tv The Communicators Sujit Raman Fmr. Associate Deputy Attorney General CSPAN July 16, 2021 10:30pm-11:01pm EDT
peter: sujit raman is a former assistant deputy attorney general in the trump administration and is our guest this week on "the communicators." what was in your portfolio at the justice
department? sujit: thanks for having me. i served as assistant deputy and associate deputy attorney general and my portfolio focused on cyber issues, prosecutions and investigation of cyber criminals and nation state actors. the other half related to policy issues on the cyber front, data protection, cyber issues, cryptocurrency, encryption, anything dealing with digital information or emerging technologies. peter: how did you get into that? sujit: i started my career as a prosecutor in the district of maryland. i increasingly started working on technology and privacy issues as part of my prosecution job. as time went on, i started gravitating more toward fourth amendment issues, electronic evidence issues, national security issues, and i worked for rod rosenstein, u.s. attorney in
maryland for many years. he became deputy attorney general, he asked me to join him at main justice headquarters to work on the cyber portfolio. peter: now that you have left doj, what are you doing? sujit: i am a partner at a law firm, an international law firm. i am based in the washington dc office but have clients and matters i work on around the globe. peter: what kind of matters are you working on? sujit: i have translated expertise i developed in the government to the private sector. we have clients that deal with technology issues, internal investigations, corporate investigations involving the government, corruption issues, cryptocurrency issues, money laundering, all of which have a technology nexus. half my job is focusing on corporate internal investigations, defending companies against the government. the other half is helping companies deal with policy issues, including many i suspect we will be talking about. peter: to get into those policy
issues, how widespread are cybersecurity threats and issues today? sujit: peter, they are very widespread. what we see in the newspapers is just the top of the edge. think about ransomware attacks, cybercrime, the cost of intellectual property theft, cybercrime has been an issue for many years. it is becoming more serious, particularly as nation-state actors become more engaged on the issue. it is very significant for companies, boards of directors, chief executive officers as well as everyday americans. peter: we invited sam sabin from politico to be our guest reporter. she covers cybersecurity issues for that publication. sam: thank you for being here, sujit, for entertaining my questions.
i would like to start by asking what might seem like an obvious question, but anybody new to cyber who is just hearing the term ransomware, or gas is not in supply because of a cyberattack, would you mind telling us about how is it that cyber criminals or nation-states are able to hack things that are so big and consequential in our daily lives, like colonial pipeline which provides so much gas on the eastern seaboard, or meat supplier jbs, which also fell victim to a ransomware attack in the past few months. sujit: great question. it is a simple concept. it is when cyber criminals infiltrate somebody's computer and hold the data on the computer hostage. the way they get in is often very simple. probably the most common factor is a phishing
email. i think everyone watching is aware of the concept. it is when a criminal sends you email that has malware attached. if you click the link, you essentially download the malware onto your machine and the criminals are suddenly into your network. the way ransomware works is that once you install that ransomware unintentionally on your system, it encrypts the data. and they demand an extortion payment to release the data. if you pay, typically in cryptocurrency, a certain amount, the criminals at least in theory will release your data back to you and you can go about your business. the reason ransomware has become such a problem is that it has become a huge threat, not only a cyber criminal threat, but also because of the implications for critical infrastructure like pipeline companies or the largest meat supplier in the
country, these are very significant targets. and they have increasingly become something cyber criminals are targeting. so ransomware as a concept is pretty simple. unfortunately, defending against it has become increasingly complex. sam: that is a segue into my next question, diving deeper into those complexities. if you are in the biden administration or congress, what are some intricacies or complications you have to think through when you are thinking about how to respond to, in the instance of colonial and jbs, how to respond to criminal organizations that are behind these? sujit: it is a tough issue. one significant thing is, many organizations that engage in these ransomware attacks are organized cyber criminal enterprises. many are based in other parts of the world, often in russia or
countries that essentially harbor cyber criminals. one of the biggest challenges we all face is that even when we are able to attribute the behavior, in other words, when we know who did it, it is often very difficult to get our hands on those people because they are essentially protected by the domestic governments. why do the domestic governments do it? number one, it is an opportunity for those countries to punch above their weight. if they can victimize american companies, hold them for ransom, extort them, millions of dollars, disrupt their operations, if you are a second-tier geopolitical power, this is one way for you to punch above your weight and try to bring the u.s. down to size. that is one of the biggest challenges. even when we are able to figure out who is behind these attacks, they are often in parts of the world where it is difficult to arrest them or stop them.
peter: sujit raman, when you look at nation-states like russia, china, north korea, is this where a lot of this is originating? sujit: the short answer, peter, is yes. russia is at the top of the list. but other countries you mentioned are culpable. north korea is a country that has raised funds through these kinds of attacks. if you are a rogue regime, if you are under international sanctions and there aren't legitimate ways for you to raise money, often you turn to criminality. north korea, this is publicly known, the justice department has brought indictments charging north korean, chinese actors, russian actors, iranian actors, these are ways for our geopolitical adversaries to try and punch above their weight and bring the united states down to size. peter: the u.s. recently shut down some iranian-related news
sites. is it possible the u.s. uses the same tools to infiltrate and disrupt worldwide? sujit: yes. one of the great strengths of america is that much of the world's digital infrastructure is something we have helped build. the iranian news sites you mentioned, the reason that is even possible is that essentially, americans had access to the digital infrastructure. there are publicly-known campaigns the u.s. government has undertaken to essentially deprive malign cyber actors of the digital infrastructure, whether it is pulling down botnets, whether targeting servers, damaging servers that are used to create problems here in the u.s., those are all publicly affirmed operations that various
organs of the u.s. government have undertaken. peter: sam sabin? sam: there has been a lot of talk, especially in congress, about getting the u.s. cyber command involved, and maybe employing some of these things you were just talking about in response to the recent ransomware attacks linked to cyber criminal groups that are based in russia, or effectively based in russia or around that area. i am curious if you think there is a role for cyber command here, or if any sort of defensive strategy would be best handled by other agencies? sujit: any response to this global cyber threat requires an all-tools approach. this is something the government's been consistent about for many years across many
administrations. it takes a combination of diplomatic efforts, law enforcement efforts through fbi and department of justice, economic efforts, the treasury department levying sanctions, and when appropriate, the defense department acting through offensive cyber operations. all those organs of national power have a role in this situation. but there is a need, and i think there has been a need over the last few years for the united states to be more aggressive externally, outside its networks, to keep adversaries at bay. if you are always on defense, you expose yourself in an unfortunate way. sometimes, you have to defend forward to make sure you keep yourself safe at home. sam: i am thinking about this in the context of the recent meeting between president biden and russian president vladimir putin. a big topic of conversation was
cyber and the recent ransomware attacks. biden mentioned a few things, said he warned putin about significant cyber capabilities the united states has, and asked how would you feel if your pipeline was taken down, and it seemed like thinly-veiled warnings to russia. and despite those, most people are in this wait-and-see approach that this meeting will change anything about russian policy, or if anything will change with regards to cyber before launching some sort of offensive strike back. that wait and see approach, i am curious how meaningful that can
be when so many in washington want aggressive action yesterday. sujit: great question. i don't think putin underestimates u.s. capabilities in this area. so the fact the president pointed it out is something that was not a secret to anyone. as far as the right policy, we have to wait and see to some extent. the russian government has profited from this kind of activity. we have not seen a direct link between russia and a particular incident, colonial pipeline and the russian government, but the u.s. government attributed that behavior to criminals operating within russia. russia is a very tightly-operant base. it is an authoritarian country. nothing is happening in russia without people at the top knowing about it. so the real question now is, having called out the russian government publicly, and this
has been going on for years, in fact in the justice department when i served in the government 11 indictments charging russian intelligence officers, russian individuals, for engaging in malign cyber activity that had all sorts of impact across american life. we have been calling them out for some time. so the question is, is the behavior going to change? and if not, it probably makes sense to be more aggressive in our approach but you always want to be measured. you want to be firm, you want to be tough, but you have to understand there might be second and third-order effects. it is important for us to call out the behavior. i don't think mr. putin is harboring any illusions about what the u.s. government is capable of doing. the question becomes, geopolitically, what is the bet he makes? we will have to wait and see. peter: sujit raman, given your time in the trump administration department of justice and president joe biden's improving the nation's
cybersecurity executive order, is there a difference in policy? sujit: it is a progression. president biden issued a pretty ambitious cybersecurity executive order a couple weeks ago. it is a step in the right direction. it only applies to u.s. government, government agencies. it raises standards, which is important. it also requires private sector entities that interact with the government, that contract with the government, that provide i.t. services to the government, to raise their game and notify the government if there are cyber breaches. it is a progression, but a very important progression to make sure the federal government has the threat information it needs. so much of this country's infrastructure is in the hands of the private sector, and we don't have obligations for private industry to notify the government when it has been victimized, whether a ransomware
attack or other cyber incident. so to the extent president biden, through executive order, has increased that sharing of information, it is a step in the right direction. sam: you brought up the inclination towards mandatory incident reporting, where a company, contractors, etc., depending on the legislation, would be required in a certain timeframe to report a cyber attack to the government. there are so many policies happening right now that i am tracking, whether in congress or tsa or the biden executive order that are rolling out right now with regards to reporting, i am curious, each of them when i look at them has a different timeframe.
tsa rolled out rules in the last few weeks following the colonial attack saying that if you are a pipeline operator, within 12 hours, we need you to notify us about any cyberattack. congress has a draft bill circulating that would require contractors and digital security firms to report within 24 hours. what is the significance? and [indiscernible] if you are one of these affected entities that have to report so quickly and you are not used to it? sujit: the devil is in the details. quick reporting has the benefit of looping in the federal government and its experts as soon as possible. colonial pipeline is a good example of that. the fbi announced colonial pipeline informed federal law enforcement the day it had been
attacked by a ransomware attack. that helped the fbi attribute that behavior almost immediately, from what i understand, within three days, the fbi was able to point to the darkside criminal network, which perpetrated the attack. a few weeks after that, the fbi was in an extraordinary operation, able to seize the vast amount of cryptocurrency that colonial pipeline had paid as ransom. that shows you the benefits of prompt reporting, particularly to federal law enforcement, so you can track down who did it and maybe recover any payments. that said, reporting too quickly or notification requirements that are onerous on industry threaten to wash the government in data. you want to avoid a situation where there is blind reporting, it is not thought through, just
a huge amount of paperwork. that creates more issues for the government rather than less. so finding that right timeframe is important. i suspect that is what negotiations on the hill, particularly with industry, are going to focus on. it is important for notification requirements to be in place. the question is, what kinds of notifications help companies create collective defense, and what kind of notifications will help the government get the answer, rather than create extra paperwork? sam: yeah, i was just thinking about that because it seems like every time this conversation has come up about whether to require mandatory guidelines or voluntary ones, each time it feels like the industry and private sector are nervous, in part because they are worried about who is going to see the
data, what data they have to send in, if they have the mechanism to get it in, in a certain timeframe that is required. i am curious if you can elaborate on what things the government can be doing, even in messaging around this, to ease those concerns and make the private sector less nervous? sujit: one important thing is confidentiality. there is reputational harm that comes with being hacked. companies are often in the business of protecting personal information, so when you hear a big company is hacked, as a consumer, you are concerned. so companies are concerned. they don't want to lose the reputational value in the marketplace. but related to that is confidentiality, business
secrets, trade secrets, intellectual property. there is concern that when you bring government in or disclose information to the government, that your competitors get their hands on it. there are enterprising companies that will actually try to get their hands on that confidential information. that is why often, companies are wary of reporting to the government. because they feel they can contain the harm, pay the ransom and get back to business without exposing themselves to reputational harm or letting the government in and the intrusiveness that comes with that. any solution is going to have to address that concern. does it create immunity for the company if it provides information to the government? will it protect it from the government coming after the company for whatever mistakes it might have made so that it was in a position to get hacked? or will there be protections
against civil lawsuits from third parties who might sue because information was stolen? those are nuances, but important issues for companies as they decide whether to support this broader legislative effort. there is a model for this. in 2015, there was a statute called the cybersecurity information sharing act, which did create safe harbors for a company to share information with the government. it created a safe space, a safe harbor for doing that. if you engage with the government and provide threat indicators, that would create a safe space for you. that model exists and is one congress should consider seriously as it thinks about broader notification requirements. peter: sujit raman, i want to
ask about cryptocurrencies. how regulated are they, should they be legal and how are they used? sujit: cryptocurrencies are legal in the u.s. it is an open question in other parts of the world. china has become much more aggressive in regulation of cryptocurrency. and as a matter of national policy, has cracked down on cryptocurrency exchanges, individuals, etc. in the u.s., cryptocurrencies are legal. you can't use cryptocurrencies for illicit purposes, but there is a lot of thinking in this space right now. we have regulatory agencies that are at least involved, whether securities and exchange commission, commodities futures trading commission, fincen, the justice department if there are
violations of law, so it is a very interesting time. there has been incredible rise of interest in cryptocurrency, individual investors but also institutional investors are increasingly getting into the space. so it is very active right now. it will be interesting to see what the administration does about cryptocurrency. peter: how will they regulate it today, if at all? sujit: there is very light regulation. some offerings might qualify as security, in which case you would be regulated by the sec. the ftc takes the position that certain products involving cryptocurrency qualify as derivatives and are regulated as derivatives. but there is a lot of questions in this area and the industry is very fast-moving.
you have entrepreneurs thinking about financial technology, thinking about democratizing financial technology, a very powerful movement. the real challenge for regulators is keeping up with innovation. because things the sec might be looking at today are innovations that happened six months ago. staying in front of that is the challenge for our government. peter: sam sabin? sam: i'm going to keep the ball rolling with cryptocurrency. companies end up paying a ransom in bitcoin and another cryptocurrency. the fbi was able to seize test e half of the $4.4 billion colonial paid as ransom.
that doesn't usually happen. what were the circumstances that led to this? sujit: first of all, great work by the fbi. the fbi has been prioritizing cryptocurrency enforcement over the past several months. this isn't something that just happened one morning. this is something the fbi has put resources into, has trained agents, developed partnerships with the private sector to trace payments across the blockchain, so the fact the fbi was able to recover substantial proceeds from the colonial pipeline ransomware is a credit to agents at the fbi. i will also say there were some breaks that went their way. the criminals demanded payment in bitcoin. bitcoin is traceable on a publicly distributed ledger, unlike certain other cryptocurrencies, which are harder to trace. bitcoin is something that law enforcement, with appropriate
tools and if breaks go their way, can trace. the fact the fbi was able to recover those payments is a combination of great detective work and a little bit of luck. i saw an article in "the financial times" today that increasingly, criminals are demanding payment in other forms of cryptocurrency which are more difficult to trace because they are not found on a public blockchain in the way bitcoin is. they don't. that is where a lot of the energy of cyber criminals is going to move. and governments are going to have to deal with that new trend. sam: last question for you, there has naturally been a resurgence in the debate of whether to ban payments of ransom. saying that if a company can't pay ransom, maybe the cyber criminals will go somewhere else. have we reached a tipping point
where you will see action to start inching towards regulating this space? maybe not calling for an outright ban, but maybe moving toward being transparent, and anything beyond just having the conversations? sujit: this is the first time i have heard any serious discussion about banning ransom payments. so that is a significant moment. it is difficult to criminalize the payments because sometimes, people making the payments are hospital systems or institutions where there might be life and death at stake. if you don't pay the ransom, the criminal threatens to turn off the ventilators in a ward. no responsible corporate
executive is going to make a decision not to pay in that situation. what might be interesting is the question of whether the company was in a position to be extorted in the first place. the new national cyber director confirmed a few days ago that he isn't likely to hold or support legislation that would criminalize ransomware payments. but there might be obligations on companies that find themselves in that situation in the first place. it might be hard to ban these payments outright because of the human element, but there might be things to think about about holding folks responsible if they are not responsible for their cybersecurity in the first place. peter: sujit raman is a partner with sidley austin, former associate deputy attorney general in the trump administration. sam sabin is with "politico," where she covers cybersecurity. thank you, both, for being on
"the communicators." ♪ [captions copyright national cable satellite corp. 2021] [captions performed by national captioning institute]