A former official talks past, present and future of cyber at the Justice Department


Welcome to The Cybersecurity 202! It’s getting too dark out too early in the day. And yet somehow fall is a “great” season to most people. Also, everything is dying, and I don’t get enthused about death.

Below: The U.S. government asked Mexico to not buy Chinese border technology, and hackers leak data from inside Iran’s nuclear agency. But first:

John Carlin had a lot of cyber in his portfolio as a principal associate deputy attorney general at the Justice Department. The New York Times described his job as “one of the most powerful and under-the-radar posts” at DOJ.

It was his second sojourn at the department, in fact, having previously served as assistant attorney general for the DOJ’s National Security Division in the Barack Obama administration. When he returned to serve under the Biden administration, Carlin was quickly confronted by hacks on Colonial Pipeline and meat supplier JBS. 

As of this month, Carlin is co-head of law firm Paul Weiss’s cybersecurity and data protection practice and a partner in its litigation department. We spoke about his time at DOJ, what’s ahead for the department and his focus now that he’s returning to the private sector.

This interview has been edited for length and clarity.

The Cybersecurity 202: What do you think you did at DOJ this time around that made a difference?

Carlin: We’ll start structurally. And this is when I’m still acting [deputy attorney general], so very early in the administration. The ransomware epidemic had reached new heights, particularly during covid. And so, launching the ransomware task force in order to address that threat and ensuring not just that we employ the full resources of the department and prioritize the threat but also that we looked for new and innovative ways to tackle it. … We did that prior to attacks attracting the attention of the country because of the attack on Colonial Pipeline. So centralizing every ransomware case, requiring reporting.

In terms of successes: We did this effectively working with international partners, so I don’t want to downplay the success of bringing people to justice in a criminal court, but changing the focus from success being criminal prosecution, to applying the full set of tools to try to disrupt the ecosystem of bad guy organizations and make victims whole. 

And by that I mean, going after a digital currency, the proceeds from bad guys and either making it unavailable to them or returning it to victims; to go and take affirmative steps to take over the infrastructure, take over the command and control of the botnet; clean up people’s computers who are otherwise unable to do it, so that another organization doesn’t pick up where the one that you’ve disrupted left off. So really, working to just unleash the full creativity of the amazing prosecutors and agents throughout the department.

Launching the National Cryptocurrency Enforcement Team. This is at least true for the criminal groups and increasingly for some of the nation states like North Korea: It’s about getting the money. So having a team that really focuses on depriving them of the ability to easily get their profits by disrupting the criminals’ use of digital currencies and exchanges, and particularly making it difficult to convert it to fiat currency.

How would you say things changed from the first time working on cyber issues at DOJ to your return?

Carlin: When I first did it, the National Security Division … charged five members of the People’s Liberation Army, meaning [Unit] 61398, in 2014. The idea of taking that which has been secret, and putting it into a public charging complaint, and charging by name the uniformed officers for what was essentially theft — economic espionage for the benefit of rival companies overseas — was novel. By the time I left, we had used similar approaches with regards to North Korea’s attack on Sony Motion Pictures, and the Iranian Revolutionary Guard [Corps]’s distributed denial of service attacks on the financial sector; they also hacked the Bowman Dam in New York to gain access to the control systems. And of course, Russia, which resulted ultimately in the criminal charges for the Yahoo attack.

By the time I returned, that really was ingrained, the idea of the Department of Justice, the FBI, the criminal justice system was an important tool. With the threat landscape, we saw ransomware exploding as we left. But because of the reliance people had on communicating digitally during covid, it had reached proportions I’ve never seen before.

You talked about those criminal cases. You’ll hear some people say, “Those don’t matter, those people are never going to jail. You’re just naming and shaming.” What’s your thinking on that subject?

Carlin: I do not think we’ll be able to prosecute our way out of the cybersecurity problem. But it’s a tool and particularly when it came to national security-related threats, nation-state threats, there was a period of time where it was a tool that we were not using at all. And I actually don’t think that was a conscious strategic choice, having lived through it. It’s because people didn’t realize the effectiveness when you apply the resources investigators could bring to doing attribution and figuring out not just generally, who did it — not, it was emanating from China, or from Russia, but specifically enough with sufficient evidence that you could prove beyond a reasonable doubt in a court of law.

Then the other part of it is, there are many people who are in jail today because they travel or they go to a state that cooperated and they’ve been prosecuted. So these are real charges with real consequences.

What cyber challenges remain at DOJ that you’d be focusing on if you were staying longer?

Carlin: I still think [it’s] under-resourced. The department, both on the prosecutor side and the FBI side, needs a dramatic infusion of resources to address the scope of the threat.

Is there an ideal number or increase in scale?

Carlin: I will put it this way: On a significant scale, there needs to be a re-architecting of the way that you’re getting the most volume of resources and the technology, the personnel, but also getting the right recruiting and having the proper training and background in information technology and computer science.

I know you always planned to stay just for a year, but why return to the private sector, and what kind of cases, clients and problems do you look forward to tackling?

Carlin: I really enjoyed having a different way of helping, when you’re able to directly help the clients and companies who are hit by these attacks. I’m happy to get back to advising clients as they navigate this changing world in terms of threat actors and ransomware, but also the political landscape where the tools of the U.S. government are sanctions, are export controls, a new focus on corporate compliance, trying to ensure the rule of law here to help them navigate and stay on the right side of what’s just an unprecedentedly complex picture when it comes to cybersecurity and related national security concerns.

Ideally, you’re talking to clients before the major incident to help them — to share the hard work, hard-earned lessons of living through the worst cyberattacks, on things they can think about ahead of time on the prevention side.

If you have a transaction that’s being reviewed by the Committee on Foreign Investment in the United States, that shifts from being about missiles and affects transactions like an acquisition of Grindr, a dating site, and that was because of cybersecurity and privacy. Or sanctions, where now as you’re trying to contemplate whether or not to make a ransomware payment you need to think about this. It’s really animating across a range of areas where it’s new. 

U.S. government asked Mexico to not buy Chinese technology for border

U.S. Ambassador to Mexico Ken Salazar’s letter to Mexican Foreign Minister Marcelo Ebrard urged Mexican authorities to not buy equipment from Beijing-based Nuctech, which U.S. officials worried would give China access to data about goods entering the United States, Kevin Sieff and Nick Miroff report. In the previously unreported May 2 letter, Salazar wrote that U.S.-Mexico bilateral cooperation “could be put at risk by the use of unreliable equipment.”

The letter was one of the millions of documents that hackers leaked after targeting Mexico’s defense secretariat. Internal documents show that Mexico had already begun purchasing Nuctech scanners before May 2.

  • Civil society organization Mexicans Against Corruption shared the documents with The Post. The Post independently verified the documents.

The Department of Homeland Security said in 2020 that “Nuctech very likely has a close and enduring relationship with the Chinese Government to advance Nuctech’s business interests and develop screening and detection systems on behalf of the Chinese Government.” It also wrote that the company’s equipment likely has “deficiencies in detection capabilities, which may create opportunities for exploitation by the Chinese Government.”

Nuctech, which didn’t respond to requests for comment, said in an undated statement on its website that “it is not state controlled” and its customers are the “sole owners of all data generated by Nuctech’s systems.” The firm is “100 percent committed to the safety and security of our customers and their data and any suggestions to the contrary is categorically false and designed to stifle emerging market competition,” it said.

Hackers leak emails from Iranian nuclear agency

The Atomic Energy Organization of Iran confirmed that emails from a nuclear energy production subsidiary’s IT unit were posted online, Bloomberg News’s Arsalan Shahla and Golnar Motevalli report. A group calling itself “Black Reward” has claimed responsibility for the hack, which the group said was done to support protests in Iran.

“The Telegram messages contained a raft of links to email correspondence that Black Reward claimed involved the UN’s International Atomic Energy Agency, foreign contracts and Iran’s Bushehr nuclear power station,” Shahla and Motevalli write. “In its statement, the AEOI didn’t mention Black Reward and said the emails contained ‘normal everyday exchanges’ and were about ‘technical matters.’ ” The leak comes amid stalled international talks over Iran’s nuclear program. 

Pro-Trump group gathers intel for its war on voting machines (Reuters)

Russia still using Israeli tech to hack detainees’ cellphones (Haaretz)

Australia to introduce tougher penalties for data breaches (Bloomberg News)

After cutting ties with Iran, Albanian PM arrives in Israel to talk cybersecurity (Times of Israel)

  • CISA chief of staff Kiersten Todt speaks at an event hosted by the Virginia Academy of Science, Engineering, and Medicine on Tuesday.
  • The R Street Institute holds an event on school cybersecurity on Wednesday at 10 a.m.
  • Rep. Tony Gonzales (R-Tex.), Col. Jennifer Krolikowski, the chief information officer at U.S. Space Systems Command, and other speakers attend the BlackBerry Security Summit 2022 on Wednesday.
  • National Cyber Director Chris Inglis and Anne Neuberger, the deputy national security adviser, speak at a Center for Strategic and International Studies event on Thursday at 10 a.m.
  • Rob Silvers, the undersecretary for policy at DHS, discusses cybersecurity initiatives at a Center for Strategic and International Studies event on Friday at 11 a.m.

Thanks for reading. See you tomorrow.