency.

Any liquidation of virtual currency should be executed according to established written policies of the seizing agency and the U.S. Marshals Service.10 The Department is developing guidance regarding disposition of alternative virtual currencies (i.e., anonymity enhanced cryptocurrencies and ICO tokens) for which the Marshals Service does not yet have a process in place to take custody or liquidate via auction.

As detailed above, the Department in recent years has regularly used civil forfeiture authorities11 and seizure warrants to seize virtual currency derived from malicious cyber activity associated with the Dark Web and botnets. More recently, in July 2017, the Department announced the indictment of a Russian national and an organization he allegedly operated, BTC-e, for facilitating transactions for international cybercriminals, and for receiving the criminal proceeds of numerous computer intrusions and hacking incidents, as well as of other crimes.12 According to the indictment, BTC-e’s virtual currency exchange allegedly did not require users to validate their identity, obscured and anonymized transactions and source of funds, and eschewed any anti-money laundering processes. Perhaps unsurprisingly, the exchange is alleged to have become popular with criminals. At the time of the indictment, the investigation revealed that BTC-e was alleged to have received more than $4 billion worth of virtual currency through its operation.

In parallel with the Department’s actions, the Financial Crimes Enforcement Network (“FinCEN”) assessed a $110 million civil money penalty against BTC-e for willfully violating U.S. anti-money laundering laws.

evasion. In particular, evaders can abuse the anonymous and decentralized structure of virtual currencies in an attempt to conceal their income and assets. The relative lack of reporting requirements for virtual currency also contributes to its secrecy and thus to its usefulness in committing tax crimes. And with the increase in value of virtual currencies in recent years, this anonymity and secrecy may tempt individuals not to report as income their gains from the sale of virtual currency.

This is a particularly novel area for tax enforcement. But investigators pursuing tax investigations involving virtual currency can employ many of the techniques learned from money laundering investigations involving virtual currency. For instance, investigators can track the movement of funds across the public ledger of a virtual currency and identify when money moves into or out of virtual currency through exchanges and other parties. Moreover, the Internal Revenue Service (“IRS”) Criminal Investigation division is making criminal tax evasion using virtual currencies a focus of its efforts, and the IRS is also pursuing civil and administrative
The operator of the exchange was assessed a remedies.  Within the Department, the Tax
$12 million penalty for his role in the viola- Division is partnering with the IRS and U.S.
tions. FinCEN’s announcement underscored Attorneys’ Offices to investigate and prose-
the importance of the Department’s partner- cute tax crimes involving virtual currencies,
ships with regulatory agencies in seeking to and to litigate civil enforcement actions. 
deter those who facilitate ransomware, dark Recently, the Tax Division, working with
net drug sales, and other illicit activity using the IRS, issued and enforced the first virtu-
virtual currency. al-currency-related “John Doe” summons to
Coinbase, one of the largest virtual currency
Just as virtual currencies have provided a exchanges in the world.13  As a result of this
new way for criminals to launder money, civil enforcement action, in March 2018, the
they also provide another avenue for tax exchange turned over to the IRS information

55
CYBER-DIGITAL TASK FORCE REPORT

regarding accounts “with at least the equivalent of $20,000 in any one transaction (buy, sell, send, or receive) in any one year during the 2013-2015 period.”14 This information should be useful in identifying particular individuals and transactions for further investigation.

In addition, Tax Division prosecutors are working with investigators and attorneys at IRS, as well as at the Department’s Computer Crime and Intellectual Property section, to develop training and guidance for criminal tax cases involving virtual currencies. Because the tax treatment of virtual currencies is a new area, there are many uncertainties in the law that investigators and prosecutors will need to navigate. The Tax Division’s trial attorneys also have worked with the FinCEN Intelligence, Cyber & Emerging Technology Section to identify appropriate techniques for civil tax investigations and litigation.

8. Traditional and Forensic Searches Involving Storage Media

Once a criminal is identified and arrested, investigators will seek electronic evidence from his personal storage media, including his laptops and phones. Such storage media often contain records that link the target to the evidence collected from providers or the victim, such as matching IP addresses, e-mail accounts, and photos and other personal identifiers. This evidence completes the connection between the criminal activity and the target. Such a search usually requires a traditional search warrant, based on probable cause. Investigators also will search a target’s residence, business, or automobile, looking for storage media that may contain evidence of the cyber threat. As with storage media collected during the initial incident response, investigators will image any electronic storage media before searching it, to preserve the contents for future searches and for use in court.

9. Cooperation with Foreign Governments

Cyber threats often emanate from international locations and use criminal networks that stretch across jurisdictions, many of which are not friendly to the rule of law or democratic values. At the same time, foreign sovereigns—including some of our closest allies—put limits on our government’s ability to act on its own in every investigation where the targets, or evidence of their crimes, are located in another jurisdiction. Fortunately, the Department has built relationships with its counterparts around the world that facilitate nimble information sharing in the event of an incident. This information sharing enables mitigation of the incident, and also promotes the preservation of evidence, even in situations where the evidence (or the perpetrators) are located outside the United States.

For more formal use of the information (e.g., to support charges and hold criminal actors accountable), the Department employs a vast network of international treaties and other relationships. The Criminal Division’s Office of International Affairs (“OIA”), for example, leverages extradition treaties, mutual legal assistance treaties (“MLATs”), and other instruments and available legal tools to support U.S. investigations and prosecutions of cybercriminals by returning fugitives to the United States to face trial, and by obtaining the evidence located overseas that is needed to build a case against them. OIA also facilitates the extradition of fugitives located in the United States and transfers evidence to foreign partners for those nations’ criminal investigations.

The CLOUD Act

Due in part to the large volume of foreign government requests seeking electronic evidence in the custody or control of U.S.-based service providers, and the pressure those requests were placing on the smooth functioning of the MLAT process, the U.S. Congress, in March 2018, enacted, and the President signed into law, a statute called the Clarifying Lawful Overseas Use of Data (CLOUD) Act.

The CLOUD Act has two major effects. First, it clarifies that all warrants, subpoenas, and court orders issued pursuant to the Stored Communications Act, 18 U.S.C. § 2701 et seq—the law that governs the disclosure of stored communications and transactional records held by third-party Internet service providers—apply to all data within a provider’s possession, custody, or control, regardless of whether the data is stored inside or outside the United States. Second, it allows for bilateral treaties between the United States and foreign countries for the direct sharing of electronic evidence, without needing to use the MLAT process. The CLOUD Act incorporates safeguards to assure that such agreements are entered into only with countries with robust privacy and civil liberties protections, and that adhere to the rule of law.

The CLOUD Act represents a major commitment by the American government to continue the global fight against crime by ensuring that rights-respecting and privacy-protecting foreign governments gain access to the electronic evidence they need to pursue their own investigations of serious crime, even as the Act reduces pressure on the MLAT process generally, and encourages higher privacy and civil liberties standards around the world.

When a criminal located overseas is wanted for prosecution or to serve a criminal sentence in the United States, OIA uses all the legal tools at its disposal—extradition, deportation, and other lawful measures—to ensure that the defendant will be transferred to the United States to stand trial in a U.S. court and be held accountable. The processes that must be followed to effectuate this result vary greatly in each case and depend on a range of factors, including, among others, the location of the criminal actor, his or her nationality, our law enforcement relationship with the host country, and the alleged criminal conduct at issue.

The United States currently has bilateral extradition treaties with over 100 countries.15 These treaties, which establish reciprocal obligations to extradite persons charged with or convicted of certain crimes, contain varying features, including some that give the requested state the discretion to decline to extradite its nationals. Other common treaty provisions can affect the charges an individual may face after extradition. These include the statute of limitations, assurances against the imposition of a capital sentence, and the rule of specialty. Extradition requests that result in defendants facing trial in the United States or serving a U.S. criminal sentence generally require carefully prepared documentary submissions and extensive coordination between OIA, U.S. prosecutors, and law enforcement, including the FBI, U.S. Marshals Service, the State Department, and the foreign government.

The ease and speed with which fugitives can travel across jurisdictions highlight the importance of a treaty-based mechanism known as a provisional arrest. When the United States learns that a fugitive will be traveling to—or through—a country with which it has an extradition treaty, there often is not enough time to assemble and submit a formal request for extradition. Where time is of the essence, OIA can submit a provisional arrest request, which will enable the foreign partner to arrest and detain the fugitive for a short period of time until OIA submits the formal extradition request.

There are also countries with which the United States does not maintain an extradition treaty. In cases where the United States seeks the return of a fugitive from a non-treaty partner, OIA attempts to accomplish this through other legal means, including, where possible, securing extradition under the domestic law of the foreign country, and requests for deportation, expulsion, or other lawful transfer. The range of options available varies from case to case, including using lawful measures to ensure the wanted person’s transit to a country from which the United States can secure his extradition.
EXTRADITIONS

Successfully prosecuting international computer crime cases has been notoriously difficult. Fortunately, the Department’s international outreach has made it easier. In addition, the Department has relied on longstanding tools and processes, such as extradition treaties and alternatives to extradition, to ensure that some of the most notorious cybercriminals face justice in the United States.

In August 2016, for example, a U.S. federal court jury convicted Roman Seleznev, a Russian national, of various crimes associated with his theft and sale on the black market of tens of thousands of credit card numbers, which resulted in over $170 million in fraudulent purchases. A “pioneer” cybercriminal who became “one of the most revered point-of-sale hackers in the criminal underworld,” Seleznev is the “highest profile long-term cybercriminal ever convicted by an American jury.”16 Seleznev was arrested in the Maldives in July 2014 and was subsequently expelled to the United States, where he is currently serving a 27-year federal sentence for his hacking crimes, concurrent to a 14-year federal sentence stemming from his involvement in a $50 million cyberfraud ring.17

More recently, in February 2018, the alleged creator of the Kelihos botnet (see Appendix 2), a Russian national named Peter Levashov, was extradited from Spain, and in March 2018, Yevgeniy Nikulin, of Moscow, made his initial appearance in U.S. federal court following his extradition from the Czech Republic to face allegations that he illegally accessed computers belonging to LinkedIn, Dropbox, and Formspring.

As these cases and others like them demonstrate, we have successfully dismantled international criminal rings and apprehended some of the most notorious international cybercriminals. At times, we have received valuable evidence from foreign authorities, including Russian law enforcement. But challenges remain, including an increased willingness by the Russian government to protect its nationals from extradition or other removal to the United States when its nationals are located in a third country. In such circumstances, Russia has applied pressure on the U.S. partner, seeking to thwart the U.S. extradition or other removal request. This practice is yet another factor that complicates our efforts to bring international cybercriminals to justice in the United States.

[Image: “FUGITIVE WANTED FOR PROSECUTION” poster, stamped “IN CUSTODY”]
In sum, cybercriminals should not be immune from justice simply because they operate outside of U.S. borders. Although there are state sovereignty principles that limit our ability to act unilaterally, OIA has a diverse toolkit that it can use to obtain foreign countries’ cooperation and ensure that cybercriminals face justice in U.S. courts.

Investigating and prosecuting cyber criminals often also requires access to evidence located in foreign jurisdictions and assistance from foreign governments. This evidence and assistance may include electronic records, bank and business records, witness interviews, public records, investigative materials, and seizure of assets, to name a few examples. Each year, OIA receives thousands of such requests for mutual legal assistance from both domestic and foreign prosecutors seeking important evidence that may break open an investigative dead-end or secure a criminal conviction. Such requests for assistance to foreign governments are typically made pursuant to bilateral MLATs, regional instruments, or multilateral conventions, such as the international Convention on Cybercrime (known as the Budapest Convention). As the Central Authority for the United States under international instruments, OIA makes requests for assistance to treaty partners on behalf of U.S. prosecutors and executes requests it receives from abroad.

Many of the world’s communications service providers are U.S. companies, and electronic records in their custody or control are often critical to cybercrime investigations, as well as other types of criminal and national security cases such as those targeting violent crime, terrorism, child exploitation, and criminal organizations using the Dark Web. As a result, OIA receives a high volume of requests for electronic records in the custody or control of U.S. providers. OIA executes these requests—many of which concern cases involving foreign actors whose schemes have victimized U.S. citizens—as appropriate and pursuant to its treaty obligations. Doing so both increases the likelihood that foreign governments will be able to disrupt the illegal conduct and ensures their reciprocal cooperation when needed for the United States to obtain assistance from abroad.

Importantly, these cross-border requests for electronic evidence typically must meet the legal requirements of the requested state. In the United States, this means that for requests seeking the contents, say, of an e-mail account, a Department of Justice attorney—usually from OIA but sometimes from a partner U.S. Attorney’s Office—must obtain a search warrant from a U.S. court on the foreign government’s behalf. Probable cause is a distinctly American concept, and many countries struggle to articulate a sufficient basis in their requests to meet this legal standard. OIA works closely with requesting state partners to develop, where possible, the necessary basis to obtain a search warrant. Other U.S. legal requirements, including the “filtering” of any resulting productions, add to the complexity of this practice.

Because there are few rules governing most providers’ retention of data in the normal course, it is important that electronic records associated with targeted accounts be “preserved” before they are deleted. Pursuant to U.S. law, U.S. investigators and prosecutors preserve targeted account data prior to obtaining a search warrant or other legal process for its disclosure. OIA and the Department’s Computer Crime and Intellectual Property section routinely assist prosecutors and law enforcement around the world in performing this early, but important, investigative step.

THE BUDAPEST CONVENTION

The Budapest Convention (official name: the Council of Europe’s Convention on Cybercrime) is a multilateral treaty that enhances international cooperation in cases involving computer-related crime. The treaty entered into force in 2004, requires Parties to have a basic level of domestic criminal law in the cyber field, and provides a platform for transnational law enforcement cooperation in investigations, evidence sharing, and extradition. The Convention also requires Parties to criminalize computer-related crimes such as computer hacking, fraud, and child sexual exploitation, and requires that Parties have the ability to effectively investigate computer-related crime through the collection and sharing of electronic evidence. Membership in the Convention is open to any nation. To date, nearly 60 countries spanning Europe, Asia, Australia, Africa, and North and South America have fully ratified the treaty, as illustrated below. The United States participated in the drafting of the Convention and became a Party to it in 2006.

10. Joint or Parallel Investigations

Law enforcement agencies from separate countries may wish to cooperatively investigate crimes having relevance and jurisdiction in both countries through joint or parallel investigations. Although these investigations may be established in the absence of a treaty, a number of existing treaties address the
creation of joint investigative teams (“JITs”), thereby highlighting the potentially useful impact of such arrangements. These include, for example, global multilateral instruments like the 2000 United Nations Convention against Transnational Organized Crime,18 and, in the case of the United States and the European Union, the 2003 Agreement on Mutual Legal Assistance between the United States of America and the European Union.19 JITs can be useful tools to conduct joint operations, facilitate information sharing, and thwart criminal conduct. However, they are not perfect solutions for all cases with multi-jurisdictional dimensions. U.S. criminal law and practice differ in significant respects from that of foreign partners, and as a result, the prudent course is to assess opportunities for JITs on a case-by-case basis and to fashion cooperative efforts in a manner that works for all relevant participants.

Key Prosecution Tools

Once investigators have gathered evidence of cyber threat activity, the Department’s prosecuting attorneys then determine whether that evidence is sufficient to bring charges under U.S. federal law. Cyber threat activity is a U.S. federal crime if it violates one or more of the following statutes, among others:

1. Computer Fraud and Abuse Act: 18 U.S.C. § 1030

The Computer Fraud and Abuse Act (“CFAA”)20 remains the U.S. government’s principal tool for prosecuting computer crimes. In lay terms, the CFAA gives the owners of computers the right to control who may access their computers, take information from them, change how the computers work, or delete information on them. Just as the criminal laws against trespassing protect property rights in land, the CFAA protects property rights in computers. As such, the CFAA commits the United States to a cybersecurity policy that is founded on private property rights, and backed by enforcement of criminal law. The CFAA defines multiple crimes, and assigns each a different statutory maximum penalty.

Although a detailed description and analysis of each offense established by section 1030(a) is beyond the scope of this report,21 below we provide a high-level overview of how the CFAA combats cyber threats.

Accessing a Computer and Obtaining Information: 18 U.S.C. § 1030(a)(2)

Section 1030(a)(2) protects the privacy of information stored on computers by criminalizing the act of accessing such information without authorization. The statute sets forth three distinct but overlapping crimes that collectively prohibit the unauthorized accessing of certain financial records stored on computers of financial institutions, of information from U.S. government computers, and of information from computers used in or affecting interstate or foreign commerce (for example, computers connected to the Internet). This provision applies both to outside hackers who gain access to victim computers without authorization from anywhere around the world, and to those who have
some authorization to access a computer, but who intentionally exceed that access.22

To violate section 1030(a)(2), a person must access, and thereby obtain, the prohibited information “intentionally.” Mere mistake, inadvertence, or carelessness is insufficient.23 Additionally, to be charged, the defendant must have understood that the access was unauthorized. Accordingly, federal prosecutions focus on hackers and insiders whose conduct evidences a clear intent to enter, without proper authorization, computer files or data belonging to another.

Damaging a Computer: 18 U.S.C. § 1030(a)(5)

Section 1030(a)(5) is a critical tool for prosecuting criminals who “damage” computers protected under the CFAA by causing computers to fail to operate as their owners intended. Section 1030(a)(5) is used to prosecute hackers or intruders who gain unauthorized access to a computer and commit criminal acts that, in any way, impair the integrity of data, a program, a system, or information, as well as change the way a computer is intended to operate. The statute extends to intruders who gain unauthorized access to a computer and send commands that delete files or shut the computer down. Subsection (a)(5) also may be used against cybercriminals who install malicious software that compromises a computer’s integrity. Thus, installing remote access tools, bot code, and other attempts to persist on a victim’s system are all chargeable under section 1030(a)(5). This provision is also an important tool for prosecuting criminals who cause intentional damage to computers by flooding an Internet connection with data during a distributed denial of service (“DDoS”) attack.

Accessing a Computer to Defraud and Obtain Value: 18 U.S.C. § 1030(a)(4)

Section 1030(a)(4) establishes a felony offense that prosecutors use against hackers who access a protected computer without appropriate authorization in furtherance of a fraud to obtain something of value. The section bears similarities to the federal mail and wire fraud statutes (discussed below), but has a narrower jurisdictional scope by requiring that the cybercriminal victimize a protected computer without authorization or in excess of authorization.

Prosecutors use this provision against defendants who obtain information from a computer, and then later use that information to commit fraud. For example, section 1030(a)(4) was charged in a case involving a defendant who accessed a telephone company’s computer without authorization, obtained calling card numbers, and then used those calling card numbers to make free long-distance telephone calls.24 The provision also may be used to prosecute a defendant who alters or deletes records on a computer, and then receives something of value from an individual who relied on the accuracy of those altered or deleted records.25

Threatening to Damage a Computer: 18 U.S.C. § 1030(a)(7)

To deter high-tech attempts to commit old-fashioned extortion, section 1030(a)(7)
criminalizes threats to interfere in any way with the normal operation of a protected computer or system, as well as threats to compromise the confidentiality or integrity of information contained therein. This provision encompasses threats by criminals to deny access to authorized users, erase or corrupt data or programs, or slow down or shut down the operation of the computer system, such as via a DDoS attack. The provision also reaches threats to steal confidential data.

Charging Policies

The Department’s decisions about when to open an investigation or charge a case under the CFAA are guided by the Intake and Charging Policy for Computer Crime Matters.26 As the policy explains, prosecutors must consider a number of factors in order to ensure that charges are brought only in cases that serve a substantial federal interest.27 The policy also requires prosecutors to conduct certain consultations to assure consistent practice across the Department. In particular, prosecutors must consult with the Department’s Computer Crime and Intellectual Property section before bringing charges under the CFAA.

2. Wire Fraud: 18 U.S.C. § 1343

The wire fraud statute is another particularly powerful and commonly applicable charge in computer crime cases involving fraud. Indeed, courts long have recognized that e-mails and other forms of Internet transmissions constitute “wire, radio, or television communication[s]” that may be punished under a wire fraud charge.28 Section 1343 shares a number of common proof elements with section 1030(a)(4) of the CFAA, including the requirement that a defendant act with fraudulent intent; however, the wire fraud statute authorizes more punitive penalties that may be more commensurate to the harm suffered by victims in cases involving significant loss amounts. Section 1343 violations also can serve as a predicate for the Racketeer Influenced and Corrupt Organizations Act (“RICO”) and money laundering charges, whereas most CFAA violations cannot.29 Accordingly, the wire fraud statute is a particularly effective tool for prosecuting intricate networks of criminal hacker groups engaged in transnational organized crime.30

3. Identity Theft: 18 U.S.C. §§ 1028(a)(7) and 1028A

Cybercriminals often commit computer intrusions to compromise and steal PII that may be sold on the black market, or directly used to commit other crimes, such as wire fraud. A criminal who misuses or traffics in stolen PII often violates a variety of identity theft statutes, including 18 U.S.C. §§ 1028(a)(7) and 1028A.

In relevant part, section 1028(a)(7) criminalizes the unauthorized transfer, possession, or use of a “means of identification of another person” with the intent to commit (or aid and abet) a violation of federal law, or any State or local felony. The term “means of identification,” in turn, broadly refers to “any name or number that may be used, alone or
in conjunction with any other information, to identify a specific individual.”31

In computer intrusion cases, the Department also uses section 1028A (the “aggravated” identity theft statute) to prosecute individuals who engage in the unauthorized transfer, possession, or use of a “means of identification of another person” during and in relation to felony violations of certain enumerated federal offenses that are commonly associated with computer crime.32 For example, “carders” who sell or trade stolen credit or debit card account information on online forums, or “phishers” who obtain the same type of information via fraudulent e-mails, often violate a predicate crime for a section 1028A violation. Similarly, defendants who violate the CFAA and obtain identity or account information may also violate this section. Although section 1028A is limited to a far narrower list of predicate offenses than section 1028(a)(7), it is an important and powerful tool in the Department’s prosecutions of cybercriminals because those who are convicted of section 1028A are subject to a mandatory minimum two-year term of imprisonment.33

4. Economic Espionage and Theft of Trade Secrets: 18 U.S.C. §§ 1831-32

Trade secret law prohibits the unauthorized disclosure of confidential and proprietary information (for example, a formula or compilation of information) when that information possesses an independent economic value because it is secret, and the owner has taken reasonable measures to keep it secret.34 Although the problem of trade secret theft predates the modern era of cybercrime, the increased digitalization of trade secrets, the rise of cyber espionage, and the global expansion of online marketplaces that traffic in intellectual property, have significantly magnified the threats that insiders, hackers, and nation states present to U.S. individuals and companies who maintain valuable trade secrets.35 Indeed, in recent years, businesses across key sectors of the U.S. economy have suffered sophisticated and systematic cyber intrusions designed to steal sensitive commercial data from compromised networks, including research and design data, software source code, and plans for commercial and military systems.

The Department’s principal tool for preventing and deterring serious instances of trade secret theft is the Economic Espionage Act (“EEA”). The EEA criminalizes two types of trade secret misappropriation: economic espionage under section 1831, and trade secret theft under section 1832. The economic espionage provision prohibits the theft of trade secrets for the benefit of a foreign government, instrumentality, or agent. The theft of trade secrets provision prohibits the commercial theft of trade secrets to benefit someone other than the owner. Although the provisions define separate offenses, they share a number of common proof elements. Notably, conviction under either statute requires the government to demonstrate beyond a reasonable doubt that: (1) the defendant misappropriated information; (2) the defendant knew or believed this information was proprietary and that he had no claim to it; and (3) the information was in fact a trade secret (unless the crime charged is a conspiracy or an attempt). Further, both provisions are subject to the EEA’s broad definition of a “trade secret,” which includes all types of information that the owner has taken reasonable measures to keep secret and that itself has independent economic value.36 Both provisions also punish attempts and conspiracies to misappropriate trade secrets.37 To promote enforcement, federal law provides special protections to victims in trade secret cases to ensure that the confidentiality of trade secret information is preserved during the course of criminal proceedings.38

5. Criminal Copyright: 17 U.S.C. § 506

Copyright law provides federal protection against infringement of certain exclusive rights, such as reproduction and distribution, of “original works of authorship,” including computer software, literary works, musical works, and motion pictures.39 As with trade secrets, the increased digitalization of copyrighted materials, as well as the global expansion of online marketplaces that traffic in intellectual property, have enhanced their attractiveness and, in turn, vulnerability to cybercriminals.

The Department’s principal tool for preventing and deterring serious instances of copyright infringement is section 506(a) of title 17, United States Code, which criminalizes willful copyright infringement if committed “for purposes of commercial advantage or private financial gain,” or “by the repro-
lease copyrighted materials, such as a commercial film, song, video game, or software, that are still “being prepared for commercial distribution,” by making the material “available on a computer network accessible to members of the public.”

6. Access Device Fraud: 18 U.S.C. § 1029

Section 1029 of title 18, United States Code, broadly prohibits the production, use, possession, or trafficking of unauthorized or counterfeit “access devices,” such as PII, instrument identifiers, or other means of account access that may be used “to obtain money, goods, services, or any other thing of value, or that can be used to initiate a transfer of funds.” Prosecutors commonly bring charges under section 1029 in “phishing” cases, in which a cybercriminal uses fraudulent e-mails to obtain bank account numbers and passwords. Section 1029 also is an effective tool in “carding” cases where a defendant purchases, sells, or transfers stolen bank account, credit card, or debit account information. Forfeiture is also available in many cases.40

7. Racketeer Influenced and Corrupt Organizations (RICO) Act: 18 U.S.C. §§ 1961–1968

Computer hacking conducted by transnational criminal groups poses a significant threat to American cybersecurity. Equipped
duction or distribution” of copyrighted with sizable funds, organized criminal
works during a 180-day period that satisfies groups operating abroad employ highly so-
the statute’s minimum retail value. Section phisticated malicious software, spear-phish-
506(a)(1)(C) also makes it a crime to pre-re-

66
DETECTING, DETERRING, AND DISRUPTING CYBER THREATS

ing campaigns, and other hacking tools— interception by another,44 prohibits disclo-
some of which rival in sophistication those sure of any illegally intercepted communi-
that nation states use—to hack into sensi- cation,45 and criminalizes unlawful use of
tive financial systems, conduct massive data that communication.46 The Wiretap Act has
breaches, spread ransomware, attack critical proven to be an especially valuable tool for
infrastructure, and steal critical intellectu- prosecuting cases involving spyware users
al property. For transnational cybercrime and manufacturers, intruders using packet
rings engaged in “racketeering” activity, such sniffers (i.e., tools that intercept data flowing
as identity theft, access device fraud, or wire in a network), persons improperly cloning
fraud, a RICO charge may be a particular- e-mail accounts, and other cases involving
ly effective tool for prosecuting individu- the surreptitious collection of communica-
al members of the group. For instance, the tions from a victim’s computer.
RICO statute authorizes more severe pen-
alties than the CFAA, including maximum To prosecute a defendant under this statute,
sentences of 20 years or more depending on however, federal courts have generally re-
the nature of the predicate offense,41 consec- quired that the “intercepted” communica-
utive sentencing for RICO substantive and tions be acquired “contemporaneously” or at
conspiracy convictions or violations of two approximately the same time as their trans-
substantive RICO subsections,42 and forfei- mission.47 Accordingly, merely obtaining a
ture of all reasonably foreseeable proceeds copy of the contents of a recorded commu-
of racketeering activity on a joint and several nication—for example, a year-old e-mail on
basis.43 Section 1963(d)(2) of title 18, Unit- a mail server—is not necessarily a criminal
ed States Code, also empowers prosecutors “intercept[ion]” of the communication un-
to obtain a pre-trial restraining order that der the Wiretap Act, though such an action
preserves any assets that may be subject to may violate other provisions of law, includ-
forfeiture following conviction. In addition, ing the Stored Communications Act, 18
a RICO conspiracy charge under section U.S.C. § 2701.48
1962(d) of title 18 allows prosecutors to hold
one defendant responsible for the conduct of
9. Money Laundering:
the enterprise.
18 U.S.C. §§ 1956, 1957

8. Wiretap Act: 18 U.S.C. § 2511 Cybercrimes are often committed for finan-
cial gain. And as with other crimes, those
The same surveillance statutes that empow- committing cybercrimes will seek ways to
er law enforcement to collect evidence also conceal and spend their ill-gotten gains.
protect the privacy of innocent Americans Federal money laundering laws are thus an
by criminalizing the unlawful collection important tool for combatting cybercrime.
of private communications. For example, These laws criminalize certain transactions
the Wiretap Act shields private wire, oral, undertaken with the proceeds of designated
or electronic communications from illegal crimes, referred to as “specified unlawful ac-

67
CYBER-DIGITAL TASK FORCE REPORT

tivity” (“SUA”).49 Crimes classified as SUAs though civil and regulatory provisions are
include many common charges brought in the Act’s primary enforcement mechanisms,
cybercrime cases, such as violations of the it also created several new criminal offenses.
CFAA and wire fraud. Section 1037 addresses more egregious vio-
lations of the CAN-SPAM Act, particularly
Section 1956 of title 18, United States Code, is where the perpetrator has taken significant
the main money laundering charge. Among steps to hide his or her identity, or the source
other things, this statute makes it a crime for of the spam, from recipients, ISPs, or law en-
a person to carry out a financial transaction forcement agencies. Prosecutors have used
involving SUA proceeds when the person this statute in the context of disrupting or
knows the transaction involves illicit pro- dismantling botnets.
ceeds of some kind, and the transaction is
designed to promote the carrying on of an
11. National Security Statutes
SUA,50 or to conceal “the nature, the loca-
tion, the source, the ownership, or the con- Some statutes that protect sensitive nation-
trol of the proceeds”51 of the predicate crime. al security information are implicated in
Section 1957 prohibits knowingly conduct- computer hacking investigations, when that
ing certain monetary transactions involving information is targeted or stolen. For ex-
SUA proceeds when the value is greater than ample, defense articles and services listed
$10,000. on the U.S. munitions list, 22 C.F.R. § 121.1,
cannot be exported without a license with-
Courts have broadly interpreted the scope of out violating the Arms Export Control Act,
the transactions covered by the money laun- 22 U.S.C. § 2778 (“AECA”). Other U.S.-or-
dering laws. In particular, courts have up- igin items and related technology that have
held the use of money laundering charges in- both commercial and military applications
volving transactions in virtual currencies.52 or otherwise warrant control are subject
to the Export Administration Regulations
10. Controlling the Assault of Non- (“EAR”), 15 C.F.R. pts. 730-74, and may re-
Solicited Pornography and quire a license for export to certain countries
Marketing Act: 18 U.S.C. § 1037 or for certain uses. The statute that crimi-
nalizes violation of the EAR (among other
The Controlling the Assault of Non-Solic- regulations) is the International Emergen-
ited Pornography and Marketing (“CAN- cy Economic Powers Act, 50 U.S.C. § 1705
SPAM”) Act of 200353 provides a means for (“IEEPA”). A Chinese aerospace engineer
prosecuting those responsible for sending was recently convicted of violating AECA
large amounts of unsolicited commercial for helping hackers in the Chinese air force
e-mail messages (i.e., “spam”), including choose which defense contractors to target
messages sent on social media sites. Al- and which files related to military projects

68
DETECTING, DETERRING, AND DISRUPTING CYBER THREATS

to steal;54 and a network of Iranian comput- now serving a 20-year sentence for providing
er hackers (one of whom was apprehend- material support to ISIL.56
ed) was charged with violating AECA and
Iranian sanctions under IEEPA for steal-
ing specialized software from the networks
Other Means of Dismantling,
of American software companies, which
the defendants are alleged to have resold Disrupting, and Deterring
for profit to Iranian government entities.55 Computer Crimes
Classified information and national defense
information, too, are protected by a number While criminal prosecutions of malicious cy-
of criminal statutes. The CFAA specifically ber activity (and seizing the ill-gotten gains
prohibits obtaining certain restricted data of such activity) are an important aspect of
and information protected against disclo- the Department’s approach to combating
sure for reasons of national defense or for- cybercrime, we recognize that the United
eign relations through unauthorized access States cannot simply prosecute its way out
to a computer, see 18 U.S.C. § 1030(a)(1), of the problem. Instead, the Department
and espionage statutes prohibit the unau- has embraced a comprehensive approach
thorized retention of national defense infor- to deterring cyber threats that builds upon
mation or its dissemination to an unautho- a broad array of criminal, civil, and national
rized person (whatever the means of doing security authorities, tools, and capabilities.
so). See 18 U.S.C. §§ 793 & 794. Indeed, the government as a whole relies on
a range of civil and administrative tools to
Finally, material support to terrorists is like- raise the costs associated with malicious cy-
wise prohibited, even if that support is pro- ber activity, and to disrupt ongoing activities
vided online. See 18 U.S.C. §§ 2339A, 2339B. in the cyber underworld.
As discussed in Chapter 2, for example, Ar-
dit Ferizi was an Islamic State of Iraq and To support this broader approach, we work
the Levant (“ISIL”)-linked hacker living in to interdict cyber threats before they become
Malaysia who may never have met ISIL re- actual incidents by denying malign actors
cruiters in Iraq. But when Ferizi broke into access to infrastructure, tools, funds, and
the networks of an American retailer, stole victims, as well as by working with interna-
PII for thousands of U.S. persons, and culled tional partners and members of the private
that list down to approximately 1,300 mili- sector, who often may be better positioned to
tary and other government personnel that he prevent cybercrime.
shared with ISIL for purposes of publishing a
kill list and enabling ISIL to “hit them hard,” Congress has given the Department the le-
he provided such support. Ferizi was appre- gal authority to disrupt, dismantle, and de-
hended, brought to the United States, and is ter cyber threats through a blend of civil,

69
CYBER-DIGITAL TASK FORCE REPORT

criminal, and administrative powers beyond 1. Disrupting and Disabling


traditional prosecution. As a result, the De- International Botnets
partment has been a driving force behind
the U.S. government’s most notable and ef- In recent years, the Department has success-
fective measures to disrupt online crime. As fully disrupted and disabled a number of
mentioned above, the Department often uses international botnets not only by arresting
civil injunctions, as well as seizure and for- and prosecuting the criminals involved in
feiture authorities, to disrupt cybercriminal their creation and administration, but also
groups by seizing the computer servers and by leveraging other civil, criminal, and ad-
domain names those actors use to operate ministrative authorities. For instance, the
botnets. In cases where the actors cannot Department uses civil injunctive authori-
quickly be identified, such tools—exercised ty under section 1345 (injunctions against
with proper judicial oversight—have helped fraud) and section 2521 (injunctions against
the Department disrupt and dismantle ongo- illegal interception) to authorize actions—
ing criminal schemes, thereby protecting the such as seizing domains the botnet is using
public from further victimization. Finally, to communicate with command-and-con-
the Department, with the assistance of other trol servers—to disrupt and disable a bot-
U.S. government and international partners, net’s ongoing commission of fraud crimes
also executes trade actions, and participates or illegal wiretapping. Accompanying tem-
in various cyber operations designed to porary restraining orders (“TROs”) secured
neutralize and eradicate international cyber under Rule 65 of the Federal Rules of Civil
threats. Procedure also are important to disrupting

Figure 1: Recent Department efforts to dismantle botnets and dark markets.

70
DETECTING, DETERRING, AND DISRUPTING CYBER THREATS

a botnet, and taking immediate steps to pre- botnets are illustrated in Fig. 1, and de-
vent it from reconstituting. scribed in greater detail in Appendix 2.

Further, as discussed above, if law en-


forcement is able to take over the com- 2. Dark Web Disruptions
mand-and-control structure of a botnet,
the Department may now use the recently In recent years, the Dark Web’s anonymi-
promulgated venue provision of criminal ty and low barriers to entry have attracted
Rule 41(b)(6)(B) to issue commands to bots scores of criminals to Dark Web markets,
across a number of districts. For example, including those trafficking in child pornog-
law enforcement may obtain identifying in- raphy, illicit firearms, illegal drugs, murder-
formation from affected bot computers in for-hire, and human trafficking. Sophisticat-
order to contact owners and warn them of ed hackers also frequent Dark Web forums
the infection. In addition, law enforcement for the newest malware or stolen data, and
might engage in an online operation de- might use the Tor network to host botnet
signed to disrupt the botnet and restore full command-and-control infrastructure that is
control over computers to their legal owners. more resistant to disruption and take-downs.
Rule 41(b)(6)(B) allows the government to
apply for warrants in a single judicial district Despite the many challenges the Dark Web
to use these techniques. poses, law enforcement around the world
have successfully disrupted criminals oper-
Several successful examples of the Depart- ating in the cyber underground by de-ano-
ment’s strategy for disrupting and disabling nymizing users engaging in illegal activity;

71
CYBER-DIGITAL TASK FORCE REPORT

seizing their websites, domains, servers, and hensive strategy to combat malicious activity
ill-gotten gains; and criminally prosecuting on the Dark Web.
them. For instance, to pierce the Dark Web’s
anonymizing technology, the Department
diligently pursues traditional investigative 3. Sanctions and Designations
techniques, studies patterns of criminal ac-
tivity, collaborates with international law To ensure that investigative information is
enforcement partners, and develops human used effectively to protect the Nation, the
sources. Further, where anonymizing tech- Department regularly interacts with the
nologies make less intrusive investigative Departments of Commerce, Treasury, and
options ineffective, the Department also ob- State, as well as with other agencies and regu-
tains warrants to perform remote searches latory bodies, to support those departments’
using network investigative techniques un- actions to identify and impose sanctions on
der limited circumstances.57 For example, malicious cyber actors.
appropriate scenarios for seeking a warrant
to authorize a remote search include, but are Sanctions imposed by the Office of Foreign
not limited to: (1) obtaining stored content Assets Control at the Department of the
from a hidden provider by using a username Treasury can deprive subjects of their access
and password; (2) identifying a criminal us- to the U.S. financial system and their abili-
ing a web-based e-mail account by sending ty to do business with U.S. persons, and can
a NIT to the criminal’s e-mail account; and be particularly effective in reaching foreign
(3) identifying users of a hidden child por- companies that benefit from stolen informa-
nography forum by sending a NIT to each tion. Since 2011, the Treasury Department
computer used to log on to the website. has had the authority to block the property of
transnational criminal organizations under
Once the cloak of anonymity has been Executive Order 13581 (“Blocking Property
pulled back, the Department leverages a of Transnational Criminal Organizations”).
range of civil and criminal tools, including Treasury also makes use of country-specific
civil and criminal forfeiture authorities, sei- regimes to respond to nation-state behav-
zure warrants, and requests under mutual ior. As mentioned in Chapter 2, following
legal assistance agreements to dismantle the North Korea’s destructive malware attack on
infrastructure undergirding the Dark Web Sony Pictures Entertainment, the President
systems and recover the proceeds of these il- in 2015 issued Executive Order 13687 (“Im-
legal activities. Further, in many instances, posing Additional Sanctions with Respect to
individuals responsible for creating, operat- North Korea”). Using this new sanction au-
ing, and using Dark Web forums and mar- thority, the Treasury Department designated
ketplaces are also criminally prosecuted. We three entities for being “controlled entities
describe in Appendix 3 some recent promi- of the Government of North Korea” and ten
nent examples of the Department’s compre-

72
DETECTING, DETERRING, AND DISRUPTING CYBER THREATS

individuals for being “agencies or officials of nificant malicious cyber-enabled activities


the North Korean government.”58 . . . in view of the increasing use of such ac-
tivities to undermine democratic process-
In 2015, the President also issued Execu- es or institutions.”60  The 2016 amendment
tive Order 13694 (“Blocking the Property expanded cyber-related sanctions and in an
of Certain Persons Engaging in Significant annex designated five Russian entities—in-
Malicious Cyber-Enabled Activities”), which cluding that nation’s domestic and foreign
authorized the Secretary of the Treasury, in intelligence services—and four Russian in-
consultation with the Attorney General and dividuals who were determined to have in-
the Secretary of State, to impose sanctions terfered with or undermined U.S. election
on individuals or entities that engage in ma- processes or institutions.61 The list of desig-
licious cyber-enabled activity that results nated parties was expanded again on March
in, or materially contributes to, a significant 15, 2018,62 and yet again on June 11, 2018.63
threat to the national security, foreign policy,
or economic health or financial stability of Designations under E.O. 13694 are not lim-
the United States.59 In December 2016, the ited to Russian actors. On March 23, 2018,
President amended this executive order in in consultation with the Department, OFAC
“order to take additional steps to deal with designated an Iranian entity, the Mabna
the national emergency with respect to sig- Institute, and ten Iranian individuals who

Credit: Amy Mathers, U.S. Department of Justice

Deputy Attorney General Rod Rosenstein announces on March 23, 2018 the filing of
criminal charges against nine Iranians alleged to have conducted a massive cyber theft
campaign on behalf of the Islamic Revolutionary Guard Corps. The Treasury Depart-
ment imposed sanctions the same day.

73
CYBER-DIGITAL TASK FORCE REPORT

engaged in theft of valuable intellectual 4. Trade Actions


property and data from hundreds of U.S.
and third-country universities and a media The Office of the United States Trade Rep-
company for private financial gain.64 (That resentative (“USTR”) can raise the issue of
same day, the Department unsealed criminal foreign cyber intrusions against American
charges against the same entity and nine in- businesses in the context of its trade actions
dividuals.65 See page 73.) under various U.S. laws or trade agree-
ments. As declared in a USTR report made
The Department will continue to support public in April 2017, “The United States uses
sanctions under such authorities by help- all trade tools available to ensure that its
ing the Treasury Department draft sanction trading partners provide robust protection
nomination packages based on the infor- for trade secrets and enforce trade secrets
mation gathered during our investigations. laws.”68 The Department has worked closely
Where, for example, investigations identify with USTR to ensure that the Trade Repre-
hackers who victimize U.S. individuals or sentative is appropriately informed about
companies, or those who profit from criminal cyber-enabled activity by nation states that
hacking by using stolen personal information may be actionable under U.S. trade laws.
or trade secrets, the Department works with
the Treasury Department to craft appropriate Due in part to China’s cyber-enabled theft of
sanctions against those responsible. U.S. intellectual property and sensitive com-
mercial information, the U.S. government
Similarly, the Commerce Department can in March 2018 announced various tariffs
place persons and companies on its Entity against China and various restrictions on
List if it finds that they are engaged in activi- Chinese investments.69 The announcement
ties that are contrary to U.S. national security came after USTR released a comprehensive
or foreign policy interests.66 Persons and en- public report as part of its investigation un-
tities on the Entity List are subject to special der section 301 of the Trade Act of 1974.70
licensing requirements for the export, re-ex- The USTR report establishes a clear record
port, and/or transfer (in-country) of items of China’s cyber intrusions and cyber theft
listed in the EAR. In 2014, for example, in based on information provided by the De-
addition to the Department of Justice’s pros- partment, among other parts of the U.S. gov-
ecution of a Chinese engineer for consult- ernment. The report indicates that the Chi-
ing with Chinese military hackers who stole nese government has used cyber intrusions
aerospace technology, the Commerce De- to serve its strategic economic objectives and
partment placed his company on the Entity that “incidents of China’s cyber intrusions
List, based on the FBI’s nomination.67 Such a against U.S. commercial entities align closely
listing can have dramatic consequences, cut- with China’s industrial policy objectives.”71
ting the firm off from U.S. exports and caus- For example, the PLA’s theft of trade secrets
ing U.S. and foreign businesses to reconsider from Westinghouse, Inc., as documented
doing business with the designated entity. in an indictment brought by the Depart-

74
DETECTING, DETERRING, AND DISRUPTING CYBER THREATS

ment, illustrates how China uses cyber-en- Department has played an important role in
abled theft as one of multiple instruments to bringing these threats to our national securi-
achieve its state-led technology development ty to light.
goals.72 Likewise, the USTR report noted
that “[i]n September 2017, the Department 5. Cyber Operations
filed an indictment against three Chinese
nationals who were owners, employees, and Finally, the Department also assists oth-
associates of the Guangzhou Bo Yu Informa- er agencies in analyzing the legal and pol-
tion Technology Company Limited (“Boy- icy implications of operations conducted
usec”), a company that cybersecurity firms through cyberspace, and ensuring that these
have linked to the Chinese government.”73 operations comply with the Constitution
The USTR report contains other examples and applicable law. Where additional au-
that illustrate how China uses cyber-enabled thority or injunctive relief is required to ad-
intrusions to further the commercial inter- dress conduct within the United States, the
ests of Chinese state-owned enterprises, to Department works with investigators and, as
the detriment of its foreign partners and appropriate, the U.S. Attorney community,
competitors. Available evidence also indi- to pursue it. Intelligence gathered by the FBI
cates that China uses its cyber capabilities as using its national security investigative au-
an instrument to achieve its industrial policy thorities may also assist agencies in planning
and science and technology objectives. The or carrying out such operations.

75
CYBER-DIGITAL TASK FORCE REPORT

NOTES

[1] The Department components responsible for this work are described in Chapter 5.

[2] For example, the FBI, as the federal government’s primary investigative agency, must comply with The Attorney General’s Guidelines for Domestic FBI Operations, available at: https://www.justice.gov/archive/opa/docs/guidelines.pdf (last accessed June 29, 2018), and the FBI Domestic Investigations and Operations Guide, available at: https://vault.fbi.gov/FBI%20Domestic%20Investigations%20and%20Operations%20Guide%20%28DIOG%29/fbi-domestic-investigations-and-operations-guide-diog-2013-version/FBI%20Domestic%20Investigations%20and%20Operations%20Guide%20%28DIOG%29%202013%20Version%20Part%2001%20of%2001/view (last accessed June 29, 2018), which standardizes the FBI’s criminal, national security, and foreign intelligence investigative activities. The Attorney General’s Guidelines establish a set of basic principles that serve as the foundation for all FBI mission-related activities, and the professional identity of each FBI agent, including: (1) protecting the public includes protecting their rights and liberties; (2) investigating only for a proper and authorized law enforcement, national security, or foreign intelligence purpose; (3) ensuring that an independent, authorized law enforcement or national security purpose exists for initiating investigative activity—race, ethnicity, religion, or national origin alone can never constitute the sole basis for initiating investigative activity; (4) performing only authorized activities in pursuit of investigative activities; (5) employing the least intrusive means for investigation that do not otherwise compromise FBI operations; and (6) applying best judgment to the circumstances at hand to select the most appropriate investigative means to achieve the investigative goal.

[3] See ICANN WHOIS, available at: https://whois.icann.org/en (last accessed June 29, 2018).

[4] Pub. L. No. 99–508, 100 Stat. 1848 (1986) (codified at 18 U.S.C. § 2510 et seq.).

[5] See 18 U.S.C. § 2703.

[6] Id. § 3121 et seq.

[7] Id. § 2510 et seq.

[8] 50 U.S.C. § 1801 et seq.

[9] Virtual currency seizures with a value of $500,000 or more must be forfeited judicially. The value is assessed on the date of agency seizure.

[10] See, e.g., “For Sale Approximately 3,813.0481935 Bitcoins,” U.S. Marshals Service (Jan. 2018), available at: https://www.usmarshals.gov/assets/2018/bitcoinauction/ (last accessed June 29, 2018).

[11] 18 U.S.C. §§ 981-983.

[12] See Press Release, “Russian National And Bitcoin Exchange Charged In 21-Count Indictment For Operating Alleged International Money Laundering Scheme And Allegedly Laundering Funds From Hack Of Mt. Gox,” U.S. Dept. of Justice (July 26, 2017), available at: https://www.justice.gov/usao-ndca/pr/russian-national-and-bitcoin-exchange-charged-21-count-indictment-operating-alleged (last accessed June 29, 2018).

[13] A “John Doe” summons is an administrative summons that may be used, with court approval, to seek information about an ascertainable group or class of persons who may be involved in violating federal tax laws. See 26 U.S.C. § 7609(f) (2012).

[14] United States v. Coinbase, Inc. et al., Order Regarding Petition to Enforce IRS Summons at 14 (Doc. 78), Case No. 3:17-cv-01431 (N.D. Cal.).

[15] See 18 U.S.C. § 3181 note (listing the countries with which the United States currently has a bilateral extradition agreement).

[16] Quoted from the United States’s sentencing memorandum in United States v. Roman Seleznev, No. 11-CRM-007 (W.D. Wa., Apr. 14, 2017), available at: https://assets.documentcloud.org/documents/3673513/Seleznev-US-Atty-Sentencing-Memo.pdf (last accessed June 29, 2018).

[17] See Press Release, “Russian Cyber-Criminal Sentenced to 14 Years in Prison for Role in Organized Cybercrime Ring Responsible for $50 million in Online Identity Theft and $9 Million Bank Fraud Conspiracy,” U.S. Dept. of Justice (Nov. 30, 2017) (describing all of Seleznev’s federal sentences), available at: https://www.justice.gov/opa/pr/russian-cyber-criminal-sentenced-14-years-prison-role-organized-cybercrime-ring-responsible (last accessed June 29, 2018).

[18] https://www.unodc.org/documents/middleeastandnorthafrica/organised-crime/UNITED_NATIONS_CONVENTION_AGAINST_TRANSNATIONAL_ORGANIZED_CRIME_AND_THE_PROTOCOLS_THERETO.pdf (Art. XIX) (last accessed June 29, 2018).

[19] https://www.state.gov/documents/organization/180815.pdf (Art. V) (last accessed June 29, 2018).

[20] Although the CFAA is primarily a criminal statute, individuals and companies may also bring private civil suits against CFAA violators. See 18 U.S.C. § 1030(g). This report does not address the civil provisions of the statute except as they may pertain to the criminal provisions.

[21] More specific guidance on the CFAA is available at: https://www.justice.gov/sites/default/files/criminal-ccips/legacy/2015/01/14/ccmanual.pdf (last accessed June 29, 2018).

[22] In the Second, Fourth, and Ninth Circuits, significant recent decisions have limited the definition of “exceeds authorized access” in 18 U.S.C. § 1030(e)(6) “to violations of restrictions on access to information, and not restrictions on its use.” See, e.g., United States v. Nosal, 676 F.3d 854, 863-64 (9th Cir. 2012). Other language in Nosal suggests that the Ninth Circuit’s ultimate holding is broader: that an individual can “exceed[] authorized access” only by accessing data that he or she was never authorized to access, under any circumstances. Accordingly, in those circuits, the Department recommends against charging any case that relies on the definition of “exceeds authorized access” in 18 U.S.C. § 1030(e)(6), unless it can be proven that the computer user had absolutely no authorization to access the relevant information.

[23] See, e.g., S. Rep. No. 432, 99th Cong., 2d Sess., reprinted in 1986 U.S.C.C.A.N. 2479, 2483.

[24] See United States v. Lindsley, 254 F.3d 71 (5th Cir. 2001).

[25] See, e.g., United States v. Butler, 16 Fed. Appx. 99 (4th Cir. 2001) (unpublished).

[26] See Memorandum from Eric Holder, Attorney General, “Intake and Charging Policy for Computer Crime Matters,” (Sept. 11, 2014), available at: https://www.justice.gov/criminal-ccips/file/904941/download (last accessed June 29, 2018).

[27] See id.

[28] See, e.g., United States v. Selby, 557 F.3d 968, 978-79 (9th Cir. 2009) (finding defendant’s act of sending a single e-mail “sufficient to establish the element of the use of the wires in furtherance of the scheme”); United States v. Drummond, 255 Fed. Appx. 60, 64 (6th Cir. 2007) (unpublished) (affirming wire fraud conviction where defendant made airline reservation with stolen credit card over the Internet).

[29] As explained below, exceptions exist for terrorism-related violations of section 1030(a)(1) and 1030(a)(5)(A).

[30] The United States Attorneys’ Manual provides further guidance regarding wire fraud charges, see U.S. Dept. of Justice, United States Attorneys’ Manual, § 9-43.000, as does the manual, Identity Theft and Social Security Fraud (Office of Legal Education 2004).

[31] 18 U.S.C. § 1028(d)(7). Although there is little dispute about classifying a unique identifier, such as a social security number, as a “means of identification,” some courts have questioned whether non-unique identifiers, such as names or birthdates, qualify as a “means of identification” when standing alone. Compare United States v. Silva, 554 F.3d 13, 23 n.4 (1st Cir. 2009) (finding doctor’s signature constitutes a “means of identification”), with United States v. Mitchell, 518 F.3d 230, 232-36 (4th Cir. 2008) (requiring that non-unique identifiers be combined with

[…] Subcomm. on Crime and Terrorism of the S. Judiciary Comm., 113 Cong. 4 (2016) (statement of Randall C. Coleman, Assistant Dir., Counterintelligence Div. FBI), available at: https://www.govinfo.gov/content/pkg/CHRG-113shrg96009/pdf/CHRG-113shrg96009.pdf (last accessed June 29, 2018).

[36] 18 U.S.C. § 1839(3).

[37] See id. §§ 1831(a)(4)-(5), 1832(a)(4)-(5). For an attempt, the defendant must (1) have the intent needed to commit one of the two crimes, and (2) perform an act amounting to a “substantial step” toward the commission of that crime. United States v. Hsu, 185 F.R.D. 192, 202 (E.D. Pa. 1999). For a conspiracy, the defendant must agree with one or more people to commit a violation, and one or more of the co-conspirators must commit an overt act to effect the object of the conspiracy. 18 U.S.C. §§ 1831(a)(5), 1832(a)(5).

[38] See id. § 1835.

[39] See 17 U.S.C. §§ 102(a), 106 (2012).

[40] See 18 U.S.C. § 1029(c)(1)(C), (c)(2).

[41] Id. § 1963(a).

[42] Organized Crime & Gang Section, U.S.
Dept. of Justice, CRIMINAL RICO: 18 U.S.C.
additional information that permits the identifi-
§§1961-1968, A Manual For Federal Pros-
cation of a specific person).
ecutors (May 2016), https://www.justice.gov/
E.g., 18 U.S.C. §§ 1028(a)(1)-(6), (8), 1029,
32 usam/file/870856/download (last visited June 29,
1030, 1037, 1343. 2018).
33
18 U.S.C. § 1028A(a)(1); see also id. § Id. at 238-39.
43

1028A(a)(2) (providing a minimum five-year


18 U.S.C. § 2511(1)(a) & (b).
44
term for terrorism-related aggravated identity
theft). Id. § 2511(1)(c) § (e).
45

See 18 U.S.C. §§ 1831, 1832.


34
Id. § 2511(1)(d).
46

35
Combating Economic Espionage and Trade Se- See, e.g., In re Pharmatrak, Inc. Privacy Litig.,
47

cret Theft, Hearing Before the S. Judiciary Comm., 329 F.3d 9, 21 (1st Cir. 2003).

78
DETECTING, DETERRING, AND DISRUPTING CYBER THREATS

Similarly, other surveillance statutes like the


48
tools appropriately and lawfully. Additionally,
Pen Trap Act and FISA criminalize violations of the FBI is required to adhere to the Attorney
their provisions. See 18 U.S.C. § 3121 (Pen Trap General’s Guidelines for Domestic FBI Operations
Act); 50 U.S.C. § 1809 (FISA). and the FBI’s Domestic Investigations and Oper-
ations Guide in conducting remote searches and
18 U.S.C. § 1956(c)(7) (defining SUA).
49
seizures; see supra note 2. These documents re-
Id. § 1956(a)(1)(A)(i).
50 quire the FBI to use the least intrusive method
that is feasible when conducting a search. See
Id. § 1956(a)(1)(B)(i).
51
Guidelines for Domestic FBI Operations, § 1(c)
(2)(A); Domestic Investigations and Operations
52
See United States v. Budovsky, 2015 WL
Guide, § 18.2.
5602853, at *12-13 (S.D.N.Y. Sept. 23, 2015)
(holding that virtual currency created by Liberty 58
Press Release, “Treasury Sanctions Addi-
Reserve constituted funds within the meaning of tional North Korean Officials and Entities in
§ 1956); United States v. Ulbricht, 31 F. Supp. 3d Response to the Regime’s Serious Human Rights
540, 569-70 (S.D.N.Y. 2014) (holding that trans- Abuses and Censorship Activities,” U.S. Dept.
actions involving Bitcoin were financial transac- of the Treasury (Oct. 26, 2017), available at:
tions within the scope of § 1956). https://www.treasury.gov/press-center/press-re-
leases/Pages/sm0191.aspx (last accessed June 29,
Pub. L. No. 108-187, 117 Stat. 2699 (2003).
53
2018).
Press Release, “Chinese National Who Con-
54
Exec. Order No. 13694, 3 C.F.R. 297 (2016).
59
spired to Hack into U.S. Defense Contractors’
Systems Sentenced to 46 Months in Federal Exec. Order No. 13757, 3 C.F.R. 1 (2017).
60

Prison,” U.S. Dept. of Justice (July 13, 2016),


available at: https://www.justice.gov/opa/pr/chi- Id.
61

nese-national-who-conspired-hack-us-defense- Press Release, “Treasury Sanctions Russian


62
contractors-systems-sentenced-46-months (last Cyber Actors for Interference with the 2016 U.S.
accessed June 15, 2018). Elections and Malicious Cyber-Attacks,” U.S.
Press Release, “Two Iranian Nationals
55 Dept. of Treasury (March 15, 2018), available
Charged in Hacking of Vermont Software Com- at: https://home.treasury.gov/index.php/news/
pany,” U.S. Dept. of Justice (July 17, 2017), press-releases/sm0312 (last accessed June 29,
available at: https://www.justice.gov/opa/pr/ 2018).
two-iranian-nationals-charged-hacking-ver- 63
Press Release, “Treasury Sanctions Russian
mont-software-company (last accessed June 15, Federal Security Service Enablers,” U.S. Dept.
2018). of Treasury (June 11, 2018), available at: https://
Press Release, “ISIL-Linked Kosovo Hack-
56 home.treasury.gov/news/press-releases/sm0410
er Sentenced to 20 Years in Prison,” U.S. Dept. (last accessed June 29, 2018).
of Justice (Sept. 23, 2016), available at: https:// 64
Press Release, “Treasury Sanctions Iranian
www.justice.gov/opa/pr/isil-linked-kosovo- Cyber Actors for Malicious Cyber-Enabled Ac-
hacker-sentenced-20-years-prison (last accessed tivities Targeting Hundreds of Universities,” U.S.
June 15, 2018). Dept. of Treasury (March 23, 2018), available
As with all investigative techniques, Depart-
57

ment personnel are trained to use remote search

79
CYBER-DIGITAL TASK FORCE REPORT

at: https://home.treasury.gov/news/press-releas- “2017 Special 301 Report,” Office of the


68

es/sm0332 (last accessed June 29, 2018). United States Trade Representative at 18
(April 2017), available at: https://ustr.gov/sites/
Press Release, “Nine Iranians Charged With
65
default/files/301/2017%20Special%20301%20
Conducting Massive Cyber Theft Campaign Report%20FINAL.PDF (last accessed June 29,
on Behalf of the Islamic Revolutionary Guard 2018).
Corps,” U.S. Dept. of Justice (March 23, 2018),
available at: https://www.justice.gov/opa/pr/ 69
See “Remarks by President Trump at Sign-
nine-iranians-charged-conducting-massive-cy- ing of a Presidential Memorandum Targeting
ber-theft-campaign-behalf-islamic-revolution- China’s Economic Aggression,” The White
ary (last accessed June 29, 2018). House (March 22, 2018), available at: https://
www.whitehouse.gov/briefings-statements/
Export Administration Regulations, Control
66
remarks-president-trump-signing-presiden-
Policy: End-User and End-Use Based, 15 C.F.R. tial-memorandum-targeting-chinas-econom-
§§ 744.1–.22 (2016), available at: https://www. ic-aggression/ (last accessed June 29, 2018).
gpo.gov/fdsys/pkg/CFR-2016-title15-vol2/xml/
CFR-2016-title15-vol2-part744.xml (last ac- 70
“Findings of the Investigation into China’s
cessed June 29, 2018). Acts, Policies, and Practices related to Technol-
ogy Transfer, Intellectual Property, and Innova-
67
“Addition of Certain Persons to the Entity tion under Section 301 of the Trade Act of 1974,”
List,” 79 Fed. Reg. 44680 (Aug. 1, 2014), available Office of the United States Trade Repre-
at: https://www.gpo.gov/fdsys/pkg/FR-2014-08- sentative (March 22, 2018), available at: https://
01/pdf/2014-17960.pdf (last accessed June 29, ustr.gov/sites/default/files/Section%20301%20
2018) (adding PRC Lode Technology Corpora- FINAL.PDF (last accessed June 29, 2018).
tion, a company owned by Su Bin, a Chinese na-
tional serving a prison term for conspiring with Id. at 153.
71

Chinese air force officers to exploit computer


Id. at 166.
72
systems of U.S. companies and of DoD contrac-
tors to illicitly obtain and export information, in- Id. at 168.
73

cluding controlled technology, related to military


projects).

RESPONDING TO CYBER INCIDENTS

Chapter 4
Responding to Cyber Incidents

As discussed in Chapter 3, the Department’s role in disrupting and preventing cyber threats not only embraces the traditional model of criminal law enforcement—which involves arresting suspected criminals and imprisoning offenders after they have been convicted—but also extends beyond that model to the use of non-criminal authorities and remedies.

In this chapter, we discuss other non-criminal, yet critically important, aspects of the Department’s overall cyber mission: responding to, preventing, and managing cyber incidents.

Building Relationships and Sharing Cyber Threat Information

When responding to cyber incidents, preparation is key. Preparation will help victims of cyber attacks speed their response, lessen the effects of exploitation, and hasten recovery. In order to best assist potential victims of cyber threats, the Department needs to prepare, too. Our preparation efforts involve relationship building, routine information sharing, and engaging with organizations and sectors that are at particular risk. And when incidents do occur, open lines of communication enable reporting and facilitate response efforts.

1. Operational Engagement

In building relationships with potential victims of cyberattacks, the FBI employs “operational engagement”—that is, tailored and targeted outreach. Building trust is fundamental to this approach, which initially may seem difficult to achieve, given concerns about privacy, legal privileges, and the protection of sensitive information. To address these concerns, the FBI as a first step seeks to share its own information with industry, through a variety of outreach initiatives and information sharing programs.

The FBI disseminates numerous reports geared directly to the private sector regarding cyber threats. See Fig. 1. Common FBI-issued reports include Private Industry Notifications (“PINs”), which provide contextual information about ongoing or emerging cyber threats, and FBI Liaison Alert System (“FLASH”) reports, which provide technical indicators gleaned through investigations or intelligence. These communication methods facilitate information sharing with either a broad or sector-specific audience, and provide recipients with actionable intelligence to protect against cyber threats and to detect ongoing exploitation. The FBI also often collaborates with other government agencies, including DHS, to release joint products, such as Joint Analysis Reports (“JARs”) and Joint Technical Advisories (“JTAs”).

Figure 1: FBI Product Lines

Product: Private Industry Notification (PIN)
Author: FBI
Content: Provides contextual information about ongoing or emerging cyber threats
Audience: Private Industry

Product: FBI Liaison Alert System (FLASH)
Author: FBI
Content: Provides technical indicators gleaned through investigations or intelligence
Audience: Selected Partners/Target Industries

Product: Public Service Announcement (PSA)
Author: FBI
Content: Provides information related to general cyber threats to the public
Audience: General Public

Product: Joint Analysis Report/Joint Technical Alert
Author: FBI/DHS/Other Government Partners
Content: Provides technical details and indicators gleaned through joint analytic efforts.
Audience: Private Industry

In certain circumstances, the FBI will join with sector-specific agencies1 to execute an “action campaign” to quickly and efficiently advise a defined group of stakeholders of a particular cyber threat requiring their attention. See Fig. 2. These efforts serve a dual purpose of helping potentially targeted entities and advancing the FBI’s cyber threat investigations.

The FBI also hosts targeted engagement events intended to bring together C-suite executives with government subject matter experts in order to build partnerships, encourage information sharing, and better understand the challenges the private sector faces in protecting against cyber threats.

In 2015, the FBI’s Cyber Division began hosting a semi-annual Chief Information Security Officers (“CISO”) Academy at the FBI Academy in Quantico, Virginia. The Academy seeks to enhance participants’ understanding of the government and its functions by hosting approximately 30 CISOs representing key critical infrastructure sectors for a three-day training session. The event’s sessions provide the latest information and intelligence on cyber threats, explain how the government interacts with private industry before, during, and after a cyberattack, explore investigative case studies, and engage participants in tabletop exercises. As of April 2018, the FBI had hosted four CISO Academies with over 120 total participants.

Figure 2: Recent FBI “action campaigns”

Healthcare Industry Classified Briefings (Spring 2016)

• FBI, in collaboration with DHS and HHS, hosted executives in each of its 56 field offices and conducted classified briefings over teleconferences.
• Briefed threats involving Personally Identifiable Information and Personal Health Information to the healthcare sector; over 800 industry executives participated.

Energy Sector Action Campaign (Spring 2016)

• FBI, in collaboration with DHS ICS-CERT and DOE, provided briefings to owners and operators of electric facilities.
• Fourteen events were held across the country, 10 in-person and four via webinar, with 1,600 total industry representatives briefed.

Ransomware Campaign (Spring/Fall FY 2016)

• FBI, in collaboration with DHS, USSS, HHS, and the National Council of ISACs, hosted workshops, or “road shows,” targeting small, medium, and large organizations at the C-Suite level.
• Over 5,700 individuals received briefings during the campaign.

Business E-mail Compromise (BEC) Campaign (FY 2017/FY 2018)

• FBI, in collaboration with DHS, USSS, and National Council of ISACs, identified pre-scheduled events to conduct briefings to industry executives. Additionally, FBI and USSS hosted executives in field offices to brief on the threat.
• Held workshops in 14 cities and briefed close to 2,500 total executives.

In addition, the FBI’s Cyber Division, in collaboration with a host FBI field office and U.S. Attorney’s Office, organizes one-day General Counsel Cyber Summits to bring corporate attorneys and CISOs together with Department personnel. At these summits, participants discuss how to overcome obstacles in information sharing and how best to work with the U.S. government when responding to a cyber incident. To date, the FBI has conducted four summits with over 500 total attendees.

2. Enduring Partnerships

The FBI has several established programs that enable connectivity, information sharing, and collaboration with the private sector on a range of hazards, including cyber threats. These programs include:

Domestic Security Alliance Council (“DSAC”) was founded in 2006 as a national membership program to encourage public-private engagement between corporate chief security officers and the FBI on emerging threats facing the nation and economy. DHS was later added as a partner organization. With over 500 member companies, DSAC provides the FBI and DHS direct engagement with decision-makers in the U.S. economy’s largest corporations and critical insight through the DSAC Executive Working Group.

InfraGard is a partnership between the FBI and members of the private sector for sharing information and promoting mutual learning relevant to the protection of the nation’s critical infrastructure. In contrast to DSAC, InfraGard members join as individuals, not as corporations. There are over 50,000 vetted InfraGard members nationally, representing all critical infrastructure sectors, organized into 84 local chapters called “InfraGard Member Alliances.” Each chapter is associated with its corresponding local FBI field office.

National Cyber-Forensics & Training Alliance (“NCFTA”) was conceived in 1997 and the non-profit 501(c)(3) corporation was created in 2003. Headquartered in Pittsburgh, this organization has become an international model for joining law enforcement, private industry, and academia to build and share resources, strategic information, and cyber threat intelligence. Since its establishment, the NCFTA has evolved to keep up with the ever-changing cybercrime landscape. Today, the organization deals with threats from transnational criminal groups including spam, botnets, stock manipulation schemes, intellectual property theft, pharmaceutical fraud, telecommunication scams, and other financial fraud schemes that result in billions of dollars in losses to companies and consumers. The extensive knowledge base within the NCFTA has played a key role in some of the FBI’s most significant cyber cases in the past several years.

National Domestic Communications Assistance Center (“NDCAC”) is a national hub for technical knowledge management among law enforcement agencies that also strengthens law enforcement’s relationships with the communications industry. Operated by the FBI’s Operational Technology Division, the NDCAC leverages and shares law enforcement’s collective technical knowledge and resources on issues involving real-time and stored communications to address challenges posed by advanced communications services and technologies. NDCAC develops and maintains relationships with industry to ensure law enforcement’s understanding of new services and technologies, and it provides a venue to exchange information, streamline processes, and facilitate more efficient interaction between law enforcement and industry. NDCAC also educates industry on law enforcement’s evidentiary processes and works with industry to verify that technical solutions work as expected.

Internet Crime Complaint Center (“IC3”) provides the public with a reliable and convenient reporting mechanism to submit information to the FBI concerning suspected Internet-facilitated criminal activity and to develop effective alliances with law enforcement and industry partners. Since 2000, the IC3 has received complaints crossing the spectrum of cybercrime matters, to include online fraud in its many forms, including Intellectual Property Rights (“IPR”) matters, computer intrusions, economic espionage, online extortion, identity theft and others. It is through this reporting that the program is able to analyze complaints for dissemination to the public, private industry, and for intelligence/investigative purposes for law enforcement.

3. Reporting Cyber Incidents and Notifying Targeted Entities

Through the numerous FBI and U.S. Attorneys’ offices nationwide, the Department is uniquely positioned to interact with organizations that have experienced a cyber incident. The FBI has 56 field offices throughout the country, and has assisted victims of crime for over 100 years, including since the earliest days of computer crime. The FBI may learn through law enforcement or intelligence sources that a U.S. person or organization has suffered an incident or is the target of illicit cyber activity, and can proactively notify the targeted entity. Conversely, victims may be the first to detect the incident and then can notify the FBI. In either case, the Department stands ready to investigate the unauthorized activity and support victims.

Victim Notification

The Department identifies victims of cyber intrusion through a variety of means, such as from the FBI’s ongoing contact with victims, from investigations of threat actors, from other members of the U.S. Intelligence Community, and from foreign partners. This information may be highly classified or may carry special handling or sharing restrictions based on the sensitivity of the source and the information provided. The FBI takes all reasonable steps to identify the targeted individual or entity, determine if there was an actual compromise, and assess if there is actionable information it may share.

Depending upon the circumstances, the FBI can undertake direct or indirect notice to victims or potential victims. “Direct” notification is typically handled in-person through established liaison contacts, such as by notifying the representatives of an institutional victim. Larger scale data breaches involving thousands or millions of affected customers are more complicated. In such circumstances, the FBI relies on victimized institutions to provide notification to affected individuals. In those cases, the victimized institution may be better situated to notify its customers or members of a large-scale data breach.

Reporting Intrusions to the FBI

While law enforcement and intelligence agencies can sometimes uncover malicious cyber activity before a victim detects it on their networks, in other cases a targeted organization will be the first to detect anomalous activity. It is critically important to report incidents to law enforcement, as each incident potentially involves the commission of a federal crime and may warrant investigation. The FBI is uniquely positioned to investigate and attribute malicious cyber activity due to its dual criminal investigative and national security responsibilities.

While cyberattacks are typically conducted through technical means, behind the malicious activity is an actual individual or group perpetrating a crime. When the FBI is promptly notified, it can work to determine who caused the incident, link the incident to other incidents, maximize investigative opportunities, and potentially provide context regarding the actor, their tradecraft, and their motivations. Understanding who is targeting a victim’s networks and for what purpose can inform defensive strategies and prevent future attacks. By notifying and assisting law enforcement, victims also help the FBI identify and pursue those responsible—which can help prevent future crimes against other victims. Such identification and pursuit is not limited to criminal response options. For example, attribution resulting from FBI investigative activities can support other U.S. government agencies’ abilities to impose regulatory (e.g., sanctions), diplomatic, and technical costs upon those responsible for, or benefiting from, malicious cyber activities. Finally, notifying law enforcement may also place a victim company in a positive light with regulators, shareholders, and the public.

The Department encourages key organizations, particularly critical infrastructure owners and operators, to identify and form relationships with personnel in their local FBI field office, including through the partnerships detailed above, before an incident occurs. These pre-established relationships and open lines of communication will speed reporting and response efforts.

The White House’s Council of Economic Advisors recently observed that most data breaches are not reported to the U.S. government.2 This reluctance may be driven by a fear of regulatory action, of reputational harm, or of an interruption to business operations. The reluctance of organizations and businesses to disclose that they have been attacked constitutes a major challenge for the U.S. government in its battle against cybercrime. Law enforcement cannot be effective without the cooperation of crime victims. A lack of cooperation may not only prevent discovery of evidence that could lead to identifying and holding the threat actors accountable, but also creates barriers to fully understanding the threat environment.

Responding to Cyber Incidents and Managing Crisis

1. Policy Framework

Presidential Policy Directive (“PPD”)-41, titled “United States Cyber Incident Coordination,” defines the term “cyber incident,”3 and describes cyber incident response in terms of three concurrent and mutually beneficial lines of effort: threat response (investigation, attribution, and threat pursuit); asset response (remediation and recovery); and intelligence support. It also refers to a fourth, unnamed line of effort that is best described as “business response” (ensuring business continuity, addressing legal and regulatory issues, and external affairs). In the context of a nationally significant cyber incident, these activities are carried out in a coordinated way by the affected entity, by its third-party cybersecurity providers (if any), and by relevant federal agencies.

PPD-41 designates the Department of Justice, through the FBI and the National Cyber Investigative Joint Task Force (“NCIJTF”), as the lead federal agency for threat response activities in the context of a significant cyber incident. Through evidence collection, technical analysis, and related investigative tools, the FBI works to quickly identify the source of a cyber incident, connect that incident with related incidents, and determine attribution.

In addition to the cyber incident response framework laid out in PPD-41, the federal government also has adopted a Cyber Incident Severity Schema,4 a rubric for describing an incident’s significance and improving the federal government’s response. An incident of national significance is rated as a Level 3 “High” (Orange), or greater. While the FBI does not allocate resources based exclusively on the schema rating, the rating serves as an enabler to various multi-agency coordination procedures and incident response efforts.

Both PPD-41 and the severity schema recognize that not all cyber incidents are “significant” from a national perspective. Thus, the scale and speed of a federal response will vary based on the facts and circumstances of particular cases. The FBI has capability, plans, and procedures to manage routine incidents. It also is prepared to react to circumstances requiring a more robust approach. Responses to both types of incidents are discussed below.

2. Routine Incident Response

The FBI’s nationwide reach puts it in an optimal position to engage with potential victims. The FBI’s field-centric model also allows it to respond quickly, and in-person, to cyber incidents—often in a matter of hours.

Each FBI field office houses a multi-agency Cyber Task Force (“CTF”) modeled after the FBI’s successful Joint Terrorism Task Force program. The task forces bring together cyber investigators, prosecutors, intelligence analysts, computer scientists, and digital forensic technicians from various federal, State, and local agencies present within the office’s territory. The CTFs not only serve as a force multiplier, but also provide a forum for coordination amongst local partners for more effective incident response. This model also allows the FBI to draw on the relationships, expertise, authorities, and tools of the task force members.

In addition to these cyber-specific resources, the FBI has other technical assets it can use as needed to combat cyber threats. The FBI’s Operational Technology Division develops and maintains a wide range of sophisticated equipment, capabilities, and tools to support investigations and to assist with technical operations. While every FBI field office has a computer forensics laboratory, certain field offices host a larger Regional Computer Forensic Laboratory. These resources can be leveraged throughout the FBI’s response and investigative cycle to respond to cyber threats.

The FBI also has a strong international reach through a network of approximately 80 Legal Attaché offices throughout the world. It has supplemented 20 of these international offices with cyber-specific investigators to facilitate cooperation and information sharing to advance its cybercrime and national security investigations.

Because cyber threats and incidents occur around the clock, the FBI in 2014 established a steady-state, 24-hour watch capability called CyWatch. Housed at the NCIJTF, CyWatch is responsible for coordinating domestic law enforcement response to criminal and national security cyber intrusions, tracking victim notification, and partnering with the other federal cyber centers many times each day. CyWatch provides continuous connectivity to interagency partners to facilitate information sharing, and real-time incident management and tracking, as part of an effort to ensure that all relevant agencies are in communication.

3. Significant Incident Response

As directed by PPD-41, the FBI activates certain “enhanced coordination procedures” in the event of a “significant cyber incident.”5 These procedures include naming an accountable senior executive to manage the response and establishing a dedicated command center with a full array of communication capabilities.

Members of the local FBI Cyber Task Force will respond to the significant incident and a designated special agent will serve as the U.S. government’s point of contact to the victim throughout the response. Nearby FBI field

Tips for Cooperative Cyber Incident Response

Preparation

• Develop a response plan that incorporates notifying and collaborating with law enforcement.
• Establish a relationship with your local FBI Cyber Task Force and U.S. Attorney’s Office in advance of an incident; invite them to participate in exercises.
• Understand the threats and trends that may affect your organization and adjust defenses accordingly; FBI and DHS regularly publish relevant reports.

Discovery & Response

• Notify the FBI* when you experience an incident; your issue may be part of a larger adversary campaign.
• Preserve key evidence that will enable investigators to attribute the incident and pursue the actors (e.g., logs and artifacts, affected devices, analysis reports).
• Discuss options for leveraging advice and other services offered through other government agencies including DHS with the responding FBI team.

Recovery & Follow-up

• Share feedback on your experiences with the local DOJ and FBI representatives. Consider conducting an after-action review to discuss learnings to improve plans and performance in anticipation of future events.

* Notify the FBI through the local Cyber Task Force or CyWatch (24/7) at 855-292-3937 or CyWatch@fbi.gov

offices can provide surge support and expertise as necessary, as each field office maintains personnel specifically trained on responding to incidents involving critical infrastructure and control systems. The response team may be further augmented by specialty support from FBI headquarters. For example, the FBI Cyber Action Team (“CAT”) is the agency’s elite rapid response force. On-call CAT members are prepared to deploy globally to bring their in-depth cyber intrusion expertise and specialized investigative skills to bear in response to significant cyber incidents. CAT’s management and core team are based in the Washington, D.C. metro area and are supplemented by carefully selected and highly trained field personnel. The FBI also has technical analysis and operations units that directly support the response team through deep-dive malware analysis and digital forensics, and by implementing custom-built technical solutions to advance an investigation.

If a cyber incident generates physical impacts rising to the level of a crisis, the FBI has extensive crisis management capability. The FBI Crisis Management Unit coordinates the FBI’s tactical and disaster relief efforts. The unit also provides the capability to activate command posts anywhere in the United States, and coordinates the FBI’s vast investigative resources and infrastructure to support large-scale incidents regardless of type.

Finally, the FBI maintains a fleet of aircraft to support deployments when an immediate response is necessary, as well as command post vehicles to support on-scene operations.

Conclusion

The Department stands ready to assist victims of cyberattacks. By leveraging our field-centric model, investigative expertise, and partnerships at home and abroad, the Department works to pursue malicious cyber actors and to predict and prevent future attacks. We must continue to build trusting relationships and to work collaboratively to address the global cyber threat, and to impose costs on nation states, cybercriminals, and other malign cyber actors.

RESPONDING TO CYBER INCIDENTS

NOTES
1. See “Sector Specific Agencies,” U.S. Dept. of Homeland Security (July 11, 2017), available at: https://www.dhs.gov/sector-specific-agencies (last accessed June 29, 2018) (describing the “16 critical infrastructure sectors whose assets, systems, and networks, whether physical or virtual, are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof,” and listing the “Sector-Specific Agency” associated with each of these critical infrastructure sectors).

2. “The Cost of Malicious Cyber Activity to the U.S. Economy,” Council of Econ. Advisors, Exec. Office of the President, at 33 (Feb. 2018), available at: https://www.whitehouse.gov/wp-content/uploads/2018/02/The-Cost-of-Malicious-Cyber-Activity-to-the-U.S.-Economy.pdf (last accessed June 29, 2018).

3. See “Presidential Policy Directive—United States Cyber Incident Coordination,” The White House (July 26, 2016) (“PPD-41”), available at: https://obamawhitehouse.archives.gov/the-press-office/2016/07/26/presidential-policy-directive-united-states-cyber-incident (last accessed June 29, 2018) (defining a “cyber incident” as “[a]n event occurring on or conducted through a computer network that actually or imminently jeopardizes the integrity, confidentiality, or availability of computers, information or communications systems or networks, physical or virtual infrastructure controlled by computers or information systems, or information resident thereon. For purposes of [PPD-41], a cyber incident may include a vulnerability in an information system, system security procedures, internal controls, or implementation that could be exploited by a threat source.”).

4. See “NCCIC Cyber Incident Scoring System,” U.S. Computer Emergency Readiness Team, available at: https://www.us-cert.gov/NCCIC-Cyber-Incident-Scoring-System (last accessed June 29, 2018).

5. A “significant” cyber incident is one “that is likely to result in demonstrable harm to the national security interests, foreign relations, or economy of the United States or to the public confidence, civil liberties, or public health and safety of the American people.” See PPD-41, supra note 3.


Chapter 5
Training and Managing Our Workforce

To appropriately identify, disrupt, dismantle, and deter computer intrusions and cyber-enabled crimes, the Department must develop and maintain a broad cadre of highly trained prosecutors, agents, and analysts. Whether identifying and locating cyber threat actors; collecting vital evidence through lawful process; or developing the latest tools to overcome sophisticated technologies criminals use to conceal their activities, Department personnel must understand how technology both facilitates criminal activity and can be used to detect, disrupt, and dismantle the same activity.

Investigators, for example, require advanced tools and resources to stay at least one step ahead of increasingly sophisticated anonymizing technologies that criminals and other adversaries exploit to avoid detection. Meanwhile, forensic analysts must possess the latest know-how to extract key evidence from sophisticated electronic media, such as encrypted cell phones and hard drives. Finally, prosecutors must tackle complex questions regarding legal authorities, jurisdiction, privacy, and other issues raised by investigating cybercrime and prosecuting those responsible for it.

The Department pursues two objectives in developing its workforce and specialized training initiatives. First, we seek to cultivate a multitude of attorneys who, in addition to superior legal skills, have the technological background and experience necessary to make appropriate decisions in technology cases. Second, we seek to retain a group of non-lawyer professionals whose primary expertise is technology. These computer scientists, engineers, and digital forensic investigators collaborate with attorneys and investigators, together forming a team with all necessary skills. Cultivating a workforce of technologically-savvy employees requires care in hiring and training, but also, crucially, requires that the Department make the right decisions about how it manages and organizes its employees.

How the Department internally organizes itself, and especially how it assigns cyber work, is a central part of the strategy to carry out its critical cyber mission and to recruit, train, and retain a technologically-expert workforce. In some respects, this challenge is not new. For example, prosecuting environmental crimes requires mastery both of a complex area of law and of relevant scientific facts; likewise, prosecuting antitrust and other complex business cases requires in-depth knowledge of how industries operate. The Department’s solution to these challenges has been to build headquarters components and networks of attorneys and investigators that specialize in these technical areas of law enforcement. A similar strategy has worked well for cyber cases: the Department has concentrated its work of identifying, dismantling, disrupting, and deterring computer intrusions and other cyber-enabled crimes into a select number of headquarters components and into networks of specialized attorneys and investigators. This method of organization yields at least three benefits for recruitment, training, and retention—which, in turn, benefits the investigation and prosecution of cyber cases.

First, despite ever-increasing competition in the technology job market, the Department can attract skilled prospects who are inspired by our mission. The Department now has employees who, in addition to being excellent lawyers or investigators, also have deep experience in network defense, computer forensics, and software engineering. These employees very often came to work at the Department precisely because they wanted to work on cyber cases. Offering prospective employees the chance to work exclusively (or near-exclusively) in the rewarding and challenging field of computer crime is a significant recruiting advantage. But making that promise is credible only if the Department can offer employment in specialized units, where cyber work has been concentrated.

Second, training employees in cyber cases requires far more than classroom instruction or reading from textbooks. Every seasoned attorney and investigator knows that the bulk of his or her expertise came from practical, on-the-job experience. Because the Department’s specialized cyber units both at headquarters and in the field expose attorneys and investigators to cyber investigations, and do so repeatedly, they build skills and human capital much more effectively than if the work were dispersed indiscriminately around the Department.

Finally, the Department is constantly working to retain experienced attorneys and investigators in government employment. The skills of cyber investigators and attorneys are in heavy demand in the private sector, where salaries are much higher. The Department will lose this competition for talent if the only consideration is salary. Fortunately, that is not the only consideration for most employees. Only public service provides employees with so great an opportunity to protect and defend their country; in many ways, the work is itself a reward. To make maximum use of that reward, however, the Department’s talented cyber workforce needs to be given regular opportunities to work on the cases and subject matter they feel most passionate about. Only an arrangement of specialized offices can offer that benefit.

In this spirit, the Department’s criminal law enforcement entities, its United States Attorneys’ Offices, and its relevant litigation divisions have dedicated workforce units and training initiatives that anchor the Department’s broader strategy to recruit, train, and retain a technologically expert workforce in order to carry out its core cyber mission. These units and their specialized training initiatives are described below.

1. Federal Bureau of Investigation

As described in Chapter 4, the FBI is often a “first responder” to a cyber incident. With Cyber Task Forces located in each of its 56 field offices across the country, the FBI is prepared to respond to and investigate cyberattacks and intrusions wherever they may occur. Its agents serve both as investigators and high-tech specialists, capable of applying the most current technological know-how to collect evidence at the scene of a cyberattack or intrusion, analyze data forensically, and trace a cybercrime to its origins. Through its Cyber Division located at FBI headquarters in Washington, D.C., and the Operational Technology Division located at Quantico, Virginia, the FBI provides leadership to its global efforts to investigate cyber threats, whether they stem from criminal or national security actors. The Cyber Division has organized itself, both at headquarters and in FBI field offices, to focus its investigations and operations exclusively on computer intrusions and attacks, and related online threats.

The FBI is also responsible for the operation of the National Cyber Investigative Joint Task Force (“NCIJTF”), a multi-agency cyber center that serves as the national focal point for coordinating cyber investigations across government agencies. The NCIJTF is comprised of 30-plus partnering agencies from across law enforcement, the intelligence community, and the Department of Defense, with representatives who are co-located and work jointly to accomplish the organization’s mission from a whole-of-government perspective. Members have access to and analyze data that provides a unique, comprehensive view of the Nation’s cyber threat while working together in a collaborative environment in which they maintain the authorities and responsibilities of their home agencies. The NCIJTF coordinates, integrates, and shares cyber threat information to support investigations and operations for the intelligence community, law enforcement, military, policy makers, and trusted foreign partners in the fight against cyber threats. The NCIJTF is responsible for coordinating whole-of-government cyber campaigns, integrating domestic cyber data, and sharing domestic cyber threat information.

The FBI Criminal Investigative Division has created the Hi-Tech Organized Crime Unit (“HTOCU”) to launch a long-term, proactive strategy to target transnational organized crime groups using advanced technology to conduct large-scale computer-enabled and computer-facilitated crime. HTOCU works to bring traditional organized crime techniques, tradecraft, and strategies to bear on transnational criminal enterprises that use high technology to perpetrate criminal activity. HTOCU, in coordination with the FBI’s Cyber Division and the Money Laundering Unit, has developed and implemented strategies to dismantle transnational criminal enterprises engaged in large-scale fraudulent activity. Furthermore, HTOCU works to identify new sources, technical vulnerabilities, collection opportunities, and emerging trends in cyber-enabled transnational organized criminal activity.

The Joint Criminal Opioid Darknet Enforcement (“J-CODE”) Team is a new FBI initiative, announced by Attorney General Sessions in January 2018, to target drug trafficking—especially fentanyl and other opioids—on the Dark Web. Building on the work that began with the government’s dismantling of Silk Road and AlphaBay, the FBI is bringing together agents, analysts, and professional staff with expertise in drugs, gangs, health care fraud, and more, as well as federal, State, and local law enforcement partners from across the U.S. government, to focus on disrupting the sale of illegal drugs via the Dark Web and dismantling criminal enterprises that facilitate this trafficking. The J-CODE will create a formalized process to prioritize dark markets, vendors, and administrators for strategic targeting; to develop strategies to undermine confidence in the Dark Web; and to formulate de-confliction and operational requirements with other domestic and international partners.

In accordance with the requirements set forth in the Federal Cybersecurity Workforce Assessment Act of 2015, the Department, including the FBI, is identifying and coding federal positions that perform information technology, cybersecurity, and other cyber-related functions based on the work roles described in the National Initiative for Cybersecurity Education Framework.1 This analysis will underpin an effort to prioritize areas of critical need within the workforce, and support possible recommendations for introducing new job roles that will improve the FBI’s ability to respond to Internet-enabled crimes and technologically advanced threat actors.

With respect to training, the FBI has a number of programs to ensure its workforce possesses the key cyber skills and tools to succeed in their investigations, especially as the technological landscape rapidly evolves. For instance, the FBI is implementing the “Cyber Certified” training and certification program for investigators, intelligence analysts, technical specialists, and attorneys, whether currently in the Cyber Program or working in other mission areas. These employees will be observed for future training and development activities.

In an attempt to rapidly increase the level of cyber knowledge shared throughout the organization, and in an effort to infuse cyber knowledge into traditionally non-cyber programs, the FBI has also created the Workforce Training Initiative (“WTI”). The WTI is designed to increase the number of employees who are capable of responding to, investigating, and analyzing a variety of cyber-related cross-programmatic matters, and its courses cover the breadth of cyber-related topics.

The On the Job Training (“OJT”) initiative is a combination of classes and real-world experiences encountered daily on a cyber squad. The OJT program takes place over a six-month period and requires a full-time commitment from participants. The participants are reassigned to a cyber squad and are expected to work cyber cases under the mentorship of cyber-skilled professionals. At the conclusion of the six-month program, participants return to their original squads with enhanced cyber skills to address cyber threats within that program and to share their knowledge. Upon completion of this program, participants will be designated Cyber Certified.


The FBI Digital Forensics program offers digital evidence related training and certifications to personnel dedicated to managing digital evidence challenges, and also offers technical training to the broader FBI workforce which familiarizes them with the challenges of properly preserving and handling digital evidence. The Forensic Examiner certification program includes over ten weeks of total training, practical exercises, mentorship, and a moot court which includes Department attorneys and senior examiners.

The FBI’s Cyber Executive Certification Program provides high-level cyber training and prepares executives for their role in the cyber investigation process. Participants have the opportunity to obtain two industry standard certifications, in addition to the internal FBI certificate. Additionally, the digital evidence program offers advanced training to supervisors of the digital evidence workforce, preparing them to ensure the technical requirements of FBI investigations are met by the digital evidence staff.

Finally, FBI-led cyber training takes place at Cyber Academy campuses located at different points in the country, while digital evidence training occurs at Regional Computer Forensics Laboratories, and at FBI headquarters. Cyber training ranges from the Cyber Basic School, a two-week curriculum designed to instill cybersecurity fundamentals in all employees, to advanced training for seasoned cyber investigators. Digital evidence training includes guidance in analysis of Windows, Macintosh, UNIX, and mobile operating systems, Internet artifacts, secure device access, vehicle forensics, and Internet of Things related challenges.

2. The Criminal Division

Computer Crime and Intellectual Property Section

In 1996, the Department consolidated the Criminal Division’s expertise in computer crime matters into a single office called the Computer Crime and Intellectual Property Section (“CCIPS”), with prosecutors devoted to pursuing computer crime prosecutions full time. Over the years, CCIPS’s mission has grown beyond prosecution to include spearheading cyber policy and legislative initiatives, training and support, public outreach, and cybersecurity guidance. CCIPS consists of a team of specially trained attorneys dedicated to investigating and prosecuting high-tech crimes and violations of intellectual property laws, and to advising on legal issues concerning the lawful collection of electronic evidence.

Today, CCIPS is responsible for implementing the Department’s national strategies to combat computer and intellectual property crimes worldwide by working with other Department components and government agencies, the private sector, academic institutions, and foreign counterparts, among others. Section attorneys work to improve the domestic and international legal, technological, and operational infrastructure to pursue network criminals most effectively. Working in support of and alongside the 94 U.S. Attorneys’ Offices (“USAOs”), CCIPS prosecutes violations of federal law involving computer intrusions and attacks. CCIPS has also worked with the Treasury Department’s Office of Foreign Asset Control to use new authorities under Executive Order 13694 to bring sanctions against foreign nationals for malicious cyber-enabled criminal activities. In conjunction with the Executive Office for United States Attorneys (“EOUSA”), described below, CCIPS conducts at least four multi-day in-person trainings and up to twelve webinars a year. It also maintains an internal website with information available to all Department components that is visited more than 90,000 times a year, and has a rotating daily duty-attorney system that responds to approximately 2,000 calls for advice a year.

In addition, the Criminal Division established the Computer Hacking and Intellectual Property (“CHIP”) coordinator program in 1995 to ensure that each USAO and litigating division has at least one prosecutor who is specially trained on cyber threats, electronic evidence collection, and technological trends that criminals exploit. The CHIP network now includes approximately 270 prosecutors from USAOs and Main Justice, and aids in the coordination of multi-district prosecutions involving cyber threats. Specialized CHIP units exist in 25 designated USAOs. CHIP Assistant U.S. Attorneys (AUSAs) work with law enforcement partners from multiple law enforcement agencies at the outset of an investigation, often in consultation with CCIPS, to provide legal guidance, help craft an investigative plan, obtain necessary search warrants and court orders, collect electronic evidence, and ultimately, build a criminal case. Pursuant to departmental regulation, U.S. Attorneys are responsible for ensuring that experienced and technically-qualified AUSAs serve as the district’s CHIP prosecutors; ensuring that CHIP resources are dedicated to CHIP program objectives; ensuring that the USAO notifies, consults, and coordinates with CCIPS and other USAOs; and promoting and ensuring effective interaction with law enforcement, industry representatives, and the public in matters relating to computer and intellectual property crime.

Money Laundering and Asset Recovery Section

The Criminal Division’s Money Laundering and Asset Recovery Section (“MLARS”) leads the Department’s asset forfeiture and anti-money laundering enforcement efforts. MLARS is responsible for, among other things, coordinating complex, sensitive, multi-district, and international money laundering and asset forfeiture investigations and cases; providing legal and policy assistance and training to federal, State, and local prosecutors and law enforcement personnel; and assisting Departmental and interagency policymakers by developing and reviewing legislative, regulatory, and policy initiatives.

With respect to cyber-enabled threats in particular, MLARS has established a Digital Currency Initiative that focuses on providing support and guidance to investigators, prosecutors, and other government agencies on cryptocurrency prosecutions and forfeitures. The Digital Currency Initiative will expand and implement cryptocurrency-related training to encourage and enable more investigators, prosecutors, and Department components to pursue such cases, while developing and disseminating policy guidance on various aspects of cryptocurrency, including seizure and forfeiture. Through the Initiative, MLARS will also advise AUSAs and federal agents on complex questions of law related to cryptocurrency to inform charging decisions and other prosecutorial strategies.

Office of Enforcement Operations, Electronic Surveillance Unit

Electronic surveillance is one of the most effective law enforcement tools for investigating many types of criminal enterprises, including cyber-based criminal enterprises that use electronic media and Internet-based technologies to perpetrate their crimes. The Electronic Surveillance Unit (“ESU”) in the Criminal Division’s Office of Enforcement Operations is responsible for reviewing all federal requests to conduct interceptions of wire, electronic, or oral communications pursuant to the Wiretap Act. ESU’s specialized attorneys provide suggested revisions and offer guidance to ensure that electronic surveillance applications meet all constitutional, statutory, and Department policy requirements. Every federal wiretap application must be approved by a senior Department of Justice official before it is submitted to a court, and ESU makes recommendations to those officials based on its review. Additionally, ESU attorneys regularly conduct webinars and in-person trainings, and provide legal advice to federal prosecutors and law enforcement agencies on the use of electronic surveillance. They also assist in developing Department policy on emerging technology and telecommunications issues.

Office of International Affairs

The Criminal Division’s Office of International Affairs (“OIA”) returns fugitives to face justice, and obtains essential evidence for criminal investigations and prosecutions worldwide by working with domestic partners and foreign counterparts to facilitate the cooperation necessary to enforce the law, advance public safety, and achieve justice. Drawing upon a vast network of international agreements and its expertise in extradition and mutual legal assistance, OIA in recent years has worked with domestic and foreign law enforcement to hold cybercriminals accountable in U.S. courts and obtain the evidence needed to untangle complex transnational cybercrime schemes.

In addition to its work supporting investigations and prosecutions of cybercriminals, OIA uses mutual legal assistance to obtain electronic evidence for foreign and domestic law enforcement personnel. As the need to obtain electronic evidence in virtually every type of criminal case has burgeoned, OIA has worked to modernize its practice in this area by creating a team of attorneys and support personnel specially trained in obtaining electronic evidence, and by implementing process efficiencies to ensure swift attention to requests from prosecutors and police. OIA is also actively engaged in the policy, legislative, and multilateral arenas in which topics concerning access to electronic evidence and law enforcement cooperation are discussed and debated to ensure that the Department’s mission is advanced and that our law enforcement personnel get the tools they need to keep pace with ever-evolving threats. Consistent with these goals, OIA conducts regular training for U.S. prosecutors on the tools available to them to obtain evidence located overseas and to secure the return of fugitives. OIA also provides frequent regional and bilateral trainings to our foreign partners to bolster their ability to stop criminal activity before it reaches our shores.

3. The National Security Division

The investigation, disruption, and deterrence of national security cyber threats are among the highest priorities of the Department’s National Security Division (“NSD”). These priorities come from a recognition that network defense alone is not enough to counter the threat. To the contrary, we must also impose costs on our adversaries using all of the U.S. government’s lawfully available tools. This “all-tools” approach informs NSD’s efforts to combat cyber threats to our national security, with the goal of deterring and disrupting cyber-based intrusions and attacks. In this context, national security cyber cases are those perpetrated by nation states, terrorists, or their agents or proxies, or cases involving the targeting of information that is controlled for national security purposes.

All NSD attorneys must take a cyber course within two years of joining the division. NSD also conducts annually a one-day cyber training in-house for all NSD employees, which is taught by NSD and CCIPS attorneys.

In addition, in 2012, NSD launched the National Security Cyber Specialist (“NSCS”) network to equip USAOs around the Nation with prosecutors trained on national security cyber threats, such as nation-state cyber espionage activities and terrorists’ use of technology to plot attacks. NSCS-Main is comprised of lawyers and other experts drawn from NSD’s component sections and offices, as well as from CCIPS and ESU in the Criminal Division. NSCS-Main also coordinates as needed with other Department headquarters components, including the Civil Division, the Antitrust Division, the Office of Legal Policy, and the Office of Legal Counsel, and works closely with the Department’s investigative components, including the FBI.

The NSCS Network also includes AUSAs in each of the USAOs; these AUSAs serve as their offices’ primary points of entry for cases involving cyber threats to the national security and coordinate closely with NSCS-Main. NSD and CCIPS, in conjunction with EOUSA, provide annual training for NSCS members. The NSCS training covers a number of national security cyber topics to enhance the education of the prosecutors who handle these matters. In addition, through the National Security/Anti-Terrorism Advisory Council, there are approximately seven training courses conducted annually for national security prosecutors. Those trainings generally include a number of cyber-related sessions for national security prosecutors.


Finally, this year, for the first time, NSD is of- of technology to plan attacks. The USAOs
fering a Cyber Fellowship for those selected also coordinate as needed with Department
attorneys who applied to further their edu- headquarters components, such as the Crim-
cation on technology-related issues. Five at- inal and National Security Divisions, in a
torneys were selected to participate in 2018 further effort to ensure the effectiveness of
and have been attending a series of trainings such cyber-oriented investigations and pros-
offered by the FBI, the CIA, Carnegie Mellon ecutions.
University, and the SANS Institute. Those
selected have also agreed to assist with train- EOUSA provides executive and administra-
ing and other cyber initiatives at NSD. tive support for the 93 United States Attor-
neys. Such support includes legal education,
administrative oversight, technical support,
4. United States Attorney’s Offices /
and the creation of uniform policies, among
Executive Office for United States
Attorneys other responsibilities.

The United States Attorneys serve as the na- The National Advocacy Center, which EO-
tion’s principal litigators, under the direction USA operates, provides numerous courses
of the Attorney General. There are 93 Unit- every year addressing a wide variety of cy-
ed States Attorneys stationed throughout ber-related topics. These courses are attend-
the United States, Puerto Rico, the Virgin ed by prosecutors from across the country
Islands, Guam, and the Northern Mariana and are tailored to address the training needs
Islands.2 Each United States Attorney is the of attorneys with varying levels of experi-
chief federal law enforcement officer of the ence handling cyber matters. Working with
United States within his or her particular ju- CCIPS and the National Security Division’s
risdiction. United States Attorneys conduct Counterterrorism and Counterespionage
most of the trial work in which the United sections, these cybercrime courses range
States is a party. Although the distribution from introductory to advanced level and
of caseloads varies between districts, each have included training addressing the na-
USAO deals with every category of cases, ture of computer forensics, the investigation
including cybercrime prosecutions. As ref- of computer intrusions, and the use of elec-
erenced above, the role of the CHIP AUSA tronic evidence, among other related topics.
was established to ensure that each USAO In short, each year, the Department trains
has personnel trained on cyber threats, elec- hundreds of federal prosecutors in cyber-
tronic evidence collection, and technolog- crime and national security cyber matters.
ical trends exploited by criminals. Similar-
ly, the NSCS program discussed above was In addition to these in-person training pro-
designed to equip USAOs around the nation grams, EOUSA, through the Office of Legal
with prosecutors specially trained on nation- and Victim Programs and the Office of Le-
al security cyber threats, such as nation state gal Education (“OLE”), sponsors additional
cyber espionage activities and terrorists’ use cyber training, including webinars that are

103
CYBER-DIGITAL TASK FORCE REPORT

broadcast nationwide. These webinars allow the Department to provide supplemental cutting-edge training and allow prosecutors to view these presentations from their own offices, while still enabling them to remotely ask the presenters questions and download related materials. For example, EOUSA sponsored a webinar discussing new provisions of a Federal Rule of Evidence relating to electronic evidence, immediately after those provisions became effective. Almost 1,000 Department employees viewed that program. Working closely with CCIPS and OEO, additional notable webinars have included programs addressing legal standards for obtaining cell phone location information, searching and seizing computers and other digital devices, cryptocurrency, and social media and online investigations, to name just a few.

OLE, working with CCIPS, has also issued standalone written materials that prosecutors can use for training and law enforcement purposes.

5. Drug Enforcement Administration

The DEA enforces the Nation’s controlled substance laws and regulations. Through its participation in J-CODE and beyond, DEA is developing its expertise in Dark Market investigations. DEA’s Operational Support Unit (“STSO”) serves as the point of contact between DEA offices and the technology and communications industry, in order to identify, address, and resolve subpoena and related compliance issues, as well as other legal and regulatory issues. STSO also disseminates to the field guidance relating to these issues. STSO is attempting to bring DEA employees into a more advanced awareness of today’s cyber world, so they can adapt to that environment while performing the daily tasks of Internet research and investigations.

6. INTERPOL

The mission of INTERPOL Washington (United States National Central Bureau) is to advance the law enforcement interests of the United States as the official representative to the International Criminal Police Organization (INTERPOL); to share criminal justice, humanitarian, and public safety information between our Nation’s law enforcement community and its foreign counterparts; and to facilitate transnational investigative efforts that enhance the safety and security of our Nation.

INTERPOL Washington leverages a network of 192 countries connected by a secure communications platform to share information for the purpose of enhancing international cooperation in all areas of criminal investigation, including cybercrime investigations. INTERPOL Washington maintains an office dedicated to advancing the cybercrime investigations of U.S. law enforcement by establishing and maintaining relationships with the heads of cybercrime units of other countries; sharing information through the secure communications platform to assist cybercrime investigations conducted by the agencies of the Department of Justice and the Department of Homeland Security; and
providing support to other federal, State, local, and tribal law enforcement agencies.

7. Foreign Government Training Initiatives

In addition to training its own personnel, the Department also provides training and technical assistance to foreign governments to ensure that they are equipped to address their own domestic cyber threats. As countries develop their own capacity to address cyber issues, they are also better equipped to assist the United States in investigations involving criminal conduct emanating from within their own borders. The Department has maintained a robust program for encouraging foreign governments to develop their criminal and procedural laws to address emerging cybercrime threats and capabilities, consistent with the Budapest Convention on Cybercrime. As discussed in Chapter 3, the Budapest Convention—which the United States ratified over ten years ago—provides a legal framework for criminalizing key types of cybercrime, developing the tools necessary to investigate such crime, and establishing the network for rapid international cooperation that must exist to investigate and prosecute cyber actors wherever they are located.

Using a balanced approach of frank policy discussions with countries that have technical capabilities similar to our own, combined with multilateral training initiatives aimed at countries whose legal infrastructure for addressing cyber threats is in earlier stages of development, the Department has continued to improve the capacity of other countries to address cyber threats around the world, thereby also increasing our own capacity to thwart cyber threats.

8. Department-Wide Cybersecurity Awareness Training

In addition to the specialized units and training described above, the Department recognizes that cybersecurity effectiveness depends on everyone in the organization. Users are still one of the most attacked entities in the organization. Social engineering attacks (described in more detail in Chapter 2) come in many forms, are still effective, and can target anyone in the Department. As such, all Department employees must have a basic understanding of their responsibilities when handling the Department’s information and accessing its information system, while being held accountable for abusing those responsibilities.

All Department personnel receive annual cybersecurity awareness training. In addition, all employees and contractors must sign the “Department of Justice Cybersecurity and Privacy Rules of Behavior (ROB) for General Users” agreement, which confirms that the employee or contractor completed the training and understands the applicable cybersecurity requirements and responsibilities. As the agreement makes clear, “each [Department] user is responsible for the security and privacy of [Department] information systems and their data.”

Adequate training ensures that everyone within the Department has a basic understanding of the relevant threats, their role in protecting our information and information
systems, and how to detect and respond to cybersecurity events. Typical web-based training is most common; however, many training delivery mechanisms are used to get the broadest penetration of the material. For example, phishing exercises are conducted throughout the year, and in-person briefings and topic-specific training sessions are offered for special audiences and material.

Finally, the Department has also hosted a number of Department-wide trainings and awareness campaigns to educate the Department’s workforce on privacy and cybersecurity. The Office of Privacy and Civil Liberties organizes an annual Privacy Forum, which gathers the Department’s privacy officials to discuss current privacy and civil liberties issues. In addition, the Department’s Office of the Chief Information Officer hosts an annual Cybersecurity Symposium, which provides a forum for employees to gain an understanding of the latest trends in cybersecurity from federal and industry leaders. These events help educate the Department’s workforce on the most current trends in information security and privacy.

While the Department employs a robust training program, we can do more to carry the Department into the future. Training can reinforce best practices, enable advanced threat detection, and improve security and safety across the Department as we all work to carry out its critical cyber mission.
NOTES

1 See National Institute for Standards and Technology, Special Publication 800-181, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework (Aug. 2017), available at: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-181.pdf (last accessed June 29, 2018).

2 One United States Attorney is assigned to each of the 94 judicial districts, with the exception of Guam and the Northern Mariana Islands, where a single United States Attorney serves in both districts.

Chapter 6
Looking Ahead

This report describes the most significant cyber threats our Nation faces, and catalogs the ways in which the Department confronts and combats those threats. As the discussion in previous chapters reveals, the Department has had many successes. At the same time, we face a number of challenges.

In this chapter, we further explore those challenges and identify specific areas for additional inquiry. We also outline eight key areas of future effort that will define the Department’s work in the months ahead.

Specific Challenges

Each part of the Department’s efforts to confront cyber threats—(1) preventing and responding to cyber incidents (Chapter 4); (2) investigating and prosecuting cyber-related crimes (Chapter 2); and (3) dismantling, disrupting, and deterring malicious cyber threats (Chapter 3)—bears its own unique challenges.1

Here, we describe those challenges and, where applicable, discuss how the Department has begun addressing the challenge or what actions we may yet take to sharpen our efforts. Where appropriate, we also highlight issues that require further consideration and development due to the complex or evolving nature of the threat.

1. Challenges in Preventing and Responding to Cyber Incidents

Working with the Private Sector

Virtually every instance of cyber-related crime implicates the private sector in some way, whether the private sector is the target of malicious cyber activity, the provider of technology or services through which cybercrimes are committed or concealed, or the repository of evidence (such as communications) relating to cyber-enabled criminal activity. As such, the relationship that the Department, including the FBI, builds and maintains with the private sector is critical to our efforts to combat cybercrime. Fortunately, the Department and the private sector already have engaged in numerous formal and informal collaborations. Even so, the Department must deepen these relationships, particularly as technology evolves and the cast of service providers and technology manufacturers continues to change.

a. The Computer Security Research Community

The computer security research community—which is comprised of not only computer security companies but also individuals and organizations with expertise in computer security—has made valuable contributions to combating cyber threats by discovering
significant exploitable vulnerabilities affecting, among other things, the confidentiality of data, the safety of Internet-connected devices, and the security of automobiles. Some security researchers have also been allies in law enforcement efforts to dismantle cyber threats. For example, assistance with malware analysis and mitigation techniques has helped law enforcement conduct operations against various cybercriminals, including through botnet takedowns.

Even so, some in the computer security research community harbor concerns that law enforcement may misconstrue as criminal activity their methods of searching for and analyzing vulnerabilities. Some researchers have even expressed anxiety that such concerns have chilled legitimate security research.

To ensure the Department maintains and fosters a positive, collaborative working relationship with computer security researchers, the Department should consider potential legal options to encourage and protect legitimate computer security research. For instance, a three-year exemption to the Digital Millennium Copyright Act (“DMCA”)2—the result of rulemaking by the U.S. Copyright Office3—has allowed researchers to conduct vulnerability research on consumer products, including Internet of Things (“IoT”) devices. IoT devices are prime targets of cybercriminals for use in illicit activities like distributed denial of service attacks. Finding and repairing vulnerabilities in consumer devices is important and will likely become even more important as IoT devices proliferate, perform more household tasks, and collect more data capable of being monetized by criminals.

The Copyright Office has initiated its next rulemaking process to evaluate extending the DMCA exemptions. The Department has submitted input to the Copyright Office in support of extending and expanding the current security research exemption, with caveats intended to protect public safety and avoid confusion over legal research activities.4 At the same time, the Department should continue evaluating existing laws and regulations to identify other opportunities to support and encourage legitimate computer security research. Finally, the Criminal Division’s Cybersecurity Unit should conduct additional outreach to the computer security community. In doing so, the Unit should seek out opportunities to: (1) explain how the Department’s policies and practices address concerns about unwarranted prosecutions for legitimate security research; and (2) better educate the computer security research community about the federal criminal laws implicated by computer security activities.

b. Encouraging Private Sector Reporting of Cyber Incidents

Another important component of the Department’s collaboration with the private sector is the public-private work on information sharing and threat assessment. As discussed in Chapter 4, the FBI disseminates numerous reports directly to members of
the private sector to inform them of cyber threats. This information sharing provides the private sector with actionable intelligence that enables them to take appropriate precautions.

Information sharing, however, is most effective when it flows two ways. When a private sector entity reports a breach or attempted intrusion, the Department gains valuable insights into threat activity that can help direct, in real time, law enforcement efforts to investigate and disrupt the malicious activity. Prompt reporting also provides information that officials can accumulate and share with other private sector entities to facilitate appropriate security measures. Indeed, efforts by the Department and FBI to help manage cyber incidents and, later, to bring perpetrators to justice through prosecution are best accomplished when the victim—who may be the first to discover an incident—reports the incident or intrusion in a timely manner.

Unfortunately, many cyber incidents in the United States are never reported to law enforcement. Victims—especially businesses—often decide not to report cyber incidents for a variety of reasons, including concerns about publicity and potential harm to the company’s reputation or profits, and even concerns of retaliation by a nation state where they wish to do business. Some victims may simply not know how to report the incident to appropriate authorities. And still others, particularly larger companies, may try to act on their own to pursue, confront, or disrupt the perpetrator, though doing so may trigger civil or even criminal liability, or may impact U.S. foreign relations. Regardless of the reason, lack of reporting is a significant impediment to the Department’s efforts to thwart cybercriminals and to address threats to national security—particularly when new threats are emerging.

Encouraging reporting from private sector victims is thus critical to enhancing the Department’s ability to prevent, deter, investigate, and prosecute (or otherwise disrupt) cybercrimes. To facilitate reporting, the Department should consider not only how to build deeper trust with the private sector, but also understand and address the private sector’s needs and concerns related to reporting. This assessment should include understanding how best to incentivize reporting as well as how to eliminate obstacles or barriers. The Department should also continue its outreach to the private sector to identify additional areas for collaboration, especially with respect to reporting and information sharing. In the past, such outreach has resulted in industry-targeted guidance such as the Criminal Division Cybersecurity Unit’s Best Practices for Victim Reporting and Responding to Cyber Incidents.5

The Department must also consider the role that DHS and other government agencies play in working with the private sector to ensure federal agencies’ efforts are complementary and cooperative. In addition to DHS and other federal partners, the Department should continue to work with the agencies that regulate the private sector to evaluate
expectations and encourage clear thresholds for reporting.

The Department’s additional efforts on private sector reporting should also include attention to statutory data breach notification requirements. Currently, all 50 States have enacted separate notification laws setting standards governing notification by private entities when a data breach occurs, but there is no federal reporting requirement or standard. As such, companies must navigate and comply with the varying requirements in 50 State jurisdictions.6 In the wake of recent high-profile data breaches exposing Americans’ personal information, Congress has a revived interest in national notification requirements. A national data breach standard could increase federal law enforcement’s effectiveness to pursue hackers and prevent data breaches.

c. Reviewing Guidance on Victim Notification

In 2012, the Attorney General issued General Guidelines for Victim and Witness Assistance (“AG Victim Guidelines” or “guidelines”) that, among other things, discussed two statutes—the Victims’ Rights and Restitution Act, 42 U.S.C. § 10607, and the Crime Victims’ Rights Act, 18 U.S.C. § 3771—which accord certain rights to individuals who meet the statutory definition of “victim.” The AG Victim Guidelines also address when FBI notification to victims and witnesses is appropriate and warranted. Given the evolving nature of cyber-enabled crimes—including the fact that it is not always easy to identify a cybercrime “victim” or the extent or nature of the harm—the Department should review the AG Victim Guidelines to ensure, among other things, that the guidelines, and any related victim notification policies and practices, appropriately account for the unique and often nuanced nature of cybercrime.

Preventing Cyber-Related Vulnerabilities in Connection with Foreign Investment and Supply Chains

As part of its efforts to prevent cybercrime, the Department is concerned with mitigating vulnerabilities that threaten national security. Such areas concern foreign investment in domestic assets and foreign supply chains.

For example, a March 22, 2018 Presidential Memorandum observed that “China directs and facilitates the systematic investment in, and acquisition of, U.S. companies and assets by Chinese companies to obtain cutting-edge technologies and intellectual property and to generate large-scale technology transfer in industries deemed important by Chinese government industrial plans.”7 Under ambitious industrial policies, China aims to use foreign investment as a means of dominating cutting-edge technologies like advanced microchips, artificial intelligence, and electric cars, among others.

Currently, the Department responds to threats posed by foreign investment in the United States and the export of sensitive technology by enforcing U.S. export controls and through the Committee on Foreign Investment in the United States (“CFIUS”), a statutorily-established body that has au-
thority to review transactions that could result in control of a U.S. business by a foreign person. As the March 22, 2018 Presidential Memorandum indicates, further coordination through CFIUS, enforcement of existing technology transfer controls, and other interagency efforts will be necessary to tackle risks from foreign investment in sensitive industries and technologies.

In addition to foreign investment, the Department is generally concerned with hardening supply chains. Technology supply chains are especially vulnerable, because the hardware components and software code that go into technology products often come from foreign sources, including developers in Russia and China.8 To address these concerns, the Department coordinates with other government agencies and the private sector to effectively manage and mitigate cybersecurity risks in U.S. supply chains.

For example, the Department contributes to Team Telecom, an ad hoc interagency working group that considers the law enforcement, national security, and public safety implications of applications for licenses from the Federal Communications Commission involving a threshold percentage of foreign ownership or control. Moving forward, the Department should continue to engage with these and other interagency efforts to determine the best ways to strengthen defenses against national security risks.

2. Challenges in Investigating and Prosecuting Computer Crime

Accessing Data in the United States

Data not only is key to understanding the nature of cybercrime and the identity of perpetrators, but also is a primary source of evidence for prosecution. Unfortunately, the relevant data is often hard to reach, hidden on computers in different States or even in countries half a world away, lurking on dark markets, or protected by anonymized host servers or encryption. Recognizing that accessing data is the starting point and often the cornerstone of computer crime investigations and prosecutions, the Department has made concerted efforts to improve its ability to collect data related to criminal activity. However, several challenges to accessing data remain and require further collaboration with federal, State, and private sector partners.

One such challenge is the reality that cybercrime often does not take place in one identifiable, physical location. Sophisticated cybercriminals can control botnets spread throughout several States or countries and can hide their illegal activities on proxy networks. The rules governing law enforcement efforts, however, have largely not kept pace with these criminal realities. For this reason, the Department proactively engaged with the Federal Rules Committee and on December 1, 2016, an amended version of Rule 41 of the Federal Rules of Criminal Procedure went into effect. (That new Rule is discussed in detail in Chapter 3.)

The circumstances that the amendments to Rule 41 address are important, but they do not cover all instances where data related to criminal activity are stored in varying or unknown locations within the United States. The Department should identify any additional common or recurring circumstances where current legal authorities fall short of providing law enforcement with the tools necessary to access relevant data within the United States and determine whether changes similar to the recent Rule 41 amendments would be effective.

Accessing Data Abroad

The Department faces similar challenges in accessing data located outside the United States. As with the Rule 41 amendments in the domestic context, the Department recently engaged with partners to enhance our investigative authority in such circumstances. In particular, as the result of a joint effort between the private sector and the Department to bring clarity to investigative demands for data stored overseas, the Clarifying Lawful Overseas Use of Data Act (“CLOUD Act”) became law on March 23, 2018. (The CLOUD Act is also discussed in Chapter 3.)

Passage of the CLOUD Act institutes a framework for technology companies to comply with investigative demands for data stored outside of the requesting country’s territory, and creates processes to resolve thorny conflict of laws problems. The Act clarifies that the U.S. government’s traditional authority in this area remains in force: communications service providers must disclose information subject to a court order that is within their “possession, custody, or control,” even if the electronic servers containing that information are located overseas. The CLOUD Act also authorizes our government to enter into formal agreements with other nations that remove legal barriers that would otherwise create conflict of laws problems where a provider is subject to a foreign court order to produce data stored in that other country. The Act requires both governments to “certify” that the laws and practices of the other country provide adequate protections for human rights and personal privacy. The agreements must also implement transparency measures and periodic reviews to ensure ongoing compliance. The Department is currently considering how it should implement such agreements.

Challenges remain, however, when investigating computer crimes that extend overseas, particularly because the CLOUD Act addresses only those instances where the relevant overseas data is possessed or controlled by an entity subject to U.S. jurisdiction. Many types of evidence fall outside those criteria, and traditional mutual legal assistance treaty (“MLAT”) procedures may also fall short.

For those reasons, the Department continually aims to improve its international outreach efforts and to engage with international Internet governance bodies to encourage them not to apply rules that unreasonably restrict or interfere with valid investigations. For example, the Department is currently monitoring and assessing the impact of the European Union’s sweeping General Data
Protection Regulation (“GDPR”), which went into effect on May 25, 2018.

Broadly speaking, the GDPR regulates how private companies and governments process, store, and transfer data concerning E.U. residents, including how such data and information is handled and transferred into and out of the E.U. Violators could be subject to fines up to 4% of their gross revenue worldwide or 20 million Euros, whichever is greater, creating a serious financial incentive for covered entities not to violate the new regulation. Exceptions written into the GDPR should ensure that it does not affect the ability of U.S. law enforcement to obtain evidence through MLATs. Also, law enforcement-to-law enforcement sharing is covered by a separate directive and is thus outside of the scope of the GDPR. Still, significant questions and uncertainties exist about the GDPR, which could negatively affect law enforcement, including by impeding information sharing.

For example, some interpret the GDPR to require that the publicly-available WHOIS system remove information about the registrants of Internet domain names from public access, thereby necessitating the building and maintenance of secured law enforcement portals to access that information. As described in Chapter 3, prosecutors and law enforcement agencies around the world use the WHOIS system thousands of times a day to investigate crimes ranging from botnets to online fraud. The registrant data in WHOIS can create crucial leads to targets’ identities, locations, and other pieces of their criminal infrastructure. This data can also help identify additional victims. Due to the significant risk associated with noncompliance with the GDPR, however, the private organization responsible for maintaining WHOIS has decided to remove much of the registrant data from the publicly-available segments of the system while the organization works with stakeholders, including the Department, to develop a GDPR-compliant system.

This is only one example of how the GDPR may be interpreted to impede the ability of law enforcement authorities to obtain data critical for their authorized criminal and civil law enforcement activities. Uncertainty about the GDPR also has placed in question not only voluntary disclosures of information about criminal activity—e.g., by their employees, contractors, or customers—to U.S. law enforcement agencies, but also may cause companies with a significant E.U. presence to become reluctant to comply even with disclosures required by legal process, such as warrants and subpoenas, for fear that such a disclosure would be in violation of the GDPR. Absent official guidance, companies with significant E.U. business may become reluctant to participate in mandatory data transfers to U.S. law enforcement and regulatory authorities, which would impede effective tax collection, limit the ability of agencies to stop anti-competitive business practices, impair the work of public health and safety agencies, and undermine the integrity of global banking, securities, and commodities markets. This could also undercut the Department’s mitigation programs for businesses and individuals that wish to cooperate in areas such as fraud, bribery, money laundering, sanctions violations, and antitrust matters—programs that yield information
that often results in criminal referrals, and thus relate to the Department’s core mission.

In short, given the uncertainty that the GDPR presents in certain key areas, the Department (as well as the U.S. government as a whole) must continue to collaborate with European authorities and stakeholders to carefully monitor the GDPR’s impacts.

The “Going Dark” Problem

One of the most significant challenges to the Department’s ability to access investigative data is the “Going Dark” problem. “Going Dark” describes circumstances where the government is unable to obtain critical information in an intelligible and usable form (or at all), despite having a court order authorizing the government’s access to that information. The problem impacts a range of issues, including data retention;9 anonymization; provider compliance (or absence thereof); foreign-stored data; data localization laws; tool development and perishability; and other similar issues. The challenges posed by the Going Dark issue have achieved greatest prominence in the context of encryption.

These challenges have significantly grown in recent years as the sophistication of encryption has increased. In the past, only the most sophisticated criminals encrypted their communications and data storage; today the average consumer has access to better technology than sophisticated criminals had twenty years ago. Previously, providers used encryption of some sort but generally retained a way of accessing the unencrypted data if necessary or desired, including to comply with law enforcement search warrants or wiretap orders. In the past several years, the Department has seen the proliferation of default encryption where the only person who can access the unencrypted information is the end user. The advent of such widespread and increasingly sophisticated encryption technologies that prevent lawful access poses a significant impediment to the investigation of most types of criminal activity, including violent crime, drug trafficking, child exploitation, cybercrime, money laundering (including through cryptocurrencies), and domestic and international terrorism.

Faced with the challenges posed by encrypted information, investigative agencies have sometimes looked to other sources of information and evidence, which can be costly to procure and maintain. While these efforts have occasionally been successful, evidence and information lost to encryption often cannot be replaced solely by pursuing other sources of evidence. For example, communications metadata, such as non-content information about who contacts whom in phone records, can be helpful in putting the pieces together, but it provides less information than the content of data and communications—a difference that can prove outcome-determinative in the context of a criminal investigation, where prosecutors must prove guilt beyond a reasonable doubt. Moreover, metadata is also often simply unavailable because there is no mandate for providers to be able to access it. Relatedly, in the context of a judicial order authorizing the real-time interception of communications, the court must find, by law, that alternate sources of data do not exist or are insufficient to meet the investigation’s goals.

Going Dark
Warrant-proof encryption poses a serious challenge to effective law enforcement.

“To those of us charged with the protection of public safety and national security, encryption technology and its application…will become a matter of life and death which will directly impact our safety and freedoms.”
– FBI Director Louis Freeh
July 9, 1997

“We have engaged the tech community aggressively to help solve this problem. You cannot take an absolutist view on this. So if your argument is strong encryption, no matter what, and we can and should, in fact, create black boxes, then that I think does not strike the kind of balance that we have lived with for 200, 300 years.”
– President Barack Obama
March 11, 2016

“To be very clear — the [U.K.] government supports strong encryption and has no intention of banning end-to-end encryption. But the inability to gain access to encrypted data in specific and targeted instances is right now severely limiting our agencies’ ability to stop terrorist attacks and bring criminals to justice.”
– U.K. Home Secretary Amber Rudd
August 1, 2017

“While convinced of the problem, I’m open to all constructive solutions, solutions that take the public safety issue seriously. We need a thoughtful and sensible approach, one that may vary across business models and technologies, but . . . we need to work fast.”
– FBI Director Christopher Wray
March 7, 2018

“Few issues have vexed law enforcement agencies more than this one. They can’t get access to the data they need to stop crime and hold criminals to account. 95 per cent of [our intelligence organization’s] most dangerous counter-terrorism targets actively use encrypted messages to conceal their communications. We need access to digital networks and devices, and to the data on them, when there are reasonable grounds to do so. These powers must extend beyond traditional interception if our agencies are to remain effective and pre-empt and hold to account criminal activity. There will also need to be obligations on industry – telecommunications and technology service providers – to cooperate with agencies to get access to that data . . . . ”
– Australian Minister for Law Enforcement & Cybersecurity Angus Taylor
June 6, 2018

117
CYBER-DIGITAL TASK FORCE REPORT

Exploiting software vulnerabilities can be another way to access encrypted (or otherwise inaccessible) data on a phone or other device. The Department has, in some instances, lawfully exploited security flaws to access electronic data, including data stored on smartphones. This is a promising technique, and the Department should expand its use in criminal investigations. However, so-called “engineered access” is not a replacement for all the evidence, including evidence subject to a court order, that is lost. Moreover, expanding the government’s exploitation of vulnerabilities for law enforcement purposes will likely require significantly higher expenditures—and in the end it may not be a scalable solution. All vulnerabilities have a limited lifespan and may have a limited scope of applicability. Software developers may discover and fix vulnerabilities in the normal course of business, or the government’s use of a vulnerability could alert developers to its existence. Finally, each vulnerability might have very limited applications—limited, for example, to a particular combination of phone model and operating system.

The challenges posed by the Going Dark problem are among law enforcement’s most vexing. To address these challenges, the Department’s efforts should include: (1) considering whether legislation to address encryption (and all related service provider access) challenges should be pursued; (2) coordinating with international law enforcement counterparts to better understand the international legal, operational, and technical challenges of encryption; (3) collecting accurate metrics and case examples that demonstrate the scope and impact of the problem; (4) working to use technical tools more robustly in criminal investigations; (5) insisting that providers comply with their legal obligations to produce all information in their possession called for by compulsory process, and holding them accountable when they do not; (6) working with State and local partners to understand the challenge from their perspective and to assist them technologically in significant cases; and (7) reaching out to academics, industry, and technologists to fully understand the implications and possibilities for lawful access solutions.

“Responsible encryption is achievable. Responsible encryption can involve effective, secure encryption that allows access only with judicial authorization. Such encryption already exists. Examples include the central management of security keys and operating system updates…”
– Deputy Attorney General Rod Rosenstein
October 10, 2017


Additional Investigative Authorities

The Department has identified at least two additional legal authorities it needs to support cyber-related investigations. First, exceptions to the court order requirements of the Pen Register statute, 18 U.S.C. § 3121, are unnecessarily narrow. That statute governs the real-time collection of non-content “dialing, routing, addressing, or signaling information” associated with wire or electronic communications. This information includes phone numbers dialed as well as the “to” and “from” fields of e-mail. In general, the statute requires a court order authorizing collection of such information on a prospective basis unless the collection falls within a statutory exception. The exceptions to the Pen Register statute, however, are not coextensive with the exceptions to the Wiretap Act, codified at 18 U.S.C. § 2511 et seq., which generally governs wiretaps to obtain the content of wire or electronic communications. This results in the illogical situation where non-content information associated with a communication is subject to more extensive protection than the content of the communication itself. Moreover, the Pen Register statute’s consent provision could be clarified to allow users to provide direct, express consent for implementation of a pen/trap device by the government to facilitate cooperative investigation efforts. The Department stands ready to assist Congress in developing legislation to implement this needed improvement.

Second, the Department faces similar problems in obtaining electronic communication transactional records (“ECTRs”)—the e-mail equivalent of toll billing records for telephone calls[10]—in national security investigations. ECTRs do not include the content of communications, but they can provide crucial evidence early in national security investigations, when investigators do not yet have a clear indication of a subject’s network of contacts. Information obtained from ECTRs, such as e-mail addresses, can help establish the probable cause necessary to get a Foreign Intelligence Surveillance Act order or search warrant to allow the FBI to obtain the content of stored communications, identify a potential confidential human source who may be able to provide valuable intelligence, or help eliminate a subject from suspicion. As electronic networks increasingly have supplanted telephone networks as the means for terrorists and foreign agents to communicate, the ability to access these records efficiently has become even more important to the FBI’s work.

Under 18 U.S.C. § 2709, electronic communication service providers are obliged to provide ECTRs in response to certain requests—sometimes called National Security Letters (“NSLs”)—made in connection with qualifying national security investigations. Companies, however, have invoked an omission in section 2709 to refuse to provide ECTRs in response to NSLs. The statute states in paragraph (a) that wire or electronic communication service providers have a duty to provide ECTRs in response to a request made by the Director of the FBI under paragraph (b). But paragraph (b) fails expressly to include ECTRs in the categories of information the Director may request, even though paragraph (a) explicitly references ECTRs.


Clarifying the statutory authority would strengthen the Department’s ability to conduct counterintelligence investigations and to identify and disrupt terrorist plots in the United States. Law enforcement has obtained equivalent telephone records with a simple subpoena for decades, and the courts have held that non-content metadata of this kind, held by third-party service providers, is not protected by the Fourth Amendment.[11] A proposal to clarify that the FBI may obtain ECTRs by issuing NSLs would reaffirm a similar type of authority to the equivalent type of electronic communications information.

Apprehending Criminals Located Abroad

Even when accessible data allows law enforcement to understand the nature of the crime, to identify potential perpetrators, and to build a case for prosecution, holding the guilty party or parties accountable can still be a challenge. While the Department has made several advances to enhance its ability to prosecute sophisticated cybercriminals, difficulties apprehending criminal suspects, as well as the need for additional prosecutorial authorities, continue to hinder our efforts to bring malicious cyber actors to justice.

For example, as with our successful effort to amend Rule 41, the Department worked with the Federal Rules Committee to tackle the problem of serving criminal defendants accused of committing computer crimes. Rule 4 governs the service of criminal process upon individuals and organizations—essentially the process by which prosecutors give notice of charges to, and initiate court proceedings against, a criminal defendant. Prior to the amendment, Rule 4 did not explicitly provide a method to serve process on an organization with no physical presence in the United States, an artifact of the pre-cyber era when organizations could hardly commit crimes in the United States without having a physical presence here. As discussed in Chapters 2 and 3, today, technology allows foreign actors to commit intellectual property and computer crimes in the United States from virtually anywhere in the world.

Rule 4, amended as of December 1, 2016, now provides prosecutors with a “non-exhaustive list of methods” for serving “an organization not within a judicial district of the United States.” Most importantly, the amended Rule 4 allows the government to serve a foreign organization “by any . . . means that gives notice.” For example, the government has relied on the amended Rule 4 to serve foreign organizations by mailing and e-mailing process to the foreign organization’s U.S.-based defense counsel. The government has also served foreign organizations by mailing process to the registered agent for a recently dissolved U.S. subsidiary of the foreign organization or, in another case, by personally serving process on the president of a U.S. organization that shared a common “parent” organization with the subject of the summons. This change is particularly important in situations where a state-owned enterprise is charged with a crime but the foreign jurisdiction is unwilling to assist with efforts to serve process.

Service, however, is only one facet of the problem that the Department faces in attempting to hold sophisticated cybercriminals accountable. As noted throughout this report, attributing a cyber-incident to an individual or group of actors is difficult due to anonymizing technologies and encryption techniques that allow cybercriminals to remain hidden from law enforcement. Additionally, there are cybercriminals who, though identified, manage to remain beyond the reach of U.S. law enforcement, especially when they are located abroad. While the Department has several mechanisms to bring cybercriminals to the United States to face trial, including extradition treaties and collaborative relationships with other countries (see Chapter 3), these efforts are not always successful. Some foreign sovereigns choose not to cooperate or will do so only after imposing unreasonable limitations on law enforcement. Other countries may not punish perpetrators for the specific computer crime the United States is seeking to prosecute or may lack sophisticated domestic cybercrime law enforcement capabilities. In addition to continuing to build strong relationships with other countries and assisting their efforts to meet the requirements to join the Budapest Convention (also discussed in Chapter 3), the Department should continue to identify necessary additional authorities and potential mechanisms for bringing foreign-based cybercriminals to justice.

Additional Criminal Prohibitions

Once malicious cyber actors are identified, it is important for the Department to have the authorities necessary to prosecute those individuals for the illicit activity. Additional criminal prohibitions would help the Department prosecute and deter malicious cyber activity.

a. Protecting Election Computers from Attack

The principal statute used to prosecute hackers—the Computer Fraud and Abuse Act (“CFAA”)—currently does not prohibit the act of hacking a voting machine in many common situations. In general, the CFAA only prohibits hacking computers that are connected to the Internet (or that meet other narrow criteria for protection). In many conceivable situations, electronic voting machines will not meet those criteria, as they are typically kept off the Internet. Consequently, should hacking of a voting machine occur, the government would not, in many conceivable circumstances, be able to use the CFAA to prosecute the hackers. (The conduct could, however, potentially violate other criminal statutes.)

b. Insider Threat/Nosal Fix

Until recently, the Department regularly used the CFAA’s prohibition on “exceeding authorized access” to prosecute insider threats—in particular, employees who abused permitted access to their employers’ systems by stealing proprietary information or accessing information for their own illicit purposes and gain. The Department, for example, prosecuted police officers who sold their access to confidential criminal records databases, government employees who accessed private tax and passport records without authority, and bank employees who abused access to steal customers’ identities. These employees had some right to access those computers, but their conduct was a crime under the CFAA because they intentionally exceeded their employer’s computer use rules.

Decisions in the Second, Fourth, and Ninth Circuit Courts of Appeals, however, have limited the definition of “exceeds authorized access” in section 1030(e)(6) of the CFAA. In United States v. Nosal, 676 F.3d 854 (9th Cir. 2012) (en banc), the Ninth Circuit held that an indictment did not state a violation of the CFAA when it alleged that a former employee had asked current employees to access information in a proprietary database to aid him in starting a new firm. The company had computer policies that limited employee access to legitimate work purposes. Although the employees’ efforts to access information for the benefit of the former employee’s new firm violated the company’s policies, the court held such an activity did not violate federal criminal law. According to the Nosal court, the definition of “exceeds authorized access” in section 1030(e)(6) “is limited to violations of restrictions on access to information, and not restrictions on its use.” Id. at 863-64.[12]

Such decisions have caused grave damage to the government’s ability to prosecute and protect against serious insider threats. If the CFAA can be used only against outsiders with no right at all to access computers, many insider threats—including those in the intelligence and law enforcement communities with access to extremely sensitive information—may go unpunished. Prosecutors should have adequate statutory authority to pursue insiders who abuse their computer access for illicit means. Any such authority should also ensure appropriate consideration and treatment of legitimate privacy-related concerns.

c. CFAA as RICO Predicate

As discussed in Chapter 3, the Racketeer Influenced and Corrupt Organizations Act (“RICO”) is an important prosecutorial tool for charging organizations engaged in a pattern of criminal activity because RICO violations carry substantial sentencing penalties as well as the ability for the government to seize assets of the criminal organization. RICO requires proof of, among other things, a pattern of “racketeering activity,” which is defined as violations of two or more qualifying predicate criminal acts.

Currently, computer fraud under the CFAA does not qualify as a predicate act under the RICO statute, whereas similar conduct, such as wire fraud and mail fraud, does qualify. Adding the CFAA as a predicate offense for RICO purposes could increase our ability to fight cybercrime and take down criminal organizations engaged in such activities.

d. Combating Sextortion

“Sextortion” and related offenses are discussed in Chapter 2. Although such conduct may implicate certain existing criminal laws, there are no federal criminal statutes specifically addressing sextortion and non-consensual pornography. Additionally, while stalking, bullying, and harassment have more commonly been dealt with by local law enforcement or outside the criminal justice system, the use of computers and mobile networks has turned many such crimes into multi-jurisdictional and even multi-national offenses.[13] The increasingly expansive nature of these crimes, in addition to the use of new technologies, may merit a federal response. New federal criminal offenses specifically targeting sextortion and non-consensual pornography, as well as possible new sentencing enhancements for such offenses under existing authorities, could have merit.

3. Challenges in Connection with Other Legal Actions to Dismantling, Disrupting, and Deterring Malicious Cyber Conduct

As described in Chapter 3, in addition to traditional investigation and prosecution, the Department has an array of other techniques and tools to dismantle, disrupt, and deter cyber threats, including a blend of civil, criminal, and administrative powers. The Department has employed these tools to disable botnets, disrupt dark markets, and pursue sanctions against specified malicious actors. As with our investigation and prosecution activities, however, the Department needs additional tools and authorities to maximize effectiveness.

Tackling Tor/Dark Markets

The Department cannot disrupt cyber activity that it cannot find. This makes Tor and the existence of dark markets one of the greatest impediments to our efforts. As discussed in detail in Chapter 2, Tor provides anonymity in two ways—first, by anonymizing communications sent from computers running Tor, and second, by allowing individuals to operate websites on the Dark Web called Tor “Hidden Services” without divulging location information of the websites’ servers.

While sometimes used for innocuous and even beneficial purposes, the anonymity afforded by Tor also poses a unique and significant threat to public safety. The anonymizing technology is effective, making it difficult to identify the physical location of dark market websites either to shut them down or to identify who is administering them. The result is that law enforcement investigators can observe and document the fact that disturbing criminal activity is occurring, but they cannot use the sort of investigative steps that ordinarily would allow them to determine who is perpetrating the crimes.

Combating criminals’ abuse of Tor and their exploitation of dark markets requires a concerted effort. The Department should work with partners to develop new technological tools that will enable law enforcement to identify the true location of Hidden Services websites engaged in criminal activity. Effective development and use of these tools will enable law enforcement to locate and lawfully seize servers hosting such sites, and to identify the administrators, vendors, buyers, and participants who use them. In addition, the federal government should carefully evaluate its role in funding these anonymizing technologies, as currently the U.S. government is the primary source of funding for the Tor Project, the organization responsible for maintaining the Tor software.


Enhancing Our Ability to Disrupt Botnets

On May 22, 2018, DHS and the Department of Commerce released a joint report titled, “A Report to the President on Enhancing the Resilience of the Internet and Communications Ecosystem Against Botnets and Other Automated, Distributed Threats.”[14] The report encourages collaboration between the government and private industry, recognizing that addressing the global botnet problem requires further discussions on market incentives and on securing products at all stages of their life cycle. The Department should play an active role in these efforts.

Despite being the principal law enforcement agency tasked with disrupting and dismantling botnets, the Department’s current statutory authority is limited. As it stands today, the law gives federal courts the authority to issue injunctions to stop the ongoing commission of specified fraud crimes or illegal wiretapping through the use of botnets, by authorizing actions that prevent a continuing and substantial injury. The Department used this authority effectively in its successful disruption of the Coreflood botnet in 2011 and of the Gameover Zeus botnet in 2014. See Appendix 2. Because the criminals behind these particular botnets used them to intercept communications containing online financial account information and, with that information, committed fraud, the existing law allowed us to obtain court authority to disrupt the botnets by stopping the criminals’ commands from reaching the infected computers.

Unfortunately, botnets can be and often are used for many other types of illegal activity beyond fraud or illegal wiretapping. As explained in Chapter 2, for example, malicious actors can employ botnets to steal sensitive corporate information, to harvest e-mail account addresses, to hack other computers, or to execute DDoS attacks against websites or other computers. When these crimes do not involve fraud or illegal wiretapping, courts may lack the statutory authority to issue an injunction to disrupt the botnet. The Department should evaluate the merits of creating a more comprehensive authority for courts to address all types of illegal botnets.

Advancing a CFAA Forfeiture Fix

As discussed in Chapter 3, the Department in recent years has regularly used civil forfeiture authorities to disrupt cybercriminal groups by seizing valuable assets such as computer servers and domain names used to operate botnets, as well as profits derived from illegal activity.[15] These actions are permissible even when it is not yet possible to arrest the offenders. Expanding forfeiture authority to CFAA offenses could enhance the Department’s capacity to dismantle, disrupt, and deter cyber threats by targeting the instruments of, and profits from, cybercrime.

Issues for Further Evaluation

In addition to helping facilitate action on the specific recommendations made above and elsewhere in this report, the Department should initiate a deeper evaluation of several key areas where strategic coordination is especially important. Some of these evaluations are already underway; others will be part of the Department’s ongoing efforts to evaluate its authorities, practices, and resources.

The eight non-exclusive areas for deeper evaluation include:

1. Strengthening Our Own Defenses: Consistent with the President’s May 2017 Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure,[16] the Department is continually reassessing how best to defend its networks and reduce vulnerabilities. The Department should consider next steps and a longer-term strategy to maintain the security of its own defenses.

2. Enhancing Effective Collaboration with the Private Sector: The Department’s ability to work collaboratively and effectively with the private sector will continue to be one of the most critical elements of our strategy to fight cybercrime. In the coming months, the Department should engage in a more extensive evaluation of our work with the private sector by seeking specific input from private sector participants. Where appropriate, we will make recommendations to enhance these collaborative efforts, including with regard to information-sharing, threat and incident notification, data breach notification standards, and frameworks for joint disruptive efforts, such as botnet takedowns.

3. Addressing Encryption and Anonymity (the Going Dark Array of Issues): Addressing the complex issues raised by the legal and technical barriers that prevent law enforcement from obtaining information in electronic form is another Department priority. As discussed above, it is critical that the Department maintain the ability to identify those who employ technology for illicit means and, with appropriate legal authority, to obtain evidence to bring criminals to justice. The Department should continue to develop a framework to ensure that these public safety and national security objectives can be met even as encryption and anonymizing technologies continue to evolve. In addition, the Department should explore and, as appropriate, adopt new investigative methods to replace the investigative opportunities that have been lost.

4. Addressing Malign Foreign Influence Operations: As discussed in Chapter 1, hostile foreign actors exploit the Internet and social media platforms to conduct influence operations against our Nation, including by spreading disinformation and propaganda online on a scale greater than has ever been observed before. In addition to implementing the disclosure policy discussed in Chapter 1, the Department should consider additional ways to improve our ability to respond to malign foreign influence operations, including whether new criminal statutes aimed directly at this threat are needed, and whether there are new ways we can work with the private sector in this area. Because this problem requires a whole-of-government solution, the Department should also consider how best to use existing or additional interagency coordination mechanisms to address the threat.


5. Addressing the Global Nature of Cyber-Enabled Crime: A hallmark of technology-enabled crime is that it increasingly cuts across international boundaries, even when less sophisticated actors are behind the malicious activity. As discussed above, the global nature of cybercrime carries with it numerous impediments—both technological and arising out of foreign laws and international agreements—to the Department’s ability to identify and locate malicious actors and bring them to justice. These impediments bear no easy solutions and may only grow as technology continues to evolve. The Department should continue evaluating this set of challenges and make additional recommendations to improve its global investigative and prosecutorial reach.

6. Preparing for Emerging and Future Technology: The technology behind current cyber-enabled threats will continue to evolve. The Department must ensure that its continued recalibration of efforts and resources not only aims at the major threats of today, but also prepares it for the emerging threats of tomorrow. The Department should continue to evaluate how its investigative and prosecutorial abilities can keep pace with, and even stay ahead of, the evolving technological threat. For example, the Department should continue evaluating the emerging threats posed by rapidly developing cryptocurrencies that malicious cyber actors often use, and autonomous vehicle technology, which has both ground and aerial applications (e.g., unmanned aircraft systems).

7. Sharpening Departmental and Interagency Organization of Efforts to Fight Cyber-Enabled Crime: The Department’s cyber-related mission requires effort and expertise from many components. Similarly, the Department’s efforts make up just one part of the U.S. government’s approach to cyber issues. As such, the Department must continuously review its internal coordination approach and resources, as well as how it interacts with its interagency partners, to determine if any improvements or adjustments are needed. Relatedly, the Department should continue evaluating how most effectively to recruit and retain attorneys, investigators, and professional staff with the necessary skills and mission-oriented mindset to ensure it has the human capital it needs to confront evolving cyber threats.

8. Strengthening the Department’s Tools and Authorities: This report has described numerous additional recommendations to strengthen the Department’s tools and authorities. Where such improvements are already known, the Department should seek ways to advance those improvements, including by seeking interagency approval to advocate for legislation, where appropriate.

In each of these key areas, the Department should not be merely reactive to known challenges and obstacles, but rather should pursue a strategic and forward-looking approach.


NOTES

[1] Challenges specific to foreign influence operations are discussed in detail in Chapter 1 and so are not repeated here.

[2] The Digital Millennium Copyright Act, codified at 17 U.S.C. § 1201, prohibits the circumvention of technological controls, such as encryption and password protocols, that protect copyrighted works. Section 1201 also includes a rulemaking process that recognizes that, in some cases, exceptions to the general prohibition may be justified. Section 1201 requires the Copyright Office to conduct a rulemaking every three years to evaluate proposed exemptions proposed by the public to the anti-circumvention provision and to recommend appropriate proposals for adoption by the Librarian of Congress. The exemptions last only three years unless they are renewed in a subsequent proceeding.

[3] The last rulemaking process conducted in 2016 resulted, inter alia, in a three-year exemption for “security research” conducted on particular categories of devices, including machines designed for use by individual consumers, motorized land vehicles, and certain medical devices. Security research included “good faith testing for and the identification, disclosure and correction of malfunctions, security flaws and vulnerabilities in computer programs.” See generally U.S. Copyright Office, “Section 1201 Rulemaking: Sixth Triennial Proceeding to Determine Exemptions to the Prohibition on Circumvention,” (Oct. 2015), available at: https://www.copyright.gov/1201/2015/registers-recommendation.pdf (last accessed June 29, 2018).

[4] See John T. Lynch, Jr., Chief, Department of Justice Computer Crime and Intellectual Property Section, to Regan Smith, General Counsel and Associate Register of Copyrights, Library of Congress (June 28, 2018), available at: https://www.justice.gov/criminal-ccips/page/file/1075496/download (last accessed June 29, 2018). To date, the Department is unaware of any claims that the current security research exemption has thwarted or interfered with criminal investigations or prosecutions.

[5] Available at: https://www.justice.gov/sites/default/files/criminal-ccips/legacy/2015/04/30/04272015reporting-cyber-incidents-final.pdf (last accessed June 29, 2018).

[6] See “Alabama Rolls with Tide as Last State to Adapt Breach Notification Law,” Taft Stettinius & Hollister LLP (Apr. 30, 2018), available at: https://www.lexology.com/library/detail.aspx?g=cc0e9bb3-fe24-4211-b9dc-1fbfd350637f (last accessed June 29, 2018).

[7] “Presidential Memorandum on the Actions by the United States Related to the Section 301 Investigation,” The White House (March 22, 2018), available at: https://www.whitehouse.gov/presidential-actions/presidential-memorandum-actions-united-states-related-section-301-investigation/ (last accessed June 29, 2018).

[8] For example, due to such concerns, DHS in September 2017 issued a directive requiring federal agencies to remove and discontinue use of antivirus software provided by Moscow-based Kaspersky Lab. Several months later, Congress enacted a government-wide ban on Kaspersky products and services that exceeded the scope of the DHS prohibition. Both measures came in response to growing national security concerns presented by the presence of Kaspersky products on U.S. information systems. Kaspersky challenged both measures in court, and both suits

127
CYBER-DIGITAL TASK FORCE REPORT

were dismissed at the pleading stage. Litigation to access for any purpose which is located on a
continues in the court of appeals. Also in 2017, computer that he is otherwise authorized to ac-
Congress amended 10 U.S.C. § 491 to restrict cess”).
Department of Defense procurement of certain
telecommunications equipment or services with 13
For instance, a criminal in one State can
particular Chinese or Russian origins. easily disseminate graphic images and person-
ally-identifying information of his victim in an-
9
Accessing data is further complicated in other State or around the world.  He can store the
some circumstances by the lack of any uniform images and information on servers in unfriendly
data retention standards or requirements for ser- foreign jurisdictions, using proxy technology to
vice providers. Without such requirements, data conceal his true location.  He can threaten and
that is potentially critical to law enforcement extort the victim using end-to-end encrypted
investigations is simply not retained or in some communication applications that store little or
cases is not retained long enough to be useful. no information about subscribers.  Without leav-
ing home, the perpetrator can commit an elab-
Telephone toll billing records include the
10
orate and hard-to-trace scheme using technolo-
originating phone number, the phone number gy easily accessible to anyone.  Worse, someone
called, and the date, time, and length of the call. with no technical sophistication at all can hire
ECTRs for e-mail show the sending e-mail ad- someone to do the harassment for him from a
dress, the e-mail recipients, and the date, time, dark market online.
and size of the e-mail message.
14
“A Report to the President on Enhancing
11
See, e.g., United States v. Forrester, 512 F.3d the Resilience of the Internet and Communi-
500, 510 (9th Cir. 2008) (holding that e-mail and cations Ecosystem Against Botnets and Other
Internet users have no reasonable expectation of Automated, Distributed Threats,” U.S. Dept. of
privacy in to/from addresses of their messages or Commerce & U.S. Dept. of Homeland Secu-
in IP addresses of websites visited). rity (May 22, 2018), available at: https://www.
commerce.gov/sites/commerce.gov/files/media/
12
See also WEC Carolina Energy Solutions files/2018/eo_13800_botnet_report_-_finalv2.
LLC v. Miller, 687 F.3d 199, 207 (4th Cir. 2012) pdf (last accessed June 29, 2018).
(“[W]e reject an interpretation of the CFAA that
imposes liability on employees who violate a use 15
18 U.S.C. §§ 981-83.
policy[.]”); United States v. Valle, 807 F.3d 508
511 (2d Cir. 2015) (an individual “‘exceeds au- Exec. Order No. 13,800, 82 Fed. Reg. 22391
16

thorized access’ only when he obtains or alters (May 16, 2017).


information that he does not have authorization

APPENDIX 1

Appendix 2
Recent Successful Botnet Disruptions
VPNFilter

In May 2018, the Department took steps to disrupt the operation of a global botnet of hundreds of thousands of infected home and office (“SOHO”) routers and other networked devices under the control of a group of actors known as the “Sofacy Group” (also known as “apt28,” “sandworm,” “x-agent,” “pawn storm,” “fancy bear” and “sednit”).1 The botnet, which the FBI and cybersecurity researchers called “VPNFilter,” targets SOHO routers and network-access storage devices. In order to identify infected devices and facilitate their remediation, the U.S. Attorney’s Office for the Western District of Pennsylvania applied for and obtained court orders authorizing the FBI to seize a domain that is part of the malware’s command-and-control infrastructure. The FBI also put out a public service announcement urging individuals and organizations to reset their routers.2

The cumulative effect of these actions would be to purge parts of the malware from the routers that were reset, and to direct attempts by the remaining malware to reinfect the device to an FBI-controlled server, which captured the Internet Protocol (“IP”) address of infected devices. A non-profit partner organization agreed to disseminate the IP addresses to those who can assist with remediating the botnet, including foreign CERTs and Internet service providers.

Although the devices would remain vulnerable to reinfection while connected to the Internet, these efforts maximized opportunities to identify and remediate the infection worldwide in the time available before Sofacy actors learned of the vulnerability in their command-and-control infrastructure.

Kelihos

On April 10, 2017, the Department announced an extensive effort to disrupt and dismantle the Kelihos botnet—a global network of tens of thousands of computers infected with the Kelihos malware.3 Under the control of a cybercriminal, Peter Levashov, that botnet facilitated a range of malicious activities, including harvesting login credentials, distributing hundreds of millions of spam e-mails, and installing ransomware and other malicious software. The enormous volume of unsolicited spam e-mails sent by the botnet advertised counterfeit drugs, work-at-home scams, and a variety of other frauds, including deceptively promoted stocks in order to fraudulently increase their price (so-called “pump-and-dump” stock fraud schemes).

To liberate the victim computers from the botnet, the Department obtained civil and criminal court orders that authorized measures to neutralize the Kelihos botnet by (1) seizing domain names that the botnet used to communicate with the command-and-control servers, (2) establishing substitute servers that received the automated requests for instructions so that infected computers no longer communicated with the criminal operator, and (3) blocking any commands sent from the criminal operator attempting to regain control of the infected computers. As described in Chapter 3, Levashov was arrested in Spain and extradited to the U.S. to face justice.

Avalanche

On November 30, 2016, the Department, in coordination with German state and federal police, Europol, and various other countries and entities, conducted a takedown operation against the Avalanche malware infrastructure. This takedown led to the disabling of seven botnets that relied on this infrastructure and impacted approximately 10 different malware families that had utilized the Avalanche network.

The Avalanche network offered cybercriminals a secure infrastructure, designed to stand in the way of detection by law enforcement and cyber security experts, over which the criminals conducted malware campaigns as well as money laundering schemes known as “money mule” schemes. Access to the Avalanche network was offered to the cybercriminals through postings on exclusive underground online criminal forums. In these schemes, highly organized networks of “mules” purchased goods with stolen funds, enabling cybercriminals to launder the money they acquired through malware attacks or other illegal means.

The types of malware and money mule schemes operating over this network varied. Ransomware, such as Nymaim, encrypted victims’ computer files until the victim paid a ransom (typically in a form of electronic currency) to the cybercriminal. Other malware, such as GozNym, was designed to steal victims’ sensitive banking credentials, which were directed through the intricate network of Avalanche servers to backend servers controlled by the cybercriminals and used to initiate fraudulent wire transfers.

The Avalanche network, which had been operating since at least 2010, was estimated to involve hundreds of thousands of infected computers worldwide. The monetary losses associated with malware attacks conducted over the Avalanche network were estimated to be in the hundreds of millions of dollars worldwide, although exact calculations are difficult due to the high number of malware families present on the network.

This operation required an unprecedented level of international coordination to seize, block, and sinkhole over 800,000 malicious domains associated with the Avalanche network. These domains had been used to send commands to infected devices, pass banking credentials to cyber criminals, and obfuscate efforts by law enforcement to investigate this conspiracy. The USAO for the Western District of Pennsylvania and the Computer Crime and Intellectual Property Section obtained a temporary restraining order which greatly assisted in this effort. The Department continues to build on the success of this operation, using information obtained through seized infrastructure to identify and arrest criminals responsible for the creation of the malware distributed via Avalanche.

Gameover Zeus & Cryptolocker

In 2014, the Department led a coalition of nearly a dozen foreign countries and a group of elite computer security firms to disrupt and dismantle the highly-sophisticated “Gameover Zeus” botnet.4 At its peak, that botnet consisted of a global network of between 500,000 and 1 million computers infected with malware that used keystroke logging to collect online financial account information and, in turn, inflicted more than $100 million of losses to individuals in the United States. The Gameover Zeus network was also used to spread the Cryptolocker ransomware, which used cryptographic key pairs to encrypt the computer files of its victims and often left victims with no choice but to pay hundreds of dollars to obtain the decryption keys needed to unlock their files. As of April 2014, security researchers estimated that Cryptolocker had infected more than 234,000 computers and, according to one estimate, caused more than $27 million in ransom payments in its first two months in circulation.

To disrupt both the Gameover Zeus botnet and the Cryptolocker malware, the Department deployed a combination of criminal and civil tools available to law enforcement. As an initial matter, a federal grand jury indicted a key administrator of the botnet (Evgeniy Bogachev) with a 14-count indictment, and the Department filed a separate civil injunction against Bogachev as the leader of a tightly-knit gang of cyber criminals based in Russia and Ukraine responsible for both the Gameover Zeus and Cryptolocker schemes. Further, as in Kelihos, the Department obtained civil and criminal court orders authorizing measures to redirect requests for instructions by computers victimized by the two schemes away from the criminal operators to substitute servers established pursuant to court order. The FBI was also authorized to obtain the IP addresses of the victim computers reaching out to the substitute servers, and to provide that information to DHS’s Computer Emergency Readiness Team (US-CERT) to help victims remove the Gameover Zeus malware from their computers.5

To identify servers as command-and-control hubs for the Gameover Zeus botnet and Cryptolocker malware, and to subsequently facilitate victims’ efforts to remediate the damage to their computers, the Department also enlisted the assistance of numerous computer security firms and leading universities.

Coreflood

In 2011, the Department disrupted and disabled the decade-old “Coreflood” botnet through a civil complaint, search warrants, a criminal seizure warrant, and a temporary restraining order.6

This botnet was a global network of 100,000 computers infected with a particularly harmful type of malware named Coreflood, which could be controlled remotely to steal private personal and financial information from unsuspecting computer users. The botnet’s administrators, in turn, used the stolen information for a variety of criminal purposes, including stealing funds from the compromised accounts. In one example described in court filings, Coreflood leveraged information gleaned through illegal monitoring of Internet communications between a user and the user’s bank to take over an online banking session and cause the fraudulent transfer of funds to a foreign account.

The Department employed a multi-prong enforcement strategy to dismantle the Coreflood botnet. It obtained search warrants to seize five command-and-control servers that remotely controlled hundreds of thousands of infected computers, and a seizure warrant to secure 29 domain names that the botnet used to communicate with the command-and-control servers. Federal authorities also obtained a temporary restraining order that authorized the government to replace the illegal command-and-control servers with substitute servers. To prevent the defendants from reconstituting the botnet through new servers, domains, and updated software, the TRO also authorized the government to respond to routine requests for direction from the infected computers in the United States with a command that temporarily stopped the Coreflood malware from running on the infected computers. By limiting the defendants’ ability to control the botnet, computer security providers and victims were given the time and opportunity to remove the malware from infected computers. The Department also filed a civil complaint against 13 “John Doe” defendants associated with the botnet.
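The sinkhole mechanics that the Kelihos, Gameover Zeus and Coreflood passages describe (seized command-and-control names pointed at court-authorized substitute servers that record victim IP addresses, refuse operator commands, and hand the victim list to CERTs), as an added Python model written for this page; it is not DOJ or FBI code, and the domain names, IP addresses and prefix-to-country table are constructed sample data.

```python
"""Toy model of a court-authorized botnet sinkhole (illustration for this
page, not DOJ/FBI code).  Domain names, IP addresses (RFC 5737 documentation
ranges) and the prefix->country table are constructed sample data."""
from collections import defaultdict
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# (1) Seized command-and-control names now resolve to the substitute server.
SINKHOLE_IP = "203.0.113.10"
SEIZED_DOMAINS = {"c2-one.example", "c2-two.example"}

# Constructed stand-in for a GeoIP database.  In Coreflood the TRO allowed a
# benign "stop" reply only to infected hosts in the United States, so the
# sinkhole has to scope its response by jurisdiction.
PREFIX_COUNTRY = {
    ip_network("198.51.100.0/24"): "US",
    ip_network("192.0.2.0/24"): "DE",
}


@dataclass
class Beacon:
    """One message arriving at the substitute server."""
    src_ip: str
    domain: str
    kind: str          # "request": bot asking for instructions; "command": operator
    payload: str = ""  # never inspected: only header fields are recorded (cf. note 5)


@dataclass
class Sinkhole:
    victims: dict = field(default_factory=lambda: defaultdict(set))  # country -> IPs
    blocked_commands: int = 0

    @staticmethod
    def resolve(domain):
        """DNS view after the seizure: seized names point at the sinkhole."""
        return SINKHOLE_IP if domain in SEIZED_DOMAINS else None

    @staticmethod
    def country_of(ip):
        addr = ip_address(ip)
        for net, cc in PREFIX_COUNTRY.items():
            if addr in net:
                return cc
        return "UNKNOWN"

    def handle(self, beacon):
        """Returns the reply sent to the sender, or None when nothing is sent."""
        if self.resolve(beacon.domain) != SINKHOLE_IP:
            return None  # traffic for a name the court order does not cover
        if beacon.kind == "command":
            # (3) Operator attempting to regain control: counted, never relayed.
            self.blocked_commands += 1
            return None
        # (2) Automated request for instructions: record only the source IP,
        # which is what gets handed to CERTs and ISPs for remediation.
        cc = self.country_of(beacon.src_ip)
        self.victims[cc].add(beacon.src_ip)
        # Coreflood-style scoping: in-scope hosts get the temporary stop
        # command; everyone else simply receives no instructions.
        return "STOP" if cc == "US" else "NOOP"

    def cert_report(self):
        """Victim IPs grouped by country for hand-off to national CERTs."""
        return {cc: sorted(ips) for cc, ips in self.victims.items()}


# Constructed traffic sample: two bots, a repeat beacon, one operator
# command, and a request for a name that was not seized.
SAMPLE_TRAFFIC = [
    Beacon("198.51.100.7", "c2-one.example", "request"),
    Beacon("192.0.2.44", "c2-two.example", "request"),
    Beacon("198.51.100.7", "c2-one.example", "request"),
    Beacon("203.0.113.99", "c2-one.example", "command", "update-bots"),
    Beacon("198.51.100.9", "unrelated.example", "request"),
]


def run_sample():
    """Feed the sample through a fresh sinkhole; returns (sinkhole, replies)."""
    sink = Sinkhole()
    replies = [sink.handle(b) for b in SAMPLE_TRAFFIC]
    return sink, replies
```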


NOTES
1 Press Release, “Justice Department Announces Actions to Disrupt Advanced Persistent Threat 28 Botnet of Infected Routers and Network Storage Devices,” U.S. Dept. of Justice (May 23, 2018), available at: https://www.justice.gov/opa/pr/justice-department-announces-actions-disrupt-advanced-persistent-threat-28-botnet-infected (last accessed June 29, 2018).

2 Federal Bureau of Investigation, “Foreign Cyber Actors Target Home and Office Routers and Networked Devices Worldwide” (May 25, 2018), available at: https://www.ic3.gov/media/2018/180525.aspx (last accessed June 29, 2018).

3 Press Release, “Justice Department Announces Actions to Dismantle Kelihos Botnet,” U.S. Dept. of Justice (Apr. 10, 2017), available at: https://www.justice.gov/opa/pr/justice-department-announces-actions-dismantle-kelihos-botnet-0 (last accessed June 29, 2018).

4 Press Release, “U.S. Leads Multi-National Action Against “Gameover Zeus” Botnet and “Cryptolocker” Ransomware, Charges Botnet Administrator,” U.S. Dept. of Justice (June 2, 2014), available at: https://www.justice.gov/opa/pr/us-leads-multi-national-action-against-gameover-zeus-botnet-and-cryptolocker-ransomware (last accessed June 29, 2018).

5 At no point during the operation did the FBI or law enforcement access the content of any of the victims’ computers or electronic communications.

6 Press Release, “Department of Justice Takes Action to Disable International Botnet,” U.S. Dept. of Justice (Apr. 13, 2011), available at: https://www.justice.gov/opa/pr/department-justice-takes-action-disable-international-botnet (last accessed June 29, 2018).


Appendix 3
Recent Successful Dark Web Disruptions
AlphaBay & Hansa

On July 20, 2017, the Department announced the seizure of AlphaBay, an online criminal marketplace that had operated for over two years on the dark web and facilitated the sale throughout the world of deadly illegal drugs, stolen and fraudulent identification documents and access devices, counterfeit goods, malware and other computer hacking tools, firearms, and toxic chemicals. Around the time of its takedown, AlphaBay was the largest criminal marketplace on the Internet. Indeed, prior to the site’s disruption, one AlphaBay staff member claimed that it serviced over 200,000 users and 40,000 vendors. AlphaBay operated as a hidden service on the “Tor” network, and used cryptocurrencies including Bitcoin, Monero, and Ethereum in order to hide the locations of its underlying servers and the identities of its administrators, moderators, and users. Based on law enforcement’s investigation of AlphaBay, authorities believe the site was also used to launder hundreds of millions of dollars deriving from illegal transactions on the website.

The operation to seize the AlphaBay site coincided with efforts by Dutch law enforcement to investigate and take down the Hansa Market, another prominent dark web market. Like AlphaBay, Hansa Market was used to facilitate the sale of illegal drugs, toxic chemicals, malware, counterfeit identification documents, and illegal services. To maximize the disruptive impact of the joint takedowns, Dutch authorities took covert control over the Hansa Market during the period when AlphaBay was shut down. That covert control not only allowed Dutch police to identify and disrupt the regular criminal activity on Hansa, but then also allowed the authorities to sweep up all those new users who were displaced from AlphaBay and needed a new trading platform. The success of this joint operation stands out as yet another example of what international law enforcement can accomplish when working closely together to neutralize a cybercrime marketplace.

Silk Road

In late 2013, the Department joined with various law enforcement partners across the government to disrupt the hidden “Silk Road” website, and to prosecute its creator and owner, Ross Ulbricht.1

For the two years leading up to the Department’s actions, Silk Road stood out as the most sophisticated and extensive criminal marketplace on the Internet, serving as a sprawling black-market bazaar where unlawful goods and services, including illegal drugs of virtually all varieties, were regularly bought and sold. At its height, several thousand drug dealers and other unlawful vendors used the site to distribute hundreds of kilograms of illegal drugs and other unlawful goods and services to well over 100,000 buyers, and to launder hundreds of millions of dollars deriving from these unlawful transactions.

To remain outside the reach of law enforcement, Silk Road’s administrators anonymized the site’s transactions by operating it on the Tor network and including a Bitcoin-based payment system designed to conceal its users’ identities and locations. Despite these efforts, law enforcement ultimately pierced Silk Road’s cloak of anonymity and seized control of the website, its domain, its servers, and 29,655 Bitcoins residing on those servers (worth approximately $28 million at the time of seizure). The creator and administrator of Silk Road, Ross Ulbricht, was also arrested and ultimately convicted of seven charges relating to money laundering and computer hacking, among others, and sentenced to life in federal prison. The government seized an additional 144,336 Bitcoins from Ulbricht’s computer hard drive (worth approximately $130 million at the time of seizure).

Operation Onymous

Building on the success of the Silk Road takedown, in November 2014, U.S. and European authorities took joint action against the underground website known as “Silk Road 2.0,” as well as dozens of additional dark market websites that were facilitating the sale of an astonishing range of illegal goods and services on hidden services within the Tor network, including weapons, drugs, murder-for-hire services, stolen identification data, money laundering, hacking services, and others.2 Silk Road 2.0 was created in November 2013 to fill the void left by the government’s seizure of the Silk Road website in October 2013. As with Silk Road, the Department used civil forfeiture authorities to seize control over 400 Tor website addresses known as “.onion” addresses, as well as the servers hosting them. Administrators associated with these Dark Web markets were criminally prosecuted.

Darkode

On July 15, 2015, the Department announced the dismantling of a computer hacking forum known as “Darkode” as part of a coordinated law enforcement action across 20 countries that led to the search, arrest, or charging of 70 Darkode members and associates.3

At the time of its takedown, the Darkode forum represented a uniquely grave threat to the integrity of data on computers because it provided a platform where highly-sophisticated cybercriminals congregated to buy, sell, and trade malware, botnets, and PII used to steal from U.S. citizens and individuals around the world. Before becoming a member of Darkode, prospective members were allegedly vetted through a process in which an existing member invited a prospective member to the forum for the purpose of presenting the skills or products that he or she could bring to the group. As part of Operation Shrouded Horizon, the FBI was able to disrupt and dismantle Darkode by infiltrating the forum’s membership.


NOTES
1 Press Release, “Manhattan U.S. Attorney Announces Seizure of Additional $28 Million Worth of Bitcoins Belonging to Ross William Ulbricht, Alleged Owner and Operator of “Silk Road” Website,” Federal Bureau of Investigation (Oct. 25, 2013), available at: https://archives.fbi.gov/archives/newyork/press-releases/2013/manhattan-u.s.-attorney-announces-seizure-of-additional-28-million-worth-of-bitcoins-belonging-to-ross-william-ulbricht-alleged-owner-and-operator-of-silk-road-website (last accessed June 29, 2018).

2 Press Release, “Dozens of Online ‘Dark Markets’ Seized Pursuant to Forfeiture Complaint Filed in Manhattan Federal Court in Conjunction with the Arrest of the Operator of Silk Road 2.0,” Federal Bureau of Investigation (Nov. 7, 2014), available at: https://www.fbi.gov/contact-us/field-offices/newyork/news/press-releases/dozens-of-online-dark-markets-seized-pursuant-to-forfeiture-complaint-filed-in-manhattan-federal-court-in-conjunction-with-the-arrest-of-the-operator-of-silk-road-2.0 (last accessed June 29, 2018).

3 Press Release, “Major Computer Hacking Forum Dismantled,” U.S. Dept. of Justice (July 15, 2015), available at: https://www.justice.gov/opa/pr/major-computer-hacking-forum-dismantled (last accessed June 29, 2018).


Appendix 4
Attorney-Work Product/Deliberative/Pre-decisional/Draft/Privileged and Confidential 4/29/18
Glossary of Key Terms

Acronym Meaning
AECA Arms Export Control Act
AUSA Assistant United States Attorney
BEC Business Email Compromise
Boyusec Guangzhou Bo Yu Information Technology Company Limited
C&C Command-and-Control
C.F.R. Code of Federal Regulations
C2 Command and Control
CAATSA Countering America’s Adversaries Through Sanctions Act
CAN-SPAM Controlling the Assault of Non-Solicited Pornography and Marketing
CAT Cyber Action Team
CCIPS Computer Crime and Intellectual Property Section
CFAA Computer Fraud and Abuse Act
CHIP Computer Hacking and Intellectual Property
CFIUS Committee on Foreign Investment in the United States
CISO Chief Information Security Officer
CLOUD Clarifying Lawful Overseas Use of Data
CNN Cable News Network
CTF Cyber Task Force, Federal Bureau of Investigation
DDoS Distributed Denial of Service
DEA Drug Enforcement Administration
DHS Department of Homeland Security
DMCA Digital Millennium Copyright Act
DOJ Department of Justice
DSAC Domestic Security Alliance Council
EAR Export Administration Regulations
ECPA Electronic Communications Privacy Act
ECTR Electronic Communication Transactional Record
EEA Economic Espionage Act
EOUSA Executive Office for United States Attorneys
ESU Electronic Surveillance Unit
FBI Federal Bureau of Investigation
FinCEN Financial Crimes Enforcement Network
FISA Foreign Intelligence Surveillance Act
FLASH FBI Liaison Alert System
FSB Russian Federal Security Service
GDPR General Data Protection Regulation
HTOCU Hi-Tech Organized Crime Unit
IC3 The Internet Crime Complaint Center
IEEPA International Emergency Economic Powers Act
INTERPOL International Criminal Police Organization
IoT Internet of Things
IP (address) Internet Protocol
IPR Intellectual Property Rights
IRS Internal Revenue Service
ISIL Islamic State of Iraq and the Levant
ISP Internet Service Provider
JAR Joint Analysis Report
J-CODE Joint Criminal Opioid Darknet Enforcement
JITs Joint Investigative Teams
JTA Joint Technical Advisory
KAT Kickass Torrents
MLARS Money Laundering and Asset Recovery Section, Criminal Division
MLAT Mutual Legal Assistance Treaty
MUCD Military Unit Cover Designator
NCCIC National Cybersecurity and Communications Integration Center
NCFTA National Cyber-Forensics and Training Alliance
NCIJTF National Cyber Investigative Joint Task Force
NDCAC National Domestic Communications Assistance Center
NICE National Initiative for Cybersecurity Education
NITs Network Investigative Techniques
NSCS National Security Cyber Specialists
NSD National Security Division
NSL National Security Letter
OFAC Office of Foreign Assets Control
OIA Office of International Affairs, Criminal Division
OJT On the Job Training
OLE Office of Legal Education
P2P Peer-to-Peer
PII Personally Identifiable Information
PINs Private Industry Notifications
PLA People’s Liberation Army
PPD Presidential Policy Directive
PRC People’s Republic of China
PRTT Pen Register and Trap and Trace
PSA Public Service Announcement
RICO Racketeer Influenced and Corrupt Organizations Act
ROB Rules of Behavior
SCADA Supervisory Control and Data Acquisition
SPE Sony Pictures Entertainment
STSO Operational Support Unit (Drug Enforcement Administration)
SUA Specified Unlawful Activity
Tor The Onion Router
TRO Temporary Restraining Order
USAO United States Attorney’s Office
USNCB United States National Central Bureau (INTERPOL)
US-CERT United States Computer Emergency Readiness Team
USTR United States Trade Representative
VRRA Victims’ Rights and Restitution Act
WTI Workforce Training Initiative
