New DoJ Cyber Unit Adds ‘Horsepower’ to Cybercrime Investigations

The Department of Justice hopes that its new National Security Cyber Section will improve cybercriminal investigations with more dedicated resources, speed and organizational support.

The U.S. government has announced a new unit that is dedicated to prosecuting nation-state threat actors and cybercriminals with the aim of more quickly disrupting the overall threat ecosystem.

Over the past year, the Department of Justice (DoJ) has announced several charges, sanctions and disruptions targeting cybercriminals behind ransomware attacks, state-sponsored activity and more. The new National Security Cyber Section (NatSec Cyber), carved out within the DoJ’s National Security Division and led by Sean Newell, currently senior counsel to the Deputy Attorney General within the DoJ, would add more “horsepower and organizational structure” needed to support these investigations, said Assistant Attorney General Matthew Olsen.

“NatSec Cyber prosecutors will be positioned to act quickly, as soon as the FBI or an IC partner identifies a cyber-enabled threat, and to support investigations and disruptions from the earliest stages,” said Olsen in a Tuesday announcement of the unit.

A team of prosecutors fully dedicated to national security cybercriminal cases, which has the ability to move quickly and collaborate with different agencies across the government, will be key to NatSec Cyber’s success. Previous cases by the DoJ that have involved dismantling botnets, seizing illicit cryptocurrency funds from North Korean hackers and neutralizing Turla’s Snake intrusion tool have been fast-paced and have included technical and often classified information.

These types of cases have demanded “innovative legal approaches,” said Olsen.

“Responding to highly technical cyber threats often requires significant time and resources, which aren’t always possible with the demands on individual offices,” he said. “NatSec Cyber will serve as an incubator, able to invest in the time-intensive and complex investigative work for early-stage cases.”

International cooperation has been another area of focus, with Rob Joyce, director of cybersecurity at the NSA, recently pointing to partnerships with Five Eyes intelligence organizations worldwide as a critical puzzle piece to stopping ransomware groups. However, Olsen hopes that NatSec Cyber will also add a more solid process for collaborating or sharing information with key partners within the U.S. government, including the Criminal Division’s Computer Crimes and Intellectual Property Section, the FBI’s Cyber Division and colleagues focused on the interagency policy process in the National Security Council.

Megan Stifel, chief strategy officer for the Institute for Security and Technology and executive director of the Ransomware Task Force, said the unit is a “long time in the making.” That’s not only because it was developed in response to Deputy Attorney General Lisa Monaco’s July 2022 Comprehensive Cyber Review, but also because it has represented an evolution of Monaco’s National Security Cyber Specialists (NSCS) network announced in 2012, she said. This approach offered dedicated resources and specialized training for combating cyber threats to national security.

“This has been a focus of [Monaco’s] and the department’s for a long time, and I think it’s incredibly timely and necessary both to emphasize and enhance the resources that are being put to this issue set,” said Stifel, who previously served as director for cyber policy in the DoJ’s National Security Division. “Putting greater formality around the process may seem to some like bureaucracy, but it also can help, [if you look] at the signal we’re sending internationally.”

Overall, the U.S. government has taken several measures to disrupt the threat ecosystem. These have included arresting or charging cybercriminals behind malware operations, including ones involved with the Lockbit ransomware; slapping sanctions on cybercriminal groups like the ones behind the Trickbot malware to restrict their travel and to make financial dealings with potential victims more difficult; and disrupting cybercriminal operations such as the ones associated with Turla’s Snake malware.

Stifel said that she has seen progress in how the U.S. government is tackling cybercrime, particularly in its use of sanctions and the international connections that have been built with agencies worldwide. However, she hopes that the new unit will also deepen partnership efforts with private sector organizations.

“Overall I think things have improved gradually,” said Stifel. “We’re seeing steady progress and a continuation of steady efforts that continue to build on their predecessors, and I think hopefully the ability to leverage all the tools of the government is enhanced and made more robust when there is deeper collaboration with the private sector.”