Title 9: Criminal

9-51.000 - Cyber and Cyber-Enabled Crimes

9-51.100 - Cyber and Cyber-Enabled Crimes Requiring Enhanced Coordination and Deconfliction

Due to the nature of certain threats in cyber space, some cyber and cyber-enabled crimes require enhanced coordination and deconfliction requirements, as described in Section 9-51.101. These include investigations into cyber and cyber-enabled crimes where:

  • a computer or network is the target of criminal action (e.g., computer intrusions, large-scale breaches, damage to computer, ransomware and digital extortion, botnets, and denial of service attacks); or
  • online platforms or digital assets are central to the commission of the offense (e.g., investigations of bulletproof hosting, counter antivirus services, and darknet or online criminal markets; investigations into criminal digital asset exchanges, mixers, tumblers, stablecoin or token issuers, or other decentralized finance (DeFi) platforms (including instances in which the provider or platform is a target of, or a victim in, the investigation); significant crimes targeting digital asset service providers or other DeFi platforms; and significant digital asset theft and fraud schemes).

By contrast, Section 9-51.101 does not apply to the investigation of child exploitation crimes, crimes where criminals primarily use online technology as a means of communication or coordination (e.g., drug trafficking organizations or gangs that use social media accounts), or internet-enabled fraud crimes that lack an above-described digital asset nexus or a known computer intrusion (e.g., business email compromises (BECs) not known to result from a larger network intrusion). 

[added August 2023] 


9-51.101 - Notification, Deconfliction, and Reports for Applicable Cyber and Cyber-Enabled Crime Investigations

  1. Notifications During Cyber and Cyber-Enabled Crime Investigations 
    1. The U.S. Attorney’s Office or litigating section (each hereinafter referred to as a “prosecuting office”) will, as soon as practicable:
      1. prior to opening any investigation described in Section 9-51.100, confirm that the investigative agency has conducted the deconfliction checks described in subsection 1.b. (even if the investigative agency is not a Department component) and has acknowledged a continuing obligation to do so during the investigation;
      2. upon opening any investigation described in Section 9-51.100, immediately enter the matter and related details that will enable deconfliction into the appropriate case management system under the National Initiative code “Cyber or Cyber-Enabled Crimes” along with the applicable reference in the “DOJ Division” field to the Criminal Division or National Security Division (NSD) as the related Main Justice component; [1] and
      3. record in the appropriate case management system any charges, pleas, dismissals, and sentencing information, and make a corresponding notification to any assigned CCIPS, NatSec Cyber, CTS, or MLARS point of contact.

    The Executive Office for United States Attorneys (EOUSA) will periodically generate reports of case management system data for the relevant Main Justice components.

    Based on its unique law enforcement, intelligence, and counterintelligence authorities, the Federal Bureau of Investigation (FBI) is responsible for cyber and cyber-enabled investigations relating to national security. See 18 U.S.C. §§ 1030(a)(1) and 2332(f) and (g), 28 U.S.C. § 533, 28 C.F.R. § 0.85(d) and (l), and Executive Order 12333, §§ 1.3(b)(20) and 2.3(b). Prosecutors should not open such an investigation with another law enforcement entity without first notifying the relevant NSD section for assistance in conducting deconfliction with the FBI. In instances where national security connections emerge only after initial deconfliction has occurred under these procedures, such NSD coordination shall occur prior to any further investigative steps.

    2. The Department's investigative components will, as soon as applicable, ensure that appropriate deconfliction has occurred at the National Cyber Investigative Joint Task Force (NCIJTF), pursuant to procedures promulgated and updated by the NCIJTF. As per subsection 1.a.i., the Department’s prosecutors shall ensure that this same NCIJTF deconfliction occurs prior to supporting the relevant investigative actions of agencies that are not a Department component.
  2. Resolving Potential Conflicts 
    1. Prosecuting offices have the responsibility to identify and promptly resolve potential conflicts with other offices. Thus, if the deconfliction checks described in subsection 1 or other available information identifies potentially conflicting ongoing or proposed investigations, prosecuting offices should:
      1. First seek to resolve the potential conflict themselves through open discussion and information sharing among the relevant offices. In holding these discussions, offices should use the following factors to guide their conversations: the progress of the first-in-time investigation; venue or jurisdiction requirements; experience and resources; impact of binding circuit case law; location of defendants (if in the United States), victims (and relationships therewith), harm, computers, witnesses, forfeitable assets, and evidence; greatest deterrent effect; and investigative agency input. The fact that an investigative agency has assigned the matter to a particular field office will not, however, determine which prosecuting office should be assigned the matter. For investigations relating to state-sponsored actors or counterterrorism, such discussions shall include NatSec Cyber or CTS. For all other investigations, prosecuting offices may ask an appropriate Criminal Division office—such as CCIPS or MLARS—to coordinate or participate.
      2. For investigations not relating to state-sponsored actors or counterterrorism, if any prosecuting office believes a mutually agreeable resolution of the conflict is unlikely, that office should so notify the Office of the Assistant Attorney General for the Criminal Division (CRM OAAG), who will then notify ODAG and all other known affected offices and investigative agencies. CRM OAAG, or a CRM section it designates with programmatic expertise, see, e.g., JM 9-50.102, will solicit information from all parties, compile it, and submit it to ODAG and all parties along with an analysis. That analysis will apply the factors listed in subsection 2.a.i. and two other significant demonstrable factors relating to the practices of the relevant offices:
        1. timely, proactive, and effective coordination, deconfliction, and information-sharing with other prosecuting offices or Department investigative components; and
        2. compliance with all relevant Justice Manual requirements and other Department policies. See, e.g., JM 9-27.000, 9-48.000, and 9-50.000.

      ODAG shall consult with the appropriate component(s) and resolve the conflict. ODAG may resolve conflicts by assigning an investigation to any prosecuting office.

      3. For investigations relating to state-sponsored actors or counterterrorism, NSD will resolve any conflicts between prosecuting offices in a manner that NSD concludes best protects national security interests. In doing so, NSD will be guided, in part, by the factors listed in subsection 2.a.i and ii., as well as other factors unique to national security determinations. Such factors include, but are not limited to, an office’s historical practice related to the Justice Manual’s national security consultation requirements, U.S. Intelligence Community interests, classified discovery issues, local application of Federal Rule of Criminal Procedure 6(e)(3)(D)'s information-sharing provisions, and issues related to operational security, such as the availability of non-disclosure orders for “exceptional circumstances” under the relevant Department policies and a district court’s “highly sensitive document” policies.
    2. In the event that one of the prosecuting offices seeks an ODAG or NSD-brokered resolution, no office may charge or pursue any action to apprehend any target or targets prior to receiving the ODAG or NSD decision, absent exigent circumstances and explicit authorization from ODAG or NSD, as applicable.
    3. Upon resolution of any conflict, all prosecuting offices that continue with the matter must remain in close coordination and communication during the duration of the matter’s investigation and prosecution. 
  3. Public Statements

For investigations or cases described in Section 9-51.100, media engagements—such as press releases, interviews, and prepared speeches that are open to the press and/or livestreamed—or other public statements outside of court or court filings that are otherwise likely to generate media attention shall be coordinated among the Department’s Office of Public Affairs, see JM 1-7.210 and 1-7.310, the litigating offices (including CCIPS, NatSec Cyber, CTS, or MLARS), and relevant investigative agencies. If the investigation or case relates to or may have an impact on an election, the Public Integrity Section (PIN) also shall be consulted. See JM 9-85.500.

  4. Clarification Regarding Urgent Reports

JM 1-13.100 requires that “United States Attorneys’ offices and Department litigating divisions submit Urgent Reports to inform Department leadership, including the Attorney General and the Deputy Attorney General, of . . . major developments in significant investigations and litigation.” Under JM 1-13.110, “Significant Investigations and Litigation” include investigations or litigation that involve:

  • national or statewide public official, public entity, or prominent public figure as a party, subject, target, or significant witness;
  • high likelihood of coverage in national news media;
  • high likelihood of Congressional interest;
  • extraordinarily large monetary liability, loss amount, or recovery at issue;
  • significant implications on foreign relations; and
  • novel theory of law likely to implicate significant Department interests.

In addition to those examples, offices and divisions should consider cyber and cyber-enabled crime cases to be “significant investigations and litigation” under that section—and thus, requiring an Urgent Report for major developments—when the cases involve, for example:

  1. significant damage, substantial loss, or any operational impairment of a federal, state, local, tribal, or territorial government entity (including public schools and universities) as a victim;
  2. significant damage, substantial loss, or any operational impairment of a foreign government victim;
  3. foreign malign influence;
  4. foreign or domestic critical infrastructure, as defined in the guidance notes to section 2B1.1 of the Federal Sentencing Guidelines;
  5. an investigative team having surreptitiously obtained ransomware decryption keys or access to infrastructure that would allow the generation of such keys;
  6. an investigative team having developed a technical capability to conduct a botnet disruption or large-scale malware removal operation;
  7. an investigative team having developed the capability to disrupt an illicit cryptocurrency exchange or mixer;
  8. the theft of, or fraud involving, cryptocurrency or other digital assets held by a financial institution, digital asset service provider, or any centralized or decentralized entity, platform, or protocol that provides exchanging, mixing, tumbling, staking, pooling, lending, transferring (including through cross-chain bridges), or similar services; or
  9. attacks or intrusions simultaneously affecting the computer networks of an extraordinarily large number of victims.

Prosecuting offices should ensure that investigative agencies are similarly reporting the underlying developments to their relevant headquarters components, which will create efficiencies in responding to any further inquiries from Department leadership.


 [1] See JM 9-90.010, 9-90.020, 9-2.136 et seq. for guidance regarding matters that affect, involve, or relate to national security, including counterterrorism matters.

[added August 2023]