The Department of Justice is requesting its prosecutors and investigators to focus less on prosecutions and more on disruption and protection when it comes to cyberattacks, according to US Deputy Attorney General Lisa Monaco, who spoke to attendees at the RSA Conference.
Monaco agreed that there should be a "bias towards action to disrupt and prevent, to minimize harm if it's ongoing [...] and to take that action to prevent the next victim."
That will not always result in a prosecution, Monaco said, adding that it's difficult for a prosecutor to say.
"We're not measuring our success only with courtroom actions and courtroom victories." This transition is necessary because nation-states are increasingly collaborating with criminal organizations to facilitate global cyberattacks.
"We took a hard look in the Justice Department and said, 'how can we maximize our tools and what we can bring to this fight from a Justice Department perspective?'" she said. "We needed to pivot to disruption and prevention. We needed to put victims at the center of our approach."
"We took a hard look at the Justice Department and said, 'How can we maximize our tools and what we can bring to this fight from a Justice Department perspective?'" she explained. "We needed to shift our focus to disruption and prevention.We needed to prioritize victims in our approach."
Monaco cited the Department of Justice's response to the Colonial Pipeline attack as an example. In that case, oil pipeline operators paid ransomware operators in the hopes of unlocking their affected systems. According to Monaco, the DOJ used existing tools—a forfeiture warrant—to locate Colonial's contribution in the blockchain and return that money to the company.
The Hive organization was notorious for attacking over 1,500 individuals and demanding $100 million in ransom. Monaco said that shutting down the Hive group saved another $130 million in ransom payments.
Throughout the discussion, Monaco emphasized the DOJ's desire to collaborate with the industry in a non-adversarial manner. Chris Krebs, the former head of the Cybersecurity and Infrastructure Security Agency (CISA), then asked her if the prosecution of former Uber CSO Joe Sullivan had violated that trust. In that case, Sullivan concealed payments made to attackers who got data from Uber's internal systems through a bug bounty payout scheme. The move was not made public until a year later after Uber's leadership changed. Sullivan was found guilty of obstructing justice in 2022.
Although other companies had made ransom payments in the past, including during the Colonial Pipeline attack, Monaco said Sullivan's case was unique because his actions were "intentional acts as was proved at trial and as the jury found," he said. "Very, very different from and not a mistake made by a CISO or compliance officer in the heat of a very stressful time."
Sullivan's sentencing is set for May 4, according to Krebs and Monaco.
