This article is part of the series "[Podcast] John P. Carlin". Check out the rest:
Leave a review for our podcast & we'll send you a pack of infosec cards.
Get the Free Pen Testing Active Directory Environments EBook
In part two of our series, John Carlin shared with us lessons on economic espionage and weaponized information.
As former Assistant Attorney General for the U.S. Department of Justice’s National Security Division, he described how nation state actors exfiltrated data from American companies, costing them hundreds of billions of dollars in losses and more than two million jobs.
He also reminded us how important it is for organizations to work with the government as he took us down memory lane with the Sony hack. He explained how destructive an attack can be, by using soft targets, such as email that do not require sophisticated techniques.
Cindy Ng: In part two of John Carlin’s talk, we learn more about how nation state actors exfiltrate data from American companies, costing them hundreds of billions of dollars in losses and more than two million jobs. He also took us down memory lane, describing how the Sony hack showed us how successful an attack can be by using soft targets, such as email, that do not require sophisticated techniques.
John Carlin: Let me talk a little bit about economic espionage and how we moved into this new space. When I was a computer-hacking prosecutor prosecuting criminal cases, we were plenty busy. And I worked with an FBI squad, and the squad that I worked with did nothing but criminal cases. There was an intelligence squad who was across the hall, and they were behind a locked, secured compartmented door. The whole time I was doing criminal cases, about 10, 15 years ago, we never went on the other side of that door. If an agent switched squads, they just disappeared behind that locked, secured door. I then went over to the FBI to be Chief of Staff to the director, FBI Director Mueller. And when I was there, that door opened and we started to see day-in, day-out what nation state actors were doing to our country.
And what we saw were state actors, and we had a literal jumbotron screen the size of a movie theater where we could watch it through a visual interface in real time. And we were watching state actors hop into places like universities, go from the university into your company, and then we would literally watch the data exfiltrate out. As we were watching this, it was an incredible feat of intelligence, but we also realized, “Hey, this is not success. We’re watching billions and billions of dollars of what U.S. research and development, and our allies, have developed in losses. We’re seeing millions of jobs lost.” One estimate has it at more than two million jobs. “What can we do to make it clear that the threat isn’t about consumer data or IP, the threat is about everything that you value on your system? And how do we make clear that there’s an urgent need to address this problem?”
What we did is, when I came back to Justice to lead up the National Security Division, is we looked to start sharing information within government. So, for the first time, every criminal prosecutor’s office across the country, all 93 U.S. Attorneys’ offices now has someone who’s trained on the bits, and the bytes and the Electronic Communication Privacy Act on the one hand. On the other hand, on how to handle sensitive sources and methods, and encouraged to see, can you bring a case? This only happened in 2013. This approach is still very, very new. The FBI issued an edict that said, “Thou shalt share what was formally only on the intelligence side of the house with this new, specially-trained cadre.” They then were redeployed out to the field. It’s because of that change in approach that we did the first case of its kind, the indictment of five members of the People’s Liberation Army, Unit 61398.
This was a specialized unit who, as we laid out in the complaint, they were hitting companies like yours and they were doing it for reasons that weren’t national security, they weren’t nation-state reasons. They were doing things like…Westinghouse was about to do a joint venture with a partner in China, and right before they were gonna into business together, you watched as the Chinese uniformed members of the People’s Liberation Army, the second largest military in the world, went in, attacked their system and instead of paying to lease the lead pipe as they were supposed to do the next day, they went in and stole the technical design specifications so they could get it for free. That’s one example laid out in the complaint. Or to give another example, and this is why it’s not the type of information that is required to be protected by regulation, like consumer data or intellectual property. Instead, for instance, they went in to a solar company, it was a U.S. subsidiary of a German multi-national and they stole the pricing data from that company. Then the Chinese competitor, using this information stolen by the People’s Liberation Army, price dumped. They set their product just below where the competitor would be. That forced that competitor into bankruptcy.
To add insult to injury, when that company sued them for the illegal practice of price dumping, they went and stole the litigation strategy right out from under them. When people said, “Why are you indicting the People’s Liberation Army? It isn’t state-to-state type activity. Everybody does it, what’s the big deal? Criminal process is the wrong way to do it.” The reason why we made it public were a couple. One was to make public what they were doing so that businesses would know what it was to protect themselves. Second, what they were doing was theft and that’s never been tolerated. And so, there’s a concept in U.S. law of what’s called an easement. This is the idea that if you let someone walk across your lawn long enough, in U.S. law, they get what’s called an easement. They get the right to walk across your lawn. That’s why people put up no trespassing signs. International law, which is primarily a law of customary law, works the same way. And as long as we were continuing to allow them to steal day-in, day-out, the Director of the FBI called them like a drunken gorilla because they were so obvious in terms of who they were. They didn’t care if they got caught because they were so confident there’d be no consequence. Then, we are setting international law, we are setting the standard as one where it’s okay. So, in some respects, this case was a giant “No trespass” sign, “Get off our lawn.”
The other thing that we did, though, was we wanted to show the seriousness, that this was their day job. And so, we showed that the activity started at 9 a.m. Beijing time, that it went at a high level from 9:00 to noon Beijing time, it decreased from noon to 1:00, it then increased again from 1:00 to around 6 p.m. Beijing time, decreased on Chinese holidays, weekends. This was the day job of the military, and it’s not fair and it can’t be expected that a private company alone can defend itself against that type of adversary. This single case had an enormous impact on Chinese behavior, and I wanna move a little bit to the next major cases that occurred. So, that’s economic espionage, theft for monetary value.
We also started seeing some of the first destructive attacks. Everyone remembers Sony, and many people think of it as the first destructive attack on U.S. soil. It really wasn’t the first destructive attack. The first destructive attack was on Sands Casino by what the Director of National Intelligence called Iranian-affiliated officials. Those Iranian-affiliated actors, when they attacked Sands, they did so because they didn’t like what the head of Sands Casino had said about Iran and the Ayatollahs called on people within Iran to attack the company. They did a destructive attack that essentially turned computers into bricks. And it was only, actually, because there was someone quick thinking in the IT staff who was not authorized by their policy, by the way, who spotted what was occurring and essentially pulled the plug, and in that respect was able to segment the attack and keep it confined to a small to a small area, it didn’t cause more damage. That didn’t get nearly the attention of Sony, so let’s talk a little bit about Sony.
You know, I spent nearly 20 years in government working on national security criminal threats. We did enumerable war games where we war-gamed out, “What’s it gonna look like if rogue nuclear arms nation decides to attack the United States through cyber-enabled means?” And I don’t know about you guys but we all got it wrong, because not once did we guess that the first major incident was gonna be over a movie about a bunch of pot smokers. It’s the only time…I remember every morning I’d meet with the Director of the FBI, the Attorney General to go over at the threats. That Christmas we’d all watched the movie the day before, shared movie reviews. And it’s the only time in my career where I’ve gone into the Situation Room to brief the president on a serious national security incident and had to start by trying to summarize the plot of that movie which, for those of you unlucky enough to have seen it, not that I’m passing critical judgement, it is not an easy plot to summarize.
So, why did we do that? Why were we treating this like a serious national security event that had presidential attention? The attack had multiple parts. One was, just like the attack on Sands Casino, it essentially turned computers into bricks. Secondly, they stole, so this is like the economic espionage threat. They stole intellectual property and they distributed it using a third party, the WikiLeaks-type example. Using third parties, they distributed that stolen intellectual property and tried to cause harm to Sony. Nobody remembers those two. What everybody remembers, and this is the weaponizing of the information idea, is that by focusing on a soft target like email communications, it was the salacious email communications inside the company between executives that got such massive media attention. That and, of course, the fact that it’s a movie company. That lesson was not unnoticed, and so there’s a lot of focus on it and we’ll talk about it later. And it was used again, clearly, in the Russian attempt to influence elections not just here in the United States with our most recent election cycle, but both before that in elections across Europe. You can see them trying to use similar tactics and techniques right now when it comes to the French election. They clearly stumbled on the fact that, “Hey, it’s not the information inside a company that people put great safeguards around, like their crown jewel of intellectual property. It can be the softer parts like email, like routine communications that, if we gather them in bulk, we can use to weaponize and cause harm to the company.”
The reason why we treated that as such a serious national security concern in the White House was because of the reason behind the attack. Just like the attack on Sands Casino, this attack on Sony was fundamentally an attack on our values. It was an attack on the idea that we have free speech. And similarly, the Russian attempts are fundamentally an attack on the idea of democracy. That’s why they’re attacking democratic institutions not just here in the United States, but across the world.
For you, in the private sector, as we’re designing and you’re thinking about, you need to have products inside your system that can allow you to monitor broadly what type of attacks are occurring within your perimeter so you can get ahead of a weaponized information-type attack. That means fortifying defenses beyond those that are under legislation or regulation. In order to do that, that means figuring out and using products that are business-friendly. By that I mean, you may be the best information technology folks in the world, if your business side can’t understand the tools that you’re using or the risks that you’re trying to describe to them, then you can’t engage them on what could really harm the company most. And that’s what you need to do your job, to figure out what that is.
Another thing that we can work on now when it comes to responding quickly is how fast these events occur. And these days, the best practice is to monitor social media. Now, I know a couple companies that they’re monitoring social media. In part, it’s not just for cyber crisis, right? Every crisis moves that quickly. Some are monitoring it because a certain president of the United States right now, occasionally, will tweet something out in the middle of the night that can cause a company, if he singles you out, he can cause your share price to torpedo by the time the market opens. So certainly, a couple of companies who’ve actually been though that have rapid communications plans in place, and we’ve other clients now that just as a best practice have, essentially, a team monitoring that Twitter account from 3 a.m. to 6 a.m. so they can get a communication into the media mainstream before the stock market opens.
That’s the same idea when it comes to having systems in place, so you’re monitoring social media for mentions of your company and then having a rapid response plan in place. That can also be majorly benefitted by you and your understanding of the system. If you spot where the data is that was stolen and think through with your business side how it can be used, you can get in front of it suddenly appearing somewhere on social media through WikiLeaks or some other site, just through Twitter and so that you’re ready to have a rapid response that addresses your business risk.
I want to focus a little bit, as we did, on this idea of working together, government and the private sector. I’m gonna go back to the economic espionage case for a second, the China case. When we did that PLA case, for years before when I was doing the criminal cases, I think companies didn’t work with law enforcement because they figured, “What’s the upside?” And I’ll just talk about that China case, but that case, the indictment of the People’s Liberation Army, it changed Chinese behavior, maybe not forever, but for now. It caused President Xi, I think that case, plus the response to Sony where we used the same type of response when it came to North Korea, which was…look, it was incredibly beneficial to Sony when we were able to say that it was North Korea. Until then, all of the attention was on Sony, “What did they do wrong? Why weren’t their systems better? Isn’t it ridiculous what their executives were saying?” After we could say that it was North Korea, the narrative changed to, “Hey, Government, what are you doing to protect us against nation-state threats?” That is why attributions can matter.
And what did the government do? We applied now, for the second time, the approach that we’d applied for the first time with the People’s Liberation Army of, number one, figuring out who did it. And that required working closely with the company to figure out not just what they took, but why they would have taken it, what could have precipitated the event. Number two, collect information in a way that we can make it public. And number three, use it, cause harm to the adversary. And that’s why in Sony, unlike in the PLA case, we didn’t have a criminal case available to us, so instead of using a criminal case you saw us publicly announce through the FBI who did it, and use that as a basis, then, to sanction North Korea. We realized sitting around the Situation Room table, lucky it was North Korea. If it had been some other cyber actor, unlike North Korea, who hadn’t done so many other bad things, we wouldn’t have been able to sanction them the way you could terrorists or those who proliferate weapons of mass destruction.
So, going forwards, the president signed a new executive order that allows us to sanction cyber actors. The combination of that new executive order which significantly allows, to use the PLA example, you to sanction not just those who take it, but the companies who make money off of it, those who profit from the stolen information. I think it was that combination of the new executive order in place, the PLA case and the realization that we could make things public and would cause harm that caused President Xi, the leader of China, to blink and sign an unprecedented agreement with President Obama. He sent a crew, we negotiated with them day and night for several days. And they said for the first time, “Hey, we agree, using your military intelligence to target private companies for the benefit of their economic competitor is wrong, and we agree that that should be a norm that you don’t do that.” That caused the G20 to sign it, and since then we have seen in government and private group monitoring, there’s a decrease in terms of how China is targeting private companies. Now, as some of you may be seeing, though, their definition of what’s theft for private gain and ours might differ, and there’s certainly sectors that are still getting hit and traditional intelligence collection continues.