Conversation with John Carlin - Part 2



Department`s national security division. October 15th is his last day.

His tenure encompassed overseeing the prosecution of cybercriminals and

more than 110 people on terrorism related charges, among his primary cases

are prosecution as rising out of the Boston marathon bombing, and the

indictment of five Chinese military hackers for economic espionage in 2014.

The U.S. is now weighing a proportional response to Russia after officially

accusing it of hacking the DNC and leaking it in an attempt to influence

the presidential election>

Web; Counter Terrorism Center; Domestic Antigovernment Terrorists; Cyber

Attack >

CHARLIE ROSE: When you look at -- if it is us versus them, are we especially vulnerable because so much of the United States is, for the lack of a better word, digitized?

JOHN CARLIN: So, I do think -- look, we as a society -- we move 25, 30 years ago, everything was paper, right?

CHARLIE ROSE: Yes. And then it`s all electronic.

JOHN CARLIN: It`s not only electronic, it`s digital and we connect it almost all to the internet.


JOHN CARLIN: And we did so without -- we systemically, across-the-board, we`re using a medium, the internet that was not designed with security in mind. And we systemically underestimate the risks, be it from crooks, terrorists or spies. And as a society, not just here in the U.S., although we did it the fastest, the whole world is playing catchup now. And maybe reconsidering, you know, in one case where someone had their personal emails compromised, I know the CEO of a Fortune 100 company said I`m putting a fax machine back in my office.

CHARLIE ROSE: Or I`m only going to do business on my cell phone.

JOHN CARLIN: So when it comes to -- and we`re just -- I mean, think about it in government times, we only started this new approach of figuring out who did it, making it public and imposing consequences in 2014. So it`s a couple of years ago. We`ve just reached the point now with Russia where we named our four major adversaries, we brought cases against places like the Syrian electronic army or the Islamic state various terrorist groups. We`re just beginning to bring deterrents to bear. As we do it, to your point, Charlie, I think it would be a mistake to say, oh, they hit us through cyber, so the only way we can respond is through cyber. That`s where it comes to us choosing how we respond.

CHARLIE ROSE: Both economic and military.

JOHN CARLIN: Economic, military, diplomatic pressure, criminal, all tools, don`t be wedded to what`s going to work for the bad guy, what works for the adversaries when we respond. We need to do.

CHARLIE ROSE: So what you`re trying to do is to send a clear message. We know who you are and we have ways to respond that you will not like. And so if you continue to do this, we will then responds appropriately and proportionately to make sure that you stop.

JOHN CARLIN: That`s right. And that`s an important each time we do it with a particular bad guy going it, whether it`s Iranian affiliate actor, Chinese, North Korean or Russia. But it`s also important not just to them, but as we try to set up a world that we all want to live in, every time we do one of these actions it sends a message to all the other states who are figuring it out what can I get away with in cyberspace.

CHARLIE ROSE: So there is this, we know that terrorists and extremists are using technology. We know they use it to recruit. We know they are sophisticated about it in terms of trying to keep their own phone conversations from being discovered. So they`re aware. What`s the likelihood that they have the potential to seriously engage in hacking?

JOHN CARLIN: We have to take that very seriously. Because just like -- prior to September 11th, they`ve told us they have the intent and we need to listen.


JOHN CARLIN: Dating back now around five years ago, al-Qaeda, Zawahiri, the head of al-Qaeda at the time said, called upon their adherence across the world, use cyber jihad, cause as much damage as you can. We know that they`re trying to do that. We know the Islamic state and the Levant is trying to do that, causes much damage and fear as they can. So they have the intent. And then what I worry about in terms of capability, going back to the blended threat is, we have right now a well-funded ecosystem of crime. I mean if you go on to what`s called dark web.


JOHN CARLIN: So that`s not mapped.

CHARLIE ROSE: Describe the dark web for the audience.

JOHN CARLIN: So the dark web is -- if you think about what you access on the web, it`s all has an address that`s locatable. So if you look it up on Google it shows up. There`s a dark web whose IP address is that you can`t see, so you have to know where to look, that`s not mapped. And in that dark web, you have things like criminal groups who create essentially cyber weapons of mass destruction like a botnet. This is hundreds and hundreds of thousands of compromise computers that a bad guy can turn to a weapon by hitting a command. And what they do sometimes, that`s how they did the attack on 46 different financial institutions that would link to -- link to Iran, is they used a botnet, they launched a so-called denial of service attack where they just bombard your website with so much information it becomes useless to hundreds of thousands of customers, and in that case, costs tens of millions of dollars.

So they build this capacity. The other way they can use it though, there is a case game over Zeus, a criminal case, one of these criminal groups created the Botnet and then what they would is that they allow you -- use the fact they had access to your computers to put a malware called CryptoLocker.

And CryptoLocker means it encrypts all your files and they use that to black mail you, so if are you about to prepare one of your shows, and you can`t suddenly access any of your files unless you pay money, or in the case of a hospital, it`s life or death. So they have created these systems.

And on the dark web now, it looks almost like Amazon or a commercial level platform here. And you can literally shop, hey, I want to buy stolen credit cards or I want to use a Botnet to launch a denial of service attack and it has, when I say it is like, I mean it has customer reviews. Hey, I bought from this crook before. And I found that this, you know stolen I.D.s were quite useful.

CHARLIE ROSE: So, they provide you or sell you is reliable.

JOHN CARLIN: Is reliable. Another one might say don`t use them. If you think about, just your question, though, it doesn`t take much imagination to think what happens if the terrorists, gets what the criminals have built. And so that is where I think we`re in a race against time to improve our defenses, and continue to try to deny and disrupt them the ability to do that.

CHARLIE ROSE: A race against time. Tell me more about a race against time.

JOHN CARLIN: So, it doesn`t take -- if you think about the capacity of a sophisticated criminal group, and certainly nation`s states. The intent of terrorists to use that is to cause as much destruction as they can. If a terrorist is able to encrypt a hospital`s records, they`re not going to say give me $10,000. They`re going to do it to try to cause loss of life.


JOHN CARLIN: So we need to move faster than they can before they get that capability to harden our defenses, which might mean, you know in certain cases not connecting things to the internet. And we also need to, just like we try to deny them other weapons of mass destruction, deny them the ability to get the use of those tools.

CHARLIE ROSE: In fact, you said your goal now is prevention.

JOHN CARLIN: It`s prevention. And you know, as I think about the -- we`re on the cuss of a major societal transformation. As big a change as it was when we digitalized information, now we`re moving towards the internet of things. Think about cars. This will be as big a transformation as going from horse and buggy to an automated car when you go from a driver car to a driverless car. And in 2020, the estimates are about 70 percent of the cars on the road are essentially going to be computers on wheels. And you think about the game of.

CHARLIE ROSE: If you can hack that computer, you can take that car and send it anywhere you want to.

JOHN CARLIN: Exactly and think about what one terrorist did with one truck in Nice, what happens if you have an automated fleet of trucks. We can`t make the same mistake that we made when we moved our information from analog to digital where we are playing catch-up. When it comes to things like cars, and trucks, and missiles, planes, drones, this internet thing or a pacemakers in people`s very bodies, we have to build security in on the fronted end by design.

CHARLIE ROSE: If they can attack your patient, they can kill you right there.

JOHN CARLIN: They can kill you and in the beginning it is not, its good people trying to do the right thing. In the beginning, a lot of these companies are focused on making it work. But they`re not thinking about well, what if someone intentionally tried to abuse it, the crook or the terrorist. That is what we need-- that is the mindset we need to change.

CHARLIE ROSE: You have said at one point, and this maybe what are you talking about, that the question of cyber security versus security.

JOHN CARLIN: Yes. I do believe that. So security versus security, by that I mean, there are, when we think through some of the hard issues like, can you, is there certain information that you ought to be able to obtain by a court order, and what should a company`s responsibility be in making its information accessible to the court order. I sympathize with -- we strongly preach the benefits of encryption. Because we want to keep information secure. And we wouldn`t want even the government to get it without proper legal process. But designing a system so that it is secure both from the bad guys who want to steal or destroy your information, and secure as in a safe place for, to keep terrorist from abusing it to commit terrorist attacks.

CHARLIE ROSE: You have been asked this before. Can you design a system that will give law enforcement access? Can they design a system, I mean Silicon Valley, on the question of encryption. That will give law enforcement access and at the same time, not destroy all the concerns that Silicon Valley has and that Tim Cook articulated in the conflict?

JOHN CARLIN: So I tend to be optimistic on this. When you think about the amazing.

CHARLIE ROSE: Optimistic that you can.

JOHN CARLIN: That we will be able to innovate our way out of this issue. Because if you think about right now, this is a strange analogy, but you know I`m a New Yorker. I grew up in New York. And I remember there was an old Saturday night live skit. And this guy is on the subway and he gets stabbed and is being interviewed on the radio. And the radio guy is like so, you`ve been stabbed. And he`s like yeah. And the guy says did you make eye contact. The guy says, yes. What did you expect? It`s New York, right? That was the way it was in New York. That was our expectation. Now it`s laughable because it`s changed. We feel safer on the streets of New York. In cyber right now, if you get hacked, what is the first question people ask? I mean, what the company did wrong.

CHARLIE ROSE: Everybody hears about John Podesta or heard about John Brennan and they say, if they can get Podesta, then they can get Brennan and they can get the U.S. Government, and they can get the Pentagon, they can get me.

JOHN CARLIN: Well, that is true, Charlie. It`s just true. Right now offense out strips defense in a sophisticated nation state where criminal groups can get into an internet connected system, if they want to. It may take persistence, but they can get in. Your information is fundamentally not going to be safe on an internet connected system if you are relying on some tool or something you can buy to keep someone from getting inside.

That doesn`t mean that we don`t want to raise the costs so that only the most sophisticated actors can do it, though. So you want to keep like the low level guys out, according to one study, about 80 percent of the breaches that we`re seeing, if people used known patches they could have prevented. So we`re trying to increase, you know customer safety that way. But at the same time, you got to make some fundamental decisions right now which is, should it be on an internet connected system at all. And if it is, assuming someone can get in, let`s say you`re a company and it`s your intellectual property, if you know that a dedicated bad guy can get in, and then maybe I don`t put it in my system in a folder called crown jewels.


JOHN CARLIN: That is not where I will put my crown jewels any more. I will put them somewhere elsewhere you have to have an insider to know how to access it and in crown jewels, maybe I will put something that doesn`t work. So go steal it, invest waste money and that is another way of increasing the costs to try to decrease this behavior.

CHARLIE ROSE: How much do you fear that there may be other Snowdens at NSA, because we have a story and we don`t know exactly where it goes, that there is someone else being questioned, within NSA, who came from a consultant firm.

JOHN CARLIN: I think the insider threat is a threat that we have to take very, very seriously in government. Because defending against those that you trust is going to be the hardest challenge. And it is also something that private business and industry need to be concerned about, which means continuously being able to continuously monitor in some instance changes in behavior that might be a tip that someone is an insider. And also building your systems in such a way that one individual doesn`t have access to anything, so they`re extra controls inside your system. But it`s a very tough challenge.

CHARLIE ROSE: Which brings forth the obvious journalistic question which we often ask, what do you lose sleep over. What worries you the most today?

JOHN CARLIN: It`s been, right now we`re in an unprecedented terrorist threat. And what we`ve seen is, again, this is in part a new technology problem, all adversaries applying new technology. But they`ve effectively crowd sourced terrorism, so when I was doing the al-Qaeda threat, and don`t get me wrong, al-Qaeda still is determined to do a complex threat, attack on the scale of September 11th, that is centrally directed. They`re still trying to do that, but.

CHARLIE ROSE: How are they trying to do that?

JOHN CARLIN: So they still plot and plan with trained and vetted operatives overseas and they`re looking for space to do that whether it is al Qaeda in the Arabian peninsula, in Yemen, Al-Nusra in Syria, or al-Qaeda - core al-Qaeda in the Afghanistan Pakistan region, but we have seen the change, the crowd sourcing of terrorism, roughly 2014, 2015, Islamic state in the Levant started to exploit social media and instead of having carefully trained and vetted operatives, they started putting out massive amounts of propaganda that looks as slick as a commercially produced advertisement, because it`s so easy to do that now. Because the technology. And then they used distribution platforms that they can use for free, twitter, Google, et cetera. And they blasted this message targeting our young people, targeting those who are mentally unstable and tried to turn them into human weapons. These aren`t always people who really understand the ideology that they are involved.

CHARLIE ROSE: But are they vulnerable?

JOHN CARLIN: They are vulnerable. And so what we are seeing inside the U.S. since they switched to this crowd sourcing of terrorism, our divisions coordinated cases of all across the country, brought over 110 terrorism linked cases in 35 different U.S. Attorney`s offices. And we have open investigations in all 50 states. We`re not seeing it confined, in other words to one geographic area or ethnic group. Instead, the common factor in almost every case is one. They almost all involve social media and two the age of the defendant and that really troubles.

CHARLIE ROSE: What is the age of the defendant?

JOHN CARLIN: It is over half are 25 or younger and one-third, one-third are 21 or younger. That is never been the case for our terrorism defendants.

CHARLIE ROSE: Have we been at all successful in trying to counter the argument on the internet that causes those people who might be susceptible to act?

JOHN CARLIN: So I think there is, we`re not done. But we need to continue to come with new approaches until we do. And one of those is to call upon on the private sector. I had a strange conference at justice, also a little national security guy different than the one, where we hosted Hollywood producers, Madison Avenue type, internet service providers and nonprofits. And I and the head of the counter terrorism center Nick Rasmussen walked them through the threats.

And we were really there to convene and educate. And since then, you have seen companies like Facebook launched initiatives like peer to peer that are encouraging college students and others to create content that will counter this message. And look, we`re never going to be is get it from government it can`t come from us. It has to come from communities and from voices that are trusted, because I`m not going to be a great messenger to the 21 year old or younger who is disaffected that they`re aiming to target.

So again two things -- three things, tactically we have to keep working hard, because it`s hard law enforcement, Intel prosecution work to bring these cases so that innocent lives aren`t lost. Two that tactical success, strategically we got to beat them where they are which means working with a coalition to defeat them so they lose territory in Syria and Iraq. And then three, we have to figure out away, because look, fundamentally this group once you get over there, its raping people as a political tool. They are murdering Muslims and non-Muslims alike with impunity. And they are selling women and children into slavery. So that is a war of ideas we ought to be able to win.

CHARLIE ROSE: Ok, couple of things more.


CHARLIE ROSE: James Comey had said. He worries about Diasporas of terrorists as ISIS loses territory, and power within Iraq and Syria, which is happening, you know, and major battles are looming in Mosul and perhaps even Raqqa later. Therefore they are sending them wherever their passport will allow them to go. How big a threat is that?

JOHN CARLIN: We keep our eyes focused on it and be vigilant, I mean from the beginning when it was first foreign terrorist fighters, before they switched the call and said, kill where you live, no passport, no travel acquired. One of our chief concerns has been those who grew up in our culture, go abroad, and learn bombshells.

CHARLIE ROSE: Got to make bombs and everything.

JOHN CARLIN: .bombs, and then are sent back to the U.S. So if we are successful, and we need to be successful over there to deny them Iraq and Syria, then we have to be very watchful as people flow back in.

CHARLIE ROSE: There is another term which is called domestic antigovernment terrorists, who are they?

JOHN CARLIN: That`s -- a really bad term, but I would say generally we have to be worried about terrorists regardless of their motivation. One of the things in this job that is harder, but also keeps you motivated is I attend a lot of memorial services. And one that I went to two years ago now, the 20th memorial of Oklahoma City bombing. And.

CHARLIE ROSE: That was clearly domestic terrorism.

JOHN CARLIN: In fact his motive, it wasn`t from an international terrorist group. It was because of grievances right here inside the United States. Are you with those families and they bombed a daycare center and so it just felt still so raw to those who lost children on that day. We cannot allow that to happen again. And we have to make sure that as serious as the international terrorism threat is and it is that we also address those who might have a different set of motivations.

And there was a group that was going to look at these issues that was actually set up post Oklahoma City that was supposed to meet, as I understand it, the morning of September 11th. And they didn`t meet that day. This is a Domestic Terrorism, executive council and so one of the things we have done is make sure that group starts meeting again and then have someone who is a coordinator who can take a look at other patterns or lessons that we can learn. Because I think the sense was -- is from U.S. Attorneys offices across the country, and from the FBI and others looking at this threat, that it`s on the rise. And so we need to make sure we adapt quickly.

CHARLIE ROSE: Republicans and critics of the administration try to make a lot out of the fact of the timing of the Iran ransom payment and the release of prisoners. It is said that you appreciated the optics of that and had argued against it.

JOHN CARLIN: So, one thing I think is important regardless.


JOHN CARLIN: Well, one thing I think is important, kind a regardless of what shall -- this issue is that what I found inside the executive branch is they have a bunch of people who are serious about confronting the same threats. And they want to do it in different ways. We have frank discussions and in those discussions, you have a whole bunch of viewpoints. Sometimes, and not talking about issues but in general, my view is the one that prevails. Sometimes it isn`t, but I think it`s so important that we don`t lose the ability to have those conversations and in the long run it leads to right decisions, which is one reason, Charlie I will not talk about conversations that I have.

CHARLIE ROSE: Fair enough but have I to ask because it is reported that you were against the timing of the ransom payment. Let me just talk about the Hillary Clinton investigation which really didn`t get to the Justice Department, because the FBI director chose not to recommend prosecution in that case. I realize you can`t speak to that, but you can`t speak to the ideas that we have been talking about. Why we`re the Clinton aides granted immunity?

JOHN CARLIN: So, as you say. I am not going to talk about that investigation. As a general rule, I`ve been a prosecutor a long time, either we bring.

CHARLIE ROSE: Immunity, because.

JOHN CARLIN: When we bring a prosecution, we bring a prosecution and if we don`t, you move on and you don`t talk about it. And that is the approach I will apply to any investigation over the years.


CHARLIE ROSE: Even though I was trained as a lawyer, when I went to law school and all of that. Tell me, when you grant somebody immunity, are you saying we`re not going to prosecute, because we hope you will tell us the truth, right?

JOHN CARLIN: Well, there are a lot of different types of immunity. The types that gets -- the type that could be called the act of production. Immunity so, you know, you give over a document and the fact that you gave the document can`t be used against you. It`s not immunity from prosecution. There`s testimony you all immunity where if you provide information then the information that you provide, if it`s truthful can`t be used against you, but it doesn`t provide general immunity. So I think it`s important to keep straight what it might be in the different types of cases.

CHARLIE ROSE: Disrespect, you have said, if somebody wants to hack somebody, they can do it. So if in fact they wanted to hack Hillary Clinton`s server, they could have done it.

Russians could have done it.

JOHN CARLIN: A sophisticated nation state.

CHARLIE ROSE: Could have done it.

JOHN CARLIN: Could have done it.

CHARLIE ROSE: But would there be evidence if they did it, is the question?

JOHN CARLIN: Well, and that is where -- you are good Charlie. I`m not going to talk about or speculate about the investigation.

CHARLIE ROSE: Not so good because would you not.

JOHN CARLIN: Let me tell you more generally too. Because we talked a lot about September 11th and there is a lot of distrust these days of institutions generally.


JOHN CARLIN: But one thing that is been just an incredible opportunity for which I feel grateful is to work day in, day out. You remember that feeling, as terrible as it was right after September 11th in the weeks and months to come. There was this moment where we felt as a country so unified. We knew who the enemy was. And it was the terrorists who were trying to kill us. And the world was unified.

CHARLIE ROSE: They made it clear, that is what they wanted to do.

JOHN CARLIN: And that`s -- they were attacking us, because of who we were. And then it brought us all together and put us aside a lot of petty types of differences that they have day in and day out. In the national security division and with the folks we have worked with FBI and other parts of the community, every day is like that.

There is nothing that focuses your mind more than when you know that there`s these -- a literal group, you say it so it doesn`t sink in. They are using. They are recruiting people using rape as a means to get them to join their group. They`re murdering, burning people alive. They`re beheading people slowly. They`re selling women and children into slavery and they are trying to kill us. That focuses you.

And the group that I work with, day in, day out, they are true career professionals. And what motivates them is protecting their families, and the families who don`t know what they are doing from groups like that. That is what is motivating them when they work -- they could give a damn about politics or any of the other -- and it`s not that that is not important for other people I think about, that is not approved.

CHARLIE ROSE: You are saying, you think about the context of this investigation into Secretary Clinton and her emails and all of that.

JOHN CARLIN: That is one of the reasons why, you know, it is political season, that I don`t want to talk about.

CHARLIE ROSE: My question was, in fact, if somebody wanted to ask somebody you said they could.


CHARLIE ROSE: And my question was if you had been hacked, would you know or would they be so sophisticated, you would never know, because they will be holding it to use at another appropriate time.

JOHN CARLIN: As a general rule. I think.

CHARLIE ROSE: Whatever the circumstances.

JOHN CARLIN: Yeah. I think we`re a lot better.

CHARLIE ROSE: Talking about capabilities.

JOHN CARLIN: Capabilities. We`re a lot better at investigation, attribution and people think, but that`s us working together,

CHARLIE ROSE: We`re a lot better at investigation of attribution that people think.

JOHN CARLIN: Yes, and that is true when we work, you know together. Business, victims, private victims and government, and put our information together. That allowed us to get China, Iran, North Korea, and Russian, and have this high confidence.

CHARLIE ROSE: In other words, you have to have high confidence that they did it before you a identified them and publicly said they did it.