The Washington Post
The Cybersecurity 202

A newsletter briefing on cybersecurity news and policy.

Three takeaways from the Justice Department’s cyber review

Correction

A previous version of this newsletter incorrectly said the Justice Department seized approximately $500 million from a ransomware gang known as Maui. The amount is $500,000. The article has been corrected.

Last year, Deputy Attorney General Lisa Monaco announced a wide-ranging, 120-day review of how the Justice Department addresses threats in cyberspace. More than a year later, a report on the review is out — and it offers praise, warnings and a sometimes dire picture of cybersecurity within the department. Here are a few key takeaways:

1. Warnings to companies

Top Justice Department officials turned the screws on private companies, warning with a harsh tone that they could be caught in prosecutors’ crosshairs if they don’t quickly comply with warrants, subpoenas or court orders.

The “failure of certain technology companies” to meet their legal obligations “is a major factor in allowing criminals to escape detection and apprehension,” the report argues.

  • Some companies don’t have enough staff members or resources to quickly respond to law enforcement orders for information, according to the report.
  • In other cases, when law enforcement “alerts a company to its ability to access and search certain data,” companies will “engineer away (i.e., eliminate) such capabilities,” the report warns.
  • Elsewhere in the report, officials argue that end-to-end encryption technology, which ensures messages can only be read by a sender and recipient, has made investigators’ jobs more difficult. It’s a long-standing criticism by U.S. law enforcement, while privacy advocates say Americans rely on the privacy and security that comes from encryption tools.

The report also takes technology companies to task for “too often” not proactively reporting signs of criminal activity to law enforcement. “In many cases over the last decade,” companies have “proactively taken independent actions” against cybercriminals without coordinating with U.S. law enforcement officials, according to the report, which didn’t provide examples.

  • The report argues that “there is no reason that criminal activities in the cyber context should be handled differently than in the real world, where it would almost be unheard of for private companies to observe criminal activity” and not quickly let law enforcement know and work with them.
  • It recommends that the Justice Department and U.S. technology companies “develop a voluntary set of principles regarding the proactive and systematic reporting of cybercriminal activities using their platforms.”

Those are long-running criticisms of the tech sector, but this time they come in a high-profile document.

  • The tone is also much more stern: These statements “have a much harder edge than what we’ve seen in years (and administrations) past,” Ed McAndrew, a former cybercrime prosecutor and a partner at Baker & Hostetler, told me in an email.

2. More of the new

For more than a year, the Justice Department has sought to disrupt malicious hackers by seizing their cryptocurrency, trying to take over their servers and other infrastructure, removing infected software from private systems and attempting to bring hackers to justice.

Those recent examples show that the Justice Department “can be impactful against these threats even before prosecution and arrest,” the report says. Recent “successes should serve as ‘proof of concept’ and renew the Department’s commitment to using its full suite of tools to disrupt cyberthreats,” it argues.

Prosecutors have to “carefully consider” whether disrupting hackers could mitigate the harm they cause, according to the report. “Impactful operations that bring substantial or significant disruptions of criminal cyber activity should be pursued, even if such actions might otherwise alert criminal actors of the nature or existence of the Department’s investigation and thus make apprehension of individual actors over the short term more challenging.”

3. Rethink workforce issues

The report also paints a dire picture of the state of the Justice Department’s cyber workforce — even when compared with other federal agencies. The warning comes as the Biden administration launches a high-profile cyber workforce and education initiative to fill hundreds of thousands of open cybersecurity jobs.

  • Retaining cyber-specialized workers is difficult for the Justice Department and pay is a factor, the report concludes.
  • The number of “cyber-specialized attorneys has remained roughly the same size over the last 15 years,” although agencies like the Pentagon and Department of Homeland Security have created new cyber departments — complete with funding and staff.
  • Until 2020, the Justice Department’s counterintelligence office had just three prosecutors “dedicated to investigating, disrupting, and deterring nation state cyberthreats.” But their work has translated into “an immense positive impact on this country’s cybersecurity,” officials wrote.

The conclusion: The Justice Department needs to write a new cyber hiring and retention strategy, and “the Department should initiate an internal campaign to educate managers and budgetary personnel regarding existing hiring and retention incentives,” according to the report.

The keys

Justice Department seizes $500,000 from North Korean ransomware gang

The Justice Department said Tuesday it snatched approximately $500,000 back from a suspected North Korean government-affiliated ransomware gang known as Maui, after a Kansas medical center reported to the DOJ that the hackers encrypted systems used to operate key equipment and paid the gang to unlock them.

In prepared remarks, Monaco told cybersecurity conference-goers in New York City that the Kansas center — which she didn’t name — “did the right thing” to cooperate with the FBI, which in turn was able to identify the ransomware and trace the center’s $100,000 bitcoin payment to money launderers based in China. That put the FBI on the trail of a Colorado medical facility’s payment to the Maui attackers, too, enabling the bureau to recover around $500,000 in all.

The Justice Department flex comes shortly after government and cyberfirm warnings about the rising Maui ransomware threat to the health-care sector.

  • The FBI, the Treasury Department and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency issued an alert July 6, saying it had responded to multiple Maui attacks that encrypted systems crucial to health-care services. “In some cases, these incidents disrupted the services provided by the targeted [health-care] organizations for prolonged periods,” the alert said.
  • The same day, cybersecurity companies called attention to some of the unique aspects of the Maui ransomware, namely that it was manually operated rather than automated, suggesting highly targeted attacks rather than scattershot attempts to encrypt anyone it could ensnare. It’s not the first time North Korean attackers have gone after health-care targets, which hackers perceive as more likely to pay given the life-or-death stakes of freezing their tech.

But as one reporter observed, $500,000 is a drop in the bucket.

Federal agencies launch cyber apprenticeship sprint

The four-month initiative will seek to boost awareness and participation in cybersecurity apprenticeship programs, according to the Department of Commerce and Department of Labor. The sprint was announced at a White House summit on cyber workforce and education issues convened by National Cyber Director Chris Inglis.

The summit came amid a shortage of cybersecurity workers in the public and private sectors, and as cybersecurity workers respond to wave after wave of threats in cyberspace.

Inglis’s office plans to continue collaborating with the private sector and federal agencies, he told reporters after the summit. The office also plans to “lead the creation of a cyber education [and] workforce strategy,” Inglis said.

Global cyberspace

Russian hackers behind SolarWinds breach continue to scour US and European organizations for intel, researchers say (CNN)

A Russian-backed malware group is spoofing pro-Ukraine apps, Google finds (The Verge)

Hosepipes on roofs are keeping U.K.’s data centers cool (Bloomberg)

Cyber insecurity

Attackers can surveil, disrupt vehicles outfitted with popular GPS tracker, CISA warns (CyberScoop)

Industry report

BMW wants to charge for heated seats. These grey market hackers will fix that. (Motherboard)

Securing the ballot

FBI and NSA directors warn of evolving foreign interference threat ahead of US midterms (CNN)

Privacy patch

Anonymous mental health app Feelyou accidentally exposed 70,000 personal emails (Daily Dot)

Government scan

Cyber Command chief stands by comments on 'offensive' operations against Russia (The Record)

Encryption wars

The FBI forced a suspect to unlock Amazon’s encrypted app Wickr with their face (Forbes)

On the move

  • Stacy O'Mara has been promoted to Mandiant’s senior director of government affairs. Melanie Lombardi has been promoted to be the company’s vice president of communications.

Daybook

  • Cybersecurity officials speak at the International Conference on Cyber Security today.
  • Election officials testify at a House Homeland Security Committee hearing on election security and threats to election infrastructure and workers today at 9:30 a.m.
  • The House Energy and Commerce Committee discusses bipartisan privacy legislation today at 9:45 a.m.

Secure log off

Thanks for reading. See you tomorrow.