January 3, 2019

Stay Tuned: Inside the Cyber War (with John Carlin)

John Carlin is a cybersecurity expert and chairs the Global Risk and Crisis Management practice group at Morrison Foerster. He previously served as the Assistant Attorney General for the National Security Division at the Department of Justice and as Chief of Staff to Robert Mueller at the FBI. He is the author of Dawn of the Code War: America’s Battle Against Russia, China, and the Rising Global Cyber Threat. Carlin speaks with Preet about his book, the U.S. response to cybercrime, China’s theft of intellectual property, and how America was unprepared for the attack on its values.

Plus, Preet’s thoughts on House Democratic committee investigations and the possibility of amending the U.S. Constitution.

Mentioned on this episode of Stay Tuned:

– To take the midroll survey

– John Carlin’s book Dawn of the Code War

– The 2014 DOJ indictment of the People’s Liberation Army

– The 2014 North Korea Sony Pictures hack and DOJ charges

– The 2014 Iranian hack on Sands Las Vegas Corporation

– The 2014 Yahoo data breach

– The 1998 Lockerbie bombing

– Preet’s 2012 NYT op-ed on cybercrime, Asleep at the Laptop

This interview was taped on 12/4/18.

Do you have a question for Preet? Tweet them to @PreetBharara with the hashtag #askpreet, email [email protected], or call 669-247-7338 and leave a voicemail.

Inside the Cyber War (with John Carlin)

Air date: 1/3/19

Preet Bharara:

John Carlin, great to have you on the show.

John Carlin:

Great to be on.

Preet Bharara:

We go back always. We should state on the record that, at least, I consider you to be a friend. I don’t know if you consider me to be your friend.

John Carlin:

Yeah. It’s nice to be talking to you on the phone. There’s not some crisis in the background.

Preet Bharara:

Yes, it’s kind of mellow now. You have had a lot of jobs. We’re going to get to various aspects of those jobs and how they relate to this book you’ve written, which is called Dawn of the Code War. I see what you did there. That’s a play.

John Carlin:

[crosstalk 00:13:50], did you?

Preet Bharara:

No, it’s very clever. Did you come up with that?

John Carlin:

Yeah, we were trying to-

Preet Bharara:

“We?”

John Carlin:

I’m used to saying “we” in all contexts. Writing a book’s been a little different and I’m trying to use the word “I” on occasion and ignore the training that Mueller gave me. There is no “I” in government work.

Preet Bharara:

In team. There’s no “I” in “team.” That’s how I think the phrase goes. It’s called Dawn of the Code War. The subtitle is America’s Battle Against Russia, China, and the Rising Global Cyber Threat. Congratulations on the book. It has more pages than the book I just wrote. Congratulations on that, also. You didn’t get paid by the word, did you?

John Carlin:

No. A lot of ground to cover, though. As you know, having seen many of these firsthand incredible stories, one thing I’ve realized, particularly being out of government and talking to people in the private sector, is how few people know about cases that they think are science fiction and things that nation states or terrorists might do that have already happened.

Preet Bharara:

Let’s talk about some of these things. Maybe, let’s go back to the premise of the title of the book, kidding aside. Dawn of the Code War, I’m guessing, from having looked at the book, is to play on the Cold War. How are those things similar?

John Carlin:

We’re not in an armed conflict, a traditional armed conflict, or even one recognized under international law. We are experiencing low-intensity conflict day in, day out that’s causing real harm to real victims. Just like the Cold War, it’s going to require concerted leadership across the western world, and particularly, from America, to confront our adversaries in a war that’s going to require both winning the battle on whose values should prevail. Also, spending the resources, technically, and otherwise, to ensure that our businesses, our society is safe from what is already day to day combat that’s occurring.

Preet Bharara:

When you’re comparing the Cold War to the cyber threat, which we talk about as the Code War, is a part of what’s happening now also an arms race like there was in the Cold War?

John Carlin:

It’s not directly analogous, but there are some lessons that you can apply. Parts of the Cold War, there are types of technology that we need to win. I think about 5G, for instance. This is the new way that our cities, our cars, our drones, and the Internet of Things is going to be able to connect, is going to be based on this wireless standard of 5G. Who controls that standard, what values lie behind it are going to be critical to our safety going forward.

Preet Bharara:

I want to talk a little bit about how we got to this point, not just how we got to the point where there were sort of outright cyber-attacks that nation states are sponsoring against the United States and other countries against each other, but relatedly, how we got to the point where people at the top of government care so much about this.

Preet Bharara:

I don’t know what your experience has been, both at the FBI and then at the Department of Justice. When I began as a US Attorney, and you and I have spent a lot of time talking about cyber and overseeing cyber cases, though, when I began in August of 2009, the level of attention that our government was paying to the cyber threat was, I think, beginning to increase. It wasn’t that high.

Preet Bharara:

My recollection is that in New York, there was only one squad of the FBI that was focused on cyber. You had a lot of squads that were focused on the Cosa Nostra Italian organized crime. Then, over the course of the next five, six, seven years, in our office, we went from sort of one person who’s expert on all this stuff to having more than 10. The cyber squads began to proliferate at the FBI, both in New York and around the country. Lots of other US Attorney’s offices gained expertise in this. You started having people as high up as the treasury secretary who usually didn’t get involved in these things. Not just the FBI Director and also the President of the United States talking about cyber. Explain how you think the government’s response has changed over time and how aware we are of the threat, even if we’re not fully prepared for it.

John Carlin:

I was a line prosecutor doing computer hacking and intellectual property cases and specializing in them. It’s late of, say, 2006 going into 2007, I would work with a squad at the FBI. I worked with the criminal squad. There was a lot to do on the criminal side of the house. There was another squad, an intelligence squad, that was behind a locked, secured compartment door. I had no idea what was going on behind that door. Occasionally, one of the agents would switch squads. They just disappeared, never to be seen again, no clue what they were up to.

Preet Bharara:

They didn’t give you a key to that door?

John Carlin:

No key for me. Actually, I’m trying to remember. I think it required a handprint and a code, neither of which my hand did not work, and I did not have the code.

Preet Bharara:

That changed, eventually.

John Carlin:

It did change eventually. After being on the line, I ended up coordinating the program nationally in ’07 and I still did not have access to that door. It wasn’t really until I went over to the then director of the FBI, Bob Mueller, when he was relatively anonymous compared to his current gig, that the door opened and I was given access to what was going on in the intelligence side of the house.

John Carlin:

There was a secured facility where we could watch on a jumbotron screen in real time. They’d set up a visual so you could see China going into places, like universities hopping from the universities into American companies. Then, we were literally watching a visual representation of billions of dollars worth of trade secrets, intellectual property, flowing outside of the United States. I think that’s what caused the former director of the National Security Agency at the time, Keith Alexander to call it the largest transfer of wealth in human history.

John Carlin:

I think you’re right. When you came on in 2009, the change was starting to take place, but to say, “Hey, if this is what we’re seeing on the intelligence side, we got to start being able to talk about this publicly.” It wasn’t until, I think ’11 going into 2012, that as a public official, we were allowed to say that China was committing economic espionage through cyber-enabled means on this vast scale, so people could understand the urgency of the threat that we were facing.

Preet Bharara:

Can I push you on that for a second? I remember thinking in 2009 and ’10 that we weren’t talking as much about China as we should. I get that part of that was a function of some of this being on the other side of the wall, the classified wall. It seems to me that a lot of people who were in business and in industry knew that the Chinese were stealing intellectual property. There were political reasons why people may not have wanted to blame the Chinese, and also, financial reasons.

Preet Bharara:

Somebody once said to me about CEOs who decided to do business in China that they understood. You go to China and you open up some kind of plant and you could make $4 billion, let’s say, hypothetically, from this new business you’ve started in China, and you knew that the Chinese were engaging in, as part of their great transfer of wealth to themselves, intellectual property theft to a huge degree. They were taking, maybe, siphoning off in terms of value, $2 billion. You would think that someone would get very mad about that. You know what? They’re still making $2 billion. It seemed to me that there was not a lot of will to call out the Chinese, not just that some of it was behind that wall.

John Carlin:

One of the stories that I tell in the book was going to meet with General Counsel with exactly that point of view. They were actually somewhat frustrated by it. They had actually done a study that showed. They projected out. They’re a well-run company. They projected out here’s the period of time we’re going to remain in the black in China, so we’re going to be making profits.

John Carlin:

We can foresee 5 to 10 years out, there’s going to be a total flip. We’ll be way in the red. Because they’ve stolen our intellectual property and we’ll be able to produce this in country, that it’s going to devastate our business into the future. Right now, we don’t want you to take any action. It was one of the more frustrating conversations I had as a government official.

Preet Bharara:

It was like a short-term profit thing.

John Carlin:

Yeah. I do think it’s linked, just to go back to what we were keeping private, they knew there was a risk. What they weren’t seeing was the Chinese government-driven strategy, where tactically part of that strategy was stealing this intellectual property or trade secrets.

John Carlin:

Their long-term plan, and now people refer to it as the Made in China 2025 Plan, which is public, was not to continue to do business competitively with companies overseas. It was to create the capacity in-house and then crush every other company in the world, so that there was no competition.

Preet Bharara:

We’ve been talking a little bit abstractly. Give us an example or two, if you can, of what the Chinese would do and what the consequence was in a concrete way.

John Carlin:

As we were doing this transformation in government, we opened the door, we watched that great intelligence feed of the information flowing out, then, we’ve decided that this can’t stand, what can we do to change it? That led to the first case of its kind, the indictment of five members of the People’s Liberation Army.

John Carlin:

This was a specialized unit, Unit 61398. Their day job when they went off, put on their uniform, and went to work as a uniformed member of the army, was to hack into the private competitors of Chinese companies overseas. We saw things like Westinghouse was about to do a joint venture with a Chinese company. The night before, they were going to lease a lead pipe. We watched these Chinese members of the military go in and steal the technical design specifications for the pipe, so the next day they don’t need to pay.

John Carlin:

To use another example, this was a US subsidiary of a German multinational company, a solar company, Solar World. What the Chinese military did here was they went into the email. That’s the least protected part of the system, usually, right? It’s not like the intellectual property, which might be encrypted, or you take other special measures to protect. It’s just general email traffic. They stole the email traffic to figure out exactly what the price point would be to cause the most harm. Then, they price dumped. They placed their product right below the price point that they knew would cause the most pain. It worked. They forced that solar company into bankruptcy.

John Carlin:

Then, as lawyers, to add insult to injury, when that company sued for unfair trade practices, they stole the whole litigation strategy, too. This is why we did the novel approach of bringing a case, even though they were uniformed members of another military, because this was not traditional national security secrets. This was just theft, pure and simple.

John Carlin:

It reminds me of another case, just giving details, where this wasn’t cyber enabled espionage. This involved an insider. They literally stole this formula for titanium dioxide, which sounds fancy. Actually, it was the formula for the color white, including the color white in the middle of an Oreo cookie. As much as I like the Oreo cookie, that is not a state secret or national security. When we say they were stealing everything, I mean, literally, they were stealing the color white.

Preet Bharara:

A question that listeners might have as you’re hearing these dramatic stories, if you were watching this in real time, how come we couldn’t stop it?

John Carlin:

I think for a long period of time, there was an assumption that you could treat this like a traditional spy versus spy issue. You brought some of these cases when you were a US Attorney. When it came to the Cold War, rather than the Code War, the strategy was often to watch espionage agents, to watch spies inside the United States for years and years and years without disrupting.

John Carlin:

The idea with this was relatively small scale and sophisticated, you could watch the spies operate. Then, like you did in the case of the Russian illegals, eventually, you could disrupt. In the interim, you’d learn about how they operate and you could feed them false information. That was partly the mindset behind how we were observing nation-state cyber activity.

John Carlin:

The problem is just it was so large and on such a scale that it was causing real damage to real victims. Now, it wasn’t traditional intelligence collection. You can, in some instances, and I think there has been a change of approach, get out and proactively warn companies, so they can take immediate measures to stop this activity while it’s occurring.

John Carlin:

There’s a real loss. You’ll hear from Intel specialists now that their lives are more difficult because we’ve made public some of the tradecraft of our adversaries, which means our adversaries overseas are getting better at what they do. I just think the benefits outweigh the losses there, because the fact that they have to improve their tradecraft means fewer companies are getting hit. Sometimes, I think about, imagine what our own services could do, like the National Security Agency, if they didn’t have to care at all about getting caught.

Preet Bharara:

Two questions related to each other. One is, shouldn’t we be angrier about China? Two, is China the worst transgressor in the cyber area? I remember a study. You might recall the details better. That was brought into my office by my chief cyber person. That attempted to track sort of all the nefarious cyber activity happening at any given time in the world. There was a dip in the nefarious cyber activity on a particular day. It was a very significant dip. I remember the percentage, but 30% or 40% less on a particular day. It turned out that was a Chinese national holiday. It doesn’t take rocket science to do that graph. Are the Chinese the worst?

John Carlin:

Backing up, because you reminded me of another part of that case that we brought, the first case against the People’s Liberation Army, was we put an attachment on that case that showed this was activity that peaked around 9:00 a.m., stayed high from 9:00 a.m. to noon. Apparently, they take a lunch break, because it decreased slightly from 12:00 to 1:00 Beijing time. It increased again from 1:00 to 6:00, decreased overnight and on Chinese holidays.

John Carlin:

I think both of us, as former prosecutors, will call that great circumstantial evidence as to who did it. It also shows, again, that this was the day job of the second largest military in the world. There’s no way private companies are going to be able to defend themselves against that type of resources. We shouldn’t blame them when they successfully get into a private company. Instead, it’s got to be the responsibility of the government to try to send a strong message that that’s not an acceptable way to use your military or intelligence.

Preet Bharara:

The Chinese are the worst?

John Carlin:

I don’t think the Chinese are the worst, though. It kind of depends on how you describe it. We talk about four major adversaries in cyberspace: Russia, North Korea, Iran, and China. They all have different attributes. When it comes to economic espionage and intellectual property theft, by volume and capability, I would say China is the worst or does the most economic damage.

Preet Bharara:

Would you say that they’re, with respect to economic damage, the worst by far?

John Carlin:

Worst in terms of theft of intellectual property that could be used by viable companies against you. That threat is really a Chinese threat. An actor like Russia has been doing things that cause indiscriminate damage to companies. It’s not giving them financial gain. It’s just causing harm. I think of a threat like the ransom worm NotPetya that was unleashed against Ukraine, and then spread all around the world, causing $500 million worth of damage to Maersk shipping alone, $300 million worth of damage to FedEx and other companies around the world.

John Carlin:

That type of disruptive activity could have been even worse, and in some ways, is a greater immediate threat, because both with Russia and North Korea who unleashed a similar ransom worm called WannaCry, they seem to not care about causing indiscriminate damage; whereas, China is trying to steal strategically, but ultimately, compete in the same economic system.

Preet Bharara:

They’re being utilitarian and they’re trying to help their own companies. One more question about China before we move on to these other countries. How much concern should average consumers have, severing apart from the big corporate concerns? If there are Chinese manufacturers who are involved in the making of any product, particularly, electronic products, that they are doing nefarious things in the supply chain there by putting in backdoors so they can steal information, into recording devices and surveillance type techniques, into products that people have in their homes on a regular basis? Is that outlandish or is that happening?

John Carlin:

No. It’s not outlandish. I think it is happening. You’ve seen it as a top concern of government officials now, that supply chain is being corrupted. Now, that said, there’s no Internet connected system that’s safe from a dedicated adversary who wants to get in. The technology just doesn’t exist in government or in the private sector. When you’re determining how much of a threat there is against you, it’s how much does anyone care about you.

John Carlin:

I’d be more worried about the very sophisticated, organized criminal enterprises that have risen up. That’s where we’re seeing people’s home devices get compromised, sometimes, from things ranging from using webcams to taking naked pictures for extortion, to using all of your devices to simultaneously send a request for information all at the same time, something called a botnet, an army of compromised computers. Because the site gets so much information at the same time, it crashes.

John Carlin:

That was something we’ve already seen in something called the Mirai botnet that actually took part of the Internet down and turned out not to be a nefarious nation state overseas or even a criminal group, but some knuckleheaded kids out in Canada that were mad at other people that they did their video games with.

Preet Bharara:

Can we talk about North Korea before we get to Russia? The reason I like to talk about North Korea, and you and I, I think, have talked about. It wasn’t my case. It was done out of the Central District of California, ultimately. The famous Sony Hack, where North Koreans were mad about a particular movie, broke into the Sony system, their computer system and revealed emails that were sort of embarrassing.

Preet Bharara:

It was not the crime of the century in the sense that hundreds of millions or billions of dollars of intellectual property was stolen, like we’ve been talking about with the Chinese. It wasn’t the taking over of a hydroelectric dam that seems also possible in the current climate, or the stealing of people’s money in their bank accounts, which is a terrible thing. It was kind of an embarrassment.

Preet Bharara:

I have a couple of questions about that. One is why was that such a huge deal in America? I have a theory about it. Then, second, what does it mean that a country that is trying to develop nuclear weapons doesn’t have them yet? Otherwise, as I understand it from various experts, the total computing power, I’m exaggerating here, of all sort of computers in North Korea is the sum total of a Commodore VIC-20 from years ago. We can overstate their technological abilities.

Preet Bharara:

Theirs are, from, again, what I understand from my time in office and otherwise, about their abilities are pretty low. They were able to cause an entire huge multinational company great pain and panic. Then, cause people in this country to be very worried about cyber intrusions, because it’s the entertainment industry. It’s not the making of devices. I think it upset people for a particular reason. What do you think about all that?

John Carlin:

First, I always think and you and I participated in some, but we war gamed out for years what it would look like if a rogue nation state overseas tried to attack the United States through cyber means. We all got it wrong. We never thought it would be about a movie about a bunch of pot smokers.

Preet Bharara:

I actually predicted that.

John Carlin:

You did? Wow. Sure.

Preet Bharara:

Yeah. I didn’t tell anybody. I didn’t tell anybody about it.

John Carlin:

[crosstalk 00:34:16]

Preet Bharara:

They can’t prove it now.

John Carlin:

It’s the only time in my career I had to go over to the Situation Room and brief the President of the United States and start the briefing by trying to give a plot summary of the movie.

Preet Bharara:

Did you see the movie before the hack happened?

John Carlin:

No. I saw it because of the hack. It was one year. Every morning, we go to meet with the Attorney General and the FBI Director to go over the most serious threats of the day. Suddenly, we had this threat coming from a movie. We all did kind of watch it right over the Christmas holiday.

Preet Bharara:

Can you remind people the movie?

John Carlin:

It’s called The Interview and it’s about a bunch of pot smoking reporters who get involved in an assassination attempt on the leader of North Korea. The leader of North Korea was not amused by the plot of that movie.

Preet Bharara:

Yeah. I’m sure he tried to do something more damaging than even the hack. What did you learn in overseeing the response there?

John Carlin:

One thing I find interesting now, when I talk to audiences all across the country and ask what was the first major destructive attack, almost everyone says, “Sony,” which I think is instructive because it was not the first destructive attack by foreign actors overseas.

John Carlin:

We had already seen Iranian attacks, denial of service attacks against our financial sector. We had seen Iran unleash malware that essentially turned computers into bricks at the Sands Casino because they didn’t like provocative things that the head of Sands Casino, Sheldon Adelson, said, something about dropping a nuclear bomb on Iran and creating a huge dust cloud. They were not amused.

John Carlin:

Again, we weren’t expecting attacks on our gaming sector, right? We always thought that we had to worry about things like dams and the electrical grid or the finance system. No one remembers that hack. Sony had three parts to it. One, it was just a destructive attack using malware that turned computers into bricks. That did cause real harm and fear among the employees at the company.

Preet Bharara:

When you start turning computers into bricks, you just mean rendering them useless.

John Carlin:

Absolutely useless. That’s right. It’s a type of malware that basically wipes the operating system of the computer. You have the physical box, but it doesn’t work. They did that. The second thing they did was steal intellectual property, right, and a rather large amount of intellectual property. Again, it’s something that people usually do worry about in this space, but not why people remember the Sony hack.

John Carlin:

What worked so effectively in the Sony hack, and the reason people remember it, was the easiest thing to do to your question in terms of capability, which was break into an email system just like China did with Solar World to get pricing information. Here, they just took emails, looked for what was salacious, some good rumors, some good Hollywood gossip. Then, they used non-traditional sites to push that information out.

John Carlin:

Then, they watched, ironically, because this was an attack that was all about being opposed, essentially, to the First Amendment and trying to stop a movie because you don’t like its content. Ironically, the press, the mainstream media did the damage for the North Korean regime by running endless stories about those emails. That’s what caused the biggest harm to the brand of Sony. That’s what they had to recover from. That’s why people remember the hack.

John Carlin:

I think there’s a couple of things you can learn from it. One is, and I wish we’d learned this lesson better, but that’s the exact tradecraft we see the Russians use in the election in 2016, where it’s that weaponizing of information using attacks that aren’t against critical infrastructure, but are attacks on a core value in 2016. It’s on our democracy here. It was on the First Amendment and the right to free speech, but to attack a core value.

John Carlin:

Second and linked to that, almost all of our laws, our regulations, the way we were thinking about our response plan, hinge around stuff. We defined critical infrastructure and we did it around, importantly, I’m not saying we should drop this, but around our financial sector, around the electrical grid. What we didn’t focus on was attacks that are on our fundamental values, what it is to be an American, like free speech or our electoral system. I think you’re seeing a change now, but what we need to continue to accelerate to protect our values.

Preet Bharara:

You mentioned the Russian hacks. How concerned should we be about Russian cyber-attacks, in particular, interference in the election in ways that are beyond what we believed to have happened in 2016?

John Carlin:

What about Russia now is the election attacks are one symptom of it. There, you see a regime that fundamentally fears democracy attacking and trying to undermine confidence, not just in our electoral system, but also that Russia is increasingly a rogue nation when it comes to cyber.

John Carlin:

We talked about NotPetya earlier. Unleashing essentially cyber weapons of mass destruction, without concern about who they may harm, just like they were poisoning people on the streets of the United Kingdom is the cyber equivalent. Also, they increasingly are blended with these criminal enterprises that are so sophisticated that they could really be a Fortune 500 company that are dedicated to nothing but stealing information from people and companies all across the world.

John Carlin:

Then, they have a really sophisticated back end where they sell that which they steal. We’re talking about really brazen groups. One case discussed in the book is In Fraud We Trust. That was the actual motto of something that sounds like it’s a meeting of the crime families, but it’s all occurring online. Some of the world’s worst crooks had an internal site where they all shared information on how to be a better crook.

John Carlin:

When you see takedowns, great work by US Attorney’s offices with partners across the world, you catch people in almost every country. In Russia, they won’t cooperate at all. They allow these people to act without impunity. If that continues, we’re going to continue to see just devastating financial losses from crime.

John Carlin:

Not only are they shielding them, and this story sticks in my craw, but the Yahoo case where over 500 million or so email accounts were compromised. That’s a case where one of the defendants was on our most wanted list on the FBI, most wanted list as a cybercriminal.

John Carlin:

We asked for Russian cooperation to lock them up after he escaped after being arrested and fled to Russia. Not only did they not cooperate on someone whose job was stealing credit card numbers, they signed him up as an intelligence asset after being asked to cooperate and test them.

Preet Bharara:

We’ve had all these cyberattacks. Something that always seemed odd to me, even though there was a lot of consternation about the Sony hack and all sorts of others, theft of documents and personal information like the ones you’ve described, others that we haven’t gotten to, it still is not the case that the public fully freaks out. Do you know what I mean?

John Carlin:

Absolutely, yeah.

Preet Bharara:

You’ll hear the story, a gazillion government employees’ information packets have been stolen through cyber. Everyone gets sort of very upset. Occasionally, a CEO will lose his or her job. That’s more recent and hasn’t happened too frequently. People like you and I, when we were in office, and you still, and me to a lesser degree, worry about it, scream about it. Politicians talk about it now. There are all these defenses that are being set up. It doesn’t really create the kind of wave of panic that might lead to better legislation or better protection that you might expect.

John Carlin:

Hell, I have a couple of different theories. One, in this time of year, I’m always thinking about them because it’s around the anniversary of the worst terrorist attack at the time. It was called the Lockerbie bombing, the bombing of Pan Am 103. When I went to the memorial service, it was the 25th.

John Carlin:

I remember, there were the architects of a report on aviation security that came out after that bombing and before September 11th that said, “Here’s what we can learn. Here’s ways to make our airlines safer.” Almost all of those suggestions were adopted after September 11th, almost immediately, but not before. Even though we’d seen people die because of some of these security vulnerabilities. It was devastating to listen to them when you’re at the memorial service.

John Carlin:

I think about it all the time in terms of cyber. Is there a way we can learn from that? Is there some way we can do a better job of getting people’s attention now to take the necessary reforms before we see something of that type of devastating consequence? This is a vital moment to act because, when you think about it over a 30-some-year period, we moved almost everything we value from analog space, books and papers, to digital and connected it through this medium that was never secure.

John Carlin:

As you pointed out earlier, for years, CEOs and government weren’t really taking seriously or assessing the risks of making that move. That’s one thing that we’re playing catch up now. We’re about to connect the things that will cause immediate life and death consequences. That ranges from the pacemakers in people’s hearts where we literally have already designed, developed, and placed pacemakers in people’s hearts without testing to see that they were secure by design. Then, afterwards, we realize an 11-year-old using publicly available software can hack and kill. Then, they rolled out a patch.

John Carlin:

At this point, over 70%, 80% of cars on the road are already computers on wheels. We’ve already had an instance where an enterprising reporter with a hacker showed you could get in through the entertainment system, take over the braking and steering system. That led to the recall of 1.4 million already deployed cars on the road. We have to figure out a way to ring that bell now.

John Carlin:

People think it’s science fiction, attacks that have already happened. We have to do a better job of showing what the harm is now. That’s one. Two, and I’m no good at this, so let me warn your listeners. You have a better example. I met this guy. He’s a reporter in this space. He told me he was the fingers. If you ever see the individuals on CNN and they talk about a hacking case, they always show a mysterious set of fingers on the keyboard.

Preet Bharara:

On the keyboard, yes.

John Carlin:

It was his fingers. It was a decade later and they still were using that. He was doing a different job, but it was still his fingers. It’s harder for people to, I think, see the concrete harm now, because it’s hard to visualize.

Preet Bharara:

Part of the problem, my theory is, that to the extent there needs to be a congressional response, legislative response. I worked in the Senate. They’re very diplomatic and no one likes to say bad things about people. Our Congress is changing a little bit. It’s pretty old and pretty out of touch with technology.

Preet Bharara:

Lindsey Graham, among other people, it’s kind of cute, I guess, when he jokes about how he’s never sent an email, which he now jokes, I think, and says he was ahead of his time so he can’t be hacked.

Preet Bharara:

How are our Senators and members of the House supposed to deal with complicated sophisticated cyber issues when they don’t have even personal experience, many of them, doing basic things, like using Google and sending emails? I’m not exaggerating there.

John Carlin:

It’s a real issue. You saw it come up in some of the hearings last year. I think you’re talking about the Senate and the House. I’ve also seen the same issue with boardrooms, Boards of Directors. You need to get familiar with the technology as well. It’s a larger issue. I think you saw it firsthand.

John Carlin:

I remember after the OPM Hack, three times, the President tried to convene the cabinet to discuss it. In the first two times, the Attorney General sent me and the Chief Information Officer as the tech experts. The third time, Lisa Monaco was the Homeland Security Advisor at that time and the Chief of Staff, Denis McDonough, had to send us a stern email that said, “Listen, you can bring whoever you want, but you have to come to this meeting, because as the Cabinet Secretary, you’re ultimately responsible. This isn’t a technical issue. This is a policy call about what type of risk that you want to accept. You need to understand it well enough to make that policy call.” For a while, I think it was the ghetto of the geeks, so that people were too afraid to talk about it.

Preet Bharara:

Is that your next book title, Ghetto of the Geek? Look, I talk about this a lot. I wrote one op-ed in the first couple of years in office, where I talked about this issue from the corporate side, that it’s not just Congress. The members of the C suites thought that any cyber threat, that was something for the geeks, that was something for the sort of IT people. They didn’t think of it, as you say, in government, it’s a matter of policy.

Preet Bharara:

For companies, it’s a matter of corporate governance. It’s a matter of risk in the same way that competition is risk, in the same way that regulation is risk, in the same way, depending on the kind of company you run, climate change may be, and other things may be.

Preet Bharara:

In part out of ignorance or fear of trying to understand complicated things, they were leaving it to people way down on the food chain, who even if they were sounding the alarm, nobody cared because it wasn’t the CEO. Then, the second problem from a spending perspective is, this is changing a little bit, no company likes to spend a lot of money on something that is no profit center.

Preet Bharara:

They were not prepared to invest in things that would make them less vulnerable, literally, to existential threats. Some companies have gone out of business because of it.

John Carlin:

One of the first big government reviews as to how safe our military was against cyber-attack was because President Reagan saw the movie, WarGames. Then, he went and asked, “Can this happen here?” They went, they looked, they studied, and the answer was, “Yes, it could,” which caused really the first major push in government.

John Carlin:

Then, secondly, the word “cyber” itself comes from a science fiction book. The whole way we talk about it was because William Gibson imagined when he saw a bunch of kids playing in an arcade and he watched the way their eyes were on the screen. This was in the ’80s. It just seemed they were entirely living in the world.

John Carlin:

He thought, “This is really a new type of space, cyberspace, where they’re living.” Then, he envisioned a world where we became more dependent on it and disrupting that will cause real harm. The ability to tell these stories in a convincing way that cuts across lines, I think, will be key to solving them.

John Carlin:

I do think the message is starting to resonate, at least, in C suites that this isn’t a more traditional area of risk management. Although, it’s still very new. A lot of them revolve around the privacy of information. What I’m worried about increasingly, that’s still an issue, but it’s not so much that people steal your credit card information or social security number for one thing they already have.

John Carlin:

I’m worried about the integrity of data, so that when the financial information where we rely on gets changed, that would have devastating effects. I’m worried about the actual disruptive attacks that end the ability of a business to function, like what almost happened and did happen for a period of time when NotPetya hit large multinational companies.

Preet Bharara:

John Carlin, thank you for your work. Thank you for your service. Congratulations on your book. Everyone should go buy it. It’s Dawn of the Code War, not Cold War. Code War. Thanks for being on the show, sir.

John Carlin:

Thank you.
