As law enforcement, the intelligence community and the private sector work more closely together to bring cyber attackers to ground, a senior Justice Department official said some nations and terrorist groups are marrying with organized crime to continue stealing what they want.
John Carlin, assistant attorney general with the department’s National Security Division, said “blended threats” are becoming more common as criminals become willing proxies who “rent out” their tools for a profit.
Speaking Tuesday at the Center for Strategic and International Studies, a Washington, D.C., think-tank, he described how one hacker accessed names and personal data from a non-government source and passed that along to a terrorist in Raqqa, Syria, the proclaimed capital of the Islamic State. The terrorist went “culling through it to find government workers . . . to kill them.”
Another example of the “blended threat” comes from “from a state actor but not state action . . . who uses those tools for their own gain” as was discovered recently in Russia.
In addition, Carlin said, “There’s a plague of ransom-ware” by hackers who either lock up systems so legitimate users cannot gain access, or threaten to take a system down unless a payment is made, often in a digital currency such as Bitcoin. He added that those attacks often go unreported to authorities.
One reason for this “plague” is the “Internet of things” where “everything is stored digitally” from businesses to hospitals to governments to the operation of cars and locking doors from far away. What is needed to “think on the front end” what this interconnectivity means and “how we think bad guys are going to take advantage” of this vulnerable data.
For large entities, Carlin said it means taking steps such as storing this information off the Internet. He also noted one business, after it had its e-mail system hacked, went back to using fax machines.
In answer to a question, Carlin said, “We have to continue to be agile,” a quality that was lacking after the Sept. 11, 2001 terrorist attacks. He added the threat changes quickly as both sides become more adept in using new tools and developing better tactics and techniques.
Because of the increased sharing of information, “we can figure out who did it.” Now the Justice Department often is “willing to be public about it” by seeking indictments as it did against members of the People’s Liberation Army in China for waging economic espionage and gaining trade secrets. It also provided the information the Treasury Department used to impose sanctions on North Korea as it did in the Sony Entertainment case. “There will be consequences.”
A recent executive order broadened the Treasury Department’s authority to impose sanctions against other nations for those kinds of activities, but so far it has not been invoked, he said. “We have shown we can do the investigation . . . and make the attribution.”
Where the information collected could damage national security sources or tradecraft, Carlin said, “It’s not worth bringing a criminal case.”
Sharing of information from and with the private sector “has gotten a lot better,” in part, because of a recent change in federal law. “But we’re still a long way from perfect.” Carlin said there remains a tendency “to blame the victim” when a breach occurs and to keep quiet about the hack because of its potential impact on market and share price. He said an important change on the government side has come in not blaming the victim by “talking to the business side of the house,” not just the technical side. The reason, he said, is to determine “why did they take what they took” and not just how the intruders took it.
While hackers “are looking over their shoulders and wondering when they are going to be picked up,” Carlin said, “some groups [terrorists] are not going to be deterable.”