Conversation with John Carlin - Part 1





CHARLIE ROSE, PBS HOST: Welcome to the program. Tonight, John Carlin, he is assistant attorney general for National Security, an important position. He leaves government on Friday, and this is an exit interview talking about the United States government, cybersecurity and terrorism.


JOHN CARLIN, ASSISTANT ATTORNEY GENERAL FOR NATIONAL SECURITY: So I think it`s important one to figure out who did it with high confidence which you see. Two, to make it public, and you`ve seen us do that here and say it`s the Russians. Because if you are going to be able to deter, you have to make sure the world knows we can figure out who did it. And then, third, to be public about the fact that there will be consequence, now what those consequences are, have varied depending on the threat that we face when we`ve been trying out this new approach. And the policy has been, it will be a time and place of our choosing.


JOHN CARLIN: ... not our enemies` choosing, and there may be things you see and you don`t see.


CHARLIE ROSE: John Carlin for the hour next.


CHARLIE ROSE: John Carlin is here, he is stepping down as the chief of the Justice Department`s national security division. October 15th is his last day. His tenure encompassed overseeing the prosecution of cybercriminals and more than 110 people on terrorism-related charges, among his primary cases are prosecutions arising out of the Boston marathon bombing, and the indictment of five Chinese military hackers for economic espionage in 2014. The U.S. is now weighing a proportional response to Russia after officially accusing it of hacking the DNC and leaking it in an attempt to influence the presidential election. I`m pleased to have John Carlin at this table for the first time. Welcome.

JOHN CARLIN: Thank you, Charlie.

CHARLIE ROSE: It`s a pleasure to have you here. Why are you leaving it?

JOHN CARLIN: Yeah. It seemed like a natural break point. It`s been nearly 20 years with the Justice Department, but loved every job that I`ve had there.

CHARLIE ROSE: Tremendously influenced by 9/11.

JOHN CARLIN: Yeah, yes, I was -- I`m a New Yorker. And my family was in New York that day, and I remember my father was underneath the World Trade Center in the subway on his way downtown, my brother-in-law was right across the street looking out.

CHARLIE ROSE: So he saw bodies jumping out of...


CHARLIE ROSE: ... the twin towers.

JOHN CARLIN: He was in the reserves that time, got called up as one of the people helping to clean up the site afterwards. I remember that feeling, as so many do, of wondering if your family members were safe and trying to call frantically to reach them. And we were lucky, that day, but many others were not.

CHARLIE ROSE: And have we learned the lesson?

JOHN CARLIN: I think we`ve learned important lessons from that day. One of which is do not forget what happened. And then in my space, the whole division that I currently lead, the national security division was created as a post 9/11 reform, because of a failure to share information across the law enforcement and intelligence.

CHARLIE ROSE: From CIA, to FBI, to NSA and others.

JOHN CARLIN: We just weren`t structured that way at the time. There were legal barriers and cultural. We didn`t sit side-by-side. In our division now we have the prosecutors sitting next to the intelligence lawyers, and it caused a change in mindset. So success was no longer going to be measured by the successful prosecution of a terrorist after the fact when families are grieving or lost loved ones.

CHARLIE ROSE: Success would be measured by?

JOHN CARLIN: Preventing the attack from occurring in the first place.

CHARLIE ROSE: Making sure that everybody knew what everybody else knew.

JOHN CARLIN: You have to know what they know, and then you`ve had to be creative as lawyers and look across the full set of legal tools. So you`re not wedded because if you are a prosecutor to just using criminal justice system, just doing prosecutions. Let`s think about everything we can do to keep the terrorists from accomplishing their goal of killing people.

CHARLIE ROSE: So what would be in that toolbox?

JOHN CARLIN: So it ranges, could be a criminal prosecution. It could be diplomacy. It could be a military strike or the use of treasury department sanctions to keep these groups from getting the funds that they need. It could be using strange authority commerce department has to say, hey, this company is doing business with terrorists so you can`t export, you can`t do business with this company without a special license. We just have to be as nimble as the threat is, and keep looking across that tool kit.

CHARLIE ROSE: Who had the job before you?

JOHN CARLIN: Right before me was Lisa Monaco.

CHARLIE ROSE: Who is now at the White House.

JOHN CARLIN: She`s now the president`s homeland terrorism advisor.

CHARLIE ROSE: And has said that she wanted you very much and recommended that you take this job. You formerly have been also chief of staff for Robert Mueller, the FBI director.

JOHN CARLIN: It was an amazing experience, where there`s no one I have worked with who is like him in terms of being dedicated day in, day out to the task at hand. I think he`s uniquely qualified to drive change at the bureau at the time he was put in.

CHARLIE ROSE: How did we determine that the Russians were behind the hacking of the DNC and perhaps John Podesta as well?

JOHN CARLIN: Well, you know, Charlie, when I think about this case, I go back to my first encounter with the Obama administration, was actually when I was over at FBI working with Director Mueller. And we briefed both campaigns. We briefed the McCain campaign at the time and the Obama campaign. The Obama campaign sent Dennis McDonough, who later became his chief of staff, and a guy named Mark Lippert, who later became ambassador to South Korea. And we had to tell both campaigns you`ve been breached by China. Your emails have been compromised. And we did so at the time and later was declassified in a classified setting. I think about how far we`ve come since then on the threat changes as well.

CHARLIE ROSE: Let me just pause you for a second, they didn`t know they`ve been breached.

JOHN CARLIN: They didn`t know.


JOHN CARLIN: We knew. And so we went to tell them, to inform them they`ve been breached.

CHARLIE ROSE: How did you know?

JOHN CARLIN: So we knew using in part sensitive sources and methods to collect the information, so we couldn`t tell them at the time how we knew. But we could tell them that they had been breached and some defensive steps that they could take. And at that time, we had known for a while that China in particular was committing economic espionage, and we had not -- we were not saying that publicly, we didn`t use the word China in relation to the threat that would come later. So the whole thing was treated as an intelligence problem, as a secret issue, as it has for years when it came to spy versus spy. But here`s what was different. When it came, in particular in China was over at FBI, and I saw for the first time what was on that intel side of the house because I have been doing this for a while as a prosecutor on the criminal side, computer hacking prosecutor, and there`s plenty to do on that side. I worked with a squad of FBI agents, and occasionally one of those agents was switch over to the Intel side. And the Intel side was literally behind a locked secured door, and the agent would just disappear behind that door and I wouldn`t see him again. I never knew what was going on there. And it`s not like I was banging on the door to get in because there was plenty to do on the crime side.

So, when I came over to the FBI for the first time, opened up that door and saw what was on that intelligence side of the house, it was amazing. We worked on getting better at collecting the intelligence, and we created a system where you could watch on a huge jumbotron screen, Chinese actors, for instance, hopped to a university, hopped from a university into a company, and then you`ll watch the data exfiltrate out of the United States. And what we were seeing was an amazing intelligence feat, but we were losing billions and billions worth of dollars of intellectual property, trade secrets, theft. And it became clear, to your question earlier, how we`ve changed since 9/11, that we were not applying some of the changes that we`ve applied against the terrorist threat when it came to cyber. And what I mean by that is when I went over to the Department of Justice, we still hadn`t opened that door. We still weren`t sharing that intelligence with law enforcement, with victims to see how we could do disruptions. And that caused us to take a massive transformation in the Justice Department`s approach to national security, cyber-threats.

CHARLIE ROSE: And that`s how we know the Russians were hacking into the DNC and John Podesta?

JOHN CARLIN: And so that`s what led to a -- an approach where hundreds and hundreds of prosecutors across the country were retrained, and started working in day in, day out with FBI agents. And there were four -- I think there`s four major threat actors that we`re up against, Russia, China, North Korea, Iran.


JOHN CARLIN: That`s the director of national intelligence said, the FBI said. Once we started this new approach, the first one that we used that we went after to do an investigation attribution and see what we could make public was China. And that`s a case that leads to the first indictments of their kind back in 2014. It`s only a year after we did this transformation. And we indicted five members of the People`s Liberation Army -- 61398. And what they were doing was not traditional spy craft. So what they were doing is, we laid out was they were going into nuclear, to solar, to steel, and going inside the company. And they were stealing things like one company was about to do a joint venture with a Chinese company, they were going to lease a pipe, and right before they leased the pipe, we watched the Chinese uniformed members of the People`s Liberation Army go into their systems and steal the design specification for the pipe, or to use another case with solar, we watched them go in and they stole the pricing information from the solar company, so they could price dump. And then, to add insult to injury, when that company sued, these uniformed members of the PLA stole their litigation strategy. And so, that`s why we treat it differently.

CHARLIE ROSE: Let`s talk about that and we`ll come back to the other point.


CHARLIE ROSE: So, in fact, what happened is that United States came very -- basically said to the Chinese, you have to stop this. You`ve got to stop helping private companies have an advantage with respect to American companies. And the Chinese have agreed to do that?

JOHN CARLIN: That`s right. And the only reason I think they agreed to do it is because we did a new approach that said number one, we can figure out who did it, so if you think it`s anonymous and therefore cost free, you`re wrong. Two, we made it public, in this case in the form of an indictment. And three, we showed we can impose consequences, we can figure out by name and by face and impose consequences. In this case it came in the form of a criminal indictment. And that led to an amazing experience where right before President Obama was going to meet with President Xi, they believed we were about to use this new executive order on sanctions. We`ll talk a little bit more later. And got a call that the personal emissary of President Xi, wanted to come over to the United States and came over with a crew of 35, 36 people. We hammered out over four or five days of negotiations, so-called 5-point agreement. One of which was for the first time President Xi said it is wrong to use your military and intel for this purpose.

CHARLIE ROSE: But there is some aspect of that which -- because I was trying to get an interview with President Xi at the time, that he might cancel the trip, was it? I mean, there was some threat or overhang that maybe he wouldn`t come if we couldn`t work this out. If there were going to be sanctions imposed.

JOHN CARLIN: I think they were very...


JOHN CARLIN: I can`t tell you what fully motivated them to come and have this precedent-setting new agreement. But they clearly were very concerned.


JOHN CARLIN: And otherwise they wouldn`t have sent over the high level delegation and made this agreement. And because they`ve made the agreement you saw the G20 adopt the new norm. And so if you think about cyberspace.

CHARLIE ROSE: The G20 that was in China, or the G20 -- the most recent G20 or the earlier G20.

JOHN CARLIN: It was the earlier G20. I think it was not in China that year.

CHARLIE ROSE: But it was in China this year.

JOHN CARLIN: This year it was. And they -- if you think about cyberspace, this is the Wild West in some ways as the president said. If we`re going to bring law to this new frontier, it`s going to take agreements like that. It`s one of the reasons we brought the case.

CHARLIE ROSE: So when we say the Russians are behind this, we are, the U.S. government is pretty clear and pretty sure that that`s in fact true.

JOHN CARLIN: They wouldn`t say unless we`re highly, highly confident that it`s so. And that`s the investigation attribute part.

CHARLIE ROSE: And then, should we expect therefore an indictment of individuals in Russia?

JOHN CARLIN: So that`s the part of this all tools approach. So I think it`s important one to figure out who did it with high confidence which you see. Two, to make it public, and you`ve seen us do that here and say it`s the Russians. Because if you are going to be able to deter, you`ve got to make sure the world knows we can figure out who did it. And then, third, to be public about the fact that there will be consequence. Now what those consequences are have varied depending on the threat that we face when we`ve been trying out this new approach. And the policy has been, it will be a time and place of our choosing.


JOHN CARLIN: ... not our enemies` choosing, and there may be things you see and you don`t see. And talk a little bit about what happened which was a surprise case with the North Korean hack into Sony, I think you`ll see an example of that.


JOHN CARLIN: ... of that approach.

CHARLIE ROSE: Again, where we were sure that the North Koreans did it, that they hacked into Sony.

JOHN CARLIN: Exactly. And it was amazing feat of Intel and law enforcement in that case, where in less than 28 days we reached that high level of confidence. It`s only because Sony did the right thing, and within 24 hours had a team of FBI onsite, was working very, very closely with us. We`ve had just done the PLA case less than a year ago. We`re trying this new approach. We get a call at national security division. I can tell you, been doing this for a while, and we`ve done a lot of wargames of what it might look like if a rogue nuclear armed nation decided to attack the United States through cyber means.


JOHN CARLIN: And we never figured it would be about a movie like The Interview, about a bunch of potted smokers.


JOHN CARLIN: So that was a surprise.

CHARLIE ROSE: In fact, you had to brief the president in the situation room on the plot of the movie.

JOHN CARLIN: Which if you`ve seen that movie, it`s not easy to do.


CHARLIE ROSE: But let me just go back to this. So with respect to the Russians, you know what the motivation of the North Koreans was.


CHARLIE ROSE: They were all unhappy about a movie that they thought had smeared their leader. What`s the motivation of the Russians.

JOHN CARLIN: Well, if you think of the China case it was to make money.


JOHN CARLIN: To sell trade secrets.


JOHN CARLIN: In North Korea.

CHARLIE ROSE: And that their company is in competition with American companies.

JOHN CARLIN: Exactly. So instead of spending money on research and development, they thought it would be cheaper to steal it from. And then with Sony they wanted to -- in their society, you don`t have political free expression. They didn`t like what somebody said, and so they wanted to prevent them from being able to say it, by intimidating people out of saying what they think. So it was an attack in that sense on our fundamental values. And a third case, the third actor we haven`t talked about is Iran.


JOHN CARLIN: And they`re attacking our financial institutions, which you can guess that the motive is the Iranian actors affiliated with the Iranian revolutionary guard corps. But they too wanted to attack an American institution for a political purpose. I think what`s -- with the Russians, what we`re seeing is they want to undermine confidence in our public election. That would be consistent with what we`ve seen them try to do in Germany, in other parts of the world.

CHARLIE ROSE: How does that strategy work for them?

JOHN CARLIN: One question is, can it work if you call it out? So once people know that they`re trying to do it, I think it becomes a lot harder for them to secretly try to influence an election or cause uncertainty. But this is a country who under its current leadership, is anti-Democratic. It`s fundamentally opposed to the idea of democracy. And that`s why it`s so important if you try to undermine the confidence for an election, that we do publicly confront it and impose consequences.

CHARLIE ROSE: Mr. Podesta -- John Podesta`s whose emails were attacked, and he said then released by WikiLeaks. What`s the connection between Russia, hackers and WikiLeaks.

JOHN CARLIN: So, I`m not going to address the specifics outside the statement that the director of National Intelligence and Homeland Security put out.


JOHN CARLIN: But I think what we do in terms of looking at it as a frame, is look, there`s going to be a lot of mischievous bad actors, ranging from those who want to undermine confidence in election, to terrorist groups who attack private companies in order to steal names to create kill lists, which is an actual case.

CHARLIE ROSE: Kill lists.

JOHN CARLIN: Yeah. One case that it`s important for those, especially, in private industry watching -- because here`s a case that looks like it`s a routine criminal hack. And so, companies every day have intruders go into their systems, looks pretty unsophisticated, they steal things like names and addresses, and usual to make a buck.


JOHN CARLIN: In this case, they stole a relatively small amount and the vast majority of companies wouldn`t report it to anybody. And luckily, in this case they did report it. And the guy steals the names and then he bribes -- tries to blackmail the company and says give me 500 bucks through Bitcoin.


JOHN CARLIN: ... or I`m going to embarrass you by releasing these names. Again, vast majority of companies either pay 500 bucks or decide to handle it on their own. And this one didn`t.

CHARLIE ROSE: And the lesson is that they should report it.

JOHN CARLIN: They should report it. And because they reported it, because we worked together, it turns out on the back end it`s not the low level criminal that it looks like, but instead of a crook is this Kosovo extremist who`s moved to Malaysia, as in a conspiracy with other folks in Kosovo.


JOHN CARLIN: ... and he`s the one who`s involved with getting the information, was doing the hacking into the U.S. trusted retail company. He then hooks up with a guy named Junaid Hussain.


JOHN CARLIN: ... who`s a British born terrorist, who`s moved to Raqqa, Syria, where he`s located at the heart of the Islamic state.

CHARLIE ROSE: Headquarters of ISIL.

JOHN CARLIN: Headquarters of ISIL. And he calls through that list of stolen names to make a kill list. And then he uses Twitter, and this is the threat that we face now which is more complex than it`s ever been before, when it comes to terrorism, using Twitter, American-made and invented technology, he sends that kill list back to the United States to their adherents and say kill these people by name, by address, they`re government employees, kill them. Because we worked it together, even though it crosses, you know, involve people from five different nationalities and moves at the speed of cyber, we were able to take effective action here. The individual, Ferizi, gets arrested on U.S. charges in Malaysia, brought to the U.S., was just sentenced a couple of weeks ago to 20 years in prison. And Junaid Hussain, the one living in that ungoverned space in Raqqa, Syria, is killed in a military strike.

CHARLIE ROSE: In a drone strike.

JOHN CARLIN: The military announced it was a strike. I don`t think they said whether it was by drone or airplane.

CHARLIE ROSE: OK. What`s interesting about this too, is this notion that you call this a blended threat. What does that mean? Just what you just described?

JOHN CARLIN: Yeah. So, what I mean there is, we`re seeing more and more of an overlap between criminal activity or what looks like criminal activity.

CHARLIE ROSE: But it`s something else.

JOHN CARLIN: But it`s something else, either national security threat, meaning a nation state or a terrorist group. And that`s very concerning as we look forward.

CHARLIE ROSE: Back to the Russians.


CHARLIE ROSE: So looking at your tool kit and saying you have a proportionate response, what are the possibilities?

JOHN CARLIN: Well, we publicly talked before in applying this approach on some that we`ve used. So we`ve used criminal...


JOHN CARLIN: ... indictments, including real charges.

CHARLIE ROSE: Requires names of individuals.

JOHN CARLIN: Requires names of individuals. And you`ve seen in some cases, we have apprehended the individuals, this guy named Subin, who`s a...


JOHN CARLIN: ... Chinese individual, traveled to Canada, was in a conspiracy with two People`s Liberation Army members to hack into Boeing, gets arrested in Canada. Extradited -- fights extradition, ultimately waive, come to the U.S., is sentenced over four years in prison in the Central district of California. So these are real charges. So that`s one. Another is the use of a sanction, you saw that with the North Koreans. And then -- because when we`re sitting around that situation room table when it came to North Korea, one of the things we realized was, you know, good thing in some respect is North Korea, because if it was another country, we don`t have an executive order to sanction individuals or companies the way we do with terrorists or those who would proliferate weapons of mass destruction and we need one. So later that year the president signed in a new executive order. So that`s another tool that`s available now. And the case of Subin, he had a company that he worked with, and in addition to him being criminally prosecuted, the Commerce Department said you can`t do business with that company if you are in the U.S. without getting a special license. So that`s another tool that causes economic harm.

CHARLIE ROSE: Do you believe -- does our intelligence believe that in the Russian`s case, that they wanted to upset the American political system and confidence in it? They, of course, would deny it. The foreign minister then gave an interview to CNN and said no, it`s crazy, we would never do this, and we didn`t do this, as you might expect one government. The other thing that`s interesting about it is whether it was connected to the ties leadership in Russia. In the way it might be the republican guard in Iran, or does it go all the way to Putin?

JOHN CARLIN: Well, I think you`ll continue to see the intelligence community give an assessment as to whether this would have to have high levels of government.

CHARLIE ROSE: Will they do it without the approval.

JOHN CARLIN: Well, you can tell from our response which is to be public and to say that there will be consequences that we believe the Russian leadership is accountable for this activity.

CHARLIE ROSE: What happens if there is a cyberwarfare? And who`s vulnerable? I mean, one of the problems with cyber, you may not know the address of who your attacker is, correct?

JOHN CARLIN: That`s true, yes. It`s true, but I also think we`re much better at investigation and attribution than people thought. We`ve brought that -- before we brought the China case, people said you`ll never be able to do it.


JOHN CARLIN: It`s too hard in cyber. There are some who said it. And we showed not only that we could do it, but we showed activity like their conduct started to increase at 9 AM in the morning, Beijing time.


JOHN CARLIN: And then it spiked from 9 to noon, decreased a little bit from 12 to 1:00, Beijing time. Lunch break.


JOHN CARLIN: And then went back up again from 1 to 6, and then decreased overnight. Luckily they don`t seem to work the same hours as some of their U.S. counterparts do, but it was their day job. That`s evidence. That`s giving you a hint as to who`s involved, that they`re doing that on a 9 to 5 clock, Beijing time. Or to give another example, because it`s not all bits and bytes attribution, in the North Korea, Sony attack, it was one of the first times we brought in some of the same guys I worked with when I did homicides and serial rapists, the behavioral analysts specialists at the FBI worked out at Quantico. These so-called profilers. And they applied their trade craft where they study psychology, but they also have now someone who is a cyber expert. This one, first time they used them. What they looked at is when the North Koreans went into the Sony system, if you think about it like a murder, there`s malware you need to turn the computers into essentially bricks, right?


JOHN CARLIN: And so -- and they use that. But, they also did -- they also staged the crime scene, so just like some serial killers will stage a body, it`s not necessary to kill them but they stage a body because they want an impact on those who walk into the room. These North Korean hackers did something called splash screen which is the cyber equivalent where they put up messages designed to intimidate those who were watching before the screens turned into bricks. That`s a clue. And so, the profilers used that skill set combined with things like actual analysis of the malware to reach this high confident conclusion that it was the North Koreans.