The Hoover Institution hosted National Security Cyber Threats with Matthew G. Olsen and Jack Goldsmith on Tuesday, June 20th, 2023 at 11:30am-12:30pm ET.
>> Jack Goldsmith: Welcome, everyone. Thanks for coming. Nation states and their proxies increasingly use cyber means to threaten our institutions, including stealing technology and trade secrets and personal secrets, engaging in covert influence campaigns and disrupting critical infrastructure. The Department of Justice's National Security Division is charged with countering this threat, among its other tasks.
Today, the Hoover Institution's National Security and Technology Group is pleased to host Matthew Olsen, who is the assistant attorney general in charge of the National Security Division. Matt was there at the beginning in the National Security Division when it was founded in 2006. He's been in the Department of Justice, he served for 18 years.
He was the head of the counterterrorism center. He was the general counsel of the NSA, and now he's running NSD. So, Matt, we're really pleased and honored that you're here to speak on this topic, and we look forward to it. Thank you.
>> Matthew Olsen: Thank you so much, Jack.
I appreciate that introduction, and I have been doing this for a while. You reminded me that I'm old, but I wanna thank you and thank Hoover for hosting this discussion about the national security cyber threats we face and how we're responding to those threats. I've been in the Justice Department for a long time in various stints, but I've been in this job as the assistant attorney general for national security for about a year and a half.
And I have to say just about every day I sit with the attorney general and the FBI director, and we get the morning threat briefing, including the presidential daily brief. And it's a daily case that every day, pretty much, and certainly every week, the intelligence reporting that we're getting is detailing the really astonishing pace, the scale, and the sophistication of the cyber threats that we're facing from nation states here in the United States.
Just to touch on that threat landscape for a moment. What we're seeing is that our adversaries, hostile nation states are accelerating. Over time, they've accelerated their use of cyber enabled means to carry out a range of threatening activity. And that range of activity includes stealing sensitive technologies, trade secrets, intellectual property, personally identifiable information for Americans, exerting malign influence and exporting repression into the United States.
And then third, holding our critical infrastructure at risk to both disruptive and destructive types of attacks. But you actually don't need to have access to the classified intelligence to understand what we're up against. We can read that in a newspaper, and it's from the standard list of countries that we're concerned about, China, Russia, Iran, North Korea.
And let me just take a few examples or snippets from the public intelligence community's annual threat assessment. Every year, they do this annual threat assessment publicly, and this year, again, just to take a few snippets. China has compromised our telecommunications firms. China conducts cyber intrusion, targeting journalists and dissidents in order to suppress the free flow of information.
And the PRC is capable of launching cyber attacks that could disrupt US critical infrastructure. Russia. Russia is bolstering its ability to compromise critical infrastructure, such as industrial control systems. And that's really, in part, to demonstrate its ability to inflict damage during a crisis. Iran continues to be an aggressive cyber actor, taking advantage of the inherently asymmetric nature of cyberattacks.
And then North Korea has turned to illicit cyber activities to steal the funds and technical knowledge that it needs to support its military aspirations and its WMD programs. So our adversaries beyond that also imperiled the United States by acting as safe havens for cybercriminals who carry out ransomware attacks and digital extortion for personal profit.
And so that's just what the intelligence community has said publicly about what we're up against. And, of course, it's not a pretty picture. So the good news is, and there is good news here. The good news is that our response to nation state cyber threats has gotten dramatically more effective in recent years, and we're putting some hard earned lessons into practice.
One lesson, as you all know, that we've learned from the counterterrorism fight after 9/11 is the importance of ensuring that agencies like the FBI, DHS, the intelligence community, the Department of Defense, are working as one team, sharing information and deploying our authorities in a coordinated fashion. We're also coordinating government actions with foreign governments and the private sector as well, to empower technical operations and also to take advantage of our sanctions authorities and other types of remedies and to join in diplomatic efforts along with other like-minded countries.
Another lesson that we're applying is that effectively combating nation state cyber threats requires that we shore up our private sector cybersecurity. The vast majority of the critical infrastructure in this country, over 90%, is in the hands of the private sector, not the public sector, really distinguishing cybersecurity from counterterrorism, for example.
And the private sector has shored up its abilities over the past, its cyber capabilities over the past several years, making us collectively less vulnerable. Again, as many of you know, just this past March, the White House released the national cybersecurity strategy in order to drive a, quote, more intentional, more coordinated, and more well resourced approach to cyber defense.
So, at the Department of Justice, we are putting that vision into practice. And I emphasize the word practice. Federal law enforcement and the Department of Justice, we wield some of the most powerful tools in the federal government's arsenal. And in recent years we've achieved some significant successes in deploying those tools.
And now we need to build on those successes. So let me talk a little bit about the playbook as I see it for the Department of Justice. So first as you would expect, we're prosecutors. So we enforce the US criminal law, investigating and prosecuting individuals for illegal cyber activity.
Imposes costs on them and it imposes or hopefully creates deterrence more broadly. And let me just give you a few examples of that type of work. The prosecution, the bread and butter of our work in the National Security Division over the past year, we recently charged three Iranians with conducting a ransomware campaign that targeted hospitals, local governments and organizations all over the world.
We secured a 20-year prison sentence for an individual who leveraged teams of hackers and insiders in a multifaceted espionage campaign on behalf of the PRC, PRC intelligence. The campaign targeted both American and European aviation companies. That person, as I mentioned, received a 20-year sentence and is currently serving that sentence.
Another example, shortly after the Russian invasion of Ukraine just over a year ago, we unsealed indictments that had previously been filed. And we unsealed those indictments that then publicly demonstrated that we had evidence that two different sets of state-sponsored Russian actors associated with Russian intelligence had compromised devices at hundreds of critical infrastructure providers around the world.
And they had deployed malware that was designed to enable physical damage in the future. So we are holding individuals accountable, we're imposing consequences, using our indictments to inform the public about the nature of the threats we face. And our adversaries, as well, are informed that their actions are not as deniable as they might like to think.
So that's one. Second, we're also being proactive, using the full range of our authorities to disrupt national security cyber threats before a significant intrusion or attack can occur. And this has been a big focus of our team more recently and it includes, in particular, the innovative use of our legal tools beyond criminal charges.
Let me give you a couple examples here. Just last month, the Justice Department and the FBI conducted what we called Operation Medusa. This was a technical operation to dismantle and effectively take out the, quote unquote, Snake malware, which was at the time one of the Russian government's most sophisticated and effective computer intrusion tools.
The FSB, Russian intelligence, had used versions of this Snake malware for really almost 20 years to steal sensitive information and documents from hundreds of computer systems in at least 50 countries around the world, including some NATO governments. And through the innovative use of our Rule 41 search and seizure authority,
as well as through our collaboration with private sector partners and a number of foreign governments, we were able to basically disable the Snake malware, which had been, as I mentioned, one of FSB's most sensitive and complex espionage tools. And then last year, in a separate example, we conducted a court-approved operation to dismantle another Russian intelligence tool.
It was a GRU botnet that relied on a compromised firewall appliance. We worked with the company that manufactured those devices. And the FBI developed a court-authorized technical solution that basically deleted the GRU malware. And then took steps to close the vulnerability in those compromised devices. Third, we've also used our cryptocurrency tracing abilities and our seizure authorities to prevent over $100 million in ill-gotten gains
from ever being used by North Korea to support its ballistic missile programs. Those efforts focus both on the hackers who have stolen hundreds of millions of dollars of cryptocurrency, as well as IT workers who use online platforms to earn illegal revenue. And by coordinating the asset freezes and the sanctions, we're able to stop the DPRK from accessing a huge portion of those illicit gains.
And then, a final area I'd touch on is just that we coordinate our efforts with interagency partners and foreign governments, as well as the private sector, to use the full force of these tools, as well as technical operations, sanctions, trade remedies, and diplomatic efforts. For example, in the Iranian example I just mentioned, we enhanced the impact of those public indictments
by working with the Treasury Department to impose sanctions that connected the defendants in those cases with the Iranian Revolutionary Guard Corps. And of course, intelligence plays a key role here, we share targeted threat intelligence that we gather as a result of these investigations. And a really good example of this that was recently declassified is that following the Colonial Pipeline attack,
we were able to acquire information, this is information that we acquired using Section 702 of FISA. And that information verified the identity of the hacker, and it enabled the government then to recover a majority of the ransom. So our commitment to combating these threats using every tool we've got I think is making an impact, and I think that's why we're being more effective.
We're making it harder for hostile nations to maneuver and recruit, by imposing accountability. We're denying our adversaries access to technical infrastructure and cutting off their funding. We're disrupting the criminal ecosystem by making cybercrime and ransomware higher risk and less lucrative. We're helping the private sector defend itself with key intelligence and threat information.
And then we're marshaling the efforts of like-minded nations around the world on both law enforcement and diplomatic fronts. So as determined as our adversaries might be in escalating their brazen attacks, they are learning that we are even more determined to protect the United States. So since we first charged five members of the PLA in 2014,
the National Security Division, which I lead, has been at the front of the effort to take on this challenge, with just a handful of dedicated cyber prosecutors really operating on caffeine and grit and a shoestring budget. And none of these cases that I mentioned would be possible without that effort,
along with the critically important efforts of our partners in the US attorney's offices around the country, who have proven to be incredibly enterprising in our work with them. So I'm proud of that work, I'm proud of the work that's being done in NSD and the US attorney's offices and the FBI and across the Department of Justice.
The cases I just discussed a few minutes ago, they're not easy cases, these are hard cases, they're fast paced, they span international boundaries. They often involve classified data and often highly technical data, and they demand innovative legal approaches. So these are actions that require time, attention, expertise. So now, because of that and because of our recognizing that, we are aggressively growing our national security cyber program.
So today I am announcing that we are establishing a new national security cyber section, NatSec Cyber, for short, within the National Security Division. And this new full litigating section, which now has the approval of Congress, will place our work on cyber threats on equal footing with our other NSD components,
the counterterrorism section and the counterintelligence and export control section. The new section will allow NSD to increase the scale and speed of our disruption campaigns and prosecutions of nation state cyber threats, as well as state-sponsored cyber criminals, money launderers are often associated with them and other cyber-enabled threats to national security.
NatSec Cyber will give us the horsepower and organizational structure we need to carry out key roles with the department in this area. This new section will have prosecutors who will be positioned to act quickly as soon as the FBI or an IC partner identifies a cyber-enabled threat. And we will be in a position to support investigations and disruptions, and this is really important from the very earliest stages.
And in order to more closely integrate with the FBI Cyber Division, NatSec Cyber will mirror the structure of the FBI and its Cyber Division, organizing our leadership by geographical threat actor. Having prosecutors that are fully dedicated to national security cyber cases will deepen our expertise and it will enable us to better collaborate with our key partners.
And that includes, in particular, the criminal division's computer crimes and intellectual property section. The new section that we're announcing today will also serve as a really important resource for prosecutors in US attorney's offices around the country. As I mentioned, these offices, US attorneys' offices, 94 of them around the country, represent the tip of the spear in confronting many of the threats that occur in their districts.
Responding to highly technical cyber threats often requires significant time and resources, and that's not always possible within the demands of these individual US attorney's offices. So my goal for the NatSec Cyber section will be to serve as something of an incubator, where we're able to invest the time and energy early in these cases to ensure that they're properly handled.
And then the section will also allow the prosecutors, this is really important as well, to work with our colleagues around the federal government who are focused on the policy process. In particular, that policy process that's led by the National Security Council. So, in conclusion, the bottom line, cybersecurity is a national security matter.
Our cyber adversaries are innovative and constantly adjusting their tactics to hide from our investigators and overcome our network defenders. So the National Security Division is committed to matching our adversaries by adapting our tactics and our organization, as I've announced today, to bring all of our tools and authorities and expertise to this fight.
So thanks. I look forward to my conversation with you, Jack, and to answering your questions.
>> Jack Goldsmith: Okay, let me know if this is not picking up. Okay, so I neglected to say that I am Jack Goldsmith. I'm a professor at Harvard Law School and a senior fellow at the Hoover Institution.
That's why I'm here today. I know a little bit about national security and cyber. And so I'm going to ask you some questions, starting, Matt, with what you just announced and then working out to some broader policy questions for the national security division. So I guess the first question is, why now for this new section?
You talked about it. You talked about the successes you've been having, and you talked about there being an incubator role. And so could you just say more about that? Why do you need this new section now? And it's a significant change in the bureaucracy. I take it you're elevating it to the level of the other sections.
>> Matthew Olsen: Yeah, so, as you said, Jack, you downplayed your own background here, but you served in the Department of Justice and have been a leader in national security. And probably, I don't know, and you were in the Justice Department 20 years ago or so, but there really wasn't an effort around cyber security and cyber prosecutions.
And we didn't have the same threat for sure, but it was emerging. And so I think now the answer to the question why now? Is, is threat based. We're responding to the nature of the threats that we face from the countries that I discussed and what we've seen.
What I've seen in my time in the Justice Department, as I returned a year and a half ago, is that we are in the national security division. We are sort of fighting above our weight class. We're having an impact, but we're doing so with just a small handful of prosecutors.
And we need to take advantage of some of the expertise that we've developed and some of the efforts that we've proven to have been effective over the past few years. And now just protect those resources and increase them. So there's just a, it's really a recognition that in order to be effective, we need to play a more significant role and do that through more resources.
>> Jack Goldsmith: And you said some more resources. You said that previously, the attorneys that were doing this were kind of, in an informal way, operating on a shoestring budget, you called it.
>> Matthew Olsen: Yeah.
>> Jack Goldsmith: So what about now? But do you still have that shoestring budget, or do you have the resources you need to make this happen?
>> Matthew Olsen: We're doing this out of hide now, for sure. We've got, and we're adding prosecutors to this new section, and we're gonna continue to do that over time. But there's, I think, rightly the federal government is investing more and more in cybersecurity. We see this with CISA at DHS, we see this with cyber command and NSA and at FBI.
And I think it's incumbent on us within the Justice Department to kind of keep up with the investment that our partners are making in cybersecurity. Again, this is just like in CT, it's a big team sport.
>> Jack Goldsmith: Counterterrorism.
>> Matthew Olsen: Counterterrorism, I said CT, right. Just like in counterterrorism.
It's a team sport. And we need to understand there are different authorities that are brought to bear by these different organizations like Cyber Command and FBI and CISA within the Department of Homeland Security. But now we need to make the same level of investment within the Justice Department.
>> Jack Goldsmith: Okay, and you described this new section as having. It would be a full litigating section, and you talked briefly about your relationship to the Criminal Division's Computer Crime and Intellectual Property Section, and to US attorneys. But could you flesh that out?
>> Matthew Olsen: Sure.
>> Jack Goldsmith: If this is a full litigating section, how does it relate to those other two groups of lawyers?
>> Matthew Olsen: So this is internal DOJ, right? But it's really important to understand the criminal division has a section that's been around for a long time focused on cybercrime and intellectual property that does amazing work. And has built out a level of expertise on cybercrime focused on criminal activity involving cyber intrusions.
And similar type of malicious cyber activity. And they're our close partner. And then within the US attorney's offices around the country, particularly, some offices have developed more expertise than others over time, as you'd expect. But they are often the ones who are in court on a daily basis, right.
They bring these cases in court. So our role in the National Security Division is to collaborate closely with the Criminal Division. Understanding at certain times at the early stages of a case, might not know if it's a criminal case or national security case. And so we work hand in hand with them as we coordinate and deconflict.
And then early on in a case, we may be the ones in the National Security Division to issue the first set of process subpoenas, or use grand jury tools to understand the nature of the threat before we may even know which US attorney's office is going to work on it.
And so we're often. That's why I use the word incubating. We're early on in the case, developing the investigation, getting it started, and then we make a decision, okay, this case belongs here or there, and we partner with the US attorneys, okay?
>> Jack Goldsmith: And this is my last bureaucratic question and then we'll get to the more interesting policy questions.
I think you said that the new section will mirror the FBI. I don't know what that means. Can you explain that?
>> Matthew Olsen: Yeah, sure, part of the goal here is to. The FBI has been increasingly effective, and they've got a really strong cyber team. They've got a cyber division that's organized geographically, so they understand where the threat actors are.
And the threat actors use different types of tools and malware that are associated with those actors, right. And when it comes to nation state, we know, for example, the types of tools that we associate with the PRC or Russia or Iran or North Korea. So we're gonna organize at a leadership level, at least initially, our NatSec Cyber section, to correspond directly to how the FBI cyber division is set up.
So that, again, just very practically speaking, when there's an intrusion and there's an agent or a leader in the cyber division, FBI, he knows exactly who to call in our division to say, I need your help, we need to issue a subpoena, or, let's get going on this case.
And there's a point to point, constant sort of interaction between those two, between us. The FBI is our key investigative partner, so mirroring how they're set up just makes total sense.
>> Jack Goldsmith: Okay, so, these bureaucratic questions are hugely important for the government being successful and for how the government runs but I want to and.
And you make a powerful case for the role of this new section. But I wanna broaden out some of the policy questions you raised. You talked about bringing indictments. I think you mentioned an indictment against some Iranian officials. And I think it's fair to say that the vast majority of the indictments brought against officials, foreign state officials, especially, who are overseas, there's dim prospects of bringing them to trial, not zero, but dim prospects of bringing them to trial.
And so, I mean, I've been, and I'm not the only one, a questioner or critic of this policy. And I'm just wondering, I mean, and I know you disagree. So the worry is that the signal that an indictment of a foreign official that can't be followed through on the danger is you're revealing vulnerability.
You're acknowledging that they made their way in and had a successful operation. You're signaling that you don't, in the short or medium term, have the prospects of bringing them to trial. And you're announcing to the rest of the world that maybe our tools aren't so great because here we are admitting that we were infiltrated and implicitly admitting that we can't prosecute.
Now, I know there's a counter argument, but that's a case against naming and shaming. So why do you continue to do this and what's the value?
>> Matthew Olsen: Yeah, first of all, I recognize that there are skeptics about this approach, and you're one of them. And we've talked about this, you and I, in the past, because, look, I think it's a really important part of our strategy and here's why.
One, when it comes to going after nation state cyber activity, it's not that much different than the other work we do in the national security division, whether that's going after terrorists or in espionage cases, going after spies. We often don't have the prospect, especially in the near term, of putting handcuffs on somebody.
But here's an important point. Our memory is long, right? We are going to bring these cases and we're going to pursue justice. And we did this recently, in fact, with one of the alleged bomb makers in the Pan Am 103 case from 30 years ago. That person's now pending trial here in Washington, DC.
So we remember these people who carry out these attacks, and we go after them over time. So that's one reason. A second is we sometimes unseal these documents, the charging documents, to send a message, and we send a message to our adversary that we know what they're doing, and that we've uncovered their activity.
And that message is also sent to the private sector so they can better defend themselves. And an example of that is the case involving, there's actually two indictments that we unsealed shortly after Russia invaded Ukraine just over a year ago. And spelling out in some detail what we understood about what Russian intelligence had done to go after critical infrastructure providers.
And one, as I said, I think it does send a deterrent message because we're revealing to them that we know what they've done. But we're also giving the private sector, backed up by the evidence alleged in a Department of Justice indictment, here's the type of threats that you all are facing from these actors and give them a sense of what they need to do to better protect themselves, because, again, it's pretty much on them in the private sector to invest in their own cybersecurity.
The third reason I think that these indictments can make a difference is they, over time, and this is something your scholarship, I know, focuses on. You hope to develop some international norms around cyber-crime, and what rule of law nations like the United States don't tolerate. And if we didn't do this, if we just stayed quiet or we only worked in the secrecy of intelligence activities, we wouldn't, I think, have the same ability to develop those norms internationally.
So I think that's another advantage. But, look, some of those are untested, and we'll see over time who's right.
>> Jack Goldsmith: Maybe we'll see, maybe we won't. I'm not sure how we'll know. But I wanna pick up on one thing you said. You said it's important for us to let them know that we can see what they're doing.
There's been a sea change in the government since I was there in the early two thousands, since you started at the national security division. There's been a sea change, it seems to me, in the government, across the government, in the national security division over time about it used to be the case that you wouldn't want them to know.
Or that there was a view that the intelligence community, including NSD, should not reveal what we know about what other, what our adversaries are doing. Because it enables them perhaps to figure out what we're doing and therefore to deny access to us. Now, clearly, NSD and the government in general, and a lot of context has gotten over that.
Can you just explain in general why and how that works?
>> Matthew Olsen: Yeah, I mean, it's an ongoing conversation, and the conversation is always the same. It's, you know, what do we need to say to bring a case? What do we need to say to provide that message? And what do we need to do to protect how we got that information?
And I think the difference and the distinction is, we're not saying in these cases how we learned this information, the how, that's sources and methods, that we protect. But sometimes we can say more about what we know without revealing how we know it and where we can, where we can.
And this is true in all of our cases. And in fact, it's sorta a core function for the National Security Division, created 15 plus years ago, that we are in a position to navigate this tension between being able to publicly talk about what we do and protecting the ways the intelligence community collects information.
And so we are the go between the prosecutors and the intelligence community. That's true across the board, but it is especially true in this context in cyber, because often what we know, we know from very sensitive collection methods. And so there are times we don't say we have to hold back.
But where we can, where we can be open, where we can send that message to our adversaries, where we can send that message to our own private sector, where we can send that message to the American people so that they understand where we can be transparent. They understand how their investment in intelligence is paying off.
I think those are all public values that we should support.
>> Jack Goldsmith: You referred to Operation Medusa-
>> Matthew Olsen: Yeah.
>> Jack Goldsmith: Which, as I understand it, is a remote access technical operation. And I think you alluded to the fact that this was an increasingly important tool. How much more can you say about that?
Its importance, what it involves? Do you work with the private sector in doing that? How much more can you tell us about that?
>> Matthew Olsen: Yeah, I'm gonna talk a little bit more. I think it's really an important part of our overall playbook. As I mentioned, obviously, we prosecute cases where we can.
The goal, just like in the counterterrorism context, is to stop an attack. Right, or disrupt it at its very early stages, as opposed to bringing a case down the road after an attack. So in this context, with Operation Medusa, what we were able to do was to identify an FSB tool that had debuted for 20 years to great effect.
And we were able to, what I can say is we were able to disrupt it, but we worked to do that. We worked very closely with the private sector and with the intelligence community and with foreign government. So again, it's a little bit out of the playbook of our other national security cases, where we have multiple stakeholders when we work on one of these cases.
And we coordinate our efforts to the extent we can with the private sector and particularly with foreign governments, both on the intelligence side but also on the law enforcement side to have maximum impact.
>> Jack Goldsmith: And related to the private sector. What is the role of the private sector, reporting or notifying you that they've suffered
a breach or some kind of adverse activity, and how does that happen? Does the new section have a role in that? I assume you need to know what's going on in the private sector to be able to protect the private sector. But how does that relationship work? And will the new section have a role in that at all?
>> Matthew Olsen: Yeah, I mean, most of that interaction is the FBI and private sector companies, right. At the field office level, private sector companies, particularly those that are within the crosshairs of nation state cyber actors, they have a relationship with the FBI. As you know, I was the Chief Trust and Security Officer at Uber for a number of years before coming back to government and ran our cybersecurity program.
I knew who the FBI field office leadership was, who worked on cyber. We met on a monthly basis to talk about cyber threats so that relationship was really strong. The goal is for the FBI and then for us, relatedly, us in the national security division, to have that relationship so that when there is a threat or certainly if there's malicious activity, that those companies understand that we have a victim centric approach.
And that they will come to us and tell us what they're seeing, because when they do, we are going to be better able to defend them. We treat them as victims, not as perpetrators. And that's a really important point because we want them to come forward. We recently, there have been recent cases, there's this case involving Hive ransomware, where we were able to actually provide the decryption keys to protect private sector companies.
But what we saw in that case was only about 20% of the companies had come forward, but those 20% had given us the information we needed. When I say we, the FBI, the information the FBI needed to understand that ransomware and to develop the ability to unlock the data, that's a great example of where coming forward really enabled the FBI to then better protect these companies from that activity.
>> Jack Goldsmith: So one upshot is, the more that companies have these relationships with the FBI and report these things, the more you can protect them. Is that right?
>> Matthew Olsen: Exactly. The more they come forward and the better that relationship is. I think we're much better able to then defend them both after an attack in a responsive mode, but even before, where we can give them early warning or a heads up that this is the type of activity that we see.
Here's why we think you might be vulnerable, and here's what you may consider doing to protect yourself better.
>> Jack Goldsmith: Okay, let's switch to a final big topic, and I imagine this is taking up a lot of your time, and that is section 702, FISA 702 reauthorization. Why don't you briefly tell us what FISA 702's reauthorization is, and then I have some questions about it.
>> Matthew Olsen: Sure, and this is familiar to, I know folks in the audience here, but section 702 is a new or relatively new amendment to FISA from 2008 that is due to expire at the end of this year, it sunsets by statute, at the end of this year, unless it's reauthorized.
I just testified before the Senate Judiciary Committee along with a number of colleagues last week to really emphasize the critical value that section 702 provides. I don't think there's really any doubt about the value that it provides in terms of protecting the national security, because the way it works is that it enables the intelligence community to collect against non US persons overseas without obtaining an individualized probable cause warrant.
When we target those individuals who are not US persons and who are outside the United States and who have no Fourth Amendment rights, over the past 15 years, it has become just increasingly important as a tool for collection. The challenge we face now is that in some of the implementation of this tool, particularly the FBI, has made some significant mistakes and has a poor compliance record over the past several years.
And so there's really a trust deficit that we're dealing with, with Congress to make sure that, well, we're dealing with that trust deficit, and it's incumbent on us to demonstrate that we can, we in the bureau and the Justice Department and the intelligence community at large, can be trusted to implement this tool responsibly.
And we've made a number of changes to demonstrate that we can do that. But we have some work to do to continue to convince Congress and the American people of that.
>> Jack Goldsmith: And one thing you've been trying to do, I mean, the original dominant justification of 702 was a counterterrorism justification.
And I've noticed you've been emphasizing, you may have done this in your testimony, that 702 is valuable for far beyond counterterrorism, one component of which is cybersecurity.
>> Matthew Olsen: Right.
>> Jack Goldsmith: Can you explain how that works and?
>> Matthew Olsen: Yeah, I mean, the tool's agnostic on the nature of the threat, right.
The initial justification was counterterrorism, but it has proven to be extraordinarily adaptive and agile, and it's now been used in a number of other contexts, whether that's Chinese espionage and counter narcotics, fentanyl, for example, working with foreign partners there, but also in particular on the cyber threat. And chief information security officers, CISOs, all over the United States, should be very thankful that we have section 702 because of the amount of intelligence we get through 702 that we then are able to provide companies to better protect them.
A specific example that I've talked about is the really notorious Colonial Pipeline ransomware attack, where we used 702 threat intelligence to identify the Chinese hacker and then to recover some of the ransom. So, really important tool in that case. But that's just one of many examples of where 702 has provided critical intelligence in a cyber context.
>> Jack Goldsmith: So you mentioned the challenges to renewing the authorization and some of the troubles that the FBI has had. So where do you see. This is my last question. Where do you see the debate now? How do you see it playing out? What are the main issues going forward?
Where are we?
>> Matthew Olsen: Yeah, I mean, there's really one core issue that I think stands out, and that is the FBI's ability to take 702 data that's been collected by NSA, which FBI gets a small portion, about 3% of the overall collection, so a very small fraction. But they get, it's really important because that 3% relates to threats inside the United States, where the FBI has an open national security case.
So the issue is the FBI's ability just to simply query that data, just like you might query your own Gmail account when you're looking for an email from somebody, the FBI conducts queries of that data, and sometimes they do so using a US person identifier. And the debate is, should they have to get a warrant, for example, to do that?
I think that would be an extraordinarily bad idea, that's not legally required. And it would basically shut down the FBI's ability to search data, query data that's already been lawfully collected. And I'll put it in the cyber context, imagine, hypothetically, that a US company has been attacked. That company's name and some of the technical indicators that are associated with that company would be really useful for the FBI then, to look at 702 data.
So say there's a working assumption that it's Russia that's behind that attack of that company. At the very earliest stages, one of the first things the FBI is gonna wanna do is put that name of that company and some of the technical information, which might also be US person information, into its database to look to see.
Is this attack limited to this company? Has there been anything exfiltrated? Can we associate it with FSB or GRU, Russian intelligence activity? And there's not gonna be probable cause, in all likelihood, at the early stages, to search a name of a company, right? I don't even know what probable cause would look like in that context.
So, I think some of these ideas, perhaps well intentioned, are really misguided and would not be operable.
>> Jack Goldsmith: Misguided because it really narrows the significance of the program. But okay, so my last question.
>> Matthew Olsen: Yeah, but can I say one more thing? Misguided because it misunderstands a central lesson of 9/11.
Is that it would basically recreate a divide between foreign intelligence collection and what the FBI can do to protect us here in the United States. And that's not the nature of the threat.
>> Jack Goldsmith: You would do that just by slowing down the process.
>> Matthew Olsen: Slowing down or gutting, really, the ability of the FBI to take advantage of this collection.
>> Jack Goldsmith: Okay, so my last question is, you acknowledge and the government's acknowledged that there have been problems with compliance. There's a larger political dimension here which we can set aside, but there have been serious problems with compliance. Not short-term. There have been medium term problems with compliance with 702.
And so, the question is, how can you fix those compliance problems in a way that gives Congress and the American people confidence while maintaining the virtues and powers of the tool? How do you do that?
>> Matthew Olsen: That is the crux of the problem, right? You just, in a nutshell, identified the challenge.
And one thing that I guess I would say is it's not a fix the problem. It's a process. So compliance requires sort of ongoing understanding of the nature of the problems, what's causing those problems, and then taking steps to address them. And one of the things that we've done most recently, and it's a very simple fix, and it's really had a significant impact.
And that is when the FBI first set up this system, basically by default, when they searched all of their databases of other cases and other sources of information, they were by default searching this raw section 702 data. And so many, many, if not the vast majority of the problems that they committed, mistakes they committed, were by inadvertently searching this data.
We just flipped that default setting to require that FBI agents and analysts affirmatively opt in and then justify that search before they conduct it. And that's reduced the number of, quote, unquote, US person queries by 90 plus percent.
>> Jack Goldsmith: Over what period does that happen?
>> Matthew Olsen: Well, it's over the last year and a half that change was implemented.
But understanding that problem, taking steps to fix it, and then measuring our success as we move on to the next challenge, because there are gonna be other mistakes and other problems. We need to demonstrate that we can be trusted with this sensitive information. No question. But I think that's an example of where we have taken significant steps to address a problem and that it's paying off.
>> Jack Goldsmith: Okay, great. We have time for a few questions, if anyone has some. If you just announce who you are, please.
>> Mike: I'm Mike Irosci, formerly with DOD, for the state sponsored terrorism. One thing you did not mention was retaliation. Why are we taking retaliation if not, why not?
>> Matthew Olsen: So, one of the reasons I don't talk about retaliation. So a lot of what happens in terms of how we might be responding to nation state activity in this context is not publicly acknowledged. You said you're from DOD. Obviously, DOD has cyber command. Cyber command operates, can take offensive operations at the direction of the president.
Some of those have been revealed publicly, but others may not have been. So, I think it's a capability that the United States has developed and uses where warranted.
>> Jack Goldsmith: Other questions? Yes, sir.
>> Matt: Thanks for doing that.
>> Matthew Olsen: Good to see you again.
>> Matt: Good to see you.
Has the Justice Department been affected by the MOVEit breach that has impacted several agencies, including OMB, USDA? I'm curious, is there any progress in investigating the breach in the agencies it has impacted?
>> Matthew Olsen: So it's an ongoing investigation. So I'm really, as I know you appreciate limited what I can say about it, something we're looking closely at, but it's an ongoing investigation, so I can't say anything further about it.
>> Matt: Has the Justice Department been impacted?
>> Matthew Olsen: So I'm not gonna comment on it because it's ongoing.
>> Jack Goldsmith: Other questions? Yes, sir.
>> John Sackler: I'll hop in. John Sackler, Politico. A little convoluted, and I might have missed this, but on an edge case where there's a cybercrime incident in the state and a new litigator from the cybersecurity section steps in.
Do they step in above their equivalent at the criminal cyber division? Like you were talking a little bit about the. I'm just trying to understand that first kind of interaction.
>> Matthew Olsen: Yeah, it's a good question. And you said bureaucratic, but if you'll. So we're partners and on equal footing with the criminal division.
So you have the criminal division and the national security division and there's an assistant attorney general over the criminal division, Kenneth Polite. He's my colleague. And it's the case that if there's an attack or some sort of intrusion at a company, for example, or at a government agency, we may not know initially, is that a nation state case?
Does it involve national security, or is it a criminal case involving criminal actors? And we'll work that together until we can resolve who should be in the lead. We're on equal footing as we make those determinations. And this is where intelligence can make a big difference, because often it's the case that our intelligence agencies will have some insights about who's behind an attack at the very earliest stages.
So understanding very quickly that this is a Russian intelligence activity versus an Eastern European criminal group, for example, very early on, we might be able to make that judgment and be able to assign the case accordingly. In every case I've been involved in, there's been a very easy way, or at least a very collegial way to work that out.
>> John Sackler: And if you don't mind, just follow up, just versus what was happening in the past. Does that just mean NSD as like a voice in the process earlier?
>> Matthew Olsen: No, we've always had that sort of process and that sort of relationship. What this does, though, having a national security section, a NATSEC cyber section does, is that it gives us just more in terms of resources.
It's our commitment to invest more in terms of resources and also to protecting those resources. I think anyone who's worked in an organization understands, like when you have multiple demands. And when our cyber prosecutors were in CES, they did espionage cases, they did export the counterintelligence and export control sections of CES, but they did all these cases.
They did transnational repression. They did export control trade secrets theft. So taking those prosecutors and dedicating them to a section, elevating that section in terms of its importance and its profile will help to protect those resources as we continue to grow.
>> Jack Goldsmith: Any other questions? Matt, thanks very much.
>> Matthew Olsen: Thank you, Jack. Thanks, everybody. Appreciate it.
FEATURING
Matthew G. Olsen Assistant Attorney General for National Security, Department of Justice
Jack Goldsmith Senior Fellow and Chair, Jean Perkins Foundation Working Group on National Security, Hoover Institution | Henry L. Shattuck Professor of Law, Harvard University