In a speech to Interpol in November, U.S. Deputy Attorney General Rod Rosenstein lobbied other governments to do more to help Washington track down foreign cybercriminals.
“By devoting appropriate resources to international cooperation efforts, we can properly address the increasing threat of cybercrime,” he said, adding later: “No nation should exempt itself from just and reasonable law enforcement cooperation.”
Rosenstein was acknowledging that regardless of the Department of Justice’s investments in countering cybercrime in the United States, the department’s ability to put foreign crooks behind bars can rest, in part, on other governments’ cooperation in finding and extraditing them.
That’s why, analysts say, it’s crucial to fund U.S. programs to boost foreign governments’ ability to crack down on hackers. A new advocacy effort from the think tank Third Way is trying to focus U.S. policymakers’ attention on making those programs more effective.
“We think that the U.S. government should be able to do better” in holding cybercriminals to account, said Third Way Vice President Mieke Eoyang. “There are crimes out there that are happening, that are never seeing any law enforcement action.”
Eoyang spoke Wednesday to a room of legislative aides as Third Way advisers presented recommendations they hope will gain traction in the new Congress. Those proposals include that the U.S. government develop clear metrics for assessing the effectiveness of its anti-cybercrime efforts and, in some cases, that Washington increase funding for programs that help other governments in the fight.
Over the last several years, DOJ has invested in developing cyber-focused prosecutors, and the State Department has carried out important cyber “capacity-building” programs with other countries. U.S. prosecutors also have notched some notable wins in extraditing accused foreign hackers, including the Russian who allegedly hacked LinkedIn and Dropbox.
Nonetheless, Third Way says, U.S. investments in stemming cybercrime at home and abroad are falling short.
An arrest occurs in only about 3 in 1,000 cyber-incidents that are reported to the federal government, according to federal data reviewed by Third Way. Of course, not every malicious incident is prosecutable, but the bottom line, the think tank says, is that more can be done to hunt down cybercriminals.
“Are we putting enough funding into certain countries? How are we measuring success and progress?” said Allison Peters, Third Way’s senior national security adviser. “There is a lot of capacity-building work that is happening, and we need more of a spotlight in Congress to ask some of these hard questions.”
For example, the State Department last May announced it would double the cyberdefense aid it had pledged to Ukraine the previous year to $10 million. But the announcement was short on details on how the money would be spent, much less how its impact would be measured.
Wednesday’s briefing was co-hosted by the office of Sen. Chris Coons, D-Del., who sits on the Judiciary and Foreign Affairs committees.
“I am encouraged by recent Department of Justice actions against cybercriminals, but there is more we can do,” Coons told CyberScoop. “I look forward to working with law enforcement officials and experts to find ways to expand and enhance our cyber capabilities.”
Paperwork is too slow in digital age
Another area of focus for Third Way’s cybersecurity initiative is improving on the Mutual Legal Assistance Treaties that govern requests for evidence between countries in cross-border criminal cases – the issue on which Rosenstein appealed to Interpol.
Christopher Painter, the former top cybersecurity diplomat at the State Department and an adviser to the Third Way initiative, told CyberScoop the MLAT regime was conceived in an essentially pre-digital era and can be too slow for dealing with cybercrime. MLAT requests can get farmed out to a regional law enforcement office in a country, where they might collect dust while cybercriminals change their tactics.
“We need to find a way to really speed these up for the digital age,” said Painter, a fellow at Stanford University’s Center for International Security and Cooperation. “You can’t wait months for data, especially in cybercrime cases.”
Painter said a 2018 law known as The CLOUD Act will help. The law allows the U.S. to strike bilateral agreements with certain foreign governments to facilitate direct data requests with tech companies during investigations. Critics warn that CLOUD agreements could violate users’ privacy if not properly implemented, but proponents counter that there are privacy safeguards in the law.
The U.S. and United Kingdom are negotiating a CLOUD agreement, and backers of the 2018 law hope deals with other countries will follow.
Third Way executives say America’s international cybersecurity efforts could also be strengthened considerably by restoring a top-level cyber diplomatic post at the State Department. That position was held by Painter until then-Secretary of State Rex Tillerson scrapped it and effectively downgrade the department’s cybersecurity office in 2017. Though State’s cyber diplomacy continues, the absence of a coordinator weakens those efforts, critics charge.
A bipartisan House bill introduced last month would re-elevate the department’s cybersecurity office and give an official in charge of it the rank of an ambassador.
Having a top-tier official once again heading State’s cybersecurity efforts, Peters said, “would be critical to ask[ing] some of these hard questions and do some of this coordination that needs to be done around all of the capacity-building support” that the U.S. does.