Last week, the Justice Department brought an indictment against two individuals accused of working with China’s Ministry of State Security to conduct a decade-long cyber intrusion campaign. The Justice Department says the two individuals were targeting the private sector, including research institutions working on coronavirus treatments. But there is another side to this story. DOJ says the suspects were also using their criminal expertise to conduct side operations for personal gain as the MSS looked the other way. If true, this marks a significant change in Chinese tactics when it comes to separating nation-state activities from cybercrime.
The Cipher Brief spoke last week with Assistant Attorney General for National Security John Demers about what the shift in strategy means and about his other top national security priorities going into November’s presidential election.
We included questions for Asst AG Demers from our Cipher Brief members as well. What follows is not an exact transcript of the conversation but is a version that has been lightly edited for length and clarity.
The Cipher Brief: You mentioned in your press briefing around last week’s indictment that individuals who are conducting nation state cyber intrusions for China are also conducting criminal attacks on the side?
Demers: For the first time, China is behaving as we've seen Iran and North Korea and Russia behave, which is to give safe harbor to hackers, allowing them to conduct their criminal activity for their personal benefit while also being on call for work for the Chinese government - in this case, the Ministry of State Security. We have charged this in the past with respect to these other countries, but this is the first case that we've announced that involves this kind of conduct on behalf of the Chinese and the volume of information that is taken in each of these intrusion cases is just enormous.
Another thing that we're seeing develop – and I think we've had about three announced arrests so far - is the arrest of members of the PLA who were sent here undercover as researchers to do things like steal biomedical information. Biotechnology is one of the areas of focus for China's 2025 plan. What we saw in the cyber announcement, in terms of the interest in these biomedical research facilities is nothing new in the broad sense. It's something that we've been tracking for a long time, but obviously it's focused on the most valuable biomedical research these days, which is research on vaccines and the treatment of coronavirus.
The Cipher Brief: So, the Chinese Government is now allowing people who are hacking for them to also conduct criminal activities on their own behalf for personal gain. Is that a big change in strategy from what you've seen in the past?
Demers: It's a significant shift. When you talk about what responsible nation-states do, it really lays bare how - at least in the case of cyber intrusions - they're not acting like a responsible nation-state. It's bad enough when you direct members of your armed forces or your intelligence community to conduct the kind of commercial and intellectual property theft that we have charged and seen in the past, but remember those folks who are working for you, they're doing what you ask them; they're not also extorting some poor person who doesn't want their personal information released, or their personal life, in some way, displayed on the internet. They're not running scams of that kind.
Now what you're doing is you're tolerating criminal behavior, which isn't even what the government wants in the first instance, it's just what they're willing to tolerate so that they can use the talents of these hackers for their own ends. So, I do think it's a significant step in terms of responsible nation-state behavior. It's just unfortunate that we're seeing that from China. As I said, we've seen it from these other countries in the past.
We’ve seen in the case of the Russians and the Yahoo hacks, messaging like "Well, you can target other individuals through your hacking, but they just can't be Russian citizens." We didn't see that here. We'll see where all this goes. But I do think it's a significant and unfortunate step that we've seen now from the Chinese government.
The Cipher Brief: When you're seeing attacks like these that are targeting industry on a global scale, are you also seeing a level of cooperation, particularly among allied nations when it comes to combating things like this?
Demers: We are. I mean, that's the good news with respect to like-minded countries – that is, other countries that are respecting these cyber norms that we're trying to promulgate and enforce. We do see a great deal of cooperation in the international community. We don't get cooperation from China and we don't get cooperation from Russia. That already was a signal to us that they were tolerating cyber intrusions that they didn't sponsor themselves, but we do get it from other countries.
In fact, we've had already three or four announcements by the U.K., the Australians, the Lithuanians, and I think the Germans, all supportive of the actions that we took yesterday in calling on countries around the world to respect these norms of cyberspace and abide by their bilateral commitments that they've made with these various countries. That's very important.
The Cipher Brief: Let’s talk about the closure last week of the Chinese Consulate in Houston. Was there a specific trigger behind that or was this a response to cumulative offenses?
Demers: I'll make a couple of points on that. The first is it's not related to the cyber indictment. I've seen that get conflated and it's understandable because of the timing. But they're not totally unrelated in the sense that one of the reasons why that consulate was closed was because of the level of theft of intellectual property that we see from folks who are sent here from China to steal U.S. intellectual property, so that's one reason.
It wasn't so much one particular thing but a slow buildup of what we've been seeing over time and a decision was made to take a strong step not just to confront it in a general sense but to actually disrupt it by closing that consulate.
The Cipher Brief: We understand there's been a big push by the administration against China on a number of issues that the U.S. finds challenging to U.S. national security and to the economy. What else should we be thinking about as we look to understand today’s threats?
Demers: It’s across the board. We continue to be very focused on election interference. This was the time four years ago when the Russians had already gone pretty active. Luckily, we haven't had to talk as much about this as we might otherwise have had to. We've done a lot of work with the social media companies to try to disrupt the foreign influence piece of election interference. DHS has done a ton of work with state and local officials on firming up election infrastructure and balloting infrastructure, that is all going to continue as we move forward. But that's a big focus of ours, and as we've said publicly, we've certainly seen - on the influence front in terms of social media - the Russians, the Iranians and the Chinese be active on foreign influence.
We haven't yet seen the kind of hacking and dumping that we saw last time around with respect to the Clinton campaign, but we're very focused for the next three and a half, four months on that issue as well.
And then in general, on Iran and its activities in cyberspace as we see they're quite sophisticated in that space and always with an eye out for espionage activities more broadly. On the nation-state front, I would say it's as busy as ever.
The Cipher Brief: Terrorism is also one of the issues that your office investigates and prosecutes. One of our members asks about the FISA section 215 provisions, which have now lapsed for about 3 months. Where are we on replacing those? And is the U.S. at risk for a broader terrorism incident in their absence?
Demers: Unfortunately, the bill seems to be stuck right now in terms of reauthorization. I think everybody knows we got to a point where we thought we had a good compromise with the House that would reauthorize those provisions and also address some of the issues that were discovered by the Inspector General with respect to the Carter Page application.
When it went to the Senate, certain provisions were added on that we thought were just too much and that would impair the value of our normal Title I FISA collection, the core authorities, and that therefore we would rather wait to see whether we could work with Congress more constructively to try to address their concerns without undermining broader FISA collection.
What that's meant, of course, since the middle of March, is that we've been without the Business Records Authority, the Lone Wolf Authority, and the Roving Authority. Luckily, the sunset provisions in those authorities allow us to continue to use, for instance, business records where it's really most important, on existing investigations.
In the near term, the impact has been greatly lessened by the existence of those sunset provisions, but of course the value of that will degrade over time because we'll have new investigations, we won't be continuing old investigations. This isn't something that can go on forever without us being impacted. So far, I think that we've been able to manage the risk. But as I said, that will get harder and harder over time. We'll see what the path forward is. Right now, there's not a lot of activity on the Hill on this topic. We are prepared to do everything we can to continue these investigations lawfully, obviously without these authorities for quite some time, because I could see it being sometime more before they're reauthorized.
The Cipher Brief: Another of our members asks whether the proposed lower threshold for FISA Amicus is one of DOJ's concerns with reform, and if so, how does the perceived burden outweigh the benefit to the process?
Demers: That is one of the concerns. The big change when the bill went to the Senate was an amendment which passed, that was proposed by Senator Lee, that would greatly expand the use of Amicus in the FISA court, and, I would say, change the nature of the FISA Amicus from one of being what it currently is, which is a friend of the court responding to requests of the court, to one that has almost its own independent basis for arguments. Almost like a federal public defender approach to a FISA Amicus, to what essentially is really a search warrant process at the end of the day. One that we're very used to seeing on the criminal side.
Just in terms of numbers, since we've had an Amicus that was put into place a few years ago, the average amount of time that it takes us when an Amicus is appointed to get a ruling on the case, is something like six to nine months. So that's a significant delay in FISAs that can usually be done within a week or so, once they're submitted. Obviously, a lot of work goes into them on the front end. But once you expand the cases in which you're going to use an Amicus, then you're going to just increase the number of cases in which we have this significant delay, which of course can be very meaningful in national security cases.
The second part is that the scope of the expansion wasn't focused on sort of core U.S. person cases. It tries to do that in some places, but for various reasons that are too detailed to get into now, it really goes a lot broader than it would even if you were worried about some core U.S. person cases.
It also took the Amicus a little bit more out of the control of the judges. That was one of our concerns. We had some other concerns about some of the wording that was used in the Lee provision with respect to some other aspects of the certifications and procedures that were called for. It's not to say that these are all unfixable concerns. I think there may be a path forward here to get to the core of what I think the Senator was worried about while making sure it doesn't have the operational impact we were worried about. But in terms of the way the language was drafted and the way the language passed in the Senate, we ultimately thought it just had too much of an operational impact.
The Cipher Brief: What’s concerning you most, as you look forward over the next six to 12 months?
Demers: Number one is guarding against election infrastructure interference and foreign interference in elections. That has to be the biggest short-term priority.
The second is the ongoing threat from China, which is multi-faceted and increasingly aggressive. The level of intellectual property theft that we're seeing is greater. The level of foreign influence activity we're seeing from the Chinese Communist Party is greater. That trajectory is one of the bigger trends that we're going to want to confront going forward.
There are a whole host of issues on the U.S.-China relations front. They're going to drive the conversation in terms of foreign policy and even some aspects of domestic policy for some time I think, as we figure out what this new relationship is going to look like. But a lot of those pieces are outside my world.
And then, obviously, being the head of a division that was founded after the attacks of 9/11, there is the priority of keeping a careful eye on the terrorism front right now. We've been in a quieter period when it comes to international terrorism. We certainly see some people who are interested in traveling to the Middle East still, or some people interested in carrying out activity here in the U.S. A number of them are coordinating and finding one another online and encouraging one another online. So that's something to always keep an eye on. I think we've been fortunate in the past couple of years, but you never want to lose your focus on that because one loss of focus could be tragic.
Related to that, on the domestic terrorism front, keeping an eye on domestic violent extremism is something that also falls within the national security division. We have seen some increase in violence, of course, on the domestic terrorism front over the last couple of years. One of our approaches has been to take the same approach that we took on the international terrorism front. Not, of course, using the same tools, because we can't use those legally, but using some of the same coordinating approaches, and also trying to get ahead of the violence and applying that to the domestic terrorism front.
We're not just investigating an incident after it happened, but we're actively trying to disrupt incidents of domestic terrorism. I think we've seen arrests in the last year of domestic terrorism subjects, not all of which were for the biggest offenses, but were really meant to take that same approach we do on the IT side, which is to try to disrupt these plots before they can develop into something that's much bigger.
The Cipher Brief: The international terrorism concern, for a while, was around lone wolf actors who were being inspired online. Do you see more of a coordinated approach when it comes to domestic terrorism or do you have the same concerns about people acting out for whatever their ideologies are, and acting without coordination?
Demers: A lot of it depends on what you mean by coordination. A lot of folks are talking to one another online. They're meeting in different groups and sharing ideologies and even sharing techniques, and thinking about how to conduct attacks, and inspiring one another, and convincing one another that they're thinking about things the right way. We worry about that.
And of course, recently the State Department designated one group, the Russian Imperial Movement, as a terrorist organization. The concerns there were that they do not just reach out online, but they also provide training, firearms training, tactical training, to individuals who are willing to do that, and that's worrisome, obviously, because that increases people's expertise on that front.
You might remember recently, we charged a case of a U.S. service member who was abroad, and he was brought back and charged. Here's a guy who was, in some ways, a domestic terrorist, and he was, in order to effectuate his goals, willing to give information to Islamic terrorists to get them to attack his brigade when they were deployed.
So, you have these weird mixes of ideologies and people. In that case, the person's ideology was a little bit of Satanism, a little bit of white supremacy, and then working with Islamic terrorists, it’s a big mix of things and we're definitely seeing that both on what you'd call the more traditional IT front and then the newer DT front.
The Cipher Brief: How has the Coronavirus remote-working situation worked out for DOJ? Are there any unique challenges it's brought to the department?
Demers: Well, it's changed all our lives. I mean, for me, the biggest difference has been one, I have to come to work every day because so much of what I do is classified, and there's no way for me to do that from home. Some percentage of the folks in NSD are here every day. They rotate. They come in when they're needed. We try to tele-work when we can. It's just, that's not always possible for us.
The biggest impact it's had for me is this kind of outreach activity. So, something which was a very significant part of my job in terms of going out and speaking, meeting with the private sector, talking to them about the threats they face from different nation state actors, speaking at conferences, et cetera, that's unfortunately greatly diminished.
I'm happy to do things this way now because I think we've all realized that we're at that point in this pandemic where we can't just keep postponing things. We've got to do them. We've just got to do them a new way because otherwise, we're going to postpone things for too long and we have to keep working together and we need to keep hearing, exchanging thoughts with one another.
I think that's been the biggest impact. Otherwise, things on the prosecution side move more slowly. Courts are moving more slowly. Grand juries are meeting less frequently. That's starting to open up a little bit and change. Obviously, we'll see what changes on the pandemic front, but there's definitely been a slowdown on the prosecution side.
On the investigation side, less so. I think, between us and the Bureau, obviously a lot of these things are time-sensitive, so when you have to do them, you have to do them and then you've got to overcome whatever it is that you need to overcome to get that done.
It's had a real impact, but I think so far, we've been able to manage it and thankfully no one in NSD has been sick. So that helps as well.
The Cipher Brief: Any closing thoughts?
Demers: Thanks very much for having me. Thanks for continuing these conversations. I think it's important for us to be talking to each other and I think it's very important for us in government to be explaining what we're doing and to be transparent about what it is that we're trying to achieve.
Certainly as I said, there'll be more to come on the China front, but the messaging remains the same as we're trying to do what we can to disrupt foreign influence activity, we're trying to do what we can to disrupt the theft of intellectual property, and we're definitely taking a harder line on these things, but it's one that's well supported by the weight of what we're seeing in terms of Chinese activity. A lot of which is reflected in our cases, but our cases are, as you can imagine, the tip of the iceberg of the actual activity that we see because it's the stuff that we can prove in court with unclassified evidence.