[0:58] The Cybersecurity Frontier
Rachael: I'm excited we're getting into some of my favorite topics here today. Happy to welcome you to the podcast Leonard Bailey. He is head of the Computer Crime and Intellectual Property Sections Cybersecurity Unit and special counsel for national security within the Department of Justice Criminal Division. He's been on the cyber frontlines for many years. Among his many achievements, I am most undoubtedly in awe of his work on cybersecurity policy, which we know is so much fun and no small feat. So Leonard, welcome to the podcast.
Leonard: Thank you so much Rachel, and thank you, Audra.
Audra: Excellent. Leonard, what I want to know is how you actually fit that title onto a business card.
Leonard: I don't. It actually wraps around the back of the card.
Audra: Excellent. So to kick off the podcast I think would be really interesting for our listeners to hear an overview of the government. And then how the cybersecurity and Department of Justice fit into it. Like untangle the web or give us the lay of the land.
Leonard: Sure. And thank you for that. So I mean, cybersecurity is such an interesting issue, so complex and sprawling. I think it's often difficult to kind of untangle exactly how the government works in this space. So to start there, I would say that really the government has essentially four tasks that tries to accomplish in cybersecurity. The first I would say is on the front end of cyber, trying to make sure there's secure and resilient equipment and hardware. And that's something that goes to standard setting and something that agencies like the National Institute of Standards Technology at NIST, at Commerce, along with CISA.
Department of Justice Cybersecurity Symphony
Leonard: They also work in that space where critical infrastructure is involved. So you have that and then I'm going to jump all the way to the tail end of dealing with the cyber incident. And that's recovery, reconstitution, restoration services, getting an infected organization back on its feet. And that really is CISA's kind of wheelhouse. The sandwich in the middle is where DOJ tends to play. So I would put the other two tasks as one prevention of cybersecurity instance.
And that would include things that we're going to talk about, information sharing efforts along with the department's, deterrence efforts in enforcement and prosecution. So there's that. And then you have the fourth thing, which is incident response, which is sort of the real-time reaction to a cyber incident. Again, that's very much in our wheelhouse with the FBI and prosecutors working. So that's sort of that laydown for the general government activities. And you see that kind of captured in the national cyber security strategy that was released in March of this year by the Office of Cybersecurity national director.
Audra: So can we double-click on that and kind of go into how are the issues related to cybersecurity distributed across the Department of Justice? And what kind of responsibilities are associated with each division?
Leonard: Well, so I'm going to go with the nudging number four. Again, I think that there are really when you look at what the department is best known for. We enforcement activities, investigation, and prosecution. There are really kind of four components that are principally engaged in those activities at the department. And with a nexus to cyber.
Navigating Cybersecurity Challenges with the Department of Justice
Leonard: The first I'll mention actually the US attorney's office. So across the country, there are 94 local federal prosecutor's offices that are responsible. There are frontline prosecutors in all criminal matters. Now, in those offices, there are things called chip prosecutors, computer hacking, and intellectual property prosecutors. They belong to a network of 300 or so prosecutors across the country.
The section I come from, the computer crime and intellectual property section or CIPS in the criminal division, both supports training and prosecutes cases. So my office exists largely to deal with things like, well, we support the chip network, we prosecute, deter, and disrupt computer crime. We provide technical and legal support to agents and prosecutors, state level, some international, wherever is needed.
So a couple more things about my section. In 2015, we started the unit that I had because after seeing that we were gathering some sort of expertise in computer crime. And had opportunities to maybe leverage that in ways we decided to try to take that knowledge and channel it into the prevention of crime. So what my unit does is we do a tremendous amount of outreach to the private sector on a variety of issues, including information sharing.
But also on issues like we were one of the very first government agencies to come out in support of vulnerability disclosure programs. So in 2017, we produced a document, a white paper on setting up a program for VDP, for online systems. We produce white papers, we produce one on, for example, intel gathering on the dark web. And trying to identify red lines for trying to gather intelligence while dealing with unsavory people on the net.
Guardians of the Digital Real
Leonard: We have done extensive work with the computer security research community, the white hat hackers. In fact, that's been a good chunk of work I've done in the area of good-faith security research. We've come out multiple times in support of expanding that exception under the Digital Millennium Copyright Act. I think in May 2022, we changed our charging policy to reflect the importance of computer security research.
And by saying that prosecutors should decline prosecution if available evidence shows that the defendant's conduct. And the defendant intended good-faith security research. Okay. So that's CIPS, that's in criminal vision. In addition to us though, there is the National Security Division and they are increasingly engaged in cyber. I actually worked in the front office of the National Security Division a decade ago on cyber policy issues. So there's also the National Security Division of the department, and they are increasingly engaged in cyber.
I worked there 10 years ago as a senior counselor for the assistant attorney general focused on cyber policy. But they have since really weighed into the prosecution of cyber threat actors. And their remit is really cyber threat actors who are nation-state actors or their proxies. They also though have opportunities to do operational activity with the intelligence community. And with other agencies working on things like export control and laws around that that sometimes do also. But into cyber issues. And the third, I'm sorry, the fourth component of the department I'll mention is also the FBI. Of course famously the FBI. Now they have a cyber division that is the division that we and CIPS interface with mostly. But they also have other components of the FBI that are engaged in what are cybersecurity activities.
[9:06] Exploring the Interconnected Landscape with the Department of Justice
Leonard: Including their counterintelligence division and their criminal investigative division, depending on the issues. With the FBI's footprint, 56 field offices across the country, 400 satellite offices, and 23 foreign liaison posts, their footprint is incredibly large and that is vital in dealing with cyber issues.
Leonard: Maybe I'll also toss in that we do have other components that do other kinds of, I won't say they're tangential at all. But there are other elements of cybersecurity. So for example, you have the civil division that has mounted its civil cyber fraud initiative. And you have the antitrust division that sometimes gets involved in information-sharing issues because of antitrust concerns among sharers. So I think that's almost the complete laydown of the department.
Audra: So can we talk more about how you actually work across these different agencies and into the private sector and personal interest into more international kind of zones?
Leonard: Right now I'm going to say something that's so trite, it's not even funny. But this is a team sport. Yes, very much. So we all operate frequently in our own silos of excellence. But we're also, I think, increasingly understanding and learning how collaboration and cooperation both is effective and even necessary to achieve our objectives.
So we have worked with not only the FBI but other criminal investigative agencies including the Secret Service, which sometimes people are surprised to hear the Secret Service mentioned. But frankly, the Secret Service has been a wonderful partner. They're responsible for some of the early huge data breach cases, shadow Crew and Carter planted back in the two thousands.
Department of Justice and Collaborative Partnerships in the Age of Cybersecurity Challenges
Leonard: So we work with the Secret Service, we work with some of the military law enforcement entities. In addition, though, we are working increasingly with DHS and CISA and we actually end up under presidential policy.
We actually end up responding to a number of instances together. There's something that was produced in 2016 Presidential Policy Directive 41, which outlines exactly what the federal government's Federal Instant Response policy is for all significant cyber incidents. And under PPD 41, the DOJ through the FBI is responsible for what's called threat response. We lead threat response and CISA at DHS is responsible for asset response.
So while we're investigating and attempting to attribute the source of an attack and ideally hold those responsible for the act. We have CISA working in a coordinated fashion alongside us. Doing those things that are about mitigation and remediation that have to happen. At the same time, we're also increasingly working with intelligence community components. And it's funny after I've been around a very long time, when I started practicing dinosaurs roam the Earth. We resolved conflict through Mortal ko.
But back post nine 11, there was sort of this model that was introduced, which was sort of all tools approach that you used. Whatever tools were available to deal with the terrorist threat. There is an analog that exists here in cyber with the all-tools approach. Where in the federal government law enforcement tools or the authorities that Homeland Security has or the ICS tools and capabilities. The idea of marshaling those so that we can deal with them. Whether it's an international ransomware group or a nation-state actor that's in networks for counterintelligence purposes. It's an effort to try to pull all of that together.
Collaborating for Cyber Resilience
Leonard: Now on the private sector, you asked how we work with the private sector, there is a tremendous amount of outreach that's happening involving the private sector. Again, going to that team sport ethos. But it's important not only because they're the victims. But they're often the first responders.
So we came to the point where I guess closure on the point years ago that we are not going to be the first call that most victims make after a cyber incident. That call's often going to go to a cyber incident response firm. There's going to be an attempt to figure out the nature and scope of the incident and whether there are other obligations that the victim has legally and policy-wise. And so our work with the private sector is also focused on figuring out how we better coordinate with those efforts that are going to have to happen.
At the same time, we're trying to investigate an incident ideally. And we encourage this all the time, industry and companies are forging a relationship with law enforcement well in advance of the bad day that could occur. And that's really important for information sharing. The other thing that we're going to be talking about
Audra: Exactly, so you're just preempting my questions. Appreciate it leading me along for once. This is awesome. Love it. So we kind of know the landscape of government where the JOD sits, sorry, Department of Justice sits within that landscape, the people that you work with. Both internal to the government, military, and enterprise and that sort of thing. The question is how do you share information? Because the information is very useful and can be very powerful to perhaps stop some problems coming along.
Sharing the Cybersecurity Seatbelt
Leonard: Yes. So as I mentioned, information sharing is sort of a linchpin in the prevention of cyber instances. And it's funny, Rachel when you mentioned you love this topic. It's funny because information sharing I would say is about a sex seatbelt, right? It's a topic.
Audra: Very useful.
Leonard: Very useful. And yet it's an evergreen topic, right? If you go to any cybersecurity conference, there are one or two panels on information sharing. If you ask cybersecurity leaders, what's the biggest challenge you have in cybersecurity in the top five? Information sharing pops up almost invariably. This isn't too much of a tangent, I'll tell you that.
I was going through my files a few months ago and I came across a document that identified what were the challenges with cyber threat intelligence sharing. It identified concerns about the Freedom of Information Act, FOIA disclosures, antitrust concerns, legal liability for sharing some classification issues, and trust with law enforcement. And that document, that memo was written by Assistant Attorney General James Robinson to Attorney General Janet Reno in 1999.
Audra: Wow. Okay.
Leonard: Now these are the same issues that people mention when you talk about challenges to information sharing these days. And I mean, to answer your question to start off with what are the mechanisms or the infrastructure? So we do not have a single portal from which you go and the FBI is writing all the cyber threat indicators right there. We are doing a lot of on-the-ground retail sharing through things like InfraGuard, the FBI's program across the country with critical infrastructure companies.
[18:05] The Evolving Approach of the Department of Justice Towards Information Sharing
Leonard: They have basically one in every regional office. I think one thing that can't be lost here is a big component of information sharing is trust. So some of the most effective information-sharing efforts we know happened in these communities of interest where people know who they're sharing with. They know how that information is going to be used, they know where the information is going.
And one of the challenges for the government is trying to do that at scale. Having people send things cold to a portal or something is not an easy way of doing this. So a lot of this is building information, and sharing trust through various outreach efforts. There's been a lot of that. Now, the ability to beat back some of them, I mentioned that number of 30 years ago. Some of the things that seem to chill information sharing have been very difficult because some of the limited perceptions have great longevity for whatever reason. They're kind of hard to knock down. But we're trying through these engagements.
Audra: And in terms of how have things changed, been in this area a long time.
Leonard: Are things I'm old, is what you're saying? You're saying I'm very old.
Audra: No, I'm saying I'm old and I'm saying that at least the tools that you have to be able to use them and her dog is barking. The tools that you have have certainly changed and in some ways should make it easier to share information. But what are you seeing because saying effectively a memo that you read that was from 30 years ago. The problems are still there and it's the same issue.
Navigating Changes and Mandates with the Department of Justice
Leonard: Right? So it's funny because I think you could argue that we're at this interesting inflection point there is. Let me first distinguish between information sharing and instant reporting. So information sharing is, as I think of it, canonically this thing that happens before the bad thing happens to prevent other bad things from happening. Incident reporting is after the incident happens. Some report to some government agency, for example.
The inflection point I mentioned is one, in which there has been a significant change. I think the appetite of various independent regulatory agencies to mandate things like instant reporting. So we've seen this in the last three years, this proliferation of mandatory incident reporting requirements. You see it in the financial sector with the OCC FDIC rule that came out in 2021, November requiring reporting. You see it in the SEC rule that was published just in July for all publicly traded organizations.
And you see it in the cyber insert reporting for the Critical Infrastructure Act that was passed in March of 2022. And this is relatively new. I guess, I think it probably is a product of 2021, which was just a rough year in cybersecurity, right? It started with SolarWinds in January, you had half the next month, then maybe you have Colonial Pipeline followed by JBS, and on and on and on. Ransomware taking hold. And I think against that backdrop, there has been, as I mentioned, a greater appetite for independent federal regulatory agencies to require certain things of companies. At the same time, alongside it, you have voluntary information-sharing programs. And I mean, there's one tool I'd like to flag in particular in that lane.
Catalyst for Cyber Collaboration
Leonard: Back in 2015, something was passed called the Cybersecurity Information Sharing Act of 2015, or it just said 2015 as we call it for short. And this was in many ways a landmark piece of legislation. It was the first piece of federal affirmative authority for companies to share information. There are complaints. If you talk to the lawyers of many companies, they'd say information sharing is hard because there are statutes that prohibit us from sharing. And we have to find our way into exceptions to those prohibitions we'd be much happier if there was affirmative authority to do this.
So actually Congress in 2015, December that year passed a bill, and it's a source of great frustration for me because it's a bill that's been in existence since 2015. We've been talking about 2015. And invariably whenever we talk to GCs of large companies or CISOs, the reaction is there's a what now? There's a law that allows me to do what I mean somehow it just isn't getting out there that there's this law. And this law is a very powerful tool. It provides affirmative authority for any private entity to share with any other private entity or non-private entity, including the government.
A cybersecurity purpose is defined by statute, but it pretty much is what you would assume a cybersecurity purpose is certain types of information called cyber threat indicators or defensive measures. Those are defined by statute, but they're defined broadly to capture the sort of technical information that you would expect to be shareable for the identification of cyber threats.
Department of Justice and the Cybersecurity Information Sharing Act of 2015
Leonard: And it authorizes this notwithstanding any other provision of law. Now, notwithstanding any other provision of law is like the tactical nuclear strike in legal language. That means that any conflicting law is overwritten. So it was an attempt to get the lawyers out of the way to simplify information sharing. So there's no issue about whether it's content or noncontent or whether you're doing it to protect your rights or property or whether it's an interception of communications. It's sharing of this information.
The thing I'd flag is this is a post-Snowden law. So there was an effort by Congress to build in some privacy protections. Those protections include that there be, it's for cybersecurity purposes and not for intelligence gathering purposes. For example, defined by statute, you're not allowed to share just any information. It's not about sharing the personal emails of every person. It has to be a cyber threat indicator that's linked to some cybersecurity threat.
And there is a requirement that before you share information you know to be at the time of sharing personal information that identifies a specific person or belongs to a specific person, be removed. And while at first blush shut may sound like it could be onerous, they took steps to make it less onerous. So for example, one, you have to know what the time of sharing is that it's personal information that identifies a specific person or belongs to a specific person. And that's different than PI. That's different than personally identifiable information, which is information that is linked or linkable to a person. So it is intended to be something that's not as restrictive and it's information that could be removed manually or through automated means.
[26:37] Legal Arsenal for Cyber Resilience
Leonard: And if you're dealing with the type of cyber threat information we're talking about, it is unlikely to conclude a lot of the personal information that people are concerned about. So an IP address is a perfect example of something that would be shareable under this authority. And I have to say just like the steak knives, but wait, there's more. Not only does it provide affirmative authority, but it also provides, in addition, if you share by IT, protection against antitrust, and liability against FOIA disclosure requirements.
Oh wow. Protection from regulatory use of the information that's provided is increasingly a concern for companies. And all of this is in this law that is not used in our view nearly enough. And it's something we like to flag for our industry partners so that they understand that this is there. Another thing I'll flag about it is sunsets in 20 15, 20 25, I'm sorry. So it was authorized for 10 years. And so we are concerned that we may lose this authority in a couple of years if it's not reauthorized.
Audra: It's interesting. So it's effectively kind of the whistleblower kind of protection of cyber. To me, that's the way it sounds because you can raise it without getting thrown under a bus. So I have to admit, I read the report Harmonization of Cyber Incident reporting to the federal government, and when I read all the input that your teams had had from businesses, when you said, yes, it became really popular to make people report on incidents when they happen and that sort of thing.
Overlaps and Harmonization with the Department of Justice
Audra: When I read through that, I was like, oh my God, that could kill someone. I was just kind of like the sheer number of overlap of things that you would have to do if things go wrong that just adds to the fire.
Leonard: Well, yes. I mean, I think when the Cyber Incident Reporting for Critical Infrastructure Act was passed in March of 2022, there was I think a recognition on the Hill that there had been this proliferation of reporting requirements and that there was a concern about overlap and duplication. And so they created this Cyber Incident Reporting Council, the circ, which is headed by DHS to try to start wrestling with that issue.
And I can tell you it's an active group. There is very good participation at very high levels of all agencies that are relevant, including the federal independent agencies. So you have the SEC the FCC and the Ft C engaged. But there's also, I think another effort, the C cyber regulators form in which the federal regulators are also talking about how to better harmonize their rules to avoid duplication and overlap.
I can tell you that there is very real attention being put to this and very real plans to try to figure out how to simplify this. I will say that there is, I think cyber incident reporting is important, oh God, it's important for several reasons. It's funny that there's this one story I love that involved a statistician who was at Columbia, I believe during World War II, who studied how, oddly enough people who were studying the downing of World War II aircraft decided to improve the armor on those aircraft.
Balancing Burden and Insight with the Department of Justice
Leonard: And what they were doing was they were looking at the planes that came back that made a successful mission and looking at where those planes were hit. And you can't armor everywhere on a plane. And so you would think they thought, many people thought that means we should put more armor in those places. Well, the statistician, I don't remember, was it Abraham Ward? I think it was maybe. But what he found was, no, that's wrong. And it's something called survivor bias, what should be happening instead. These are the planes that made it back and they made it back with this damage. Exactly. This means that ideally, you'd be looking at the planes that went down
Audra: Well, exactly what happened.
Leonard: Exactly. And so you could argue there's a similar thing here that you want to hear from the people who had a cyber incident, who had the instant, who didn't stop it and were victimized by it so that you understand, okay, what are the bad guys doing? And that's something that you do get from incident reporting that you don't necessarily get from other types of reporting. So I think there's value to this. I do think it's important to figure out how to do this in a way that's not unduly burdensome to the victims.
Audra: That's a very good term because what I read, I was like, burdensome. Oh my goodness. And I do, so there are eight recommendations in the report and three legislative changes that they're suggesting. And I think it could make it, it's not that it's going to be fun anyway when you have a cyber incident, but it at least will make it more contained.
Navigating Regulatory Concerns in Cyber Incident Reporting with the Department of Justice
Leonard: Yes. It is, at least our goal stated many times not to re-victimize a victim in a cycle.
Audra: Exactly. And that's what I recognized through reading. I was like, wow, okay. People are dealing with a lot When something like this happens, it's not just the business itself that's suffering or the government agency or whatever. It's not just that that's suffering, it's the wider, what do you have to do regulatorily to be correct.
Leonard: That's right. yes. That is one of the largest concerns we hear in outreach to the industry about there are concerns about the regulatory impact of an incident. So one thing that we have communicated to victims because we get asked this all the time, they ask, so if I report something, is that information being handed right over to regulators? And our answer is no. And this is not in any way criticizing other agencies with different missions. I mean, FTC protects consumers and that is their mission.
The SEC protects shareholders and market participants, and that's what they should be doing. Our job is to protect victims. And we've worked with the FTC and the SEC and other agencies. I think there's a respect for that understanding that if we just handed the information over to them, our ability to work with victims would be hugely impacted in a negative way, obviously. And so we do not, as a matter of course, hand over investigative information to any agency, including regulators.
[34:38] Leonard Bailey's Journey at the Department of Justice
Audra: Excellent. Now I'm conscious of time and I always want to fit in. My favorite question is, if you're happy to entertain me, I love to hear people's origin stories because I have yet to not be entertained and impressed by what people talk about where they started and how they ended up where they are and the path they took. So would you be happy to tell us your origin story?
Leonard: I would be happy to, but be prepared to be disappointed. I am a rather simple person. For example, in law school, I realized by the end of the first semester that I had only one interest in law, and that was criminal law. And because I had a certain bent, I was interested in understanding exactly what happened and what we could do to prevent that from happening again, which kind of veered me towards the government prosecutor, quite frankly, most of my friends with defense attorneys. But so when I got out of law school, the first thing I did was I applied to the Department of Justice.
They have a program where they take people directly out of law school. And I was fortunate enough to get in and I've been here ever since. So 32 years I've been at the department, I've been in different capacities. I started in the terrorism violent crime section. Then I went to the inspector general's office for some time as special investigative counsel. I went to the National Security Division as a senior counselor. I've been an associate deputy attorney general responsible for cyber policy for the department.
The Ever-Changing Landscape at the Department of Justice
Leonard: So I've been able to do a number of different things at the department, which is say, a wonderful place to work for a lawyer in particular, it's an agency of lawyers. And in that way it's, it's kind of unique and odd, this topic though, cyber and cybersecurity really is just one that, I mean, you could work a lifetime and still feel like you have just mountains to learn. I feel unfortunate.
I work with both people in my office who are, I think the smartest people I've ever encountered, and have the opportunity to work with people in the industry and other places who bring important different perspectives to issues and allow me to learn and figure out how we can deal with different problems in different ways. So my journey is pretty simple. It's been a straight line by and large, but it's been a wonderful journey.
Audra: Excellent. Now, I also like to hear when people are driven and driven from a young age, just be like, that's me. That's where I'm going. That's what I want. And you have to admit with cybersecurity, everything changes so regularly that you're never going to get bored ever.
Leonard: Yes, it does keep changing. I mean, for example, I'm not sure if you went back, I mean, go back three years, ransomware certainly was a thing. It started in 2014. But what we've seen over the last few years, it's a threat that there's just a sea change in the nature of the threat and its impact on systems, on businesses. And you just don't know when that's happening. We're at the moment where there's the advent of artificial intelligence, as we were talking about.
Audra: To make them more effective.
Unveiling the Dual-Use Dilemma
Leonard: And we'll see how that affects phishing attacks and things like that and how, but
Audra: Phish attacks never used to happen much in the Middle East. AI enables translation to be very accurate. Fantastic attacks have gone up something ridiculous, like a thousand or a few thousand percent. It's crazy. But
Leonard: This is the wonderful thing about this area. I mean, it's many of the things you deal with are dual-use tools. They can be used for good or for evil. Exactly. And trying to figure out how you cabin that and how you investigate that, that's the challenge that I'm happy the people who are working on it here are working on it because I think they're very smart, very balanced, and have a real interest in trying to figure out how to make it sensible. yes.
Rachael: Well, and in a pro, you know what I'm trying to say.
Rachael: To be on the prosecutor's side though, right? Criminal, you have to understand the mind of the criminal as well, right? I mean, you almost have to think like a criminal, borderline be a criminal, and then you know how to fight and prosecute said criminal, which makes it a really interesting world that you're existing in because there are a lot of creative people there in the criminal world. And I suspect all the great minds over the Department of Justice are very creative as well. And I would love to be a fly on the wall of some of your meetings.
Decoding Cyber Strategies
Leonard: Absolutely. I'll just use that to tell this one little story, which is, I mean, an example of that is what we were able to do to the Hive Ransomware group in January of this year. We announced that we had actually managed to infiltrate their network, sit on their network, watch them operate, take the decryption keys for the ransomware that they were using, and provide 300 victims who were currently under attack, meaning that they did not pay 130 million of ransom they otherwise would've. And also keys to a thousand businesses that had been attacked earlier to see if they could use them. And that's a product of getting into the network in the same way they do and being able to take advantage of that, again, all under appropriate legal authorities. But yes, you're absolutely right. We have to sometimes think creatively.
Rachael: Yes, I love it. Well, Leonard, thank you so much for joining us today. This has been such a fun conversation and really information sharing. I think that's a sexy topic. I don't think it's like seatbelts. So greatly appreciate your insights. And as to our listeners, because it's trying to understand how the government works and what can be complicated topics and themes and helping to break that down into kind of snack-size bites where you can Now I see where the pathways go and how they interact. I love that the Department of Justice focused on the victim, and I thought that was a really wonderful statement that people needed to hear as well. You do have a safe place to go,
Leonard: And thank you so much for a wonderful conversation. I enjoyed it tremendously. Appreciate both of you taking the time.
About Our Guest
Leonard Bailey is Head of the Computer Crime and Intellectual Property Section’s (CCIPS) Cybersecurity Unit and Special Counsel for National Security in the Department of Justice’s (DOJ) Criminal Division. He has prosecuted computer crime cases and routinely advised on cybersecurity. Searching and seizing electronic evidence, and conducting electronic surveillance. He has managed DOJ cyber-policy as Senior Counselor to the Assistant Attorney General for the National Security Division and then as an Associate Deputy Attorney General. He has also served as Special Counsel and Special Investigative Counsel for DOJ’s Inspector General. Bailey is a graduate of Yale University and Yale Law School. He has taught law courses at Georgetown Law School and Columbus School of Law in Washington, DC.