John Carlin brings a wealth of government experience to his new book, co-written with author Garrett M. Graff, Dawn of the Code War: America’s Battle Against Russia, China, and the Rising Global Cyber Threat.
Part of that government experience includes serving as the former Assistant Attorney General for National Security, as well as the former Chief of Staff and Senior Counsel to former FBI Director Robert Mueller. Carlin also worked as a National Coordinator for DOJ's Computer Hacking and Intellectual Property Program (better known as CHIP), and before that he served as Assistant U.S. Attorney for the District of Columbia.
Under/Cover caught up with Carlin to talk about what he saw during his time in government that convinced him that the Code War is upon us.
In your book, you make pretty clear connections between cybercrime and terrorism that aren’t often talked about. Has there been anything that has surprised you since the book came out in terms of a reaction?
Carlin: One thing I’ve found since I’ve been out of government and I've been talking to clients, sophisticated clients, that include CEOs and Boards of Directors, is that the cases that we brought at the Justice Department that we thought had reached people's radar had not. And so, I am finding that people are finding it ‘news’, for instance, that a private company, a retailer that was entrusted to store people's personal information including their names, addresses, and the like, was not only used by criminal groups, but there was a case that was actually brought and made public where that group was exploited by one of the most notorious terrorists in the world.
It's the first time we saw someone charged with both the Computer Fraud and Abuse Act for computer hacking and providing material support to terrorists. The case saw an extremist from Kosovo who had moved to Malaysia to get better access to broadband, believe it or not. And then, along with another extremist, the two of them hacked into a retailer who was a publicly known and trusted name and stole a small amount of information. And when, like a lot of crooks these days, they were thrown out of the system, they sent an email saying, "Hey. Let us back on the system. We're mad that you threw us off. Oh, and we want $500 through BitCoin."
A lot of companies today are just paying the $500 to make the nuisance go away in cases like this, but if this company had done that and not worked with the government to bring the case to a proper resolution, we would never have found out that on the other end of this case was this extremist terrorist in Malaysia who had become friends with a hacker who lived in England named Junaid Hussain.
Hussain had been convicted for computer hacking, he got out of jail, become radicalized, and moved to Raqqa, Syria, where he began looking at the Islamic State. And he's at the tip of the spear of what we were seeing, because our systems were essentially blinking red when it came to terrorism.
And what we saw in a record number of cases were two things that were linked: One, in almost every case, there was a link to social media. Two, I think because of that social media link, was the age of the defendants. Over 60% were 25 or younger, and the most troubling statistic is that one third were 21 or younger. It's something we had not seen before. We had to do special training on how to handle juveniles in the court system.
Hussain was the architect who was so good at reaching those young, English-speaking kids in their basements, and he had become friends with the young hacker, Ferizi, in Malaysia through Twitter, through direct messaging. They didn't meet in the real world.
Along with some of Hussain’s disciples, they convinced Ferizi, the 21-year-old in Malaysia, to provide them the information that he had stolen from this trusted retailer inside the United States. And Junaid Hussain and the Islamic State wanted to do what the Islamic State was doing at the time, which was trying to murder Muslims and non-Muslims alike with impunity; they were using rape as a political tool, they were selling women and children into slavery.
And what they did, consistent with that group's ideology, is they turned that entrusted information into a kill list. They looked to see who might be a member of the military or police. And using Twitter, they pushed it back into the United States and said, "Kill these people, by name, by address, where they live."
Under/Cover: That's pretty terrifying. And you write about the case of Junaid Hussain, actually, it's the first chapter in your book, I'm assuming, for a reason. Was that because the story of Hussain was kind of the beginning of this evolution that got us where we are now?
Carlin: I think it shows different strands coming together where the threat was changing. On one hand, there was this social media-driven, part propaganda campaign, part recruiting campaign, that's driving terrorism. We later saw Russia and North Korea use similar tactics in cyberattacks, ranging from the attack on Sony to the attack on our electoral system.
So that's on the one hand. On the other hand, it involves straight-up computer hacking and the way that the threat is starting to blend between those who hack for criminal gain, for profit, versus nation states.
And there is a third part of the equation. You have social media and hacking in that blended threat. Then you start having that marry up with the strategic goals of our adversaries. The reason I could go into so much detail on the Hussain case is because Ferizi was arrested pursuant to U.S. process. Thanks to cooperation from the Malaysians, he was brought over to the eastern district of Virginia and was tried and sentenced to 20 years. And Hussain was killed outside the reach of law enforcement in a military strike that was acknowledged by Central Command. So, it shows you can take effective action.
Under/Cover: You detail so many fascinating cases based on your experience in government in this book. Is there one particular thing that stands out for you that if you had just that 60 or 90 seconds of someone's attention that you would just grab them by the collar and say, ‘This is what you need to know to open your eyes to the risks that are out there?’
Carlin: It’s this idea that there's no product you can buy, there's no person you can hire that can keep your system safe. Which means you need to understand what's on it, where it is, and whether or not you think that risk is acceptable, and you need to do it now. And one thing we found is that you can't predict the specifics of exactly how a hack is going to happen, but you can get that general muscle memory or thought pattern on how to respond.
John Carlin's book is Dawn of the Code War: America's Battle Against Russia, China and the Rising Global Cyber Threat.
This interview has been edited for length and clarity.
Read more from John Carlin here...
