Assistant Attorney General for National Security John P. Carlin delivered remarks at Harvard Law School on Thursday, December 3rd at an event hosted by the Harvard National Security Journal. Professor Jack Goldsmith introduced the Assistant Attorney General. After prepared remarks, Mr. Carlin and Professor Goldsmith engaged in a back-and-forth discussion, followed by questions from the general audience. Mr. Carlin kindly provided the text of his remarks; they are posted here.
Thank you for that introduction, Jack [Goldsmith].
And thank you to Dean Minow, Julissa Milligan and the Harvard National Security Journal, and the entire Harvard Law School (HLS) Community for inviting me to speak. As a graduate of HLS, it is good to see that, thanks to wonderful changes made since I graduated, HLS has encouraged the best-trained lawyers in the country to pursue public service.
I am also grateful for the Heyman Fellowship Program, which supports HLS alumni at the beginning of their careers in service to the federal government. As a member of the inaugural class of Heyman Fellows, I began my legal career at the Department of Justice, through the department’s Honors Program, and have been able to spend the entirety of my legal career as a public servant.
As an alumnus, it is exciting to see how HLS remains at the forefront of cutting-edge legal issues. As the world around us changes, HLS has staked its place as a thought leader. HLS has taken a prominent role in the fields of national security and cybersecurity. From the Berkman Center for Internet and Society and the Harvard National Security Journal, to leading academics like Jack and Phil Heymann, HLS’s place in the national security cyber policy discussion is inarguable.
Today’s conversation is an urgent one. In 2012, Leon Panetta described the nation’s lack of cybersecurity as a “pre-9/11 moment.” Nation states and terrorist groups are probing our critical infrastructure, planning destructive attacks and stealing our personal information and intellectual property.
The Role of the National Security Division
As a nation, we must have a strategy to deter and disrupt this high-stakes hacking, to change our adversaries’ calculus by increasing its cost. Simply being shielded (if not sponsored) by a foreign power will not offer protection. Our strategy must ensure there is no free pass.
Let me start today with a bit of background about what our experience with other national security threats, like terrorism, can teach us about combating the cyber threat, and why the Department of Justice created the National Security Division.
Our approach to countering terrorism as a government shifted after 9/11, in recognition of the fact that we needed to approach the problem using every tool and resource available to the federal government. So, obviously, we used military force, but we also recognized that law enforcement is a valuable tool for disrupting plots and neutralizing terrorists, and that financial sanctions and diplomatic pressure play key roles as well. We created military commissions to address the unique challenges of foreign captures and classified information, but we also relied on our time-tested U.S. district courts to do what they have done for centuries: provide fair trials and meaningful punishments for serious federal crimes.
And we, as a department, rotated to better integrate the work of prosecutors and law enforcement officials with the Intelligence Community. The 9/11 Commission Report recognized that the lack of information-sharing prior to 9/11 left the U.S. vulnerable to terrorist attack. So nearly a decade ago, Congress created the department’s first new litigating division in almost half a century, the National Security Division (or NSD for short). We ensure unity of purpose in the department’s number-one mission – to protect against terrorism and all threats to our national security.
As a result of our creation, federal prosecutors and law enforcement agents across the country immerse themselves in intelligence information, in part so that they can build more, and better, criminal cases and thereby protect the homeland. Not every tool fits every case – certainly, we will only arrest and prosecute a fraction of the terrorists we fight. But in the years since NSD’s creation, it is increasingly clear that the factors that motivated our creation and guided our efforts to combat terrorism are equally true in the cybersecurity realm. That is why we apply the lessons we learned in the counterterrorism context to national security cyber threats. Together with our interagency partners, the federal government has developed a suite of tools available to us to combat online threats to national security – including criminal prosecution, sanctions and designations and diplomacy – and we have the ability to pick the best tool or combination of tools to get the job done under the rule of law.
Our attorneys, as well as our national security partners in the FBI and elsewhere in the government, live by the all-tools approach. We ensure that we have the necessary expertise no matter who is behind the threat, what their motivation is or what tool we need to use.
The Threats We Face
That integration is critical as we face a wave of new cyber threats and intrusions that raise national security concerns.
In the Sony hack, just over a year ago, we saw a foreign, state-sponsored actor wage a destructive cyber attack intended to chill the speech of U.S. citizens and a company in the United States. The attack was perpetrated by North Korean-sponsored hackers who destroyed computer systems, stole valuable information, released corporate data and intellectual property at significant cost and threatened employees and customers.
Destroying data and networks is serious. But the threats go well beyond that. Cyber intrusions can inflict significant physical damage. Last year, the Department of Homeland Security warned about infections targeting industrial control systems, with malware like “Black Energy.” Shortly thereafter, Germany’s Federal Office for Information Security released a report describing a cyber attack on a steel mill that reportedly caused “massive damage.” That attack began, as so many intrusions do, with a spearphishing e-mail. The hackers moved from the company’s business network to the plant’s production network, which controlled the plant’s equipment, then caused cascading failures across systems that, ultimately, prevented the plant from shutting down its blast furnace.
Well known to all of us, intrusions also target the personal information of tens of millions of Americans. Perhaps most notably, the OPM intrusion resulted in the compromise of millions of sensitive records, including background-investigation files for federal employees who hold security clearances. Similar intrusions over the past two years have targeted major health insurers’ customer financial and medical information, and even airline passenger travel reservation records. Recently, a New York Blue Cross Blue Shield provider revealed that it was the victim of a massive breach, exposing the data of more than 10 million people.
In short, online threats of all types are increasing in frequency, sophistication and scope. And these threats are occurring against a background of increasing worry about the nation’s overall network security. The past year has seen the announcement of several significant software vulnerabilities – some now so famous that they have their own dramatic brand names: Heartbleed, Shellshock and Stagefright. This year, the Department of Homeland Security’s Computer Emergency Readiness Team published a list of 30 “high risk vulnerabilities” that they say are exploited in as many as 85 percent of attacks on critical infrastructure organizations. These included several software vulnerabilities that were disclosed years ago, including one as far back as 2006. This means that companies are not only falling victim to new and unidentified exploits, but also to vulnerabilities that have been known for almost a decade.
And at the same time, new threats appear on the horizon. Terrorists seek to exploit our reliance on weak or outdated network security to harm our way of life. To date, terrorist groups are largely only experimenting with destructive hacking, but they are developing more advanced capabilities. We’ve also seen calls to action through Internet jihad by both Al Qaeda and ISIL, and our international partners have experienced attacks conducted by purported online jihadists. We are concerned that those groups will not hesitate to deploy offensive capabilities if they are able to acquire them.
We are already seeing online threats converge with terrorism. Just last month, we charged a defendant with soliciting the murder of military members after he disseminated ISIL’s violent rhetoric online calling for the killing of American service members in the United States. According to the criminal charges, the defendant circulated detailed information about U.S. military personnel to urge recipients to murder the service members in their homes and communities. These charges follow a complaint we unsealed in October against a hacker who stole PII of over 1,000 U.S. government personnel from a U.S. business and provided it to ISIL, so that it could be used by ISIL against those individuals.
Our Response: Public Attribution and the Tools It Enables
It’s clear that the threats are growing, and both the government and the private sector need to improve their defensive capabilities. But improving cybersecurity practices and building more resilient systems will not be enough. Because the attacker always has the advantage. The defender must protect against all vulnerabilities at all times. The attacker only has to succeed in one place at one time.
Thus, to make real progress, we must not only defend against and disrupt attacks, but also deter them in the first place. In other words, we must fundamentally change our adversaries’ cost-benefit analysis.
But to deter our adversaries, we must know who they are and what makes them tick. We must be able to attribute their actions with confidence – down to the country, government agency, organization or even individuals involved.
And that is no easy feat. Anonymous accounts, third-party proxies, rented and compromised servers and the international nature of our investigations make our jobs tough. But through a mix of formal authority, cyber expertise and cooperative relationships with private-sector victims and international partners, we can track down cyber attackers and ensure their crimes are not without significant cost.
Law enforcement agencies and the Department of Justice are uniquely good at these kinds of investigations. And they are the bedrock of our approach because they facilitate the use of so many other tools that promote deterrence. And we have already seen results.
For example, in May 2014, after a lengthy investigation, the department indicted five Chinese military officers by name for computer hacking, economic espionage and other offenses directed at American companies. The 48-page indictment describes numerous and specific instances where uniformed officers of the PLA hacked into the computer systems of American nuclear power, metals and solar-products companies to steal trade secrets and sensitive, internal communications that could be used by Chinese companies to give them a commercial leg-up.
But the investigation, and the public charges it led to, have had a lasting impact. Last spring, our indictment was met with indignant denials. But a year later (and after rumors circulated that additional costs might be imposed), Chinese President Xi Jinping publicly declared, during his state visit in September, that, “China strongly opposes and combats the theft of commercial secrets and other kinds of hacking attacks.” The United States and China committed that neither country’s government will conduct, or knowingly support, cyber-enabled theft of trade secrets or confidential business information with the intent of providing competitive advantage to companies or commercial sectors. And, at the G20 Summit last month, leaders of the world’s most powerful nations pledged not to conduct or support cyber economic espionage. What began with denials ended, at least for now, with a shift in international norms and a commitment from China to change its behavior. We must hold them to that accord.
Of course, prosecution will not always be the only option, or even the right one. We may not be able to gain custody over the defendant, or the case may involve classified information that cannot be disclosed in open court. So, you might ask, why investigate targets that we might never apprehend?
The answer is three-fold: one, public attribution itself can have a deterrent effect; two, public attribution charges can also have a positive effect on victims of cyber crime; and three, investigation and attribution enables the use of other tools, including sanctions and diplomacy.
The PLA case illustrates how public attribution alone can have a deterrent effect when you are talking about world powers operating in the global community. But it is easy to see why the same holds true in other contexts. Even before an arrest, being publicly named and shamed creates risk of detention or arrest abroad. It restricts liberty and travel. But perhaps most important – hackers, like other thieves, are valued for their ability to get in and get out without getting caught. Anonymity is the key to their livelihood. Public attribution creates too much exposure. It’s a liability for the hacker and his business associates and can chill the marketplace for the hackers’ services.
Public attribution can also have a positive effect on victims and potential victims of cyber attacks. Public attribution recognizes the victim’s injury, validates their sense of violation and loss and reassures them that the U.S. government is dedicated to punishing the criminals who broke into their systems and stole their information. It raises awareness of the threats we face, thereby encouraging resilience and hardened defenses. And where the perpetrator is a sophisticated actor, like a nation state, it also levels the playing field. Attribution can help demonstrate to victims that no criminal gets a free pass.
But perhaps most importantly – investigations, and the ability to find out whodunit, facilitates the use of nearly every other tool in our toolbox to increase the cost of this behavior. Sometimes those tools will be prosecution, sometimes sanctions, sometimes disruption operations, sometimes bilateral diplomacy. But it will always require attribution.
To start, attribution empowers us to actively neutralize the threat. Last year, for example, the Justice Department and the FBI obtained both criminal and civil orders to take down the GameOver Zeus botnet, employed by a criminal network responsible for an estimated $100 million in losses from businesses and consumers worldwide.
It also empowers us to bring national security solutions to national security problems, including diplomatic, financial and military responses. Take the Sony hack. Through close partnership with Sony, and through the hard work of the FBI, within weeks, we were able to attribute the hacks to North Korea. Less than two months after the attack, the United States imposed sanctions on North Korea.
More broadly, in April of this year, the President issued an executive order that enables the Secretary of the Treasury to block the assets of persons who are engaging in malicious cyber-enabled activities that could threaten the national security, foreign policy or economy of the United States. The order will allow us to hold accountable companies that knowingly receive or use trade secrets stolen through cyber-enabled means. These beneficiary companies are taking advantage of the hard work of Americans and harming our competitiveness. This executive order – and the consequences for entities sanctioned under it – should make companies think twice before hiring hackers or making use of information that they know was stolen. But employing these authorities will only be possible through investigation and attribution.
Finally, attribution is crucial to effectively partnering with the private sector, especially in the context of information sharing. The private sector is on the front lines of the fight for a secure Internet, and we rely on companies to keep the government informed. If we don’t even know that a cyber incident has occurred, we can do nothing to help – let alone identify the perpetrators.
At the same time, the private sector relies on the government for information about the latest threats. Sometimes, the government has access to the cyber threat signatures that private industry needs to defend itself. In addition to the Department of Homeland Security, which runs the important Computer Emergency Readiness Team, the FBI works closely with the private sector through its InfraGard program, a public-private partnership with over 30,000 members. The program securely distributes unclassified intelligence products relating to threats to critical infrastructure and allows affected stakeholders to report incidents directly to the FBI. Furthermore, the FBI has, in the past year alone, presented over three dozen classified, sector-specific threat briefings to companies.
To conclude: the cyber threat is real and growing, but we are fighting back. To deter malicious cyber actors – through prosecutions, public identification, disruptions, sanctions or improving the private sector’s defenses – we must be able to attribute these activities back to the perpetrators. And more often than not, attribution requires the work of lawyers and related professionals in the Department of Justice and the FBI.
As you prepare for the start of your own legal careers, I ask all of you to consider working with us in this fight. The threat is formidable, and to fight it we’ll need help from the best. I feel grateful every day for the opportunity I have: to enter public service and to become a lawyer in the Department of Justice. It is a privilege.
Once again, thank you for inviting me. I look forward to your questions.