US Deputy AG: Aiding Victims Takes Precedence Over Arrests
Lisa Monaco Says Justice Department Values Stopping Cybercrime Over Court Victories
SAN FRANCISCO - Preventing and disrupting cybercrime now takes priority over courtroom victories, said the United States' second-highest-ranking prosecutor.
Deputy Attorney General Lisa Monaco said the Department of Justice has in recent years put victims at the center of its cybercrime response. Actions taken under this playbook include recovering ransom payments made by Colonial Pipeline and accessing infrastructure used by the Russian military to delete malware that would have allowed a botnet to be activated, Monaco said.
"You've got to have a bias toward action to disrupt and prevent, to minimize what the adversary is doing, and take that action to prevent the next victim," Monaco said during a keynote address at RSA Conference 2023. "And doing so will not always yield a prosecution."
Nation-state actors have stepped up their game by joining forces with local criminal groups, a development that prompted Monaco and the Justice Department to conduct a comprehensive review of how to maximize the legal tools at their disposal (see: ISMG Editors: Opening Day Overview of RSA Conference 2023).
"We've used very old and familiar tools like a forfeiture warrant to go out and follow that money through the blockchain, seize it back, and give it back to the victim," Monaco said.
Using the Law to Stop Threat Actors in Their Tracks
Monaco said Justice wants to work closely with the private sector and give it as much information as possible about threats. When companies don't take as much remedial action as federal officials would like, Monaco said prosecutors may step in with court proceedings.
In last year's Cyclops Blink operation, Monaco said, Russia's military intelligence took over a zombie group of computers in the United States. In consultation with international partners, she said, the department used a legal process to access the infrastructure, delete malware and close the backdoors to the compromised devices before Russia's military could activate the botnet.
"Partnership has to be more than just passive outreach to entities. We got to be willing to really put our tools on the table to help them see what we're seeing and then work together to take that action," Monaco said.
Monaco said the Justice Department's involvement in the Hive ransomware takedown would have been considered "heresy" under the previous way of fighting cybercrime, since no arrests were made (see: FBI Seizes Hive Ransomware Servers in Multinational Takedown).
Instead, Monaco said, Justice officials used their legal authority to conduct a "21st-century cyber stakeout," gaining access to Hive's network and patiently lying in wait. Federal officials were able to swipe the crypto keys in Hive's possession and give them to the victims. As a result, she said, more than $130 million worth of ransomware payments weren't made.
"Doing more and more of that is what we're all about," Monaco said. "We can't get after this correctly if we're not working together."