For the first time, DOJ describes how it will respond to influence plots like Russia’s interference in the 2016 presidential race.
The Justice Department on Thursday issued a wide-ranging report from its Cyber-Digital Task Force describing the cyber threats facing the United States and the department’s tactics for investigating, disrupting and deterring those risks.
Most significantly, the report contains the first public description of how the DOJ will assess and respond to foreign influence operations like Russia’s 2016 election meddling.
“That policy reflects an effort to articulate neutral principles so that when the issue that the government confronted in 2016 arises again — as it surely will — there will be a framework to address it,” Deputy Attorney General Rod Rosenstein said in unveiling the report at the Aspen Security Forum.
The report also describes a range of challenges hampering the government’s ability to fight more traditional cybercrime and recommends possible solutions.
The challenge that receives the most attention is encryption and other technological impediments to accessing investigative data. The spread of easy-to-use, often-invisible encryption “poses a significant impediment to the investigation of most types of criminal activity,” the report warns.
For years, the government has urged tech companies to voluntarily use warrant-compatible encryption, but in recent years Silicon Valley has moved in the opposite direction. The report recommends seven ways for DOJ to respond to this problem, including “considering whether legislation to address encryption (and all related service provider access) challenges should be pursued.”
The lengthy chapter on foreign influence operations describes five categories of meddling, from hacking election infrastructure to spreading disinformation. It also lays out a policy for disclosing foreign meddling investigations to their targets, tech companies whose platforms are involved, lawmakers and the public.
This meddling “may violate a number of federal laws on which the Department may base criminal investigations and prosecutions,” the report says, but DOJ is “also considering whether new criminal statutes aimed more directly at this type of activity are needed.”
In addition to foreign influence campaigns, the report covers the more prosaic cybercrime schemes that prosecutors and agents deal with on a daily basis. Chapter 2 discusses the types of cybercrime that the department investigates, from distributed denial-of-service attacks to ransomware infections. Chapter 3 explains how the government fights back, including prosecution tools like the Computer Fraud and Abuse Act, techniques like surveillance of suspects and other response options like dismantling botnets. Chapter 4 describes the government’s private-sector partnerships, information-sharing channels and interagency response plans. And Chapter 5 explains how different DOJ components are training and retaining cybersecurity experts.
Chapter 6 lays out the challenges for cybercrime investigations and prosecutions. Among them are the reticence of victims to report breaches, the government’s sometimes tense relationship with security researchers and gaps in DOJ’s legal authority to access data controlled by foreign companies.
In the encryption section, DOJ notes that it cannot rely solely on purchasing workarounds like Cellebrite or GrayKey.
“Expanding the government’s exploitation of vulnerabilities for law enforcement purposes will likely require significantly higher expenditures — and in the end it may not be a scalable solution,” the report warns. “All vulnerabilities have a limited lifespan and may have a limited scope of applicability.”
Another problem relevant to election security is that the Computer Fraud and Abuse Act only empowers DOJ to prosecute people who hack internet-connected devices.
“In many conceivable situations, electronic voting machines will not meet those criteria, as they are typically kept off the Internet,” the report notes. “Consequently, should hacking of a voting machine occur, the government would not, in many conceivable circumstances, be able to use the CFAA to prosecute the hackers.”
At the Aspen event, Rosenstein said the report underscored how DOJ “must continually adapt criminal justice and intelligence tools to combat hackers and other cybercriminals.”
The DOJ began compiling the report in February, after Attorney General Jeff Sessions, under fire from congressional Democrats for not appearing to prioritize election security, created a Cyber-Digital Task Force to study DOJ-related cyber issues and “identify how federal law enforcement can more effectively accomplish its mission in this vital and evolving area.”
The report mostly summarizes previously known information about DOJ, its headquarters components like the National Security Division and its agencies like the FBI.
In some cases, the report copies and pastes text directly from federal websites, including in a section describing INTERPOL Washington.