SAN FRANCISCO — Private companies have a crucial role to play in assisting the Department of Justice and FBI as they gather information to charge malicious cyber actors with crimes, especially as the department views criminal charges as a form of indictments, a top FBI cyber official said Feb. 26 at the RSA Conference.
Adam Hickey, deputy assistant attorney general of the national security division at the Department of Justice, said that companies reporting breaches to the Justice Dept. allows the agency to begin an attribution process that may ultimately result in criminal charges.
Contacting law enforcement, Hickey said, was the “responsible” thing for companies to do.
“That [contact] is critical to the attribution question a lot of the times,” Hickey said, because law enforcement can then work “backwards from whatever breadcrumbs are on the network of the victim to figure out on our end who did it.”
The department also has a fundamentally different role in cyber attribution — one that also has to be significantly more transparent — than other government agencies doing attribution.
“The intelligence community may know well from other sources who’s responsible, but when I think about bringing an indictment, I’m sourcing that from unclassified information,” Hickey said. “So I’m often starting from victim information and going from there.”
Hickey also said the Justice Dept. has benefited from a “shift in culture” where companies’ responsible behavior isn’t necessarily judged purely on whether they were breached, because there’s now an understanding that an “adversary with enough time and resources is probably going to get in.”
“Instead you want to understand how quickly were they to identify it, did they build a security architecture that allowed them to mitigate the consequences quickly before it was detected, and did they do the responsible thing and contact law enforcement,” Hickey said.