Book Review: Dawn of the Code War

In Dawn of the Code War, authors John P. Carlin and Garrett M. Graff describe how the Internet has been weaponized by hackers to facilitate election tampering, theft of intelligence files, and many other online forms of attack. The digitization of our economy gives our enemies more avenues to attack us.  Carlin and Graff explain the unusual difficulties America has faced in cyber warfare, partially due to our adversaries not abiding by the same rules of engagement online. The United States government does not have a developed framework of how to respond to these various attacks, and many of these technological developments are still unfamiliar. Our understanding of the threats we are facing is essential to combatting them, and this book makes it clear how necessary winning the code war is.

Featuring: 

John P. Carlin, Partner, Morrison & Foerster LLP, and former Assistant Attorney General for the U.S. Department of Justice's (DOJ) National Security Division (NSD)

 

 

 

Event Transcript

Operator:  Welcome to The Federalist Society's Practice Group Podcast. The following podcast, hosted by The Federalist Society's International & National Security Law Practice Group, was recorded on Friday, April 12, 2019, during a live teleforum conference call held exclusively for Federalist Society members.     

 

Wesley Hodges:  Welcome to The Federalist Society's teleforum conference call. This afternoon’s topic is a book review on the Dawn of the Code War. My name is Wesley Hodges, and I'm the Associate Director of Practice Groups at The Federalist Society.

 

As always, please note that all expressions of opinion are those of the expert on today's call.

 

Today we are very fortunate to have with us the author of the book, John P. Carlin, who is Partner at Morrison & Foerster and former Assistant Attorney General for the U.S. Department of Justice's National Security Division as well as the former Chief of Staff to Robert Mueller when he was Director of the FBI. After our speaker gives his remarks today, we will move to an audience Q&A, so please keep in mind what questions you have for the book, for the author, or for a topic related to these things. Thank you very much for sharing with us today, John. The floor is yours.

 

John P. Carlin:  Thank you and to The Federalist Society for hosting this event. Imagine this: you're a CEO at a company, and you get a knock on the door. And you hear from your chief information security officer that there’s been a breach. Someone’s inside the information technology system. And they tell you don’t worry about it. This is no big deal. We’ve seen a theft of a relatively small amount of information, some names and addresses. And, look, they got in because we made a mistake. We misconfigured a server, and so it doesn’t take a sophisticated hacker to get into our system. So you go back to your daily business.

 

A couple of weeks later there’s another knock on the door with an update and an email. And what the email says, little bit of broken English, spelling errors, some grammatical mistakes, but it says essentially two things. Number one, I want 500 bucks through bitcoin. Otherwise, I’m going to release the fact that I got into your system and stole this information. And number two, I want to be let back into your system. So a little bit of a chutzpah on the part of the bad guy.

 

So you're thinking through what to do as a company, and in this exact same situation, many, many companies, I’d even say a majority of companies, make the payment. 500 bucks, it’s a nuisance. Let’s just make the problem go away. Others would decide, “Hey, it’s no big deal. Clearly, they're not the world’s best hacker. They need our help to get back in. So we’ll just ignore it. Everyone’s getting hacked these days. Who cares if they release the information?”

 

This was a real case, though, and the problem with cyber-enabled attacks is that you don’t know who’s on the other end of the keyboard. And so it’s hard to properly categorize the risk. And in this case it turned out not to be the low-level crook that it looked like. Don’t get me wrong. It really was a crook, and he really did want the 500 bucks. But it was also an extremist from Kosovo who had moved from Kosovo to Malaysia, in part to get better access to broadband. He was around 21 years old. And from Malaysia, working with a co-conspirator in Kosovo, this hacker hacked into a trusted, U.S. retail brand and stole this information that had been entrusted to them by their customers. Unbeknownst to them, the hacker in Malaysia—and his name was Ferizi—had become friends, not in the real world, but online through Twitter with one of the most notorious terrorists in the world, a man named Junaid Hussain. Let me back up a little bit.

 

At the time that this case—and it is a real case—occurred, I was the head of the National Security Division. The National Security Division is the first new litigating division of the Justice Department in about 50 years since the Civil Rights Division. And it was created as one of the post-September 11th reforms. And the idea was simple: that prior to September 11th, we had failed to adequately share information across the law enforcement and intelligence divide and that that failure to share information had led to the unnecessary deaths of thousands of people, and it is a mistake that couldn’t be made again. So that success for this new division would not be measured by prosecuting criminals or terrorists after the fact when families are grieving or have lost loved ones, but success had to be measured by preventing the attack from occurring in the first place. And as a government, we’d gotten much better, thanks to billions of dollars spent in new departments and agencies, not just the National Security Division, but the Department of Homeland Security, the Director of National Intelligence, new laws, the National Counterterrorism Center (NCTC). We’d gotten much better at dealing with the threat of, I’ll call it “Terrorism 1.0” – Al Qaeda. So a threat model that really focused on finding and vetting and training operatives in a specific geographic region in Afghanistan, Pakistan, directly controlling them, funding them, and trying to plot for terrorist attacks on the scope and scale of September 11th. And we got very good at disrupting those plots in train, through a combination of military, diplomatic, law enforcement, and intelligence means, working across our government and with partner governments.

 

But as we got better and evolved, so did the terrorists. And my last two years running the Division, we saw a new threat, Terrorism 2.0—the Islamic State was particularly good at it. And just as Al Qaeda had used western technology, in their case aviation, against us by turning airplanes into bombs, we watched as the Islamic State took another Western innovation used mostly for good, social media, and used it to try to turn human beings into weapons where they lived. And they were successful.

 

We saw in my last two years, we brought more international terrorism cases in those years than we’d ever brought before as a Department. And we saw two trend lines: number one, the age of the defendants. Over 60 percent of the defendants in these international terrorism cases were 25 or younger, and most troubling, one-third, one-third of international terrorism-related defendants were 21 or younger. And that was simply not a phenomenon we’d ever seen before. We had to issue new guidance and training to prosecutors in the field on how to handle juveniles in the Federal Justice System. And linked to that trend, the age of the defendants, was another trend, which was the use of social media. We saw the involvement of social media in almost every one of those cases. And it was clear that success was not going to be measured by continuing to arrest young people at that rate, but that success would be preventing the terrorists from exploiting social media in the first place and convincing people to commit attacks.

 

I go into that back story because one of the most notorious terrorists was this man, Junaid Hussain, and Junaid Hussain was a former computer hacker. He was a British citizen, lived near the London area. He’d been convicted for computer hacking. And when he got out of prison, he moved to Raqqa, Syria where he was located at the very heart of the Islamic State. And he was at the tip of the spear in conducting these attacks. He was one of the most successful individuals at his cadre at convincing people to kill. And we saw him in our most serious cases.

 

So this terrorist, Junaid Hussain, who moved from London to Raqqa, Syria, he had come in contact with Ferizi in Malaysia and convinced Ferizi to provide the information that he had stolen from a retail company inside the United States that was entrusted to them by their U.S. customers -- he convinced him to provide it to him. And Junaid Hussain, consistent with the Islamic State, he wasn’t interested in the 500 bucks. He could care less. What he wanted to do, just as they were murdering Muslims and non-Muslims alike, just as they were bringing women and children into slavery, just as they were using rape as a political tool, what he wanted to do was kill and cause terror. So he culled that list of stolen information from this U.S. retail company and turned it into a kill list. And, again, using U.S. technology against us, he used Twitter to take this kill list that he had created and push it back to the United States saying, “Kill these people, by name, by address, where they live.” That is the current threat, and it’s the reason why you see across administrations now directors of national intelligence. And the national intelligence, for years, put cybersecurity as the top threat facing our country.

 

Now, it’s not a threat we can do nothing about. One of the reasons I could go into so much detail in my book, Dawn of the Code War, is because we were able to take effective action. We worked with the State Department to get the Malaysians to honor an arrest warrant issued out of Virginia. And we extradited Ferizi who pled guilty and sentenced him to around 20 years in incarceration. Junaid Hussain was outside the reach of federal law enforcement in Raqqa, Syria, and he was killed in an openly acknowledged, publicly acknowledged, military strike by Central Command.

 

So effective action was taken, but if you think about the scope of the problem it’s crossing five, six different countries. It involved multiple nationalities to address it effectively. It required military, law enforcement, State Department. But the other aspect of it is, and the key aspect that makes it different than the original terrorism threats, if you think about all of the reforms that had taken place within government and really were about sharing information effectively and working across the federal government, sometimes the state governments, and with other governments. This new challenge, the threat that’s going to define our age, is how do we share information on what the threats are at the scale and speed of the threat with our private sector partners? And how do you incentivize those within the private sector where both the information and the critical infrastructure resides to share information back to the government at scale and speed and submit that this is still a new challenge that we are attempting to tackle and we’re not where we need to be, given where the threats are.

 

So I use that example of the blended threat, something that looks like criminal, and it was the first time we charged both computer hacking, the Computer Fraud and Abuse Act, and material support for terrorism in the same case. First, but it won’t be the last.

 

The other aspect, though, of this case, of course, is not terrorism, the other aspect of this new phenomenon; it’s dealing with nation state threats. And so backing up how I came to this, I was a computer hacking prosecutor that worked on the criminal side of the house. We have a name for the unit, the Computer Hacking Intellectual Property Prosecutors, or CHIPS, that actually dates back to when Robert Mueller was head of the U.S. Attorney’s Office in San Francisco and created the first unit of its kind, focused on these cybercrime cases.

 

When I was prosecuting those cases, I worked with a criminal squad of the FBI. There was another squad – the Intelligence Squad – that worked behind a secure, compartmented facility door. And the whole time I was working the criminal cases—this is back ’04 to ’07 roughly—I never went on the other side of that door. Didn’t know what happened in the intel side of the house. And occasionally an agent would switch squads, and when they switched squads, they just disappeared behind that door, never to be seen again.

 

So I then went over and coordinated that same program, the computer hacking program, nationally for all the federal prosecutors doing criminal cases. When I was coordinating that program nationally, I still did not have access to what was on the other side of that door. It wasn’t until I went over to work for Director Mueller, back when he was relatively anonymous compared to his current gig, and was barely the director of the FBI, but when I went over to work for him, the door opened and I saw for the first time what was happening on the intelligence side of the house. What I saw was staggering. A great, amazing intelligence feat by our professionals combining the information that we were collecting on nation state adversaries.

 

And so I went and literally watched on a giant, Jumbotron screen, and I could watch nation states hacking into companies, like private sector entities, like universities, hopping from the university or the non-profit into major corporations, and then—and literally watch because they had a graphic user interface—watching as the data exfiltrated and flowed out of the United States. Billions and billions of dollars’ worth of trade secrets, trade negotiations strategies. It’s what the former director of the National Security Agency, Keith Alexander, called the largest transfer of wealth in human history. It was primarily China that we were watching when it came to economic espionage. And it became clear that although this was a phenomenal intelligence feat, it was not success. Success would be figuring out a way to disrupt, not just watch this activity. And that required a change in mindset.

 

When it came to collection against nation-state intelligence threats, the mindset grew, understandably, out of the Cold War. It’s not like we weren’t still bringing those cases. I was there when we brought the case against the Russian illegals that formed the basis for the show, The Americans. So we still were seeing these long-term patient plots. But the old strategy was to watch for a long period of time, in that case years and years and years, perhaps feed information that would mislead the enemy, not take steps to disrupt because then they might collect through another means that you couldn’t detect. And the problem was that that approach just doesn’t work when you're seeing a threat on the scope and scale of what we were seeing from Chinese economic espionage efforts, to name one. And also, this wasn’t just traditional collection of intelligence. This was causing real harm to real victims now. It was putting people out of work. It was closing companies. And so we needed a new approach.

 

When I went back to the Justice Department, we started up a program, in part just to replicate what we’d done in terrorism and then take it further. So the beginning was opening that door to all U.S. Attorney’s Offices, to all federal prosecutors, so they could see what was going on on the intelligence side of the house. So we trained a special cadre of national security cyber specialists, or NSCS, who are trained on the one hand how to do the bits, and the bytes, and the Computer Fraud and Abuse Act, and on the other hand how to handle classified sources and methods, sensitive information. Understanding that in the large majority of cases the criminal justice system won’t be the best tool to disrupt. We were never going to bring a case in the first instance if we were unable to see the information and think about how we could use it creatively. And then the FBI issued an edict to the field that said, “Thou shalt share with this new specially trained cadre.”

 

And it was that change in approach and structure that led to the first case of its kind, the indictment of five members of the People’s Liberation Army, Unit 61398 in 2014. And to give you a sense of what a difference that was, it was only in 2011, roughly, as a government official that I could say that China was committing economic espionage through cyber-enabled means. Before then, it was classified, and we weren’t allowed to talk about it.

 

So this case, the first case of its kind, charging nation-state actors with committing this type of activity, members in uniform of the military -- some controversies at the time. People asked, “Why are you bringing this type of case? Doesn’t everybody spy?” I think to answer that question, it’s important to know the details, to know the facts of what happened. So when you look at that case, and these were attachments put on the case, you’ll see things like these were not traditional nation state targets. Instead they were doing things like Westinghouse was about to do a joint venture with a Chinese partner. They were going to lease a lead pipe, no military application. And the night before they were going to lease that pipe, we watched as these uniformed members of the PLA went in and stole the technical design specifications for the pipe. So the next day they didn’t need to lease it anymore. They could build it themselves.

 

Or to use another example from that case, SolarWorld. We watched as these actors went in and stole the pricing information from the weakest part of the system, the email system. And then they used that pricing information to price dump, to hit the price point they knew that the company couldn’t match. And then after price dumping and forcing that company into bankruptcy, to add insult to injury, when that company sued, they stole the whole litigation strategy right out from under them.

 

We even had a case—this wasn’t cyber enabled—but a case out in California, DuPont was the victim. Chinese actors stole the formula for titanium dioxide, which sounds like it might be some type of military secret, but in fact is the formula for the color white that’s used in state secret activity of the Oreo cookie. As much as I love Oreo cookies, I don't know that that’s traditional national security, but it gives you a sense of when I say they were stealing everything, they were literally stealing the color white.

 

The other interesting thing that we put in as an attachment to the case is to show this was their day job. So this activity started at 9:00 AM in the morning, Beijing time. It went from 9 to noon. Unlike many of you listening today, they apparently did take a lunch break because it decreased from 12 to 1, and it increased again from 1 to 6, decreased overnight, on weekends, and on Chinese holidays. So former prosecutor in me would call that circumstantial evidence that it’s coming from China.

 

But the other lesson, right, is that this is the second largest military in the world. Second largest military in the world. And their day job, their 9 to 5 job when they get up and go to work every morning, was to target private companies to steal information that would benefit their competitors overseas so that their competitors would make a buck. And the fact is no company can compete against that type of resource. So as long as we were keeping it in the shadows in the intelligence world and not informing companies, not taking public action against those committing this type of activity, we essentially were saying that it’s okay and that it’s a private company’s responsibility to deal with these types of threats. And they know this is illegal or anti-group. I know those of you listening are familiar with the concept of an easement, right? This is the idea that if you let someone walk across your lawn long enough, dating back in common law roots, then they earn the legal right to walk across your lawn. That’s easement, and that is why you put up “No Trespass” signs.

 

Well, international law is a customary law, and if, at the time, former-Director Comey I think characterized it as a “drunken burglar going around your house.” If we allow China so noisily and so obviously to be hacking into companies across the United States in every sector and every sphere, we were creating international law in an area that has been compared to the Wild West. We were saying that the new norm in this area is that it is okay to use your military and intelligence services to target private companies for private gain. And so if you think about it that way, this case in some respects was a giant “No Trespass” sign, get off our lawn, this is not okay. This is not the law that we want to live with.

 

Another critique of the case at the time was, “Hey, are these real charges?” And of course they are, and they had to meet the normal standard of being provable beyond a reasonable doubt. And I still look forward to the day that the individuals might be extradited and we’ll have all the rights of due process to defend themselves. But they say, “Well, you're never going to catch somebody like this.” And even at the time that that criticism was taking place, there’s another case that I go through in the book that was not much talked about. There was an individual named Su Bin who had, with a co-conspirator in China, had hacked into Boeing. And he had actually been arrested. We were just keeping quiet about it because he had been arrested by the Canadians, pursuant to process out of California at our request, and they said we shouldn’t talk about it publicly to avoid interfering with the extradition proceedings.

 

But Su Bin -- and this is interesting in light of current events that happened after Huawei, after Su Bin was arrested, we knew China was paying attention because they immediately arrested two coffee shop owners, Canadian coffee shop owners in China and told Canada “If you don’t give us Su Bin back, we’re not going to release these two Canadian coffee shop owners.” Now, Canada stood strong and Su Bin was ultimately -- they allowed the legal system to play its course and Su Bin was extradited, convicted, sentenced, and serving time out in California.

 

So these are real cases. People do travel, and I think the criminal justice system can be an effective tool in starting to deter and disrupt this type of behavior. That said, it won’t solve the problem. For too long we didn’t use it at all. But it is also -- has to be a tool of a larger strategy using all tools of government power until we ultimately raise the costs such that they outweigh the benefits and cause China to reevaluate using these methods.

 

And it’s important we do it not just for one country, but when you think of the other actors out there, the next major case we faced, I can tell you we war gamed out for years. “Hey, what’s it going to look like if a rogue, nuclear armed nation decides to attack the United States through cyber means?” And we war game it out. We never predicted the first major, disruptive attack was going to be not on the electrical grid, not on a water supply, but instead an attack on a major motion picture company. And here I refer to the attack of North Korea against Sony Motion Pictures. It’s the only time in my career that I had the somewhat surreal experience of going into the Situation Room, briefing the President of the United States and the Security Council and starting the briefing with a plot summary of the movie The Interview. And for those of you who have seen it, that was not easy to do because that’s not a movie that makes a whole lot of sense if you watch it.

 

And there’s question then, “Why are you treating this as a national security event?” The answer was, “It’s true it’s not at a traditional, national asset” -- and this is a lesson I wished we had learned better at the time. If you think about it, what was happening was North Korea was attacking a core United States value. And what they were saying was from overseas we can impose the North Korea authoritarian view that some speech cannot be made, and if you make it, there are going to be consequences by attacking Sony. And if we allow that to stand -- and again we’re sending a signal to other countries around the world that you can interfere in our affairs that way.

 

And if you think about that attack, it really did three things. Number one, it was a destructive attack. It essentially turned computers into bricks. But that’s really not why anyone remembers Sony. In fact, there had been another destructive attack when two Iranian-affiliated actors against Sands Casino after Sheldon Adelson had said some somewhat provocative comments, something about turning Iran into a nuclear dust cloud. And afterwards you saw an attack that turned some of the Sands computers into bricks. No one really remembers that attack, though. It was just destructive.

 

Number two on Sony, they also stole a massive amount of intellectual property. But that, at this point, has happened to company after company and you don’t see it resonate the way the Sony attack did.

 

The third thing they did was the most damaging part to the brand, although they were able to recover thanks to an effective plan, I think. But the third thing they did was they hit the least protected part of the system, email again, and stole salacious, internal traffic. They then used non-traditional media who disseminated what was stolen. And then ironically in this case which was fundamentally an attack on the American concept of the First Amendment to free speech, a Western pillar, they watched as the mainstream media really carried out the attack on the part of a nation state by disseminating that material and causing harm to the victim and did so without thought to the fact that they were carrying out that regime goal.

 

That caused a flurry inside of the government on how to respond, and thanks to great cooperation with Sony, we were able to for the first time follow the model that we’d applied in the PLA case of number one, figure out who did it. Number two, once you figure out who did it, make it public. Don’t keep it in the shadows. And number three, impose consequences. Except here, instead of using the criminal justice system, because there wasn’t a charge at that time available—there’s been one subsequently brought—they used the tool of sanctions for cyber-related activity. We realized, though, going around the Situation Room table that unlike terrorism, unlike those who proliferate in weapons of mass destruction, that there is no executive order that allows for this sanctioning of purely cyber activity.

 

So one of the lessons -- it happened to be North Korea. They had done so many other bad things that we had an executive order unique to North Korea. But what if it had been some other country? I think that led the President to drive the creation of the first executive order of its kind in April following the Sony attack that allowed for the sanctioning of not just the military or intelligence that stole the information but significantly of the companies or entities that benefited from the stolen information. And that executive order has been re-signed by President Trump and is still in effect.

 

I think it was the combination of the PLA case, Su Bin, and that executive order that led to a breakthrough that turned out to be relatively short lived for a couple of years, but a breakthrough nonetheless where China, believing we were about to use that executive order, sent over a delegation on behalf of President Xi who hammered out an agreement that contained, as one of its core points, the principle that you shouldn’t use your military and intelligence to target private companies for private financial gain. And then President Xi stood up with President Obama, announced that he believed in that norm. With that breakthrough, the G20 adopted that same norm and at least helped set the rules for the world that we want to live in that says that’s not okay.

 

Now, prosecutors and others would be out of business if setting the rule or setting the new law of the road meant that people followed it. So I think it’s incumbent upon us, then, when they don’t to continue to bring cases. And we’ve seen a similar approach in this administration of having a China initiative led by my successor, John Demers, designed to keep increasing that cost until that behavior changes. And in so doing, they said that they were seeing signs that this norm, this law, was not currently being lived with.

 

I’m going to wrap up shortly and leave questions, including on the big four actors. I’ve spoken mostly about terrorists, China, and North Korea. But of the big four nation-state actors who I haven’t talked as much about, Iran and Russia—and I’m happy to answer questions—but let me end on one note, which is when you think about where we are, we moved over an incredibly short period of time, historically, 25, 30 years, to take everything we value, essentially, from analog space, from books and papers to digital space, to bits and bytes. And then we connected it through a protocol that is fundamentally insecure. It wasn’t designed -- and I go into a little bit to the roots of the internet and interviewed the designers of it. The internet was never designed with security in mind – quite the contrary. It was designed for open communication.

 

And we moved all of that information there in government, in the private sector, in business fundamentally not calculating in the cost of risk. And so in that sense it was not a wise investment. And people tested whether it worked but not whether it would work if a bad guy, a terrorist, a crook, a nation-state actor, a spy wanted to disrupt it or steal from it. And I think what you're seeing over the last five years, prompted in part by this new strategy public what the threats are is a fundamental recalculation where now boardrooms -- I know in my private practice when I'm speaking to boards of directors, to C-suites, they're now starting to calculate risk in a more traditional way.

 

Insurers are moving to this space. You're seeing the government change course as well. But we’re playing catch up. This is a critical moment, though, and I encourage all of you listening today in your respective day lives to try to help effectuate this change which is we have to do a better job before the next revolution occurs. And that is already in progress, and that’s the change from taking data and making it accessible to the so-called Internet of Things. And when I say the Internet of Things—and these are real examples that we saw—pacemakers getting connected to the internet, put into people’s hearts, and after they are in our bodies, then realizing “Hey, we didn’t test security by design,” and a 12-year-old using publicly available software can hack and kill because we didn’t encrypt any of the combinations back from the pacemaker. So now we’re going to roll out a fix.

 

Or to use another real example the cars on our roads which increasingly are computers on wheels -- I’d say in about five years about 80 percent of cars will be computers on wheels, and that’s before we even make the leap from a car with a driver to a driverless car. And if you think about all of the fundamental changes in our society in that one area alone when we switch from a horse and buggy to an automated car, the switch to driverless cars is going to be similarly disrupted. We’ve already had a proof-of-concept hack that showed that you can get in through the entertainment system easily into the braking and steering systems of cars, simply by computer hacking. And after that proof of concept, you had 1.4 million Jeeps recalled from the roads where people are already driving them because of that design flaw.

 

So when we think about this change, it’s important now that we figure out ways to incentivize and drive the calculation of risk into these products before they're rolled out, bought, used, relied upon whether it’s in the military or our day-to-day lives to ensure, not that we don’t innovate in this area, but that we think through security by design and we make smart, risk-based decisions on what to connect and how to connect it. And with that, thank you for your time listening today. Hope you get a chance to read the book. And I want to open it up to your questions.

 

Wesley Hodges:  Well, thank you, John. That was fascinating. I'm sure it was a great taste of your book. Remember everyone the book’s name is Dawn of the Code War. And while we wait for any audience questions, John, I do want to piggyback on one of the comments you just made a couple minutes ago on the Internet of Things. Obviously, on our mind today is Huawei as we see the government’s focus on that. Can you elaborate on recent developments with Huawei relating to your subject?

 

John P. Carlin:  A couple of thoughts on Huawei. One, it’s really back to the future to that Su Bin case that I think folks really hadn’t focused on before, which is a legitimate charge inside the United States, filed under seal, that gets effectuated when somebody travels. It’s one of the reasons why it gets very long to reach the Criminal Justice System but why it can be an effective tool even when it’s being used against those who fundamentally have a different view or world order. And just like Su Bin, you saw that right after the arrest of the Huawei chief financial officer, there were a string of arrests of Canadians in retaliation.

 

Some ask in this area if you're attacked through cyber means, why don’t you retaliate through cyber means? I think one of the answers to that is when it comes to cyber, we’re more vulnerable than a lot of our adversaries because we move farther and faster than anyone else into this space. The old axiom when thinking strategically is to attack your enemy where they are weak and you are strong. And I think this is an example of one area where we are strong is in the credibility of our criminal justice system. And this is an important thing that we all need to work not to undermine. But the world has great respect for the independence of our criminal justice system. And so when a case is brought and facts are laid out, they're viewed as real. And that’s simply not true. When other systems bring charges, whether it was the Chinese retaliation charges here or other adversaries like Russia, Iran, and North Korea, although we’ve seen tit-for-tat arrests, I think you’ve also seen the world condemn those arrests.

 

The other significant part of the Huawei discussion is why is the U.S. government so focused on 5G outside of any conduct by Huawei? And that goes back to where I ended, which is as we move towards the Internet of Things, 5G, which essentially is the way for more things to connect faster to the internet, and I think the vision is of smart cities where data is being collected from almost all of our devices, our cars to allow for more efficient transportation systems, other innovations. But the backbone of that transformation where there’s a blend between commercial and public sector interests is going to be the way in which they connect. And that backbone is 5G. So if the backbone of the world is provided by a country and a company who, simply by law, has to be responsive to requests of the Chinese government, then we’re potentially setting the value system and also allowing disruption in the event of a national security dispute into essential systems. That’s why the stake from the U.S. government’s perspective and from some of our critical allies are so high.

 

And that’s just one critical area of emerging technology. I’d say two others that people really focus on are artificial intelligence and the race to quantum.

 

Wesley Hodges:  Thank you, John. It looks like we do have one question from the audience. Here’s our first audience caller.

 

Caller 1:  Hi there, sir. Great talk. Thank you so much. I actually work in machine learning and artificial intelligence, specifically emerging threat operations. And one of the problems that we’ve been kind of looking at is the intersection between foreign intelligence services and the general internet troll and how they utilize these communities to attack companies, attack corporations, attack states. My question is how do we incentivize the private companies to share this kind of threatening information with the government? Because in my world, a lot of people are very hesitant about even if we have direct data that this is a foreign operation, we are very, very reticent to make that a thing, to go reach out and give that data over. So my question is how do we incentivize the private sector to work with the public sector on these type of issues?

 

John P. Carlin:  That’s a great question and a critical current gap. So for those less familiar with the issue, just a quick step back. Actually, one of the chapters I talk about in the book is how the Russians, in particular, have blended the traditional criminal actors. So there’s two cases I talk about in particular. One is a famous crook who repeatedly managed to reconstitute a botnet – a system of hundreds of thousands of compromised machines that could be directed by a single command and control server to do all sorts of criminal activity. This is GameOver Zeus. So he’d do things like steal information on a global scale that was used to commit bank heists. It was used to do denial of service attacks where you take that botnet, distribute it down to service tech, take that botnet, aim it at someone, and extort them for money. And it was also used to do things like use the access through the botnet to take compromising pictures of people and then bribe them.

 

That criminal tool that was used and leased by crooks was also, we could see, overlapped with Russian intelligence priorities. So right before Ukraine, for instance, they used that same criminal design tool in order to commit mischief and collect intelligence in Ukraine.

 

A second example is a man -- an individual named Belan. He’s the hacker behind the Yahoo compromise. He stole hundreds of thousands of email addresses, who took over the Yahoo Search Engine. And he did it for mundane criminal purposes like redirecting everyone who searched Yahoo to an erectile dysfunction site and then collecting money if he was successfully advertising them. But we also, as is laid out in the charges, show that Belan was acting at the direction of the Russian military and intelligence services. So they let him be a crook on the side, and they also directly tasked him to go after DOD officials, other national security targets, and even Russian rivals within the system.

 

And so what the caller’s question gets at is these dark webs or dark forums where information is traded, tools are leased -- and when I call it a dark market, it really looks like a market. You go on here and some of these sites look like Amazon for crooks. And when I say it looks like Amazon, I mean it literally will say, “Hey, we just stole 100,000 credit cards, bought from this site the stolen credit cards, and most of them were five stars. Great job.” Or—and these are the ones I always love—it’ll say, “One star. I bought from this crook and he ripped me off. He can’t be trusted.” I’m like, “What do you expect? It’s a criminal site.”

 

So a lot of the intelligence that’s collected because it’s such an active, dark forum is not by traditional government actors but instead by private security firms. And the gap right now is how do you incentivize those firms to -- if we think that collection’s a good idea, how do we incentivize them to do it? And then how do we incentivize them to share it so the government can figure out, “Hey this group that looks criminal is actually being exploited by national security services of an adversary.”

 

And the problem right now is number one, I think there needs to be better guidance on what’s legal for threat intelligence firms to collect. Because it’s a bit of a grey area. You don’t get on these forums by saying, “I’m John Smith, and I’m here from a threat intelligence agency. Can you let me monitor you?” Usually, you use a fake persona. So that’s one: better clarity.

 

Number two, and this has to do more with the threat intelligence by the private companies who are victims. When I’m counseling companies now, they hesitate. Sometimes they're required to go forward by regulation because they're in a regulated sector like the defense industrial base. Or HIPAA regulated information. But if they're not, it’s unclear what’s going to happen with the information they provide? Could they be revictimized because a regulator uses that information to review their security policies? Could they -- the fact that they cooperated create a brand event for an attack that’s otherwise unknown.

 

So I think we need to change our current ‘carrot and sticks’ to make it clearly in the interest of private sector companies to provide this information. And there’s different ways to do that. One would be to consider if it’s voluntary and it comes in immunity from suit, if you provide it. Another way, kind of in the opposite direction, would be to mandate that some of the information is required. So whatever the right result is, our current balance of ‘carrot and sticks’ completely agree that the color is wrong. We’re not properly incentivizing people to come in.

 

Wesley Hodges:  Thank you, caller. Seeing no immediate questions from the audience, John, I have another one for you. I guess just looking in the news recently, certainly this has been a notable thing in computer hacking. Would you mind commenting on Julian Assange and I guess his situation as it relates to computer hacking?

 

John P. Carlin:  Yeah, it’s an interesting case. For those of you who follow the computer hacking issue because -- here’s an individual. There had been discussion of whether or not to use the Espionage Act against him, and that created potentially difficult issues of both fact and law, including when it comes to the release of classified information, whether there’s either policy or baseline constitutional issues, First Amendment issues, against prosecuting someone solely for the act of disseminating classified information. And so you see his rather clean, at least initially, charge here that focuses on the manner in which the information was obtained. And this is the Computer Fraud and Abuse Act, 18 U.S.C. §1030, where it’s focused on the conspiracy to aid the person taking the information and stealing it by helping this crack a password that was encrypted to hashed. In that sense I think it was a good use of a new statute designed to punish analogs of crimes that are committed in the real world.

 

But if you think about it, like every reporter knows you're not supposed to help someone pick the lock or break into building to steal documents even if it is okay for you to publish the documents after they’ve been taken. And this is clearly the digital equivalent if you help someone hack into a site.

 

So it also gives a sense of the new world we’re facing in terms of threats, which is actors from overseas, just like what we saw with the Islamic State and terrorism threats, but now increasingly in espionage, are able to communicate, convince, cajole, and in this case, ultimately conspire to help individuals break in and take information. And so we need to come up with creative ways to stop that.

 

There’s a great case brought by my former division this year where -- or actually last year, where there was a Chinese intelligence agent, MSS, trying to steal from what they thought was a cooperator inside GE. He went to meet the cooperator in the real world to try to steal documents, and it was a sting. They arrested the MSS agent who traveled out of China to Europe, extradited him, and he’s facing time in here. It’s one of the -- I believe it’s the first time that I know of where we’re able to catch the handler in one of these cyberattacks, the intel handler when they traveled.

 

Wesley Hodges:  Thank you, John. That is fascinating. Well, seeing no more questions from the audience, John, I turn the mic back to you. Do you have any closing thoughts for us today?

 

John P. Carlin:  Thank you, again, for providing this forum. This is a new area where I think we can tackle the threat but it’s going to take the greatest thoughts of viewer/listeners, public awareness of what the threats are. And that much of what is talked about as if it’s science fiction has already occurred. So thank you for the time and attention to the topic.

 

Wesley Hodges:  Well, thank you for bringing the time and attention yourself. On behalf of The Federalist Society, I'd like to thank you for the benefit of your very valuable time and expertise today. We welcome all listener feedback by email at [email protected]. Thank you all for joining for the call. This call is now adjourned.

 

Operator:  Thank you for listening. We hope you enjoyed this practice group podcast. For materials related to this podcast and other Federalist Society multimedia, please visit The Federalist Society's website at fedsoc.org/multimedia.