With nation-state cyberattacks increasingly targeting businesses, the Federal government must take action to collaborate and communicate with the private sector in a whole-of-government approach, said current and former officials from the Department of Justice on Tuesday.
Speaking at an event hosted by the Center for Strategic and International Studies, John Carlin, former assistant attorney general in the National Security Division, and John Demers, current assistant attorney general in the National Security Division, emphasized the importance of spreading awareness of the risks in cyberspace for economic and national security reasons.
“All those reforms that we put in place, those billions of dollars that were focused on sharing information within and between governments, they won’t work with the new threat that we face. They’re necessary, but not sufficient,” said Carlin. “With the new threats that we’re facing, where companies are on the front lines, whether it’s nation states or terrorist groups or organized criminal groups, we need to share information at speed and scale with the private sector, and incentivize the private sector to come in and share information at speed and scale back to the government.”
Agreeing with Carlin, Demers said, “We need the help of the private sector to do these cases. We can also provide a tremendous amount of benefit, I think, to the private sector.”
Demers referred to the recent indictment against hackers stealing intellectual property from Micron as an example of both a positive outcome and a strong response.
“The reason why I like that case so much is that it’s a case in which ultimately our indictment went together with the Commerce Department’s use of its authorities, and this is definitely an area where all the parts of the government need to be working together,” he said. “[Commerce] used their authority to block the would-be competitor of the American company from buying the products that they needed to develop the product for which they had stolen the intellectual property.”
Demers further emphasized the importance of a larger government response to nation-state cyberattacks.
“We are just a piece of this puzzle. You don’t change behavior just by five to ten indictments a year, but we do if we’re raising awareness, if the Treasury Department is using its authorities, if the Commerce Department is using its authorities, and of course, if the State Department is able to then use all of this information in dealing with the countries that are doing this,” he said.
Carlin called for more sanctions against companies that benefit from stolen secrets, a power that rests with the President under executive order, noting that such sanctions would promote fairness against economic espionage.
When asked about the effectiveness of indictments against foreign, state-supported actors, both Demers and Carlin pointed to successful cases of extradition and extolled the other benefits of bringing accused attackers to trial.
“Indictments are a unique element of the way the government can speak, because what the government is saying is not only that we think this is happening or that we assess with a high likelihood this is happening. It’s saying, ‘I can get up in court and prove every element of what I’ve laid out in this indictment beyond a shadow of a reasonable doubt.’ I can tell you there are a lot of things we know that we can never get there on,” said Demers.