
Transcript: Combatting Emerging National Security Threats


  • John P. Carlin, Assistant Attorney General For National Security, Department of Justice
  • Juan Zarate, Former Deputy National Security Advisor For Combatting Terrorism

DUBOWITZ:  And now I'd like to invite up the Chairman and the Senior Counselor of FDD Center on Sanctions and Illicit Finance, my -- my colleague and dear friend, Juan Zarate, who's going to introduce our next session with Assistant Attorney General John Carlin.  Thank you.


ZARATE:  Good morning everybody.  Mark, thank you very much for the introduction.  Hope everyone's doing well.  What a fascinating morning, what a great day that FDD has put together at the forum.

Welcome, my name is Juan Zarate, as Mark mentioned I'm the Chairman for the Center on Sanctions and Illicit Finance which FDD established over a year and a half ago to look at the issues of sanctions, financial power and economic influence in national security.

But I'm up here and honored to be moderating a discussion with one of the country's great patriots, a good friend of mine, but also somebody who is at the center of the storm of the key national security issues and cutting edge challenges that the United States now faces in a globalized inter-connected environment.

John Carlin is the Assistant Attorney General at the Justice Department for National Security.  He runs the National Security Division.  That means he's in charge of everything related to international and domestic terrorism. 

Anything and everything related to cyber and cyber security, issues related to espionage.  Issues like sanctions enforcement and export controls.  Anything that you can think of that matters to the U.S. government and our national security, John Carlin deals with it.

And he deals with it with great professionalism and with great aggressiveness.  So we are honored to have John here today, welcome John.

CARLIN:  Thank you Juan.

ZARATE:  Let's welcome John.


Our session is called Combating Emerging National Security Threats.  And again there's nobody better to talk about these issues than John.  And to talk about the intersection of law enforcement and national security.  Because John, if you read his press releases he's literally putting out important and precedent setting cases every day for the country.

So John let's talk a little about your experience and, and what you're focusing on.  And in recent days including just yesterday if I'm not mistaken, you've given speeches and put out a number of cases related to cyber security.

Cyber security of course involves not just low end cyber fraud and identity theft, but high end cyber espionage, hacking and even potential cyber disruption to our national economy and national systems.

Can you talk to us a little bit about the cases that you've seen and I do want to then talk a little bit about some of the specific cases, for example the one that you brought against the six PLA, the Chinese Officers for hacking.

CARLIN:  Yes and, and thank you Juan.

So the National Security Division is the first new litigating division created at the Department of Justice in about 50 years.  And we were created as one of the September 11th reforms and the idea was simple. 

That we had failed to effectively share information across the law enforcement and intelligence divide prior to September 11th.  That was partly responsible for the loss of so many lives and it was a mistake that we could not repeat. 

So in addition to certain legal reforms, there was also a recommendation that culturally, that all of the lawyers who handle national security matters should sit together under one roof.  That is those that do terrorism prosecutions, espionage and export prosecutions, the lawyers that do the intelligence work and provide advice to Treasury Department.

But to also all of the elements of the intelligence community, and the lawyers that appear before the Foreign Intelligence Surveillance Court.  And the lawyers that review certain transactions for national security risk.  For instance, through the Committee on Foreign Investment inside the United States.

That we should all sit together under one roof.  Prior to that there had been four chains.  And that there should be one Assistant Attorney General whose job it was to look across the spectrum of threat to preserve our national security. 

And that meant being intelligence led.  In other words, our mantra should be what is the intelligence show us that the threat looks like.  Then threat focused.  And that success was not a criminal prosecution for instance after a terrorist attack has occurred, that might be necessary. 

But success was using that intelligence to show what the threat was and then using every available legal tool to make it hard for the threat actor, the terrorist to do what they want to do.  So that might mean prosecution.  It might mean the use of Treasury Department sanctions authority. 

It might be using the Commerce Department's authority to designate an entity as one whose contrary exporting to them is contrary to the national security interests of the United States.  It might mean supporting military action.  Tool agnostic, we should just look across the codebook and see what works best.

Which is a little prelude is to how we're tackling cyber.  So I think when Juan and I had an opportunity to work together in the prior administration was over his Chief of Staff to Director Mueller at FBI.  We got very good at applying this model against terrorists' threats.  And obviously it's still a very complicated environment there.

But, as we started looking at what we're doing against national security cyber threats, that is threats posed by nation states or terrorist groups.  Was over at FBI we got very good at merging the intelligence to see what the threat was.  And for instance, there was a Jumbotron screen that was set up and you could watch in real time as intrusions took place.

You'd watch the hacker jump in to say a university.  You'd watch them then jump to a company or hop to a company.  And then you'd watch data be exfiltrated out of the United States.

And you, you could see on the map that this was happening hundreds of times a day, all across the country and we were losing billions of dollars being exfiltrated out of the country.

So it was remarkable to be able to get the intel picture, to see it.  But it was horrifying.  And so, the idea that we could just watch it, that it was an intelligence problem like other intelligence problems, we realized that's not sufficient.  We gotta get in there and disrupt.

And so when we came back to the Justice Department National Security Division one of our priorities was are we applying the same approach that we've applied against the terrorist threat, against these national security cyber actors.  And the truth was at first we were not. 

So what we weren't doing at its very basic for instance, was we hadn't trained prosecutors across the country to handle the national security cyber threats.  So when I was a prosecutor doing the criminal side I worked with a squad at the FBI, we did computer hacking cases and there was an intel squad, they were behind a locked, sealed secure compartmented facility.

And I never went on the other side of that door.  And it's not like I was banging to get in on, on the door cause as most of you know in the space there's plenty to do on the criminal side.  But we realized no one was going in on the other side of that door.  So we re-trained hundreds of prosecutors across the country towards the end of 2012. 

And at the same time in the beginning of 2013 the FBI issued an edict to the field.  It said thou shalt share what was formerly only on the intelligence side of the house, with these new specially trained cadre of prosecutors, to see where we can do disruptions and how we can creatively use legal tools.

So a pretty new approach started in 2013 and it was that new approach that led to some of these cases.

ZARATE:  So you in essence literally broke down the wall between intelligence and law enforcement on the cyber side the way that we did on terrorism, right?

CARLIN:  That's exactly or at least opened --

ZARATE:  Opened the door, yeah.

CARLIN:  door, opened the door on the wall.  But and -- and the -- so that led to the first of its kind case that you referenced.  The indictment of the five members of the People's Liberation Army, Unit 613 --

ZARATE:  I said six I'm sorry.

CARLIN:  You added one.  Unit 61398.  And so to describe a little bit who that unit is and why we brought that case.

So the activities that we laid out, and these are allegations and they have a right to defend themselves in a court of law and I look forward to the day that they choose to come and do that.


ZARATE:  This is an open forum you're welcome to come to the United States where there's jurisdiction.

CARLIN:  Welcome to come.  Yes.  So what we laid out in that case is that what they were taking, these were not national security secrets this is the same type of theft that we prosecuted in every other area.  They were targeting every sector of our economy from nuclear to solar to steel, management side to labor. 

I mean one thing is they brought everyone together as, as victims.  And so what they were taking to give some examples is for instance, there'd be a company doing a joint venture with China.

And right as they were going to lease a lead pipe that they had put all this research and development into designing, you saw the PLA go in and steal the designs for that lead pipe so they wouldn't have to pay for it.

Or to use another case with the solar company.  They went in and stole the pricing information for their product so that they could dump their product into our market at a lower rate and try to drive them out of business. 

And to add insult to injury; when that company sued, they stole the litigation strategy that they were going to, that they were going to use.


And this is a group in, in uniform as we showed.  That they would get in in the morning and we laid this out in a chart in the affidavit as an allegation which is, the activity would spike around 9 a.m. when they got in.  Then it would go from 9 a.m. till 12, it would then decrease from 12 to 1 o'clock.  And then from about 1 to 6 it would increase again. 

And luckily they seemed to only work an 8-hour day, cause it would go back down again overnight.  So we took this as a serious -- so this is the, you know, one of the largest militaries in the world whose day job is to steal what our companies are investing in, doing research and development in.

And there's a concept in, in U.S. law called an easement where if you let someone walk across your lawn long enough, they have the right to walk across your lawn.  And so the idea was we need to put up a giant No Trespass sign before this becomes international law that says this is theft, it's wrong.

It's criminal just like when any other criminal group does it, that we can do the investigation and attribution to figure out who you are.  A lot of people thought we couldn't by name, by face.  When we do we're not afraid to make it public and we're going to bring -- we're going to use traditional legal tools including the criminal justice system when that occurs.

ZARATE:  An incredibly important case.  And in particular for this issue of proving it right?  Cause the Chinese and others are often saying well you're alleging all of this cyber espionage you're alleging all these cyber hacks, where's the proof.  And in many ways that's exactly what you did and you, you dealt with the attribution issue.

John can you, in the context of this case but also some of the other cases, the Iranian hacker case for example that, that you all have brought as well.  Can you speak to why these tools are so important even if you can't have a defendant in court in Washington D.C.

Or the Southern District of New York?  Why is the use of these tools and, and your ability to bring these kinds of cases, why is it important from a national security perspective?

CARLIN:  Let's just focus part, part one if you think of it as three steps.  Investigation, attribution, making it public, doing something that imposes a consequence.

So on the investigation attribution front, what we did is we unleashed the -- through this program the prosecutors, the FBI, working with other partners, intelligence agencies and others to look at what we could see about who the actors were and figure out a way not just to know who they are and what they're doing but to be able to say it in a public setting. 

Which isn't always the goal of the intelligence community.  But this is a group who's specially trained in finding out who did but doing so in a way you can talk about it publicly.

So fast forward a little bit after the PLA case where we're trying out this new approach and now we've done it, done it once already, to what I can tell you none of us exactly gamed out.  So we gamed out there will probably be destructive attacks by nation states and we were out explaining that that would occur. 

We did not think necessarily that the first case would involve a rogue nuclear armed nation doing a cyber-attack and it'll be over a movie about a bunch of pot smokers.


ZARATE:  Of course you're talking about North Korea and Sony.

CARLIN:  North Korea and Sony.  And you've spent a fair amount of time there yourself in the situation room, it's not that often that you have brief out a movie to the present situation room but that's what we had to do in this, in this case.

ZARATE:  Let it roll.

CARLIN:  And many of us in the national security community watched over, watched over Christmas this Sony, this movie produced by Sony and we blamed North Korea for that.


But, it's a great movie, I'm sure and they had the right to make it, we'll defend that.


But so, so you have this intrusion and Sony did exactly the right thing.  And the challenge here that's different Juan than on terrorism is that it's not sufficient to share information across the law enforcement intelligence divide, we have to change the way we do business because there's a third party here.  And that third party's the private sector.

And since so much of the critical infrastructure is in private sector hands we have to figure out a way to incentivize folks to private center to put -- private sector to put in better defenses and to share information.  And we have to get better at sharing information back.  Sony was a great example of a company that did the right thing. 

They came in immediately to share what happened and because they did that and we were used to doing this new approach, in about 28 days we were able to figure out conclusively that it was the North Koreans.

And that's an example of where the investigation and attribution was done.  But the vehicle by which we made it public was not a criminal charge.  The FBI Director just did what we hadn't done before, but we need to be creative in this space, and laid out that we had conclusively determined it was North Korea.

And then you saw, because there was an existing executive order where you could sanction North Korea, that there were additional sanctions put on the North Koreans as the tool to impose consequences.  And you had certain officials say there'll be some things you see and some things you don't but there will be consequences. 

That was important not just as a message to North Korea, but to all the other state actors who are trying to figure out what deterrence means in this space.  And as a national security issue, from our point of view, front of mind has to be if people think it's completely anonymous, that we can't do the investigation and attribution.

Then our traditional models of deterrence won't apply.  So it's critical that we start ripping away the veil of anonymity and show that we can figure out who does it and there will be consequences.

One thing we realized around the table there are those -- there was an existing vehicle to do sanctions for North Korea.  There was not one for general cyber type activities.  And so that led to the new executive order in April of last year that allows you to sanction specific actors, companies or states who commit cyber hacking.

But also those who benefit from theft through cyber enabled means that damages our national security.   I think it was the combination of those two things that led President Xi for the first time to declare in fall of this year, that as a norm as the world we all want to live in, that using your intel services to commit cyber enabled theft is wrong. 

And that's an important first step, that we all agree that that should be the international law was the first time they said that in, from my point of view, the only reason they did that was because we had taken action, both the PLA indictments and the fear that we were going to start using this new executive order.

Now that doesn't, as we all know, a lot of laws on the books and this international norm is starting to be created.  The G20 adopted the same norm.  The next thing will be to do actions, follow words and we need to keep working on the enforcement to hold people to what they say their commitments are.

ZARATE:  And one of the things to watch of course is whether or not this administration or the next administration begins to use that executive order and those sanctions aggressively.  Not just against the actual hackers but against those companies that are benefitting openly and directly from the cyber espionage. 

And I think the threat to Chinese state owned enterprises is part of the reason you saw the deterrent effect there.  Take a step back for just a second and, you've warned more than anybody that I've seen in the U.S. government of the cyber capabilities of terrorists.  To include the Islamic State, the cyber caliphate.

Your department has talked about the Syrian Electronic Army and you pointed out cases there.  You've seen Iranian hackers.  What's the future of cyber threats and how does it converge with state and non-state actors and the threat of terrorism?

From what seeing as, as you've broken down the walls or opened the doors what, what's the map look like now from your perspective?

CARLIN:  That's a great -- and let me talk about some of the -- cause we're getting better at using this approach of investigating, attribution, making public, bringing charges.  Let me talk about what that's revealed in terms of the blended threat that we are seeing.  I'll tell you about one case in particular. 

So imagine that, as some, as some of you are, that you're a CEO of, of a company and in this case it's a retailer with a trusted brand name inside the United States.  And there's a hacker that enters into your company's systems and it looks like a low level criminal group.  They steal relatively small amount of personal identifiable information. 

And then when you try to kick them out of there, kick them out of your system, they say pay me $500 through bitcoin.  So it looks like a low level type of hack that companies see all across the United States every day and most companies don't report. 

In this case the company did the right thing, worked with law enforcement and what turned out, and these are allegations, because the person is facing, facing charges in a court of law. 

Turned out on the backend what you had was a Kosovo extremist who had moved to Malaysia where he was working with co-conspirators in Kosovo to hack into this U.S. company, steal the information and on the backend he was supplying it to one of the most notorious terrorists in the world, Junaid Hussain, a British born citizen living in Raqqa, Syria located with the Islamic State of Levant.

And what they were doing was culling through that information to look for the identities of government employees and then using American made technology against us, they were using Twitter to incite people inside the United States to kill people with that particular information that they put out.

That's the complicated threat environment in which we currently live.  And it's one we can't tackle without working with the private sector.  Because they did work with us, the individual Ferizi was arrested in Malaysia and is facing charges.  He'll have a right to defend himself in the Eastern District of Virginia after his extradition, there where he currently resides.

And the -- Junaid Hussain was killed in a Centcom strike in Syria.  And I think it's an example of the blend in terms of a group that does both criminal and national security.  And we saw we recently brought charges against three members of the Syrian Electronic Army.

And once you've laid out exactly who they are and what they did, it was clear in addition to doing things like pretending the White House was under attack and falsely posting that through a website that caused a multi-billion-dollar dip in the stock market. 

They're all just a bunch of criminals and they were out extorting private companies to line their own pockets for profit, as we laid out in the allegation.  I think that is both the current nature of the threat and that blend is going to continue to grow.

ZARATE:  Fascinating John.  You know FDD and CCIF the center we built does a lot of work on sanctions, use of financial power and regulations and, and influence.  Could you talk just a little bit about the, the -- how you've used sanctions and export control enforcement because you've had some big cases recently. 

A Turkish individual and network tied to Iranian sanctions evasion.  You've had a Singaporean individual charged with export control violations.  Can you talk to us about how you view the sanctions and export world as part of your remit?

CARLIN:  I view that as a vital part of the all tools approach that, is that -- again code agnostic view of the world that our lawyers should be playing at the Department of Justice.  And the fact we restructured to put more of a premium.  We -- our counter espionage section is now the Counter Intelligence and Export Control section.

To emphasize how important those cases are, to use one example of a case.  And again allegations is someone whose -- we had our first extradition out of Indonesia.  This is a person who had been held there I think since roughly 2011. 

And what they had done is they had falsely put down the end user, so they said these radio frequency modules were going to go to one country, but in fact they went to Iran.  And they ended up in 16, at least 16 unexploded IEDs in Iraq.  As many of you know a majority of the fatalities in Iraq to our soldiers were caused by IEDs.

And I think that's an example of why it is so important that both that type of technology is controlled in the first instance, and you need to get a license and why we use the criminal system when people lie in order to obtain those licenses.

ZARATE:  John just a -- maybe a final thought cause I think we've got about a minute here.  You just got back from Detroit where you addressed the auto industry.  People would say what's the AAG for National Security doing talking to the auto industry. 

But can you just briefly talk about again the importance of the private sector?  We've got a lot of folks here with businesses, lots of private sector interest.  What's the role of the private sector and frankly what were you doing in Detroit?

CARLIN:  And to -- I'll give it cause I think it's a good sense of the threat we are and why we've created for the first time at the national security division where we're normally a group that works behind closed doors, an outreach program.  Because of the private sector's involvement.

So I was in Detroit yesterday.  And a week or two before I was in Iowa.  And these were not normal places but that's because that's where we see the threat going.  So in Iowa the threats there and the fact is China along with other countries want what American technology has built with great cost.  Which are these bio-engineered seeds. 

And we have a case there someone recently pled guilty where we're literally there was someone spotted 25, 35 miles off the Interstate, corn field after corn field after corn field, in the middle of Iowa on their hands and knees in a field digging up this seed.

That led to a multi-year investigation.  Resulted in a multi-person conspiracy count where they were stealing what would be -- given a value of millions and millions of dollars.  And so we were out working with them. 

And what we often see is a blend again where they'll try to get in through cyber enabled means, figure out where you have what you value, and then they may use physical means, insider threats or someone digging up in a field to steal what you have.

Detroit is we were looking at what the threat of the future will be.  And according to one study in 2020, about 220 million some cars on the road will be internet enabled.  So about 75 percent of car traffic.  Leap ahead another 20 years and people are expecting the self-driving cars to be a 40 billion some dollar market.

And what we're trying to do there is emphasize look all the same bad guys, crooks, nation states who want to steal or cause destruction and terrorists, they go where our technology goes.  And so let's not repeat some of the mistakes we've made in the past where we've invested.

And moved very, very quickly from an analog world in 25 or so years, we've moved 98 percent analog to 98 percent digital and we didn't invest on the front end on making those systems secure.  We undervalued the security risks.

And now you're seeing companies across the United States try to figure out after the systems are already built, how do we make them secure, how do we revisit decisions about putting sensitive information.

So we're out in Detroit talking to what is going to be a great boom, so we don't want to discourage it, but to make sure that they think on the front end, here's what the bad guy -- who the bad guys are, here's the type of things they're going to try to do.  How can we, before these are deployed, figure out how to make them safe. 

We've already had one instance of with Jeep Cherokee of over a million cars being recalled because they demonstrated after they were deployed that they were vulnerable to hack.  We don't want that to, to be the future we want the future to be safe cars at the moment they're deployed.

ZARATE:  Fantastic.  Well John thank you for laying out the map of the threats, the map of how you are trying to address it with your tools.  And frankly the critical role that you always played, and I was honored to work with you and that you're playing now.  So please join me in thanking John.  Thank you.