This article is part of the series "[Podcast] John P. Carlin".
Last week, John P. Carlin, former Assistant Attorney General for the U.S. Department of Justice’s (DOJ) National Security Division, spent an afternoon sharing lessons learned from the DOJ.
And because the lessons have been so insightful, we’ll be rebroadcasting his talk as podcasts.
In part one of our series, John weaves in lessons learned from Ardit Ferizi, Hacktivists/Wikileaks, Russia, and the Syrian Electronic Army. He reminds us that the current threat landscape is no doubt complicated, requiring blended defenses, as well as the significance of collaboration between businesses and law enforcement.
John Carlin currently chairs Morrison & Foerster’s global risk and crisis management team.
Cindy Ng: John Carlin, Chair of Morrison & Foerster’s Global Risk and Crisis Management Group, says the secret to effective crisis management is that you’ve thought about it before the crisis. We thought we’d put his expertise to good use by having him share with us his experience as Assistant Attorney General for National Security on a wide range of topics. He described the current threat landscape, economic espionage, weaponized information, and what organizations can do to manage their risk. We are rebroadcasting, as a series, the talk he gave last week, starting with a description of what a blended threat looks like, the particular challenges of insider threats, and the significance of the government working collaboratively with the private sector.
John Carlin: The threat when it comes to what’s facing our private companies has reached a level we haven’t seen before. That’s true for two reasons really. Some of what we’re seeing on the threats are things that the national security community has been monitoring for years, but we’ve had a change of approach. So in the past, while we were monitoring it, it would stay in classified systems. We would watch what nation states were doing or terrorist groups were doing and we didn’t have any method to make it public. So one trend has been governments are starting to make public what they see in cyberspace. The second is that the actual threat itself has increased both in volume and complexity. That’s been quite noticeable. In the past year alone, and really the past two years, we’ve seen cyber incidents that have gotten people’s attention from every level. That has caused in government a shift in terms of the regulatory attention that’s focused on cyber security breaches.
When I recently left government, there was almost an unholy rush across every regulatory and law enforcement agency as they realized what the scope of the threat was and how their existing regulatory or law enforcement authorities were not covering it. That caused them to do two things. One, to try to come up with creative ways to interpret existing regulatory standards so that they can impose liability in the event of a cyber breach, and second, for those who realize that no matter how creative you got, there just was no way to bring it within existing regulations, more countries around the world are adopting data breach laws than ever before, most notably, Europe coming onboard in 2018, but really it’s a global phenomenon. And as part of the focus on data breach, they’re also having laws that are starting to impose certain standards of care or specific security obligations. I think it’s that combination of increased awareness of the threat plus an increasingly complex and potentially punitive regulatory and law enforcement environment that’s made this a top-of-mind issue for C-suites in poll after poll, not just here in the United States but in countries throughout the world. It’s new and they’re not quite sure what the legal regulatory landscape looks like, and accordingly, it’s the type of thing that keeps them up at night.
For those of you in the information technology space, that could be good news and bad news. It means more scrutiny on what you’re doing but then hopefully, as we explain what it is and what can be done, it will also mean more resources. There’s the old description of traditional cyber threats, and it’s not like any of these have stopped, which would be crooks, nation states, activists, terrorists, everyone who wants to do something bad in the real world moving to cyberspace as we move everything that we value from analog to digital space, and the type of activity that they did ranged from economic espionage type activity to destruction of information, alteration of information, which I think is a trend that we need to watch, this is the idea of the integrity of your data may be at stake. I know, it’s top-of-mind for those of us responsible for protecting against criminal and national security threats in government and fraud.
I’m not going to spend too much on those traditional buckets. I wanted to highlight two new areas of cyber threat that are here, now. One is what I’ll call the blended threat and the second is insider threats. Let’s start with the blended threat. Imagine you’re back at your office, you’re in your company, and you spot what looks like a relatively low-level, unsophisticated criminal hack of your system. For many of you, it wouldn’t even warrant, as you handle it yourself, informing anyone in the C-suite. It would never reach that high in the company. Now imagine that as a result of that relatively unsophisticated hack, you’re a trusted brand name retail company, the bad guy has managed to steal a relatively small amount of personally identifiable information: some names, some addresses. As you know, this happens as we speak to hundreds and thousands of companies across the world. So for the vast majority of those companies faced with an unsophisticated hack where it looked like the IT folks had good control over what had occurred, it would stop there; to the extent it gets reported up to the C-suite, it looks like a simple criminal act and will go unreported.
The case I’m going through with you now though is a real case, and what happened next was several weeks later, this company then received, through email, it was Gmail, so a commercial provider, a notice that said, “Hey, unless you wanna be embarrassed by the release of these names and addresses, you need to pay us $500 through Bitcoin.” As these things go, you know, you can’t really think of a dollar figure much lower than $500, asking for something through Bitcoin on a Gmail threat also does not look particularly sophisticated, you combine that with great confidence that you’ve been able to find them on your system and kick them off your system, again, for the vast majority of companies, this does not go down as a high risk event and would not be reported. In the case that I’m discussing, which was a real case, the company did work with law enforcement and what they found out, that they never would have been able to find out on their own, was that what looked like a criminal act, and don’t get me wrong, it was criminal, these guys wanted the $500, was also something else. What it also was, it turned out, was that on the other end of that hack, on the other end of that keyboard, was an extremist from Kosovo who had moved from Kosovo to Malaysia and, located in Malaysia in a conspiracy with a partner who is still in Kosovo, he’d hacked into this U.S.-based trusted retail company, stolen these names and addresses, and in addition to the $500, he had managed, through Twitter, to befriend one of the most notorious cyber terrorists in the world at the time, a man named Junaid Hussain, who’s from the United Kingdom. Junaid Hussain had moved from the United Kingdom to Raqqa, Syria where he was located at the very heart of the Islamic State of the Levant.
In my old job, I was the top national security lawyer at the Justice Department responsible for protecting against terrorists and cyber threat, and on the terror side of the arena, this guy, Junaid Hussain, along with his cohort in the Islamic State of the Levant, had mastered a new way of trying to commit terrorist acts. Unlike Al Qaeda where they had trained and vetted operatives, what they were doing was crowdsourcing terror. They were using social media against us and consistent with that approach, what Junaid Hussain did is he befriended this individual who moved to Malaysia named Ferizi, he communicated with him through U.S. provided technology, Twitter, he got a copy of the stolen names and addresses and then he culled those names and addresses into a kill list. He distributed that kill list through Twitter back to the United States and said, totally consistent with their new approach of crowdsourcing terror, “Hey, if you believe in the Islamic State, if you’re following me, kill these people,” by name, by address, where they live.
That’s the face of the new threat in a version of the blended threat. I think for any of you, any company, if you knew when you were dealing with the incident, where you’d seen someone breach your system, that the person who breached your system was looking to kill people with the information that they stole, that would immediately be a C-suite event, your crisis risk plans would go into place, you would certainly be contacting law enforcement. The problem with the blended threat, these guys who are both crooks on the one hand and working on behalf of a terrorist or a nation state on the other, is you don’t.
Because they did work together, in this case, Ferizi, the guy responsible in Malaysia, was arrested pursuant to U.S. charges, extradited after cooperation from Malaysia, pled guilty and was sentenced this past July to 20 years in Federal prison. And Junaid Hussain, who was operating in ungoverned space in Raqqa, Syria, was killed in a military strike acknowledged by Central Command. This issue that’s putting your companies on the frontlines of national security threats in a way that simply never happened before, there’s not another area of threat which has the same effect, requires new approaches in terms of security and in the ways that the Federal government interacts with private companies.
Let me go through a little bit of some other examples of this blended threat phenomenon. If you think about what happened with Wikileaks, you have Wikileaks which acts as a distributor of information, but what they do is they end up, it’s not necessarily the hacktivist that steals the information. So you see the breach into your system, you’re not quite sure how it’s gonna be used. Is it gonna be used by someone who wants to make money? Is it gonna be used by someone who has very specific intelligence purposes? It used to be the case, certainly the assumption for those of us in government working with the private sector, that if you had information stolen by a nation state, unless you had some economic espionage type issue, you really didn’t need to worry about the nation-state using it against you, and that’s clearly no longer the case. What you see here with something like Russia and the DNC is information that is taken in one sphere then gets leveraged and used to be put out through another. So a nation state steals it and then they have this shield of Wikileaks for the distribution of the information.
You also have with Russia, in terms of the blended threat, what look like nation state actors, and let’s use the most recent Justice case against the Russian actors who attacked Yahoo. What you had there were crooks, I mean, straight up crooks who were Russian who were out to make a profit, and there was an attempt at law enforcement to law enforcement cooperation and U.S. law enforcement authorities passed information to the Russians to try to hold those crooks responsible. What you get instead of cooperation, this is all laid out in the complaint, is that the Russians then signed up the crooks as intelligence assets and used them to continue to steal information and to take some of the information they’d stolen, so that the guy was both making a profit on one hand but also was providing it for state purposes.
That version of the blended threat has a slight variation on it, in which his day job is Russian State Security Service hacker or Chinese State Security Service hacker, but there’s a lot of corruption in both countries. You wanna make a buck on the side, same actor, same system, daytime working on behalf of the state, night time, looking to line their pockets with profits, and what you’re trying to figure out on the back end of that attack, “Hey, what type of risk am I dealing with?” It can be incredibly complicated to figure out. Am I in a national security situation or a criminal situation? And that’s combined then with the deliberate blending. As we’ve moved toward doing attribution, you’ll see state actors, whether Russian, Chinese or others, they will not use the same sophisticated tools that they used to use in the past to breach your system that were identifiable. So you could tell by the TTP, the tactics, the techniques, the procedures, that you were dealing with a state actor from Russia or China or another sophisticated state actor. Now they’re using the same easily available tools that low-level crooks are using in the first instance, looking to see if they can get in through human error or weaknesses in the defenses, and that makes it much harder to do the attribution.
Final version of the blended threat would be the Syrian Electronic Army. Now many of you may be familiar with this group. This was the group who, and, you know, it’s in vogue now, everyone’s talking about fake news. Well, they’re the original fake news case that we did. When we prosecuted the Syrian Electronic Army, what they had done was they spoofed a terrorist attack on the White House by defacing the White House public facing site. That was very successful and caused the loss of billions of dollars in the stock market until people realized that it was a hoax. That same group though was regularly committing ransomware type offenses, they just weren’t calling themselves the Syrian Electronic Army. And so for many of your companies, you would have a policy in place that would again spot it as a high area of risk and say, “We’re not gonna make a payment if we knew we were paying off the Syrian Electronic Army,” or in the case of Ferizi, if we knew we were paying off a terrorist, but the problem is you don’t know. And as it was laid out in that complaint when we arrested one of those individuals in Germany, I don’t think even the people operating them, running them from the Syrian Electronic Army, knew that they were using the same tools on the side to make a buck.
So what lessons can you learn, or how can we help protect our systems recognizing this change in threat? Well, one is, as the criminal groups, as the sophisticated type of programs and vulnerabilities that you can sell on the dark web become more and more blended with nation states and terrorist groups taking advantage of them, we need to ask ourselves, “Are our defenses as blended as the threat?” And inside the company, that means making sure that we crosscut those who are responsible for preventing and minimizing the risk from a threat, where it doesn’t stop and say, “Hey, maybe we could build a wall that’s high enough or deep enough to keep someone out,” because that doesn’t exist, but once they’re inside and we’re dealing with the actual threat, who do I have in my company who has evolved? Is there a way to make it easily available to the business side so we can get their informed views as to what and how information should be protected to mitigate risk on the front end and then how to respond? And similarly, are we working together as companies, and as a government with companies, the way the bad guys are with the nation states or terrorist groups who are sponsoring them? That’s where there’s focus now; figuring out a better way to do cooperation between business and law enforcement is vital.
The division I used to head, the National Security Division, was created as one of the reforms post-September 11th, and the idea was, post-September 11th, we gotta get better at sharing information across the law enforcement and intelligence divide. The failure to share that type of information led to the death of thousands of people on September 11th. This challenge of how to share information in terms of what the government is seeing on the threat and how to receive information is exponentially more complicated, because it’s not just about sharing information better within government or within your company, it’s how to share information across government to the private sector and back again.