Originally aired on September 29, 2020 @ 3:00 PM - 3:30 PM EDT
2020 marks Cloudflare’s 10th birthday. To celebrate this milestone, we are hosting a series of fireside chats with business and industry leaders all week long.
In this Cloudflare TV segment, Alissa Starzak will host a fireside chat with John P. Carlin, Former Assistant Attorney General for the US Department of Justice’s National Security Division and current Chair of Morrison & Foerster’s Global Risk + Crisis Management practice.
So welcome, everyone. It's so great to be here today. I'm here with John Carlin, who I'm going to let describe his own illustrious background, but who has had long government experience and is currently the global chair of the risk group at Morrison & Foerster. So I want to actually start with that. John, you've done so many things in government. Can you just give a sense of where you started, how you ended up where you are, and how that progression went?

Yeah, and it's great to be joining you today on Cloudflare's birthday week. I ended up specializing in cybersecurity issues, but it really originally came about when I joined the Justice Department through something called the Honors Program, where they take you straight out of law school. I was about 20 years younger than the other prosecutors on the team, and I knew how to use, and was comfortable using, something called email, which was relatively new then, and setting up people's printers, crazy things like that. So they converted my ability to help them with their printers into thinking that this English major was somehow a cyber expert. And so I ended up working on digital evidence and other issues, and then kind of worked from there, prosecuted different cases over the years, but ended up being a computer hacking and intellectual property prosecutor, or CHIP. That name actually came from the former director of the FBI, who has now been more in the news, Robert Mueller, from when he was the top prosecutor out in Northern California. And I can assure everyone watching that he'd never heard of the TV show CHiPs, so I had no idea that people were going to make fun of us and think we should be wearing short shorts and sunglasses.

So that wasn't part of the uniform, the helmet and the motorcycle? That wasn't part of it?

Yeah, exactly. Not so much, not so much.
And in fact, I got the opportunity later in my career to move over to the FBI as his chief of staff, and I brought up to him the fact that he had caused years of derision by picking that name, and he was nonplussed, as expected, not being up with the popular culture. But I ended up doing that on the criminal side of the house, then went over to the FBI as his chief of staff. And what really switched is, you know, when I was prosecuting these cases on the criminal side of the house, sometimes you'd see a company get hit, and it would be a nation state, and that would just disappear behind a locked, secure, compartmented door. In fact, sometimes the agent would switch squads at the FBI, and I wouldn't see them again either. I didn't know what was happening. And even when I coordinated the whole program nationally, I still didn't know what was going on behind that locked door. It wasn't until I went over as chief of staff and was working on the national security side of the house that the door opened. And what you could see was, on the one hand, incredible work by folks in the government, the intelligence community and law enforcement, to map out what the adversary was doing in the U.S., along with other countries across the world, day in, day out: attacking places like universities, stealing info, hopping from there into companies, massive billions of dollars out. But though we were able to watch that, in fact, in a facility on a giant jumbotron screen in real time, which was a great, great thing, it didn't feel like success, right, to see that. It was a bit deflating. And so one of the key issues that we worked on when I went back to lead the National Security Division at the Justice Department was: is there a way that we can apply this? Can we think about the way that we've tackled terrorism? Are there lessons that we've learned that we can apply when it comes to cyber?
And so when you think about the National Security Division that I went back to lead under President Obama, it was the first new litigating division at the Justice Department in 50 years, since the creation of the Civil Rights Division. And the idea was simple. It was a post-September 11th reform. Prior to September 11th, we failed to share information effectively between law enforcement and intelligence, so inside government, and between governments. And that failure led to the unnecessary death of thousands of innocent civilians. That was a mistake we couldn't make again. And so the mantra of the National Security Division was that success is not prosecuting a case after it has occurred, when victims have lost loved ones and are grieving, but success is working across the full range of legal tools, so intelligence lawyers sitting side by side with prosecutors to try to figure out how to prevent that attack from occurring. And it starts with the sharing of information. And we realized when it came to cyber, you know, as was my own experience, we weren't sharing it. No one was looking to see, when it came to a nation state, what could we do to change this behavior? Can we figure out who did it? When we figure out who did it, can we make it public? And after making it public, what type of consequences can we impose to change behavior?

So make that real for people. Explain how that actually works in practice. So here you are, having been a prosecutor. What does that case look like? What does it look like on the intelligence side, and then what does it look like on the prosecution side? Just give the description.

Yeah, to give you a real-life example, the first case of its kind, the first time there was an indictment that involved nation state hacking activity, was relatively recent. It was in 2014.
And it was a result of this new approach where the door opened, and that which had previously been in the shadows, behind closed doors, the classified information, was shared with a specially trained cadre. And we had a much better name than CHIPs. They were the National Security Cyber Specialists, or NSCS, which rhymes with meniscus.

So, okay, I plead guilty. I'm also bad with the names and the acronyms.

But the idea was that these prosecutors, on the one hand, knew the bits and the bytes, like your background behind you, and digital evidence. And on the other hand, they knew how to handle classified sources and methods and prosecute a criminal case. And so empowered, they brought the first case of its kind in 2014. This was the indictment of five members of a specialized unit of the People's Liberation Army, Unit 61398. And this group, their day job, as we showed in an attachment to the indictment in that case, the activity started around 9am in the morning, Beijing time, went at a high level from nine to noon, decreased from noon to one, so they took a lunch break. Everyone needs lunch. Then it increased again from one to six, and decreased overnight, on weekends, and on Chinese holidays. So to the former prosecutor in the USA, circumstantial evidence: we know who did it. But if you think about it as well, this is the second largest military in the world. And each day they were putting on their uniform, going to work, and their day job was sitting behind a keyboard and hacking into private companies. And when I say private companies for private gain, I mean companies like Westinghouse, which was about to do a joint venture with a Chinese partner. And the night before, these members of the People's Liberation Army hacked in and stole the technical design specifications for a lead pipe. And that way, the next day, they didn't need to lease the pipe. Their commercial competitor didn't need to lease the pipe.
It wasn't a national security secret, it was just about money, ultimately, making a buck. Similarly, the same group, as was laid out in detail in the indictment, hacked into a US subsidiary of a German multinational solar company, SolarWorld. And here, they hacked into the email, so the most vulnerable part of the system, not well protected, not where the crown jewels are, but they stole from that email the pricing information. And then they used that knowledge of the pricing information to know exactly the pain point for the solar company, and their competitor in China then price dumped and forced that company into bankruptcy. And to add insult to injury, when they sued, they also stole the whole litigation strategy from them. So that was the first case of its kind. But when you think of the four major adversaries in the space, China, Russia, North Korea, and Iran, that have been the most active, really, most Western countries agree that those are the four bad actors in the space causing the most activity. There have now been public indictments, use of the criminal justice system, with all four.

So how do you think about that? So obviously, you're talking about nation states, you're talking about diplomacy in some cases, right? So you're talking about foreign relations, you're talking about prosecution and criminal activity, you're talking about things that potentially impact trade. How do you put all those pieces together in a way that feels coherent from a US government policy standpoint?

Yeah, I'll give one case as an example of why it's so important to do that, and how it can be successful. And then I'll further answer your question and talk about this all-tools approach, which is a rare area. There's not too much that President Obama and President Trump have agreed on. But this is a rare area of continuity, actually.
So in terms of why it's so important, and why, you know, we've had five now, I think, directors of national intelligence, each say in sworn testimony in the National Intelligence Estimate that the top threat to our country, our way of life, is through cyber. And imagine, for those listening, you're at a company, you see a relatively small hack, it steals some personally identifiable information, some names, some addresses. You misconfigured a server, you know how it happened, you're not that worried that they're technically good. And then a couple weeks later, you get a note, an email, spelling errors, grammatical errors, but basically saying, hey, I want, number one, 500 bucks through Bitcoin, or I'm going to embarrass you by releasing this information publicly. And number two, by the way, I'm mad that you threw me off your system. So I would also like you to let me back on to your system. Most companies would pay the 500 bucks or decide they don't care. Everyone gets hacked. This is low level. This company did work with government. And I think, to your question, it's one of the key things that makes this different than all the other post-9/11 national security improvements. I'll say a little more on that later. But they worked with government and shared information. And because they did, what they found out is that on the other end of that keyboard, it wasn't the low-level hacker that it looked like. I mean, don't get me wrong. This was an extremist from Kosovo named Ferizi, who moved to Malaysia at around 21 to get better access to broadband, in part so he could do this. He wanted the 500 bucks. He also had managed to make friends with one of the most notorious terrorists in the world at the time, a man named Junaid Hussain, who was a hacker who had been convicted and then radicalized while in prison in the United Kingdom, and moved to Raqqa, Syria, where he was located at the heart of the Islamic State in the Levant.
And when you think about September 11th, which we talked about, and core al Qaeda, all these reforms within government, the creation of the Department of Homeland Security, the Director of National Intelligence, the National Security Division, which I led, all of them were about trying to stop terrorism 1.0, or al Qaeda 1.0, which very much wanted to train operatives overseas in a specific geographic area, in the FATA, in Afghanistan and Pakistan, and deploy them to try to commit another terrorist attack on the scale and scope of September 11th. It was expensive, and they centrally directed it. We got very good at disrupting that attack. But as we evolved, they evolved. And in terrorism 2.0, the crowdsourcing of terrorism, you saw the Islamic State in the Levant, in particular, perfect a new technique of using Western technology against us, just as al Qaeda used aviation. This group was using social media. And instead of training operatives overseas, they were doing the far less expensive route of trying to recruit people online, no travel needed, and convince them to kill where they live. And the person who was the best at that, or one of the best, was Junaid Hussain. He was an English speaker, and he was good at reaching into these audiences. And that's what he was doing, in part, from Raqqa, Syria. So Junaid Hussain in Raqqa, Syria, reaches out and connects with Ferizi in Malaysia, the Kosovo extremist who moved to Malaysia, hacked into a US company, stole US information, and now meets with this British citizen who's living in Raqqa, Syria, and they meet only through Twitter. They don't meet in the real world. And he convinces Ferizi to give the stolen information from this trusted brand name in the US over to him, the names, the addresses, etc. And unlike Ferizi, Junaid Hussain could care less about the 500 bucks.
He wants to do what the Islamic State was doing then, which was a group that was committed to murdering Muslims and non-Muslims alike with impunity, that was using rape as a form of political coercion, and that was selling women and children into slavery as part of their taking over territory in the region. And so, consistent with that murdering group, what he wants to do is create a kill list. So he culls through the stolen information entrusted to a US company with a well-known and trusted brand name, and culls through it to see, hey, who looks like they're .edu, .mil, maybe a member of the government. He creates this kill list. And then again, using Western social media, pushes it back and says, kill these people by name where they live, using the stolen information. Now, the reason I can go into so much detail about this with you, and have written about it, is because that company shared information with government, and it allowed, to your point, multiple tools to be used. So Ferizi was convicted and is now sitting in prison in the United States, in Virginia, after being brought there by Malaysia, thanks to a great partnership with the Malaysians done through the State Department. But Junaid Hussain was outside even the long reach of US law enforcement. He was actually killed in an openly acknowledged military strike by Central Command because he was in ungoverned territory. So diplomatic tools, military tools, intelligence, the criminal justice system, all combined effectively in this case to prevent the threat from occurring, to prevent innocent lives from being lost.
But when you think about it, unlike September 11th and all that great work that was done to share information within and between governments, none of that could happen here without the private sector sharing in the first place, which means figuring out a way to get private companies to share threat information with government at the scope and scale and the speed of the threat, and then vice versa, to get the government to be able to share. And you've been in government, we worked together there as well. It is a total sea change in the way that many of these agencies are collecting and processing information, and it's going to take a while to effectuate.

This is Cloudflare's birthday week. Obviously, we've been in business for 10 years, so it's our 10-year anniversary, which is really exciting. But a lot of the sea change that you're talking about has happened in the last 10 years. So from a government perspective, we always think about this sort of post-9/11 world. But in the cyber world, it seems like it's actually been more recent. I mean, it seems like a lot of the sea change, the sort of all-tools technique, has been in the last 10 years. Given how the adversary shifts in those cases, right, so you have big nation-state adversaries, you have non-nation states, given how quickly they manage to shift and find new avenues, do you feel like we're able to keep up now? Do you feel like it's continuing to shift? Do you feel like there are new tools out there that we need to then respond to from the US government standpoint?

That's a good question. I think we've made a lot of progress, and I'll pick through a couple of examples, but we're not where we need to be given where our vulnerabilities are and where the threat is. So on the progress front, we've gotten used to and better at applying different tools and starting to think of this as a joint government and private sector problem. And we've done that after being surprised time and again.
I know in government, we war-gamed for years, right, what it would look like if a rogue nuclear-armed nation decided to attack the United States through cyber-enabled means. And we got it wrong. I mean, we were thinking electric grid, we were thinking nuclear power. We were not thinking a movie about a bunch of pot-smoking journalists was going to be the target of attack, it's fair to say.

I'm not thinking about the regime. I don't know. Not saying, like, some people really liked that movie.

I'm not sure that I'm one of those people, but they had every right to make the movie. And it was a surreal experience. It was back when I was in government, and it was around Christmas, and we're sitting there watching a clip from that movie, The Interview, with the director of the FBI and the attorney general. The only time in my career I've had to go brief the president of the United States in the Situation Room and start the briefing with a plot synopsis of a movie to explain what we're doing there. I'll never do that again. But it did show, I think, to your question, how fast it's morphing. I mean, that was an attack. The North Koreans, when they attacked Sony because they didn't like the content of the movie, they just turned computers into bricks. So it was a destructive attack where they were wiping operating systems. They also stole intellectual property and publicized it through third parties. Neither of which is why people remember the attack, and it wasn't the thing that was most damaging to the company. What was most damaging to the company was that, similar to stealing pricing information in the China case, this was an instance where they stole salacious email traffic and just dumped it. And ironically, in a case that was all about a dictator overseas not liking content here, it was our own First Amendment-protected media that really stuck the shiv in and did the damage for the authoritarian regime by then running and publishing the salacious emails.
In some ways, we learned one lesson, I think, well, or two lessons. One, because of that case, in that case we followed the same approach, and we figured out who did it in a short period of time and made it public. But looking around the range of available options to add pain, to have a consequence, there wasn't a criminal case. Actually, they were later indicted, but at the time it wasn't ready. And so they looked to see if they could impose sanctions, the ability to say, hey, you can no longer do business with US dollar transactions or companies. And unlike weapons of mass destruction or other regimes, there wasn't an available vehicle to impose the sanctions. Now, luckily, in some respects, it was North Korea; they'd done so many other terrible things that there was a North Korea-specific vehicle to sanction them, and that is what happened. But it pointed to a gap. And later that year, President Obama signed an executive order, which President Trump re-signed when he came into office, that allows for the sanctioning not just of those who steal information, but also of the beneficiary companies. That has some bite and is a good tool to add to the arsenal. The second thing we learned, but perhaps not well enough, and then you see the Russians exploiting it in the 2016 election, because they're watching and learning too, was that this wasn't critical infrastructure, but it is core to the way that we live. And so in this case, it was an attack on this core value of free expression. In 2016, it's an attack on democracy and the right to vote. And we've seen that again in 2018, and the intelligence community is saying it's happening again right now, along with Facebook and Twitter and others, as we head into 2020. So how do we rethink what critical infrastructure is when you can attack a value that doesn't have a physical location? So that's one lesson.
And then the one we didn't learn well enough, I think, but are now addressing, is this idea of information warfare and the morphing of a threat, so that just like the terrorist group was using social media and they morphed, we're seeing nation states now realize they have an asymmetric advantage against a free society using information warfare. And so the stealing and dumping of that type of information can be harmful, and we need to think through ways to defend against that.

I think one thing it seems like we have gotten a little bit better on, and certainly we think about this as a company all the time, is the hardening of defenses piece. So we often emphasize that just as a general standpoint. There are so many different ways you could potentially use a cyber attack, both to take down a website, to remove content, for example, but also to access information, to do a whole range of things. Do you think that we're in a better place on the security side? So post-Sony hack, do you feel like there's more awareness on the cyber side? Do you feel like the 2016 election influenced that? I mean, what's your sense just on familiarity with cybersecurity and the importance of it?

Yeah, I mean, we've had a couple of events now where we all thought, this is the canary in the coal mine, this is the event that's going to break through, whether it's the North Korean attack on Sony or the Chinese massive theft of Office of Personnel Management information. I know my daughter's first piece of mail, and she was very excited to see her name on an envelope, it was actually inside the envelope, was a notice from OPM saying her identity had been stolen before she even has an identity. So not good. And then the Russian 2016 election interference. Cumulatively, I'd say these different events, and for corporate executives, the firing events, are clarifying. So changes of personnel after Equifax also, I think, had a notable impact.
So if I were to compare where corporate America is today, when we have discussions with boards or C-suites, compared to the early aughts when I was prosecuting the cases, it is a massive sea change, to your point. And it's been dramatic over the last 10 years, and even more dramatic, really, over the last five or six years. Is it where it needs to be? No. And I'm sure you're seeing this too, in terms of attacks, particularly in our COVID world, where we're all working remotely, and bad guys realize that means you're much more vulnerable and much more likely to not only pay, but pay large amounts to extortion schemes. We are seeing, and I think the FBI will put more concrete stats on this, third parties have, and I'm seeing it day-to-day in my legal practice, an explosion in ransomware. So traditional ransomware, which means the deployment of malware that prevents you from accessing your own data without a decryption key; hybrid extortion schemes, where first you steal the data, and then you deploy the ransomware, and your extortion is for both: either you pay or I'm going to release and make public that which we stole; and then denial of service attacks, or distributed denial of service attacks, so massive armies of compromised computers launching attacks. We're seeing that, and it's getting so bad that the groups are copying each other. There's one group right now that's pretending to be from North Korea, but it's assessed to likely actually be Russian, linked to both the state and a criminal group that's running that extortion scheme. What I find is, once you've lived through it, then companies make the proper investment, and what we're trying to do is figure out ways to make it real enough. And what I think is often an issue is just translation.
It's not a comfort zone, and so they don't let the security professional deal with it, they don't totally understand when they're briefed by IT or the CISO, particularly boards of directors who are in those positions because they're senior, so a lot of this is very new to them, and then traditionally it wasn't one of the areas of expertise that you looked for on a board of directors, which puts a premium on something called translation from geek. And you saw this in government, right?

Of course.

I remember post-Office of Personnel Management breach, President Obama tried to convene the cabinet to get people to pay proper attention, because ultimately the risk decisions, you have to own them as the cabinet secretary. And I know even for Justice, the attorney general sent me and the CISO to the meeting, and then there was a stern missive that went out to all the cabinet secretaries that said, you can bring whoever you want to support you, but you have to come, because if you can't understand it, then we've failed. We need to figure out a way to describe this in a way that you understand it well enough so you can make decisions about what should be online, what shouldn't, how much you want to invest in security products.

That translation process, I mean, so the private sector has a challenge with it, the government has a challenge with it. That's another area, I guess, where there's sort of a long-term improvement, right, where we need to make long-term improvements. And do you think that the reality of having a set of people coming up who are more, you know, computer literate because they were essentially born in an age where there was nothing else, right, do you think that will help? Do you think that will both help on the development side, but also on sort of immunizing people from other kinds of threats, or at least making sure that they impose certain kinds of security requirements? Where do we go?
I think it can help. There are a couple of initiatives we're doing through a non-profit I work with, the Aspen Institute. So one, if we want everyone going digital, and boy, it's all happening, you know, our kids are all right now doing school from home, teach security. So that should be part of the basic curriculum. Don't just teach them how to use it and get online. Teach them about the fact that there are threats and bad things that can happen online, and how to protect yourself. So that should be mandatory, in my view, across every public school, in fact, across the United States. Number two, when you get to the higher level, and this is still not done, it also should be mandatory in your 100-level, you know, required course at MIT and other institutions, that you learn security, not just how to write the code. Number three is, and it's something we're working on, actually, as an initiative out in California, let's actively try to accelerate, because I think you're right, some of it will be generational, but let's try to accelerate the knowledge transfer. So let's take the best and the brightest, technically, and teach them how to speak policy, because that's not a natural language. They need to get lessons from you. You know, people spend time on the Hill, like, how does Congress work, and how do they think about something, and then vice versa. Take people from Congress, take staffers, do education, so they get, you know, basic fluency in digital speak, and you're not talking past each other, but speaking the same language. So I think there are improvements, but they're not going to happen on their own; we need to invest in and force that knowledge transfer.

So we're in our last couple of minutes. Again, birthday week, so I'm curious where you think we'll be in 10 years. Will we be there? Will we have improved, or will we just have a whole new set of challenges?

Right.
I've always been, I'm by nature, optimistic, and so I think we innovated our way into a lot of these issues, and we can innovate our way out of them. And it starts with things like what we're doing for birthday week, and you have a CEO who's also out there and outspoken on the problems that he sees, which is raising awareness, so there's sufficient pressure from the public to make the changes that will make us safer. And I do think we're at an inflection point. So what happens 10 years from now isn't fixed. It depends on what we do today, and when I look at the explosion that's happening with the Internet of Things and the devices that are being connected at an exponential rate, increasing potentially the surface area for vulnerabilities, now is a key time to change the way of thinking so we build security in by design.

Well, Cloudflare is all about all of those things and thinking through those big security problems. So we still have a couple seconds left, but any final sort of big words on where we go, on what we should do by next birthday week?

I thought, you know, the final words were going to be us jointly saying happy birthday.

Oh, yeah, well, of course, if you want to sing happy birthday, I would not stop you. Well, John, thank you so much for joining us. It's been a pleasure talking to you, and I should have given you a full set of career titles in advance. I realize that no one knows what the Assistant Attorney General for the National Security Division is unless you give the full title, and people appreciate how impressive it is. So thank you again.

No problem. Thank you.