U.S. intelligence officials have identified four major cyber adversaries targeting American businesses and infrastructure, from China and North Korea to Iran. Only one — Russia — has yet to be publicly blamed by the Obama administration in a strategy that national security experts have dubbed “naming and shaming.”
But after senior Democrats in Congress pointed the finger at Russia for hacking into the Democratic National Committee and trying to infiltrate the voter registration systems in nearly two dozen states, that may be about to change.
“I would just say to any of those out there considering whether or not to try to harm the United States through cyber means, we have a message, which is: we can figure out who did it, and when we do, we’re not afraid to impose consequences, and we will,” Assistant U.S. Attorney General John Carlin told NPR in an interview this week.
Carlin declined to say whether indictments against anyone in Russia were imminent. He added: “We would take very very seriously an attempt to undermine the integrity of our democracy.”
Carlin leaves the Justice Department next week, after 17 years as a career prosecutor. Even over the past three years in his leadership post, he said, the threat has changed a lot. But when it comes to cyber intrusions, authorities have gotten better at finding out who’s behind keyboards, even thousands of miles away.
In the spring of 2014, his prosecutors charged five uniformed members of Unit 61398 of the People’s Liberation Army of China with stealing secrets from American business competitors.
The Justice Department traced their movements online. The activities peaked from 9 a.m. Beijing time to noon, dipped during the lunch break, then resumed until 6 p.m. “This is their day job,” Carlin said. “This is their day job, to steal from American companies. … That’s not a fair fight.”
China’s president eventually reached an agreement with the White House, agreeing that it’s out of bounds to use military or intelligence powers to target private companies for financial gain. The next challenge, Carlin said, is to enforce the laws on the books about cyber intrusions.
Earlier this year, the Justice Department struck again: indicting seven hackers with ties to the Iranian government. Court papers said the intruders attacked the web sites of dozens of major U.S. banks and breached controls at a dam in Rye, N.Y., raising alarms about safeguards in American infrastructure.
In those two cases, authorities decided to utilize the criminal justice system. But that hasn’t always been the case. In late 2014, rather than public charges against people who took part in wrongdoing, the FBI issued a statement blaming North Korea for breaking into computer systems at Sony Pictures. The studio had released The Interview, a Seth Rogen comedy mocking the nation’s leader. Carlin found himself in the White House situation room trying to summarize the plot of the film.
“The first major attack from a rogue nuclear armed nation state on the United States, and we’ve war gamed that for years, turns out to be because of a movie,” Carlin said. “I’ll leave you to your own reviews of the movie but it’s about a bunch of pot smokers and so not what you expect to be fodder for a national security event.”
In the past year, the Justice Department also has prosecuted 60 people with ties to foreign fighters or home grown extremism. But most of those people radicalized online and never met an al-Qaida or Islamic State figure in person. Those cases are spread across 35 states, with defendants in one-third of the cases aged 21 or younger.
“Here you have an international terrorist group that’s deliberately exploiting that [social media] trust to try to convince young people or mentally troubled people to go out and kill,” Carlin said.
Carlin, 43, mostly operated under the radar during his years at DOJ. But he supervised some hot-button cases. Among them: the now-closed investigation of Hillary Clinton’s private email server.
Of that case, he offered praise for the career prosecutors and FBI agents. “When it comes to any matter I’ve worked on with them, I’ve been so impressed with their dedication to keeping our country safe and for doing the right things for the right reasons,” he said.
In the coming weeks, Carlin expects to spend some time at home with his wife and young daughter before exploring private sector opportunities in cybersecurity or public safety.
He said he wants to devote some of his time, and to urge others, to thinking about the looming transformation of the auto industry and other businesses.
“When you think about what one terrorist was able to do in Nice with one truck and the devastation it caused on civilians, it doesn’t take that much imagination to figure out what they could do if they were able to control a fleet of automated trucks,” Carlin said. “So we just need to just make sure on the front end we prevent that type of disaster from happening.”
A veteran national security lawyer, Mary B. McCord, will take his place at the Justice Department.