
John Carlin joins Preet Bharara to preview CAFE’s new podcast, “Cyber Space.” Every other Friday, John will explore issues at the intersection of technology, policy, and law with a range of guests who have made an impact in the world of cybersecurity.

Sign up to receive a free link to listen to an episode featuring Alex Stamos, who served as the Chief Security Officer at Facebook during Russia’s 2016 campaign to manipulate the presidential election, and at Yahoo, when the company experienced a series of breaches that resulted in the compromise of more than a billion accounts: cafe.com/cyber

“Cyber Space” with John Carlin is the latest podcast for members of CAFE Insider. Try the membership free for two weeks, and get access to the full archive of exclusive content, including the “CAFE Insider” podcast hosted by Preet Bharara and Anne Milgram, the “United Security” podcast hosted by Lisa Monaco and Ken Wainstein, audio essays by Preet and Elie Honig, and much more: www.cafe.com/Insider

Preet Bharara:

Hey folks, Preet here. A few weeks ago, we brought you a special episode of a new podcast we’re starting, for members of CAFE Insider. It’s called Cyber Space, and it’s hosted by my friend, a renowned cyber and national security expert, John Carlin. Today, I’m excited to announce the official launch of the podcast. John led the Justice Department’s National Security Division under President Obama, and prior to that, served as Chief of Staff to then FBI Director, Robert Mueller. Every other Friday, he’ll be exploring issues at the intersection of technology, policy and law, with some of the most thoughtful and influential leaders who’ve made an impact in the world of cyber.

Preet Bharara:

What follows now is my conversation with John. He joined me to preview his podcast and give us a broad outline of the cyber threat, and the challenges created by ever-evolving technology. And if you’d like to listen to the first episode of Cyber Space featuring John’s interview with Alex Stamos, you can do so for free. Stamos served as the Chief Security Officer at Facebook during a crucial time, leading the company’s investigation into Russia’s manipulation of the 2016 election. To listen for free, head to cafe.com/cyber, and we’ll send you a link. That’s cafe.com/cyber. And now, here’s my conversation with John Carlin.

Preet Bharara:

John Carlin, welcome back to the show.

John Carlin:

Yeah, it’s great to be back.

Preet Bharara:

So we had you on about a year and a half ago.

John Carlin:

Not much has happened since then, I think.

Preet Bharara:

No, it’s pretty much the same.

John Carlin:

Yeah.

Preet Bharara:

No, a very static country in every respect. But one reason we had you on, was to talk about your book Dawn of the Code War. You’re not working on a second book, are you?

John Carlin:

No, I think I might be one and done, we’ll see.

Preet Bharara:

No, you’ll do others, but you’re going to be doing this podcast. So I wanted to ask you why you’ve agreed to do this podcast, because I think it’s very important. One theory I have is you saw that our friend and your predecessor at NSD, Lisa Monaco, was doing a podcast and you had some FOMO. Is that fair?

John Carlin:

Never discount envy, but also, you’re a persuasive guy, Preet.

Preet Bharara:

On a scale of one to 10, what do you think the average person in the public’s understanding of the threat of cyber and the danger of cyber, and the issues relating to cyber are?

John Carlin:

Three, but I’ll complicate that answer a little bit with, I think that there’s a general sense of discomfort or fear about it that’s probably accurate. And so, maybe that’ll rank a lot higher, but then specifically about where we are right now, what bad guys have already done to us, that I think is pretty low. And that’s not just for the average person, grandma, person you’re hanging out with at a bar, that is also, I’m finding true at some of the highest levels of corporate America.

Preet Bharara:

Well, what about lawmakers? I mean, I made this point a lot. I was having this conversation with my daughter the other day about some hearings, and you see both senators and members of the House, not understanding the basics of technology and they’re the ones making the laws about this stuff. If you say the average person is at a three, where would you say… You don’t have to name names. Where would you say the average lawmaker is?

John Carlin:

Well, I’ll just say, yeah, I do this project for the Aspen Institute on cybersecurity, and you’ve identified what we’ve identified as one of the top problems, and some of the members of our group are sitting members of Congress, and they have described it down near a zero or a one, which in some ways makes sense, if you think about the average age of a Senator or House member, and the speed with which technology has changed. I mean, one of our big initiatives, one of the reasons to do a podcast is just, at the heart of this, I think sometimes it’s a translation issue. Suddenly, we’re relying on a technology, and the people who understand it best speak a different language, speak geek, that they understand, but don’t speak policy, and then the policy folks don’t speak geek. And so, a lot of the initiatives that we’ve tried to start are just trying to teach each other our respective languages.

Preet Bharara:

So on the podcast, are you going to speak policy, technology, geek, or how about English?

John Carlin:

We’re going to try and go with English, the translation.

Preet Bharara:

Good, okay. All right.

John Carlin:

But we’ll try to bring on guests who range. Our first guest was really someone who’s a policy expert, and a sitting government official who had my prior job, and Lisa Monaco’s prior job as Assistant Attorney General for National Security. So he’s the sitting government official, and his background is more policy, but he’s finding that the issues he’s facing are right at the center of this technological change of this move to cyber. So we’ll have people like that who are real policy experts, and then we’ll also have, Alex Stamos is going to be an upcoming guest who is a former Chief Information Security Officer at both Yahoo, and then Facebook, and lived through some of the most serious attacks by Russian, and other actors, and he’s really a technologist, but is someone who’s good at speaking in policy. So we’re going to try to bring in both voices.

Preet Bharara:

What do you think are the most important issues that are going to be a big deal in the news and in people’s lives in the coming months and years?

John Carlin:

Well, I’ll tell you one that we predicted when I think I was last on with you, so a year and a half ago, despite everything changing, the threats haven’t changed, it’s the magnitude has increased. We saw five years ago at this point, the Syrian Electronic Army. So a group of individuals associated with the Syrian State who supported the Assad regime, and they did what is still, I think is the single most damaging just in terms of dollars attack, and it was simple and easy to do. They took over the Twitter account of the Associated Press, to pretend that there was a terrorist attack in the Obama White House, and they watched the stock market plunge, billions and billions of dollars.

John Carlin:

So we talked about that then as something to worry about heading into the election, as it seems like we’re more, not less reliant on getting information through Twitter. Recently, numerous public personalities’ Twitter accounts were taken over, and luckily in that case, it was a relatively low rent, bad guy scheme, where what they were trying to do is convince people to give them Bitcoin, to gain digital currency. But that same scheme, if you did that right before our election and the news media fell for it, you would have people wondering about the legitimacy of the election.

John Carlin:

So one issue I think is going to be, how do we get news? How do we get information, and how can it be manipulated in this age? What do we do to protect ourselves? There’s one thing we’ve learned repeatedly in this space, is that everyone is watching. So even if the intent of this particular actor really was a lower-end scheme to make a buck, when people see how easily it works and use their imaginations, then actors with much more nefarious intent, terrorists, nation states, are taking notes, and we need to prepare ourselves for more sophisticated use, and we’ve learned that lesson time and again the hard way. I hope we learn it this time, and protect ourselves before we see the worst use.

Preet Bharara:

So who needs protection the most? Who’s farther behind than others, to make sure at least with respect to an election, you don’t have some bad event?

John Carlin:

Well, one education effort I know we’ve been doing, is with the news media and reporters, so that they learn to take a breath, in terms of reporting out what they get through Twitter, and the possibility of it being manipulated, and not just Twitter, but other social media as well. But in addition to that, I think it’s something that state election officials need to plan for, and I know Homeland Security needs to plan for. So what if the threat that we faced during the election is not a disruption of actual vote count, or wiping people from the registration, both things that we can and should worry about, but instead, is just manipulating media to tell people misinformation about how to vote, for instance? So I think state and local officials, reporters, and federal officials need to be quite aware of the way bad guys could manipulate.

Preet Bharara:

Is interference with the election your topmost concern at the moment?

John Carlin:

It’s hard in this space to pick a top, because there’s a lot-

Preet Bharara:

Because they’re all terrible.

John Carlin:

There are.

Preet Bharara:

There’s so many doomsday scenarios.

John Carlin:

There are, and they all flow from the same fundamental change, right? Which is we moved almost everything we value from books and papers, from analog to digital, over a very short period of time, and we did it further and faster than any other country in the world. So that goes to our water supply, our electric grid, the way we get our news media. Everything now that is… I’m looking at with COVID occurring, everyone’s working from home. You can’t work if your systems get disrupted, and we’re seeing that.

Preet Bharara:

Yeah. So how much has COVID increased our risk?

John Carlin:

I’m seeing it, so in my private practice now, which is helping companies who are the victim of cyber attacks, I’m seeing an increase in ransomware in particular. So these are schemes that encrypt, they lock up your computers, you can’t use them unless you pay the bad guy a fee. And what the bad guys have realized is that in an age of COVID, people are going to pay because even a minor disruption, and no matter what your business is, everyone’s working from home right now and dependent on being able to use their networks and systems, so it’s spiking. And again, going back to our earlier example, those are groups who you can pay, by and large, because what they’re trying to do is to make a buck. But if you think about that type of vulnerability on scale, if someone really wanted to deliver a shock to the American economy at a time we’re already dealing with a lot of shocks, you see that with the prevalence of ransomware attacks, if a bad guy locked up those systems, and there’s no amount that you could pay, that could really cause damage.

Preet Bharara:

I want to talk about your background a little bit. You’ve had a lot of different jobs, just like Lisa Monaco, and Ken Wainstein. But I want to ask you, your interest in and focus on cyber, how that evolved over time. So how much different is your view and your attention to cyber comparatively between the time you served, for example, as Chief of Staff to Robert Mueller, then FBI director, and say, your last year in government, in the Obama administration?

John Carlin:

Yeah. So I’d say, so prior to serving Mueller as Chief of Staff, back in the good old days when he was relatively anonymous and just Director of the FBI, I had coordinated nationally the computer hacking intellectual property criminal cases, so I’d become somewhat of a specialist in this area. And when I went over-

Preet Bharara:

CCIPS.

John Carlin:

CCIPS, yeah.

Preet Bharara:

CCIPS.

John Carlin:

He’s responsible for that name, I think he told you before. Because he doesn’t watch TV, he had no idea that they were a bunch of-

Preet Bharara:

Who’s responsible, Robert Mueller?

John Carlin:

Robert Mueller, yeah. When he was the US Attorney in California, he started the first CCIPS unit there to deal with high-tech crime, and they named it the Computer Hacking and Intellectual Property Section, and it was just a section in that one US attorney’s office, and then he brought that name with him when he came back.

Preet Bharara:

Yeah, I never loved that name.

John Carlin:

Yeah, well he didn’t know about the short shorts-

Preet Bharara:

We had CCIPS two.

John Carlin:

… and the sunglasses, and the whole thing. And so, I gave him flack for that.

Preet Bharara:

You’re talking about the TV show. Like I don’t-

John Carlin:

Yeah.

Preet Bharara:

Bear in mind that many of our listeners don’t know what the hell you’re talking about. They’re like potato chips-

John Carlin:

I guess that’s true.

Preet Bharara:

… tortilla chips? What kind of chips? The California Highway Patrol.

John Carlin:

Big, big show.

Preet Bharara:

Right. CHiPs was the show.

John Carlin:

Yeah.

Preet Bharara:

Look, I know you watched that show religiously, John.

John Carlin:

I watched the show some… I wasn’t allowed to watch TV, but it was one of the shows I snuck, and they just did a remake that is really a terrible movie, I got to say. But, so maybe it’s more people have heard of it because of the remake.

Preet Bharara:

No negative, we don’t do negative promotions here, John.

John Carlin:

So yeah, so [crosstalk 00:12:07]-

Preet Bharara:

[inaudible 00:12:08] So between then and recently, how much bigger of a deal has this become?

John Carlin:

I think what it is, a lot of what we foretold has now come to pass. So for a while, everyone was saying, “It’s a matter of time before a nation state attacks the United States through cyber means,” and now we’ve had things like the North Korean attack on Sony Motion Pictures, going back to your don’t give negative reviews, because they essentially, were giving a big negative review to a movie they didn’t like, The Interview. You’ve had Russia. We talked about the fact that there was the possibility of meddling in an election, but now we’ve seen it happen, and on scale, and not just once, we saw them attempt to do the same thing in the 2018 elections, and we know they’re trying to do it again. We’ve seen China steal intellectual property on a scope and scale that’s simply unimagined in history, that former Director of the National Security Agency called, “The largest transfer of wealth in human history,” Keith Alexander, and I think he’s right, and we’ve seen that affect the world’s geopolitics.

John Carlin:

So I think what we’re seeing is a lot of what had been predicted has already come true, and unfortunately, since then, I think there has been increased investment in security. New positions created, the government has changed and has new policies, but at the same time, we’ve also doubled down on increasing our reliance on that technology, without fixing the underlying vulnerabilities. So I’m not sure we’re more safe than we were before.

Preet Bharara:

That quote from Keith Alexander, I used to also invoke regularly when I was in office, “The greatest transfer of wealth in human history,” and a lot of that wealth is being transferred where? To China, right? Based on theft of intellectual property. So I want to ask you about China for a second. I was recently talking to some folks who said something that made my hair stand on end, and it was the question of what is going to happen with the relationship between the United States and China, and how big a threat China is, much more so than Russia, and the question was, “Are we inevitably headed towards armed conflict with China, military conflict with China?” And the consensus was “No, not in the conventional sense. That seems unlikely,” but if you’re including cyber and whatever cyber war means, they thought there was a very high likelihood of that inevitability. Do you agree with that, and what would that look like?

John Carlin:

I agree with it, but I do think it’s something that we can positively impact, and it’s a good reason to talk about it now. And so, and part of that is I think China and the US have a vested interest in having some norms, some rules of the road on how you use these weapons that are incredibly powerful. And in order to set those rules of the road, you need to create clear norms, like things that are okay and are not, what are the red lines? Make sure that there’s not confusion, and then make sure that your deterrence is credible.

John Carlin:

So China right now has great capability to disrupt inside the US, and we have a great capability to disrupt their systems as well. I think what’s keeping it more in the realm of espionage and trade secret theft, rather than actually disrupting systems that we rely on, is deterrence and that understanding of where are red lines. One of the concerted efforts you saw in the Obama administration, that I think has fallen off somewhat, not because of… There are great cases being brought by the law enforcement and intelligence professionals, but there hasn’t been consistency at the top, in terms of the messaging to China on what’s most important.

John Carlin:

But one of the changes you saw attempt to be made in the Obama administration is to say, “Hey, trade secret theft, when you’re targeting private companies, we’re putting as a norm, we’re saying that is one of our red lines, that you can’t use your cyber capability instead of investing in research and development, to just steal intellectual property.” And then we did see a change of behavior when that breakthrough occurred with President Obama and President Xi, it was somewhat remarkable. I think we’ve fallen off that a little bit because it’s so conflated with all the other US-China trade issues, that there’s not a clear message on what’s different from trade and really, a national security issue.

Preet Bharara:

Putting China side, what are some of the other countries that you think are dangerous in this sphere that you’ll be talking about on the pod?

John Carlin:

Yeah. Top four are China, which we’ve talked about, Russia, North Korea, and Iran, and that’s been fairly consistent in terms of the assessment of the intelligence community for nearly a decade now.

Preet Bharara:

You and I discussed this once at a panel, where I think I was moderating, and… No, we were at the same conference, I don’t think we were on a panel together. And I remember asking someone, this was not long after the Sony hack that was perpetrated by the Government of North Korea, “Should we be surprised that North Korea is in the top four, given that as I understand it, they have all the processing power in that country?” I’m exaggerating, but “All the processing power of my laptop?” I mean, isn’t it otherwise digitally, very behind as a country?

John Carlin:

No, I think that’s fair, and it’s one thing, when North Korea did do the attack, for instance, on Sony Motion Pictures, some people said, “Well, why didn’t you attack them back through cyber means?” And I think that the old maxim, “You want to attack your enemy where you are strong, and they are weak,” and at that time, we were very digitally reliant, but you could knock all of North Korea offline, and they had fewer IP or internet protocol addresses than an average company does, so it wouldn’t mean much to knock them all offline, to your point.

Preet Bharara:

Right, so being a little bit behind digitally is in some ways, a measure of protection currently.

John Carlin:

That’s right, and they’re also, so the way that they’re conducting most of their attacks are not from folks inside of North Korea. What they’re doing, as they do with their schemes to develop their weapons of mass destruction, they have a network of agents outside of North Korea, and they use infrastructure, broadband and computers outside of North Korea to conduct their attacks. And it is a major part of their national security strategy right now, because when you look at our policy, which is to try to deprive currency from the regime, in order to change policy through sanctions, what they’ve decided is, “Okay, well, they may try to deprive us of legitimate banking, we are going to become the world’s largest bankrupter, and use our cyber capability to do things like wire transfer schemes,” where a bank thinks it’s transferring to one place, but they change the currency, and we see North Korea doing that all the time now. They also do the ransomware type scheme we discussed before, and so they’re extorting companies to get payment. And they’re really, it’s not tied to any particular political goal, they’re just doing it to raise money.

Preet Bharara:

The Sony hack case that you mentioned perpetrated by North Korea, was that the most interesting case you worked on when you were in government, in this area?

John Carlin:

Sadly, I’d say there’s a couple, and each country has a case that I found particularly interesting, of the four we discussed. So you have that North Korean attack on Sony, and then you have the Russian blended threat attack on Yahoo, where they took a guy who’s a crook, a legit crook, and so, no nation state motive on his part, and he would do things like hack and change the Yahoo search engine, so when you search for anything, you got redirected to an erectile dysfunction site, and then he just took a part of the cut. Yeah, not a national security emergency.

Preet Bharara:

Yeah.

John Carlin:

And he’d take a buck. But then you saw Russian operatives, and it was the same unit that we relied upon for cooperation with Russia, so he was one of our most wanted criminals. We went through the FBI to say, “Hey, can you help us arrest him?”, just like we’ve cooperated on other cases like child porn or terrorism, this has nothing to do with national security. And instead of helping us arrest him, they signed him up as an intelligence asset, and then they used his same type of crazy criminal schemes and allowed him to make a buck on them, but while he had access and stole things, like literally hundreds of millions of email addresses, in order to do a mass spam scheme, they used that same information for intelligence purposes, for things like surveillance before Ukraine.

John Carlin:

So that was a fascinating case as well, and then there was an Iranian attack on our financial sector where they essentially-

Preet Bharara:

Oh, I remember that case.

John Carlin:

Yeah, that’s-

Preet Bharara:

We did that. We worked on that together.

John Carlin:

Exactly. And then, and you remember in addition to the attack on the financial sector, which essentially they made hundreds of thousands of compromised computers into a cyber weapon of mass destruction, they also hacked the Bowman Dam in Rye, New York. I don’t know if we’ve ever talked about it, Preet. What’s your theory as to why they hit the Bowman Dam?

Preet Bharara:

I don’t have one, other than it seemed like it was an easier thing to do. I mean, they were trying their hand. I mean, I don’t mean to be a sort of dry run theorist, like we talked about at the beginning with the Twitter hack, but I think people, if you’re a general criminal and you’re going through a neighborhood, and you’re engaging in one kind of crime, robbing people’s houses, you think, “Well, there’s a car in the driveway. Maybe I should think about that,” and you kind of take a shot. I don’t know. What do you think?

John Carlin:

Yeah, I’ve had that theory of possibly dry run, and just to fill people in who aren’t tracking on it, so this was part of the same Iranian group that attacked our financial sector to try to knock online banking offline, so as a consumer, you couldn’t reach your bank. They also hacked into this dam in Westchester, in Rye, New York, and they accessed the sluice control system, so they’d be able to open and shut the dam, and flood the surrounding area. Now, as it so happens, the dam was down for maintenance, so it wasn’t working. But I think I remember Preet and I agreeing at the time, that our crumbling infrastructure should not be our first line of cyber defense.

Preet Bharara:

Right.

John Carlin:

But it’s not the biggest dam, so there were a lot of questions about, why would they hit that particular dam? And one theory is that there is another Bowman Dam that is of significant size, and because they don’t know America very well, and they’re operating offshore, that they hit the wrong Bowman Dam, but we never fully had an answer as to why they wanted to control there.

Preet Bharara:

No, we didn’t. Well, final question before I let you go, who’s going to play you in the movie?

John Carlin:

The thing about, okay, going back to the problem-

Preet Bharara:

Clearly, you’ve thought about this and you have an answer.

John Carlin:

No, no, no, no, no. But clearly, although I will say my nickname growing up for a while was Ferris, because of a movie that your listeners will also probably not be that familiar with anymore, Ferris Bueller’s Day Off, and Matthew Broderick was this big hacker guy that-

Preet Bharara:

I can see that.

John Carlin:

… [crosstalk 00:23:15] at the time, which is still a great movie.

Preet Bharara:

Oh, I see. Right.

John Carlin:

And influenced Ronald Reagan’s policy-

Preet Bharara:

Oh my God, that’s like back from 1983.

Ferris Bueller:

Hello. Are you still playing a game?

Speaker 5:

Of course. I should reach Defcon One and launch my missiles in 28 hours. Would you like to see some projected kill ratios?

Ferris Bueller:

69% of the housing destroyed, 72 million people dead? Is this a game, or is it real?

Speaker 5:

What’s the difference?

Ferris Bueller:

Oh wow.

John Carlin:

That was one of the one… It’s a big moment for cyber policy historians, because-

Preet Bharara:

And cyber fiction.

John Carlin:

… Ronald Reagan, seeing that movie, asked his team, “Hey, could this happen?” And then the answer turned out to be yes, and it was the first big initiative on cyber. So I don’t know if you knew that, but that was when the White House first-

Preet Bharara:

I didn’t know that.

John Carlin:

… Yeah, drive it. So, fiction can make a difference.

Preet Bharara:

But that’s a nice note to end on, because that’s the kind of thing that you’re going to be talking about on the Cyber Space podcast. I’m very excited about this, John. I think for a long time, there’s a lot of confusion and there are a lot of myths around the cyber threat, and a lot of people think, “It seems too complicated. It’s something for the IT people to care about, and I don’t really understand it,” and that’s just not true. There’s a lot of common sense, things that ordinary people can learn about it, and people who need to be able to protect their companies, and their homes, and their livelihoods, and their bank accounts. So I consider what you’re about to do to be a real great public service, so thanks for doing it, and I’m glad we’re working together again.

John Carlin:

Really looking forward to the opportunity. Thanks, Preet.

Preet Bharara:

I hope my conversation with John Carlin has piqued your interest in the fascinating world of cyber. As mentioned, for the first episode of Cyber Space, John speaks with Alex Stamos. Prior to serving as Facebook’s Chief Security Officer during Russia’s assault on our democracy, Stamos held that role at Yahoo, when the company experienced a series of cyber attacks from nation states, resulting in the breach of some billion user accounts. Stamos is now helping Zoom with its cybersecurity challenges, exacerbated by the company’s exponential growth during the pandemic. It’s a compelling discussion, and I hope you’ll check it out. You can do so for free by heading to cafe.com/cyber to sign up, and we’ll send you a link to listen. Again, that’s cafe.com/cyber.