Feds Prioritizing Disruptions Over Arrests in Cyberattack Cases

The Department of Justice is urging its prosecutors and investigators to place less of an emphasis on prosecutions when it comes to cyberattacks and to focus more on disruption and prevention, US Deputy Attorney General Lisa Monaco told attendees at the RSA Conference.

Monaco backed having a “bias toward action to disrupt and prevent, to minimize harm if it’s ongoing […] and to take that action to prevent the next victim.”

That “will not always yield a prosecution,” said Monaco, who quipped that’s hard for a prosecutor to say. “We’re not measuring our success only with courtroom actions and courtroom victories.”

The need for this shift comes as nation-states are increasingly working with criminal groups to enable cyberattacks around the world. “We took a hard look in the Justice Department and said, ‘how can we maximize our tools and what we can bring to this fight from a Justice Department perspective?'” she said. “We needed to pivot to disruption and prevention. We needed to put victims at the center of our approach.” 

As an example, Monaco pointed to DOJ’s response to the Colonial Pipeline attack. In that case, the operators of an oil pipeline paid ransomware operators in the hopes of unlocking their infected systems. The DOJ used existing tools—a forfeiture warrant, according to Monaco—to track down Colonial’s payment in the blockchain and return that money to the company.

She also pointed to an operation where DOJ, the FBI, and European law enforcement infiltrated the Hive ransomware group for seven months before seizing the group’s infrastructure. They were able to obtain the decryption keys to recover access to victims’ files and machines but no arrests were made. “In days gone by, that might have been heresy,” said Monaco. 

The Hive group was notable for having attacked over 1,500 victims, earning a reported $100 million in ransom. Monaco claimed that taking the Hive group offline prevented another $130 million in additional ransom payments.

Throughout the talk, Monaco emphasized DOJ’s desire to work with industry in a non-adversarial way. She was then asked by Chris Krebs, the former head of the Cybersecurity and Infrastructure Security Agency (CISA), if that trust was broken by the prosecution of former Uber CSO Joe Sullivan. In that case, Sullivan used a bug bounty payout system to disguise payments made to attackers who had obtained data from Uber’s internal systems. The move wasn’t disclosed until after a change in Uber’s leadership a year later. Sullivan was found guilty of obstruction of justice, among other charges, in October 2022.

Although other companies had made ransom payments before—including during the Colonial Pipeline attack—Monaco said Sullivan’s case was different because his actions were “intentional acts as was proved at trial and as the jury found.” “Very, very different from and not a mistake made by a CISO or a compliance officer in the heat of a very stressful time.”

Krebs and Monaco noted that Sullivan’s sentencing is scheduled for May 4.
