The Importance of Strong Public-Private Partnerships in the Fight Against Cybercrime

Composite Image (Principal Associate Deputy Attorney General John P. Carlin/FBI Graphic)

The Importance of Strong Public-Private Partnerships in the Fight Against Cybercrime
Side Event at the 30th Session of the United Nations Commission on Crime Prevention and Criminal Justice

Remarks as prepared for delivery by John P. Carlin, Principal Associate Deputy Attorney General, U.S. Department of Justice
May 19, 2021

Thank you very much for the opportunity to talk with you today about the important issue of building public-private partnerships against cybercrime.

Let’s begin by talking about the threat. The scale of cybercrime we collectively face today—business email compromise, ransomware, digital extortion, identity theft rings, and so on—is staggering and still growing.

Give the interconnectedness of the world today, criminals can literally target almost every device on the planet. No government, therefore, can ignore the threat.

The scale of cybercrime’s economic costs is hard to calculate, but even anecdotal evidence shows a troubling trend.

In 2020, for example, the FBI’s Internet Crime Complaint Center (IC3)—a kind of “digital 911” program that allows victims of cybercrime to submit reports—received 791,790 complaints, a 69% increase from 2019. Total losses from those reported incidents of cybercrime exceeded $4.1 billion.

Those numbers, of course, are only the tip of a very large iceberg, since most crimes are not reported to any law enforcement entity, much less to the FBI.

Likewise, one recent study of digital ransoms paid by cryptocurrency showed a 300% increase in ransom payments over the prior year. This is alarming growth that demands action.

Although the toll to our economic security from this activity is obvious, cybercrime also is an urgent national security threat—something that’s starkly apparent after the past week’s events resulting in disruptions to the fuel supply chain in certain parts of the United States.

The tools used by certain cybercriminals can be equated to digital weapons of mass destruction, since deploying them can have crippling effects. When ransomware hits critical infrastructure such as police stations, hospitals, utilities, and municipal networks, it also jeopardizes our public safety, and potentially, national security.

The United States is fully committed to combatting cybercrime with all of the tools we have at our disposal, and we are currently reassessing what more we can do in this space.

As just one example, the Department of Justice recently announced a new taskforce focused on combatting ransomware.

The Department is similarly involved in a 120-day review of all cyber capabilities, which will involve a review of everything from our capacity to investigate cybercrime to a review of the Department’s own protections

For all of us, public-private partnerships play a key role in combatting cybercrime. We at the Justice Department have long recognized that private-sector engagement is one of the most important tools we have at our disposal.

The private sector helps us maintain the rule of law in cyberspace by, among other things:

(1) sharing information on emerging threats that the private sector identifies on their computer networks;
(2) preserving critical evidence for investigations and trials;
(3) taking their own initiatives to combat ongoing threats; and
(4) innovating new defenses and developing best practices on cyber defenses.

Conversely, we within the United States government recognize that we have an important coordinating and educational role to play with respect to the private sector, particularly given our visibility into threats that cut across multiple companies, industries, and nations.

For sophisticated cybercrimes that target hundreds of thousands of computers simultaneously, no single private entity will see the full threat.

In many cases, the government can play an important convening role that supports cyber defense for all companies and acts as a multiplier for threat intelligence.

This cooperation also strengthens our response time to threats. When security researchers identify the specific vulnerabilities exploited by an attacker, governments can amplify that discovery and ensure greater remediation across the affected industries and total victim population.

As good as our private-sector relationships are, we need to deepen our public-private partnerships further as we continue to fight cybercrime.

The Department of Justice already participates in well-known cybersecurity events such as the RSA Conference, Black Hat, DEFCON, and International CES to both share information and to learn.

The FBI has also a program called INFRAGARD in which law enforcement and industry to share threat information in a trusted and vetted community.

Companies which participate in INFRAGARD include business competitors who set aside differences because they all have an interest in reducing cyber vulnerabilities responding collectively to these threats.

In the near future, we will supplement these existing engagements with further private-sector discussions as part of the Department’s 120-day comprehensive cyber review.

The goal will be to identify tangible ways to improve the ways we fight cybercriminals, as well as build resilience against existing and emerging cyber threats.

Public-private partnerships are important beyond just responding to the threat of the day—they can also help promote the institutional framework that we collectively use to fight this threat.

For example, public-private partnerships can promote the development of legislation harmonized with the Budapest Convention on Cybercrime—which remains the gold standard for domestic legislation on cybercrime.

Right now, the Budapest Convention remains the most effective tool for harmonizing criminal legislation internationally, including the sharing of electronic evidence.

Recent global cybercrime investigations involving Dark Web marketplaces, ransomware, and data breaches have relied on cooperation among member states to the Convention. These investigations would not be possible without the cooperation of Budapest member states which have harmonized criminal legislation and a minimum standard of law enforcement capacity to assist.

Accession to the Budapest Convention also plays an important role in facilitating public-private partnerships.

Joining the Convention signals to the private sector that a nation is committed to maintaining the rule of law in cyberspace and fighting cybercrime in an effective in coordinated fashion.

Many providers, particularly U.S. providers, use accession to the Budapest Convention as a consideration when gauging whether to work cooperatively with foreign law enforcement in countries.

We encourage continued private-sector input into crafting the legal and political tools that can be used to fight cybercrime.

Thank you again for the opportunity to speak to you today. And thank you to UNODC for fostering this important discussion. We look forward to future engagement as we tackle the cybercrime threat together.