D.A. Vance Delivers Remarks at Cityforum Cybersecurity Summit


April 13, 2021

Remarks as Prepared for Cityforum Cybersecurity Summit

Greetings everyone. I am excited for the opportunity to join you today for the 12th Cityforum Cybersecurity Summit.

Thank you first to Cityforum for inviting me to participate in this event. I am grateful for all of the work that Cityforum and its Chairman Marc Lee do around cybersecurity issues. I always enjoy participating in and learning from your events and I look forward to a day, hopefully in the near future, when I can attend one in person again.

I also want to express my gratitude for the support of the NSA and Wilton Park in making this Cybersecurity Series possible, and say how delighted I am to be participating alongside this outstanding panel under the chairmanship of Sir Craig Mackey.

Today’s topic “Criminality and Disorder, Terror and Disruption – Meeting the societal and economic threats” is a particularly immediate one in light of the alarming rise in international cybercrime over the past year. COVID forced all of us to spend more time indoors – and, unsurprisingly, to spend more time online. For cybercriminals, quarantine proved a bonanza.

Cybercrime losses for the year 2020 are estimated at nearly one trillion dollars – almost double the loss incurred just two years before. As we survey this young decade, this virtual but very real menace is – and I believe will continue to be – one of the greatest, non-COVID threats to our companies, institutions, residents, and way of life. You don’t need a crystal ball to predict that, in the coming years, we will experience increased cybersecurity risks to our critical infrastructure and increased cybercrime, as more people inhabit the digital space.

New York City and London, by virtue of their status as financial, cultural, and media capitals of the U.S. and the U.K., are and will remain prime targets for large scale attacks. And so too will our countries. This is borne out by a recent study by the Center for Strategic and International Studies that revealed the U.S. and U.K. combined were the victims of more than 200 significant cyberattacks between 2006 and 2020.

Not only has their frequency escalated in recent years but also their destructive force – from Russian interference in the 2016 U.S. presidential election to this year’s Solar Winds cyberattack that targeted thousands of public and private organizations in the U.S., U.K., and numerous other countries. Likewise, recent ransomware attacks on municipal governments – whether in American cities like Atlanta and Baltimore or London’s Hackney Borough Council just last fall – have demonstrated that the indispensable services and utilities citizens rely upon in their daily lives are now more vulnerable than ever.

It’s welcome news then that, in this year’s early days, world leaders like British Prime Minister Boris Johnson and French President Emmanuel Macron have pledged to increase national cybersecurity capacities. But more resources alone won’t stop these assaults.  Just as important? – collaboration and partnership.  We, in law enforcement, must therefore not only be proactive and innovative in confronting the rapidly developing challenges and risks of our current threat landscape; we must be willing to collaborate – by strengthening existing partnerships and creating new, bold ones – to prevent these threats from coming to fruition. 

Today, I will quickly highlight the two keystone initiatives of my Office’s “prevent and partner” approach to cybersecurity: the Global Cyber Alliance and the NYC Cyber Critical Services and Infrastructure project. And then with my remaining time, I will turn my attention to smartphone encryption – an area where greater public-private cooperation is sorely needed to fight cybercrime.

*****

I’ve said on numerous occasions – and will repeat again today – that when it comes to the magnitude of the cybersecurity challenges my Office confronts on a daily basis, that New York has more in common with London – as well as Paris and Singapore – as our respective national governments. The global nature of these crimes demands that global cities stand on the frontlines of this fight together.

We are, in truth, facing identical cyber threats to our businesses, residents, and municipal governments at similar scales. While prosecutors have traditionally been stuck in a sluggish data-sharing framework, this modern peril demands a paradigm shift toward rapid sharing of relevant, real-time information. I am convinced this transformation can only come through creative and committed partnerships.

Six years ago, for example, I joined with the City of London Police and Center for Internet Security to form the Global Cyber Alliance, a multi-sector, non-profit coalition of organizations focused on addressing worldwide cyber threats. At the time, most cybercrime-fighting entities operated with restrictions or limitations either because they were for-profit or were divided by region or industry. By contrast, GCA crosses borders and sectors in an effort to map, understand, and thwart cybercrime.

Today, GCA has grown to include 206 partners from 29 countries and 31 industries, including government, technology, finance, defense, and health, among many others. Partners include a who’s who of security and defense organizations such as the U.S. Secret Service, Europol, and Lockheed Martin.

To begin this collaboration, my Office committed a $25 million investment in seed capital to GCA.  The immediate goal was to produce the development of a suite of free email and Internet protection tools that help organizations of any size adopt effective defensive protocols against common cyber threats. 

The quantitative impact of these tools can best be witnessed through Quad9, a public and free domain name service that blocks access to malicious sites more than 60 million times per day. And what’s more: the compromised sites operate in 160 cities across 90 countries – almost half of the world’s sovereign nations. Clearly, this is a malady that respects no geographic boundaries and warrants a serious response from all of us.

With this in mind, GCA continues to support those small businesses, municipalities, and journalists without the means or wherewithal to fight cybercriminals on their own.

For example, GCA and Mastercard collaborated in 2019 to release a Cybersecurity Toolkit specifically designed for small and medium businesses, providing them with immediate, concrete steps to protect their companies and customers against crippling cyberattacks. Internal data shows that the English language version alone has received visits from almost 100,000 unique users – once again, a remarkable indication of the existing need – and subsequent versions in Spanish, French, German, and Bahasa have reached thousands more. Further proof of this toolkit’s global reach will be on display later this week, with the start of GCA’s Cyber Basics for Small Business, a three-week series that has attracted registrations from around 40 countries spanning across five continents.

GCA’s portfolio has also expanded in recent years to include popular Cybersecurity Toolkits for Elections and Journalists. These aids provide an invaluable resource at a time when democracy, free and fair elections, and the exchange of fact-based information face serious challenges in all corners of the globe.

Through its diverse group of offerings, GCA is our best effort to remove existing communication barriers between industries, companies, and governments. But we also must follow through on our responsibilities to protect our major cities at home.

*****

I’m happy to note here that New York’s level of connectedness and preparation in this area is unparalleled among American cities thanks to our CCSI project with the NYPD, GCA, and New York Cyber Command.

CCSI stands for Cyber Critical Services and Infrastructure.  In earlier times, when a house caught fire in a community, the entire town – a fire brigade – turned out with buckets of water to put out the fire.  A threat to one was a threat to the entire village.

Since launching in 2019, CCSI has brought together 114 members from 57 organizations, and across 13 sectors, to create a modern version of a “fire brigade” that increases communication about cyber risks and lays a foundation that will facilitate coordination and a formal response mechanism in the event of a cyberattack on any piece of our city’s critical infrastructure.

How does CCSI lay this foundation in practice?

In the summer of 2019, for instance, New York authorities conducted a “digital fire drill” with leaders across 17 sectors at IBM’s training facility in Boston. The purpose of this tabletop exercise: To see how leaders from law enforcement, telecommunications, energy, and numerous other sectors would hold up during a security breach. 

In action, members of CCSI share intel on cyber breaches elsewhere, and are alerted to, and respond to city cyber assaults on our neighbors in New York City in whatever sector the attack occurs, by whatever attack vector.

Above all, we want people and companies in this city to rest assured – today and well into the future – that their safety won’t be undermined by a simple lack of coordination. 

Such assurances require effective and fully funded state, local, national, and international partnerships. In order for us to build safe and sustainable cities, we must fight to protect public safety, government infrastructure, and capital markets against new threats in our high-speed world in the years to come.

*****

Cooperation, in the name of public safety, is sadly  not a given in our connected future. This is especially true when it conflicts with the bottom line of Silicon Valley’s tech giants.

Almost seven years ago, Apple and Google rolled out their first default-encrypted smartphone devices that were completely inaccessible without a passcode – a marketing decision that has had detrimental effects on law enforcement across the globe. In doing so, they dictated the balance of public safety and privacy in our societies with minimal input from government or law enforcement. In their home country, the United States, they also frustrated centuries of jurisprudence holding that no item is beyond the reach of a court-ordered search. 

It’s my steadfast belief today, just as it was seven years ago, that the power to determine whether a search of a smartphone can proceed should rest with neutral courts, not tech giants that have rendered themselves the sole arbiters and gatekeepers who themselves, without government regulation, determine whether a court can order access to critical information necessary to solving crimes. 

In the seven years since this encryption rupture, thousands of phones in law enforcement possession remained locked, with their data, and the possible evidence of crimes enclosed within, hidden from investigators. Meanwhile, the percentage of encrypted devices we obtain each year grows. These devices, access to which is frequently impossible notwithstanding a court order, impedes and prevents  local and federal law enforcement efforts to obtain justice, both for survivors of crimes and, to a smaller degree, people wrongly accused.

Let me be clear: My Office is not anti-encryption. Far from it. We routinely use encryption in carrying out our daily work and recognize its value in our society and across the world. That does not mean evidence on smartphones equipped with military-grade encryption should be beyond the law when a judge signs a search warrant – especially when we’re talking about potential information tied to a child sex abuse case or a potential terrorist attack. 

No less an authority than FBI Director Christopher Wray also raised this concern last month before the U.S. Senate Judiciary Committee. Wray warned committee members, that unless legislative action is taken, the resources needed to address investigations involving smartphone encryption will “continue to diminish and ultimately overwhelm state and local capacity to investigate even common crimes.”

The current status quo is unacceptable and dangerous, and I join FBI Director Wray in urging American lawmakers to pass legislation to correct this wrong.  Put simply, a world in which court orders are meaningless affects the safety of our communities and the integrity of our justice system.

Thanks again to Cityforum for inviting me to participate in today’s event, and thank you all for listening. I look forward to answering your questions during the panel discussion.