The challenges presented by maintaining cybersecurity and keeping pace with emerging technology are becoming more complex and critically important as the U.S. Department of Justice (the Department or DOJ) continues to store data digitally, utilize software-as-a-service products, and incorporate emerging technologies into processes and systems. Given that the topics of cyber and technology touch upon so many different aspects of the Department’s work, this is a multifaceted challenge that needs to be addressed in a way that comprehensively covers the technological, financial, and privacy risks, among other threats. In addition, cybersecurity is a transnational issue. Global collaboration activities include information sharing with foreign partners on current threats and providing cyber training to foreign law enforcement. As highlighted in a U.S. Government Accountability Office (GAO) report issued in March 2023, DOJ also provides direct assistance in fighting cybercrime and works with foreign nations to help combat these technology-driven crimes. The report cited a lack of dedicated resources, difficulties in retaining highly trained staff, and inconsistent definitions of “cybercrime.” Continued collaboration, both across the federal government and among U.S. and international partners, will aid DOJ in combatting increasingly widespread and complex cybercrime.
“Cybersecurity” is the practice of protecting technology and is aimed at preventing cyberattacks or mitigating their impact. The Department has a leading federal role in the government’s cybersecurity strategy, as outlined in the May 2024 White House National Cybersecurity Strategy Implementation Plan. The plan includes the strategy to build and enhance collaboration among these five pillars:
- defend critical infrastructure,
- disrupt and dismantle threat actors,
- shape market forces to drive security and resilience,
- invest in a resilient future, and
- forge international partnerships to pursue shared goals.

[Image: Federal Bureau of Investigation (FBI) Cyber Division. Source: FBI]
Cyber Supply Chain Threats
The Department, like many federal agencies, relies on commercially available technology solutions to fulfill its mission; however, this makes it vulnerable to the risks and demands of the market.
An excellent example of how vulnerable the U.S. infrastructure is to cyber threats could be seen in the cascading effect of the flaw in CrowdStrike’s July 2024 software push that shut down airlines, companies, and government offices across the globe. According to CrowdStrike’s root cause analysis, a defect in a content update to its software caused system instability and resulted in the “blue screen of death,” which impacted large segments of the global economy, including key components at DOJ.
Cyber supply chain risk management includes identifying risks within the supply chain and managing those risks. When a cyberattack or other event disrupts the supply chain, problems can be significant, such as a slowdown or complete stoppage of product delivery. Cyber supply chain threats can occur through suppliers, vendors, or partners and can result in the unauthorized release of sensitive data, malware, and theft of intellectual property, among other things.
The Office of the Inspector General’s (OIG) July 2022 audit report highlighted supply chain risks, finding that the Justice Management Division lacked the personnel resources needed for an effective cyber supply chain risk management (C-SCRM) program, as well as widespread non-compliance with C-SCRM requirements, outdated C-SCRM guidance, inadequate threat assessments, and insufficient mitigation and monitoring actions. Additionally, while the FBI had a more advanced program for mitigating supply chain risk, the FBI needed to improve its key deliverables to better align with intelligence community requirements, enhance both its risk mitigation and continuous monitoring efforts, and better integrate C-SCRM across the organization. The Drug Enforcement Administration did not have a supply chain risk management program at all. Two of the OIG’s recommendations to assist the FBI in mitigating supply chain risks remain open as of July 31, 2024.
In April 2024, the National Counterintelligence and Security Center and partners launched a National Supply Chain Integrity Month awareness campaign. Their mission is to urge public and private sector organizations to reinforce C-SCRM programs with acquisition security, cybersecurity, and enterprise security, known as “A.C.E.” Five critical technology sectors—artificial intelligence (AI), bioeconomy, autonomous systems, quantum, and semiconductors—have been prioritized by the National Counterintelligence and Security Center as sectors with challenges managing threats and risks to complex supply chains.
Malicious cyber activity is increasing as the barrier to entry for hackers becomes lower each year, and it threatens the public’s safety and our national and economic security. For the Department, as a law enforcement agency, combatting cybercrime and cyber threats remains among its highest priorities as part of its mission to ensure public safety against threats foreign and domestic. DOJ, through the FBI, is the lead federal agency for investigating cyberattacks and intrusions. Some of the challenges the Department currently faces include threats from ransomware, insider threats, the need for federal and global coordination in combatting cybercrime, and recruitment and retention of highly trained cyber staff.
Ransomware
Ransomware continues to be one of the leading cyber-based threats to national security. Cybercriminals deploy ransomware and digital extortion attacks against federal agencies and U.S. businesses and organizations. The FBI and DOJ Criminal Division’s Computer Crime and Intellectual Property Section lead the effort to address cyber intrusions and attacks. In 2023, the Computer Crime and Intellectual Property Section was actively pursuing dozens of the highest priority ransomware groups and had 108 open ransomware cases.
The Department has had some success in disrupting ransomware operations. For example, in December 2023 the FBI announced it had disrupted the Blackcat, or ALPHV, ransomware group, resulting in the restoration of over 500 systems that had been victimized. In March 2022, DOJ unsealed two indictments charging four Russian nationals who worked for the Russian government with orchestrating hacking campaigns that included hiding malware inside software updates for industrial control systems used by the energy sector. The FBI and U.S. Cybersecurity and Infrastructure Security Agency announced in June 2023 that the “Clop” ransomware gang used vulnerabilities in file transfer software to conduct large-scale data theft, including from federal agencies and government contractors. The investigative and technological challenges in this continuously changing arena are significant.
In an effort to assist the Department in managing this threat, the OIG conducted an audit to assess the Department’s strategy to combat ransomware threats and its response to, and coordination on, ransomware attacks against public and private entities. The OIG made findings concerning the Department’s general approach to combatting ransomware attacks. Those findings include that the FBI and the DOJ Criminal Division’s Computer Crime and Intellectual Property Section, which lead the Department’s ransomware efforts, have prioritized the ransomware threat and allocated existing resources in an effort to maximize their impact. The OIG also identified opportunities for the Department to improve its efforts to combat the ransomware threat and made three recommendations, including that the Department assess the U.S. Attorney’s Offices’ implementation of the deconfliction policy for ransomware cases to ensure that federal prosecutors have a consistent understanding of the policy and comply with its requirements. The Department concurred with all recommendations.
Recruiting, hiring, and retaining skilled cyber employees remains a challenge for the Department. The federal cyber workforce, including many DOJ employees, performs vital work, such as protecting government IT systems, networks, and data, as well as critical infrastructure, from the most sophisticated adversaries. In July 2023, the White House Office of the National Cyber Director published the National Cyber Workforce and Education Strategy consisting of four pillars:
- improving the public’s cyber skills,
- transforming cyber education,
- expanding and enhancing America’s cyber workforce, and
- strengthening the federal cyber workforce.
The Department employs talented cyber personnel to respond to, investigate, and disrupt cyber threats—including attorneys, Special Agents, intelligence analysts, computer scientists, data analysts, forensic technicians, and others. With the increasing pace and sophistication of cyber threats, including ransomware and other malicious attacks, it is more important than ever that cyber-related jobs, within the Department and elsewhere in the federal government, are filled with highly qualified personnel. To address this challenge, the Department must leverage flexible hiring practices and workplace flexibilities to recruit and retain capable employees in the highly competitive market for such talent.
Advanced and emerging technologies present both opportunities and challenges for the Department. AI and other emerging technologies are being adopted quickly and have the potential to increase government capabilities and efficiency. However, the risks of these new tools must be managed, and DOJ must understand the legal regulations pertaining to these technologies and comply with them. This evolving landscape presents challenges for the Department to proactively strategize and respond to emerging risks so as not to be outpaced by technological change.
The Department’s 2022 Comprehensive Cyber Review identified a lack of coordination in emerging technology efforts across components and cited potential risks in duplication of effort. Additionally, the review included recommendations for a standing interdisciplinary body, established principles of use, and upskilling a cyber workforce in order to reduce barriers to adoption of emerging technologies. The Emerging Technology Board was established in December 2023 with DOJ’s first Chief Science and Technology Advisor and Chief Artificial Intelligence Officer to address the challenges that persist within the Department.
AI technology has been at the forefront of emerging technologies and has enormous potential to change the status quo across government and society at large. The White House identified AI on its list of critical and emerging technologies this year, and issued Executive Order 14110 last year ordering government agencies to hire technical personnel and utilize AI in their work, taking a whole-of-government approach with AI. While the Department has made efforts to adapt to the change in the technological landscape, such as hiring the Department’s first Chief Science and Technology Advisor and Chief AI Officer, the most recent publicly issued strategy on AI from the Department—which outlines an AI adoption and coordination strategy with DOJ component responsibilities—is from 2020.
The Department uses some AI techniques such as machine learning to classify and detect anomalies in drug samples, topic modeling and clustering to consolidate records review, machine translations, and other algorithms to manage information such as tips to law enforcement, multimedia data, and case documents. As the use of more advanced AI increases, the Department cannot afford to be reactive to the risks and consequences of AI, as GAO reported in May 2023. The U.S. Department of Commerce, National Institute of Standards and Technology, has issued an initial framework to manage the risks of generative AI this year, but the management of AI risks undoubtedly poses a major challenge to the Department as the technology is new and constantly evolving and the standards and regulations around AI are few and in their infancy.
Emerging technologies, such as AI, will significantly affect the DOJ’s efforts to uphold the rule of law, keep our country safe, and protect civil rights over time. When utilizing AI models and tools, DOJ must understand that there is currently a lack of robust and verifiable measurement methods for risk and trustworthiness. To prevent the use of AI in ways that are irrelevant and potentially harmful, the Department must identify flaws and vulnerabilities, such as unforeseen or undesirable system behaviors, limitations, or potential risks associated with the misuse of the system. As part of this effort, the OIG is conducting an audit of the Drug Enforcement Administration’s and FBI’s integration of AI and other emerging technology as members of the U.S. Intelligence Community, with the primary objective of evaluating compliance with requirements related to artificial intelligence and other emerging technologies, as specified in Title LXVII of the fiscal year 2023 National Defense Authorization Act.
According to a study by the GAO, modern devices, systems, and locations generate, retain, and share enormous volumes of data. This includes information collected from the personal devices of government employees, contractors, and family members, as well as online accounts, credit reports, online searches, and online purchases. According to the FBI, this data can be used to connect people with locations and organizations, for example, identifying a person as an FBI agent, or connecting that agent with a location such as an FBI building; this is known as ubiquitous technical surveillance. In February 2024, FBI Director Christopher Wray described ubiquitous technical surveillance as a method used by adversaries to exploit the digital trail left behind by individuals, allowing the adversary to threaten or compromise government sources, operations, and personnel.
New technologies can include new communication technologies, end-to-end encryption of data, and facial recognition technology, and the Department must adapt. The OIG is conducting an audit of the FBI’s efforts to respond and adapt to changing technologies in the environments where it operates. The audit objectives are to determine the sufficiency and effectiveness of the actions the FBI is taking to respond to changing technological environments and the training the FBI provides to its personnel to increase the workforce’s adaptability to those changes. After initiating the audit, in December 2022, the OIG issued a classified Management Advisory Memorandum (MAM) to the FBI when the OIG’s initial audit work revealed that certain aspects of the FBI’s efforts to respond to changing operational technologies were inadequate and required better communication and coordination, and prompt corrective action. The classified MAM included two recommendations to help ensure that the FBI employs a more robust and effective strategy to address the risks posed by changing operational technologies and that its workforce is better positioned to identify and adapt to those risks. The FBI concurred with both recommendations and stated that it has already begun taking necessary corrective actions. Addressing the OIG’s recommendations in the MAM, and any recommendations that result from the current audit, will help the Department as it responds to changing operational technologies.