The U.S. government has delayed public disclosures of cyber incidents several times since new rules came into force last December, according to Matthew Olsen, assistant attorney general at the U.S. Department of Justice. He spoke with WSJ reporter Dustin Volz at WSJ Tech Live: Cybersecurity on June 6 about the government's reasons for granting companies exemptions to delay disclosing hacks. They also discussed the heightened risk of cyber attacks. Zoe Thomas hosts.
[00:00:00] Welcome to Tech News Briefing. It's Friday, July 5th.
[00:00:20] I'm Zoe Thomas for The Wall Street Journal. At WSJ's Tech Live cybersecurity event last month, Matthew Olsen, Assistant Attorney General at the U.S. Department of Justice, discussed the heightened risk of cyber attacks and national security threats facing the U.S.
[00:00:38] Olsen spoke with our reporter Dustin Volz about how the government is handling these threats and how companies should respond. Here are highlights from their conversation, starting with Dustin. Just looking at the last three years or so, you know, roughly, what do you think about
[00:00:54] in terms of how the landscape has evolved from the national security cyber threat perspective and how has law enforcement's attempts to address or tackle those problems also shifted or evolved? Yeah, I've been in this job at the Justice Department for just about two and a half years
[00:01:08] and what I've seen over the past couple years is the very concerning trend lines continue in terms of nation-state sponsored cyber threats. The trend lines are increasing sophistication, increasing capability, persistence, and really just a determination and intent to use cyber-enabled means to carry out a range of threats.
[00:01:29] We're most concerned about China and Russia, Iran, North Korea, and the range of threats extends from on one end, you know, traditional espionage that's cyber-enabled, going after classified information on government systems, to seeking to obtain innovation and trade
[00:01:45] secrets from some of our leading technology companies through cyber-enabled means. It also includes foreign malign influence activities, using cyber-enabled means to influence policies and elections and to really exploit divisions in American society. Going after diaspora communities, what we call transnational repression, authoritarian
[00:02:05] regimes coming after individuals who are maybe critics of those countries like China and Russia, and then on the sort of the most concerning end, putting our critical infrastructure at risk through cyber. So, you know, that's the threat picture. It's stark and very concerning.
[00:02:20] In terms of the response, probably the evolution that I'm seeing the most, which I think is a really positive one, is an increasing focus on being sort of victim-centric in how the government and the FBI and the Department of Justice thinks about the threat.
[00:02:34] And I think this trend has really accelerated in the past few years where our goal is to be very much a partner to the private sector to treat companies that have been victimized or potentially are victimized by threats as victims that we want to work with, that
[00:02:48] we want to limit the damage to those companies, work with the broader community to prevent further potential damage. Late last year, the SEC, the Securities and Exchange Commission, adopted a rule for material disclosure of material cybersecurity events for publicly traded companies.
[00:03:03] I believe the notification window is within four days of identifying material cyber breach. There is a national security waiver for that disclosure rule in the event that the government determines there could be some national security-related impacts or considerations.
[00:03:19] How has that sort of played out in practice for you? Yeah, so folks here mostly may be aware, as you said, Dustin, the SEC adopted a rule in December that requires public disclosure to the SEC and therefore to the market for publicly
[00:03:32] traded companies of a material cyber breach. And there have been dozens of those disclosures. The rule also, though, includes a waiver or the capacity to delay disclosure if such a disclosure would impose substantial risks on national security or public safety.
[00:03:50] There are occasions where simply disclosing it might actually reveal a vulnerability that hasn't been fully remediated, say a zero-day type attack, right? And I can say here that in fact we have on a number of occasions delayed disclosure.
[00:04:05] And it's an authority that's exercised by the Attorney General, but that authority has been delegated to me. And where again there has been a substantial risk to national security, on a number of occasions we have delayed disclosure in order to take the steps necessary to protect national security.
[00:04:22] It is the case that it's a very compressed timeline. So the companies are required to make that disclosure within four days of identifying a material breach. So one of the key points is if a company identifies a breach, my strong encouragement
[00:04:35] would be to work very quickly and closely with the FBI even before you've made that materiality decision. Because once you determine that there's a material breach, four days is not a long time to make the judgments about whether to seek a delay in disclosure.
[00:04:50] But it's an important part of the rule. It can be extended from 30 days up to 120 days. So it's not unbounded, but it does give the government with the private sector the opportunity to take the necessary steps that we think we need to take to protect either public safety
[00:05:05] or national security. Can you say, you said a number of, I think this is the first time that you've said this publicly, can you say how many delays of disclosure there have been?
[00:05:14] I can't say how many and I can't say anything more in terms of the companies or details, but it has happened on a number of occasions. You wouldn't be able to say if these have been China-related attacks, Russia-related attacks or anything about that? Correct. No more...
[00:05:30] I wouldn't be able to say. No more details. Okay. Well, perhaps in the future if there's some declassification, we'd love to hear more about specific examples about how that's working out. Coming up, what is the U.S. government doing to tackle cybercriminals based in other countries?
[00:05:46] That's after the break.
[00:06:29] Before the break, we heard DOJ Assistant Attorney General Matthew Olsen tell WSJ reporter Dustin Volz that on a number of occasions, the government has delayed companies' disclosures of cyber incidents. Olsen said making these attacks public would create substantial risks and raise national security concerns.
[00:06:50] Here's more of their conversation from WSJ's Tech Live cybersecurity event, starting with Dustin. Another area that has continued to be extremely important in cybersecurity and in the national security space as well is the unmitigated problem of ransomware.
[00:07:04] And now the Biden administration, after the Colonial Pipeline attack in 2021, basically decided ransomware is a national security threat. They elevated it. Again, these are criminal groups often engaging in ransomware attacks against hospitals and all sorts of different US industries.
[00:07:19] But they largely are emanating from certain part of the globe, Russia, Eastern Europe, Russian-speaking places. And it does appear that there seems to be some safe haven for a lot of these groups. Why is ransomware continuing to be such a huge problem?
[00:07:32] And from the national security perspective, can we solve it if we can't sort of fix, for lack of a better definition, the Russia problem that we have on our hands? Right. So I think you rightly described the problem, Dustin. I mean, it is a very significant challenge.
[00:07:50] Colonial Pipeline is really the preeminent example of a ransomware attack carried out by a Russian-based group. And one of the key challenges, you touched on this, is that these groups are often given safe haven.
[00:08:02] And so even when Russia is aware that they're operating with impunity, they're taking no steps to defeat those groups from being able to effectively operate. So Colonial Pipeline is an example where the US government was able to recover a majority
[00:08:17] of the funds that were paid as part of that ransom. We used our authorities, the very specific and high-end authorities that the US government has and capacity that the US government has that the private sector doesn't have, to understand
[00:08:31] the nature of that threat, to identify the threat actors, and ultimately to enable recovery of some of the funds. So we've had some ability—when you said unmitigated, I would say some mitigation, not totally mitigated, but some mitigation because of the ability to work closely as partners again
[00:08:46] with companies that have been affected by a ransomware attack, and in a number of cases, to recover those funds. And then also to understand the nature of the threat so we can better protect other companies.
[00:08:57] Look, at the end of the day, I do think—and this is the right group to make this message—like ransomware attacks, we often see could have been prevented with some basic cybersecurity actions. China's technology theft issue, AI is an area that we've seen them start to target.
[00:09:12] There was a case where there was an indictment related to somebody at Google actually trying to steal some of their trade secrets related to their AI programs on behalf of China. How large of a problem is attempts to steal AI technology specifically?
[00:09:24] Yeah, so it's not necessarily a cyber threat in and of itself, but we at the Justice Department, we with the Commerce Department have an initiative called the Disruptive Technology Strike Force where we're bringing cases around the country to stop the flow of sensitive technologies outside the United States.
[00:09:40] Think about microprocessors from the United States that are ending up in Iranian-built Shahed drones that Russia then buys and uses in Ukraine. That's kind of the paradigm that we're trying to stop that from happening. It's illegal for that to happen.
[00:09:54] Now what you're raising is efforts of China to gain access to very sensitive artificial intelligence technology being developed by our leading companies, and we brought a couple of cases, one involving Google and one involving Apple, where we've indicted individuals for
[00:10:08] stealing the sensitive proprietary information relating to artificial intelligence or that type of technology. And so it's a concerted effort and a purposeful effort by the Justice Department to work with those companies to protect this technology that's being built in the United States that
[00:10:25] folks outside the United States, individuals outside the United States are seeking to gain access to that can enable other countries or adversaries to gain an advantage, whether it's on the battlefield or in the economic sphere. Matt, thank you for joining us on stage. Thank you, Dustin. Thanks, everybody.
[00:10:41] Thank you. That was Matthew Olsen, Assistant Attorney General at the U.S. Department of Justice, speaking with WSJ reporter Dustin Volz. And that's it for Tech News Briefing. Today's show was produced by Julie Chang. I'm your host, Zoe Thomas. Jessica Fenton and Michael LeBell wrote our theme music.
[00:11:00] Our supervising producer is Catherine Millsop. Our development producer is Aisha Al-Muzlim. Scott Salloway and Chris Zinsley are the deputy editors. And Alana Patterson is The Wall Street Journal's head of news audio. We'll be back this afternoon with TNB Tech Minute. Thanks for listening.

