US to focus on stifling online attacks rather than snagging criminal convictions
Russia unlikely to give up its crooks, but American CSOs can go to the clink
RSA Conference: US prosecutors are going to focus more on disrupting online attacks, even if it means losing out on a criminal conviction, according to Deputy Attorney General Lisa Monaco.
Speaking at a Monday keynote at the RSA Conference, Monaco said the instruction given to prosecutors and investigators is to disrupt any active attack first to minimize further harm, and worry about trying to get a criminal prosecution later.
"You've got to have a bias towards action to disrupt and minimize the harm that's ongoing and take that action to prevent the next victim," she said. "This won't always lead to a prosecution, and it's tough for a prosecutor to say, 'That's fine,' but we're not measuring our success on courtroom action or victories. This is about preventing and disrupting and putting the victims at the center."
She cited the May 2021 Colonial Pipeline ransomware attack as a case in point. Criminals took down one of the main movers of petroleum in the US and its pipelines were shut down for days, leading to panic buying and reported fistfights on forecourts.
The company apparently paid a $5 million ransom to get its systems back online, but because it was working with the government the harm was minimized and they were able to get most of the money back within a month or so. This was only possible because the company went straight to law enforcement, asked for help, and didn't hold back, Monaco said.
Investigators used an old-fashioned forfeiture warrant to "follow that money through the blockchain," grab it back, and give it to the company. But they could only do that, she explained, because Colonial worked with the Feds from the start.
By contrast, she pointed out, Uber's erstwhile chief security officer, Joe Sullivan, covered up the 2016 security snafu that saw 57 million customer and driver records stolen, and then paid off the criminals, calling it a bug bounty. He then lied about the incident to federal investigators, was found guilty of obstruction of justice and concealing a felony from law enforcement, and will be sentenced next week.
"Joe Sullivan went to trial, as was his right, and was convicted," she said. "Those were intentional acts, and as was proved at trial, as the jury found, that's very, very different from and not a mistake made by a CISO in the heat of a very stressful time."
Monaco has some serious chops in the security community. She moved from the NSA to serve as National Security Advisor to President Obama from 2013 to 2017, and now advises President Biden on the digital state of play. She noted that nation states have augmented the hacking squads she'd encountered 10 years ago with criminal gangs.
These made money for regimes, she explained, but there's also been a shift from pecuniary purposes to going after core data repositories. In February the DoJ, in cooperation with the DHS and Commerce Department, launched the "Disruptive technology strike force," with 14 specialized units around the country (one in SF of course) to prepare for the next attack. And it's going to come.