Earlier this month, Deputy Attorney General Lisa O. Monaco spoke on cybersecurity developments at the International Conference on Cyber Security (“ICCS”); the same day, the U.S. Department of Justice (“DOJ”) released its Comprehensive Cyber Review (the “Cyber Review”). At Monaco’s direction last year, the Cyber Review was prepared to respond to escalating cyber threats by providing a thorough review of the DOJ’s cybersecurity-related operations and successes. The Cyber Review aims to counteract “malicious cyber actors becoming more aggressive, more sophisticated, more belligerent and brazen — and an increased blurring of the line between state-sponsored cyberattacks and attacks by criminal groups.”
A resounding takeaway of the Cyber Review: The DOJ expects cooperation from the private sector through prompt self-reporting of cyber incidents and ransomware payments. The DOJ will demand effective compliance programs that continue to serve a direct law enforcement purpose and redefine the status quo. Companies should expect increased enforcement on the cyber front and enhanced scrutiny of compliance programs.
Monaco pronounced: “The answer is that if you report that attack, if you report the ransom demand and payment, if you work with the FBI, we can take action; we can follow the money and get it back; we can help prevent the next attack, the next victim; and we can hold cybercriminals accountable. Those companies that work with us will see that we stand with them in the aftermath of an incident.” [Emphasis added.]
The DOJ’s “All Tools” Approach
Monaco’s remarks at the ICCS revealed the DOJ’s increased collaboration with inter-agency and intra-agency partners, international partners, and other domestic partners across the government and private sector. With bullish proactivity, the DOJ has disrupted significant cyberattacks — efforts that depended on reporting from, and cooperation with, companies that have fallen victim to cyberattacks.
For example, as early as May 2021, a North Korean state-sponsored group targeted U.S. medical facilities and public health sector organizations with ransomware that encrypted servers containing critical data and operational equipment. A Kansas hospital was given 48 hours to pay the ransom. It not only paid the ransom to continue operations, but also immediately notified the FBI of an unprecedented ransomware strain. With that information, the FBI and the DOJ traced the ransom payment through the blockchain, identified China-based money launderers who were helping partners in North Korea “cash out” ransom payments into fiat currency, located other ransom payments from other medical provider victims, and released an international cybersecurity advisory. The government seized around $500,000 in ransom payments and cryptocurrency used to launder those payments and is now returning stolen funds to victims. Monaco praised the Kansas hospital for “d[oing] the right thing at a moment of crisis and call[ing] the FBI.”
In the Cyber Review and Monaco’s speech at ICCS, the DOJ also highlighted Kaseya, an IT-management company that suffered a “Sodinokibi/REvil” ransomware attack but prevented prolonged encryption of downstream customers’ networks through prompt self-reporting. By accessing “endpoints” on Kaseya’s global customer networks, the ransomware infected computers all over the world that used Kaseya software. When Kaseya quickly reported the incident to the government, the FBI deployed the decryption key (which it had obtained from the actors who conducted the attack on Kaseya and other companies) and enabled mass decryption of Kaseya’s own and its customers’ networks. These efforts resulted in the indictment of two individuals connected to the ransomware. Again praising the private sector, Monaco noted: “And none of this — none of this — would have been possible without Kaseya, which in their darkest hour made the right choice — again, they decided to work with the FBI.”
Recent Government Investments in Cybersecurity
The Cyber Review reports the DOJ’s laser focus on disruption, accountability, and deterrence, which involves building its workforce with systems engineers, cyber-specific prosecutors, cyber policy experts, and special analysts. As we have previously reported, the DOJ has formed a variety of initiatives over recent years, such as the Ransomware and Digital Extortion Task Force, the National Cryptocurrency Enforcement Team (“NCET”), and the Civil Cyber-Fraud Initiative. The DOJ continues building its cyber repertoire.
Even more recently, the FBI created the Virtual Asset Unit (“VAU”) to deepen its cyber and cryptocurrency expertise and partner with NCET. The DOJ added a Cyber Operations International Liaison (“COIL”) position, in which a designated prosecutor will work with DOJ components and European allies to “increase the tempo of . . . disruptive actions against top-tier cyber actors, including charges, arrests, extraditions, asset seizures, and the dismantlement of infrastructure,” according to the Cyber Review. On top of these initiatives, the DOJ announced Monaco’s recent visit to the National Cyber-Forensics Training Alliance (“NCFTA”), a public-private partnership designed to increase information sharing between the private sector and the government. There, she received a briefing from the NCFTA’s managing director, several private sector members, and the FBI on the strategies they are using to tackle malicious cyber actors.
On the legislative front, President Biden signed the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA”) in March 2022, which directs the Cybersecurity and Infrastructure Security Agency (“CISA”) to complete mandatory rulemaking before the reporting requirements take effect. Under CIRCIA, covered entities will be required to report cybersecurity incidents to CISA within 72 hours and ransomware payments within 24 hours.
All signs point to heightened reporting obligations, heightened scrutiny of compliance programs, and opportunities for cooperation credit with the government.
What This Means for You
The DOJ’s transparency should not be taken lightly. All organizations should prepare for the DOJ’s aggressive approach to cybersecurity by considering the following:
- Create an incident response plan and conduct regular training sessions to ensure that internal teams are ready to activate in case of an emergency;
- Mirror the DOJ’s workforce expansion efforts and create internal task forces, equipped with systems experts, engineers, and legal experts;
- Create policies that require proactive reporting of a variety of cybersecurity threats, from phishing, to malware, to cryptojacking. Include internal and external reporting schemes;
- Stay up-to-date on state-specific reporting requirements and other agencies’ requirements, such as the SEC, which recently proposed new enhanced cybersecurity disclosure obligations that would require disclosure of material cyber incidents within four business days of an occurrence; and
- Review and update your compliance program at regular intervals and learn from cyber-related news events.