tv The Communicators Sujit Raman Fmr. Associate Deputy Attorney General CSPAN July 19, 2021 8:00am-8:33am EDT
i served as associate deputy attorney general for my portfolio focusing on cyber issues about half my portfolio was active investigations, prosecutions, those of cyber criminals as well as nation state actors and the other half related to policy issues, data
protection, cyber issues, cryptocurrencies, encryption. essentially anything dealing with digital information or emerging technologies. >> host: how did you get into that? >> guest: it's a long story. i started as a prosecutor in the district of maryland and as part of my work i started which on technology and privacy issues as part of my everyday prosecution job. as time went on i started gravitating more and more towards fourth amendment issues, electronic evidence issues, national security issues and i worked for rod rosenstein who was u.s. attorney in maryland for many years. when he became the deputy attorney general he asked me to join them at main justice at headquarters to work on the cyber portfolio. >> host: now that you've left doj what are you doing? >> guest: i am a partner at the law firm, an international law firm. i am based here in washington, d.c. office but have clients in matters of work on around the
globe. >> host: what kind of matters are you working on? >> guest: i have translated the expertise i developed in the government to the private sector. we have clients that deal with technology-related issues, internal investigations, corporate investigations involving the government, corruption issues, crypto currency issues, anti-money laundering, all of which have a technology nexus. half my job is focusing on those corporate internal investigations, defending companies against the government and the other half is helping companies deal with policy issues including many of the issues i suspect we will be talking about today. >> host: to get into this policy issues how widespread is cybersecurity threats and issues today? >> guest: very widespread. what we see in the newspapers is just the very top of the edge. you think about ransomware attacks, think about cybercrime, the cost of intellectual property theft, cyber crime has been an issue for many, many years. it's becoming more serious
particularly as nation-state actors get even more engaged on the issue. it's a very significant issue for companies, boards of directors, chief executive officers as well as for everyday americans. >> host: we invited sam sabin from politico to be our guest reporter. she covers cybersecurity issues for that publication. >> thank you, peter and thank you, sujit raman for being here and for entertaining my questions about some of the many cyber threats we're reckoning with in recent weeks. i would love to start maybe by answering what might seem an obvious question before anyone is new to cyber was just to hang the term ransomware or a my god my guess is that is why because of a cyber attack, what a weird thing. sujit, would you mind telling us about how is it that cyber criminals or nation-states are
able to hack things that are so big and consequential in our daily lives like the colonial pipeline which provides so many people so much gas on the eastern seaboard or even other ransomware attacks in the past few months. >> guest: it's a great question. ransomware is a very simple concept. it's basically when cyber criminals essentially infiltrate somebody's computer and hold the data on the computer hostage. the way they are able to get in is often very simple as well. probably the most common factor is a phishing e-mail. i think everyone who is watching the show is probably aware of the concept. it's basically a criminal sends you an e-mail that has malware attached to it. if you click on the link you essentially download the malware onto your machine and then the criminals are into your network. the way ransomware works is once you install that malware
unintentionally as a user on your system it encrypts the data and demands essentially an extortion payment to release the data. if you pay typically crypto currency a certain amount of money the criminals at least in theory will release your data back to you and you can go back to business. the reason why ransomware has become such a problem is it is becoming a huge threat not only a cyber criminal threat but also as you mentioned because of the implications for critical infrastructure like pipeline companies or the largest meatpacking, meat supplier in the country, these are very significant targets and they've increasingly become something that cyber criminals are targeting. ransomware as a concept is pretty simple. unfortunately defending against it has become increasingly complex. >> that's a great segue into my next question which is diving deeper into those complexities. if you are in the biden
administration or sitting in congress, what are some of those intricacies or complications you have to think through when you are thinking about how to respond to, an instance of colonial and jbs or how to respond to the cyber criminal organizations that are behind these? how do you start to think about. >> guest: it's a tough issue. one significant thing to think about is many of the organizations that engage in these ransomware attacks are organized cyber criminal enterprises. many of them are based in other parts of the world, often in russia or in other countries that essentially harbor cyber criminals. one of the biggest challenges we all face is even when we're able to attribute the behavior, in other words, even when they know who did it, it's often very difficult to get our hands on those people because they're essentially protected by their domestic governments. why do domestic governments do it?
number one it's an opportunity for those of the countries to essentially punch above their weight. if they can victimize american companies, if they can hold up american companies, hold them for ransom, extort them, millions of dollars, if they can disrupt their operations, if you are a second-tier or third tier geopolitical power, this is one way for you to punch above your weight and try to bring the united states a little bit down to size. that's one of the biggest challenges even when we're able to figure out who is behind these ransomware attacks they're often in parts of the world where it's very difficult for us to get our hands on them and arrest them or to stop them. >> host: sujit raman, when you look at nation-states such as russia or china or north korea, is this where a lot of this is originating? >> guest: the short answer is yes. much of the ransomware activity we're seeing is originating in other parts of the world. russia is at the very top of the list but some of the other countries you mentioned are equally culpable.
north korea is a regime that is essentially raised funds through these kind of ransomware attacks. if you are a rogue regime, under international sanctions and are legitimate ways for you to raise money, often you turn to criminality. north korea and this is publicly known, in fact, the justice department has brought a number of indictments charging north korean actors, chinese and russian actors and iranian actors, these are all ways for our geopolitical adversaries to try to as i mentioned punch above their weight and try to bring the united states down to size. >> host: the u.s. recently shut down some of iranian related news sites. is it possible that the u.s. has the same tools to infiltrate and disrupt worldwide? >> guest: the short answer is yes. one of the great strengths of america is that much of the world's digital infrastructure is something that we have helped build. the iranian news site you mentioned, the reason why that's
possible is that essentially american actors have access to the digital infrastructure. short answer is yes. there are publicly known campaigns that the u.s. government has undertaken to essentially deprive malign cyber actors of that digital infrastructure, whether it's pulling down botnets, whether it's targeting the servers and taking them off-line, whether it's damaging particular servers that are used to create problems here in the u.s. those are all publicly affirmed operations that various organs in the u.s. government have undertaken over the past months and years. >> host: sam sabin. >> and maybe on that note, there's been a lot of talk especially in congress about getting the u.s. cyber command involved, and maybe employing some of these effective cyber strategies you were just talking about in response to some of the
recent ransomware attacks on colonial and jbs that have been linked to cyber criminal groups that are based in russia or suspected to be based in russia around the area. i'm curious if you think there is a role for cyber command here or if any sort of effective strategy would be best to handle by other agencies that are involved in this? >> guest: what i say is that any response to the cyber threat, this global cyber threat, requires an all-tools approach and this is something the u.s. government has been quite consistent about for many years across administrations. it takes a combination of diplomatic efforts through the state department, law enforcement efforts, fbi and department of justice, through economic efforts, the treasury department levying sanctions and as well when appropriate the defense department acting through offensive cyber operations. all of those organs of national power have a role in this situation but certainly there is
a need and there has been a need for the last few years for the united states to be a little more aggressive externally outside of its networks essentially to keep the adversaries at bay. if you were always on defense you often expose yourself in a very unfortunate way. sometimes you have to defend forward to make sure you are keeping yourself safe at home. >> i guess maybe with that i'm thinking about all of this in the context of the recent meeting between president joe biden and russian president vladimir putin where a big topic of conversation was cyber and in particular the recent ransomware attacks. i guess biden mentioned a few things where he said he warned putin about the significant cyber capabilities the united states has and asked questions around the lines of how would you feel if your pipeline was taken down? it all seemed like thinly veiled
warnings to russia, and yet despite those threats or warnings following that meeting it feels like even the president included are kind of most people are kind of in this wait-and-see approach, to see if that meeting will change anything about russian policy or if anything will change with regard to cyber before launching some sort of offensive strike back. i guess i'm curious if that wait-and-see approach how meaningful that can be when it does feel like so many people in washington, including lawmakers can want to see aggressive action like yesterday. >> guest: that's a great question. i don't think mr. putin underestimates the u.s. capabilities in this area. the fact that the president pointed it out is obviously something that was not a secret to anyone.
as far as what the right policy is, we do have to wait and see to some extent. the russian government has profited from this kind of activity. as i mentioned we have not seen a direct link between russia and the particular incident the colonial pipeline incident, the russian government. but again the u.s. government has attributed that behavior to criminals operating within russia and russia is a very tightly operated space. it is an authoritarian country. nothing is happening in russia without the people at the very top knowing about it. the real question now is having called out the russian government publicly, and this has been going on for a number of years, in fact, the justice department when i served in the government levied a number of indictments charging russian intelligence officers, russian individuals for engaging in malign cyber activity that had all sorts of impacts across american life. we've called them out for quite some time. the real question is, is the behavior going to change? and if not it probably does make
sense to be a bit more aggressive in our approach and you always want to be measured. you want to be firm, tough, which also to understand that might be second and third order effect. it is important for us to call out the behavior. i don't think mr. putin again is harboring any illusions about what the u.s. government is capable of doing. the question now becomes sort of geopolitically what is that that that he makes? i think we will have to wait and see. >> host: sujit raman, given your time in the trump administration department of justice and president joe biden's improving the nation's cybersecurity executive order, is there a difference in policy? >> guest: so i would say it's more of a progression, peter. president biden as you mentioned issued a pretty ambitious cybersecurity executive order a couple weeks ago. it's a step in the right direction. it only applies to u.s. government, government agencies.
it raises standards which i think is very, very important. it also requires private sector entities that interact with the government, that contract with the government, that provide i.t. services to the government to raise their game and should notify the government if there are incidents of cyber breaches. i see it as a progression but it's a very important progression to make sure the federal government has the threat information it needs. so much of this country's infrastructure is in the hands of the private sector, and we don't really have obligation for private industry to notify the government when it's been victimized whether it's a ransomware attack or any other kind of cyber incident. to the extent president biden through executive order has increased that sort of sharing of information i think it's a step in the right direction. >> sujit i guess maybe you know you brought up kind of inclination happening now toward mandatory incident reporting which is where a company or it
depends on the legislation, maybe it's all the companies are all contractors, et cetera, would be required in a certain timeframe to report a cyber attack to the federal government. there are so many policies happening right now that i'm tracking, whether in congress or tsa or the biden executive order about this that are rolling out right now. with regard to reporting. i'm curious, each of them when i sit down and look at them has a different timeframe. the tsa just rolled out rules in the last few weeks following the colonial attack saying okay, if you're a pipeline operator, within 12 hours we need you to notify us of any cyber attack. congress has a draft bill circulating that they are working on a legislation that they're moving toward that would require contractors and digital security firms to report within
24 hours. i guess, what is the significance of reporting quickly and also what maybe limits could be if you are one of these affected entities that never has to report so quickly and you are not used to it? >> guest: it's a great question, sam, and really the devil is in the details. quick reporting has the benefit of essentially looping in the federal government and its experts as soon as possible. colonial pipeline is a good example of that. the fbi has publicly announced colonial pipeline essentially informed federal law enforcement the day that it had been attacked by a ransomware attack. that helped the fbi attribute that conduct and attribute that behavior almost immediately. from what i understand within three days the fbi was able to point to the dark side criminal network which is essentially perpetrated the attack. within a few weeks after that the fbi was in an extraordinary
operation, able to seize the vast amount of the crypto currency that colonial pipeline had paid as ransom. so that shows you the benefits of prompt reporting, particularly to federal law enforcement so you can track and exactly who did it and maybe potentially try to recover in payments. with that said, reporting too quickly or notification requirements that are too onerous on industry do threaten to essentially washed the government in data. what you want to avoid is a situation where there's just lied reporting being made, it's not really thought through, it's just a huge amount of paperwork and that creates more issues for the government rather than less. so finding that right timeframe is going to be important. i suspect that's what a lot of negotiations on the hill taken with industry is going to focus on. i do think it's important for notification requirements to be in place. the question is, what kind of notifications help companies
create collective defense because that's what this is all about, and what kind of notifications will help the government get to the answer rather than just creating a whole bunch of extra paperwork or bureaucracy. >> yeah, i was just thinking about that because it seems like every time this conversation has come up and is, often in recent years about whether to require or set mandatory guidelines or voluntary ones. each time it feels like the industry and private sector are nervous, right? in part because they are worried about who is going to see all this data, what data they have to send in, if they have the mechanisms to get it in in a certain timeframe that's required. i'm curious if you can elaborate on what are some of the things maybe the federal government can be doing whether even the messaging around this to ease those concerns or make the
private sector a little less nervous about having to get to the federal government? >> guest: one important thing is confidentiality. as you mention there is a reputational harm that comes with being hacked. companies are often in the business of protecting people's personal information. when you hear a big company has been hacked, as a consumer you are concerned about it. companies are concerned about it because they don't want to lose their reputational value in the marketplace. related to that is this idea of confidentiality, actual business secrets, trade secrets, intellectual property. there's a concern that when you bring the government and party to disclose information to the government that your competitors might somehow get their hands on it. there are many enterprising companies, lawyers who represent these companies who will try to get their hands on that confidential information. that's why often companies are very wary of reporting to the government because they feel
like they can contain the harm, perhaps pay off the ransom and get back to operating their business without exposing themselves to reputational harm or letting the government in with all the intrusiveness that comes with it. any solution in this context is going to have to address that concern. does it create immunity for the company if it provides that information to the government? meaning when a protected either from the government come after the company for whatever negligence or whatever mistakes it might have made so it was in a position to get hacked? or whether the protections against civil lawsuits from third parties that might try to sue because particular information was stolen or taken away? those are some of the nuances but very important issues for companies as they decide whether or not to support this broader legislative effort. there is a model for this. in 2015 there was a statute called cisa, cybersecurity information sharing act, which
essentially did create certain safe harbors for companies to share information with the government and it created a safe space, safe harbor for doing that. if you engage with the government and provide threat indicators or other kinds of information being attacked it would create a safe space for you. that's a model that exist in the law and it's one i think congress should consider seriously as it thinks about broader notification requirements. >> host: sujit raman, before we run out of time we got about five minutes left i want to talk about cryptocurrencies. how regulated are they? in your view should they be legal, and how are they used today? >> guest: it's a great question. i should be very clear. cryptocurrencies are legal certainly in the u.s. it's an open question in other parts of the world. for folks who follow the news china has become much more aggressive in its regulation of crypto currency, and as a matter
of national policy has cracked down on a lot of crypto currency exchanges, individuals, et cetera. here in the u.s. cryptocurrencies are basically legal. of course you can't use cryptocurrencies for illicit purposes because that's when you get a call from the fbi or the justice department but there's a lot of thinking going on in the space. we have a number of regulatory agencies that are tangentially involved. there's the securities and exchange commission, the commodity futures trading commission, fincen has a role in all of this. the justice department when there are violations of criminal law. so it's a very interesting time. in the last year or so there's been an incredible rise of interest in cryptocurrencies. so investors, individual investors but also institutional investors are increasingly getting into this space. it's a very active space right now. it will be interesting to see what the new administration does about crypto currency in general. >> host: how are the regulated today, if at all?
>> guest: so there is very light regulation. particular offerings might qualify as security in which case you would be regulated by the sec and subject to the appropriate regulations. the cftc which is another agency i mentioned does take the position that certain products involving cryptocurrencies qualify as derivatives and thus are regulated as derivatives. i got to be honest there's a lot of open questions in this area, and industry is very fast-moving. you've got entrepreneurs who are thinking about financial technology, thinking about democratizing financial technology. that's a very powerful movement in this country and around the world. the real challenge for regulators is keeping up with that innovation because the things that the sec might be looking at today are innovations that happened six months ago or a year ago, staying in front of that is what i think is very
much the challenge for our government now. >> host: sam sabin, time for two more questions. >> awesome. i'm going to keep the ball rolling with crypto currency. the reason we're asking is so many companies end up paying a ransom in bitcoin or another crypto currency. we briefly mention that the fbi was able to seize maybe half of the $4.4 million colonial paid to cyber criminals in ransom. my understanding is that doesn't normally happen so i'm curious with her back when if you walk us through what were some of the circumstances that led to this? >> guest: first of all it was a great work by the fbi. the fbi has been prioritizing crypto currency enforcement issues over the last several months. this isn't something that just happened one fine morning. this is something the fbi has
put resources into, has trained agents, has developed partnerships with the private sector to trace payments across the blockchain. the fact the fbi was able to recover substantial proceeds from the colonial pipeline ransomware is a real credit to the work of the agents at the fbi. i will also say there were some breaks that went their way. number one, the criminals demanded payment in bitcoin and as folks might know bitcoin is actually traceable on a publicly distributed ledger. unlike certain other cryptocurrencies which are harder to trace, bitcoin is something that law enforcement with appropriate tools and again if the breaks go that way, can trace. the fact the fbi was able to recover those payments is a combination of great detective work, very hard-working agents, and a little bit of luck. i will say i saw an article just in the financial times earlier today that increasingly the criminals are demanding payment in other forms of crypto currency which are more
difficult to trace because they are not found on a public blockchain in the way that bitcoin is. stay tuned, i think that's where a lot of the energy of these cyber criminals is going to move and governments are going to have to deal with that new trend as well. >> yeah, and last question for you. there's naturally been a resurgence in the debate of whether to ban payments of ransom, saying if the company can't pay ransom then maybe the cyber criminals will go about their business and go somewhere else. do you think we've reached a tipping point where maybe use some sort of action in the federal government or perhaps in congress even to start inching towards regulating in the space? maybe not calling for an outright ban because it's tough to do, but maybe moving towards finding some sort of way to be transparent for making these payments or anything along those lines beyond just having the
conversation? >> guest: one thing i will say, sam, is this is the first time i've heard any serious discussion about banning ransom payments. that itself is a significant moment. it's a significant trend. i tend to agree. it's difficult to criminalize the payments outright because sometimes the people making the payments are hospital systems or institutions where there might be literally life and death at stake. if you don't pay the ransom, the criminal threatens to turn off all the ventilators in a ward. no responsible corporate executive is going to make a decision not to pay in that situation. what might be interesting though is the question of whether or not the company was in a position to be ransomed or extorted in the first place. the new national cyber director, confirmed just a few days ago, had mentioned in his confirmation hearing that he personally is unlikely to hold or to support legislation that would criminalize ransomware payments but there might be
obligations on companies that find themselves in the situation in the first place. maybe that's one way to think about it. it might be hard to ban these payments outright because against the human element, but there might be things to think about about holding folks responsible if they are not responsible about the cybersecurity in the first place. >> host: sujit raman is a partner with sidley austin, former associate deputy attorney general in the trump administration. sam sabin is with "politico" where she covers cybersecurity. thank you both for being on "the communicators." >> thank you.