The Department of Justice is establishing a new unit within the Computer Crime and Intellectual Property Section of the Criminal Division designed to actually help entities prevent cybercrime, instead of just prosecuting it after it happens, according to a speech at Georgetown University at the Cybercrime 2020 Symposium by Assistant Attorney General (AAG) Leslie R. Caldwell.
The problem here is the dual role that the government has in connection with cyber crime, cyber security, and cyber privacy. That dual role is reflected in just about everything the government does, and why there is a good deal of hesitancy when it comes to locating cybersecurity responses within certain agencies or department of the government.
The New Unit
In her remarks, AAG Caldwell noted that, “I want to make sure that cyber security is receiving the dedicated attention it requires. It is important that we address cyber threats on multiple fronts, with both a robust enforcement strategy as well as a broad prevention strategy. I am, therefore, announcing today the creation of the Cybersecurity Unit within CCIPS. The Cybersecurity Unit will have responsibility on behalf of the Criminal Division for a variety of efforts we are undertaking to enhance public and private cyber security efforts.”
In announcing the role of the new Cybersecurity Unit, AAG Caldwell explained:
Prosecutors from the Cybersecurity Unit will provide a central hub for expert advice and legal guidance regarding the criminal electronic surveillance statutes for both U.S. and international law enforcement conducting complex cyber investigations to ensure that the powerful law enforcement tools are effectively used to bring the perpetrators to justice while also protecting the privacy of every day Americans. The Cybersecurity Unit will work hand-in-hand with law enforcement and will also work with private sector partners and Congress. This new unit will strive to ensure that the advancing cyber security legislation is shaped to most effectively protect our nation’s computer networks and individual victims from cyber attacks.
DOJ also noted that “
rosecutors from the Cybersecurity Unit will be engaging in extensive outreach to facilitate cooperative relationships with our private sector partners” and that they “will be engaging with the public at-large about cyber security issues.”
So, in essence, the Cybersecurity Unit will (1) give legal advice about computer crime and electronic surveillance issues; (2) draft and comment on legislation related to cybersecurity; and (3) engage in outreach with the private sector and the public at large.
Um, this is what CCIPS has been doing since 1996. And what DOJ has been doing in the cyber arena for even longer than that. I know. I was there.
DOJ has a role in both law enforcement (prosecution) and crime prevention. In fact, anything it can do to prevent crime is a good thing. So sharing best practices, giving binding legal advice to agencies or department, providing formal and binding policies on behalf of the federal government – all good things.
For example, CCIPS issued a White Paper in May of this year setting out its legal analysis of whether the Electronic Communications Privacy Act (ECPA) prohibited ISP’s from sharing non-content data about subscribers in order to help share information to prevent attacks. Not surprisingly, the white paper concluded that the DOJ analysis was that the law did not impose such a barrier.
Problem is, the white paper didn’t do the one thing that only DOJ CAN do. Any lawyer could have written a legal analysis of the statute, its wording, history or purpose. Only DOJ could go the extra step and say, “on behalf of the U.S. Government, we will neither investigate nor prosecute anyone under ECPA for sharing information under these guidelines….”
But CCIPS just issued a white paper.
The same is true for other actual or theoretical barriers to information sharing that this new Cybersecurity Unit is supposed to remove. DOJ announced a “policy statement” that it was “highly unlikely” that sharing cybersecurity information such as incident reports, malicious code, or alerts would violate federal antitrust law, and the DOJ issued a “guidance” indicating that “antitrust concerns should not get in the way of sharing cybersecurity information.”
Great. Unless of course, they change their mind. Again, guidance is not a binding legal document precluding both an investigation and a prosecution. It’s not even a promise not to prosecute. It’s a “we probably won’t” prosecute you. And that’s just us. Doesn’t apply to State Attorney’s General or to private antitrust actions. Also, we might conclude that it does violate antitrust laws in the future.
The new Cybersecurity Unit also promises to work on cybersecurity legislation. Whoa. So who has been working on this for the Executive Branch for 30 years? And what does this mean about the role of the Office of the Deputy Attorney General for Congressional Relations?
The new unit will also engage in public outreach on behalf of DOJ. You mean like Infraguard is supposed to already do? (*FBI is part of DOJ, but they don’t like to admit it.)
The roles of crime prevention and prosecution are related but fundamentally different. Imagine having a cop come to your house to inspect your doors, windows, locks and alarms, and give you advice on how to prevent burglaries and thefts. Great idea. Officer Friendly. That’s the crime prevention beat. Magruff the crime dog.
But now imagine that the same cop has another charter – to investigate whether YOU committed a crime. Now his intrusion into your home is not quite as innocuous.
And now imagine that the same cop’s real charter is national security. To make sure that, in the event of a crisis or emergency, the government had the power to break into any house, peer into any window, etc. The officer is not quite as friendly.
NSA has the most sophisticated knowledge of data security in the world. But I am not sure I would invite them in to “protect” my data.
The missions of crime prevention and prosecution are dissimilar enough that they need to be separated. I’m not sure that this is what the DOJ was trying to do here. But I’m also not sure that the Department of JUSTICE is the right agency to give cybersecurity advice. Not saying it is. Not saying it ‘aint. Saying I don’t know. Stay tuned.