John Carlin is an Assistant Attorney General at the Department of Justice in the US and runs the National Security Division. He is responsible for prosecuting cyber criminals in the United States that threaten the interests of the country. It was the first new litigation division created in 50 years and came from a recommendation of the 9/11 Commission and pulled together several different government entities that, until then, didn’t share information easily.
During a Q and A session at RSA Conference 2015 he addressed several important issues surrounding the policies and practices undertaken by the federal US government. In particular, it was clear that the US is taking a more aggressive stance in defending against cyberterrorism and prosecuting cybercriminals in order to establish and clarify what it sees as the boundaries of appropriate online behaviour – particularly when it comes to actions between nation states.
In 2014, the Department of Justice indicted five members of the Chinese People’s Liberation Army. They even issued wanted posted for the five officials. They were charged with the theft of intellectual property from US companies.
“We got really good at seeing the acts of nation states, [we’d] watch them and track them going into US companies and see the data exfiltrating out. We knew that day in, day out we were losing billions of dollars worth of information to China and others,” said Carlin.
The National Security Division asked itself what it was doing to prevent cyber attacks and found that they weren’t doing enough to disrupt their actions. Although it was understood that even a well resourced company lacked the resources to defend against a dedicated and motivated nation state who was determined to execute a cyber crime a message needed to be sent.
“It means improving what we do on the defensive side,” said Carlin. “But it also means doing what we do in every other [crime] and making it clear that it’s not OK to stela from American companies”.
Carlin said it didn’t matter where the evidence led. Whether it led to a gang in Eastern Europe or a nation state, there would not be any “free passes”.
A significant challenge in the PLA case was a balance between diplomatic interests, political realities and criminal actions.
Carlin said the President Obama was in talks with China and told them he knew they were involved in the theft of data putting continuing foreign trade was in jeopardy and the actions were outside acceptable norms of behaviour.
The other element of the decision to issue the indictments was establishing the criminal case in order to send a message that the theft was a criminal act. In the past, such cases were not raised and it was felt not prosecuting a case was establishing a norm where such acts would go unpunished.
“We need to increase the cost – it can’t be a cost-free environment. And to do that it means you have to do three things. One – you have to figure out who did it. Two – when we figure out who did it, when it’s a nation state in particular, we can’t be afraid of saying who did it. And three, after figure out who did it and day who did it, there needs to be costs. That cost might be a criminal indictment. It might be other sanctions. It might be diplomatic cost,” said Carlin.
In the case of the Sony hack, once the National Security Division established North Korea as the perpetrator, President Obama publicised that finding and then used an existing Executive Order to increase sanctions against the attacker.
Carlin was asked during the Q and A whether he could imagine a situation where US Special Forces could be deployed, as they have been in other criminal cases, to bring an indicted individual into the United States, under force, to face charges for a cybercrime. He said he could see that as a possible outcome although he noted the extradition process had been used successfully in some cases.
When asked about encryption and the way it had been deployed by Apple, Google and other parties, it was noted the US government was still grappling with the issue. “The top threats to the privacy of users, right now, are crooks, spies, to lesser extent terrorists, unsafe business and places that are unregulated,” he said. “Part of that defence is making sure we have the best encryption and using it to protect the users of your system and what you value most… from those that would steal it or destroy it”.
Although encryption was seen as important tool for users and businesses, Carlin pointed out parties acting illegally are using it as a weapon. However, finding a balance where the rights of individuals for privacy and the needs to obtain data within an appropriate legal framework – Carlin noted court orders were required – was proving a challenge.
Debate around this in the US has focussed on the provision of a “backdoor” that would allow law enforcement to access encrypted data. The counter argument to this is rogue parties could exploit a backdoor. But Carlin was optimistic a technical solution could be found.
“The best minds in the world are here and are working on technical plans and coming up with things that seem like miracles people have talked about that we have now fifteen years ago. I’m confident that, at the end of the day, the best technical minds will figure something out”.