Sharing information about attacks will be key in the future of cybersecurity

Governments and business should collate their data to prevent attacks and limit terrorist recruitment online

A photo taken from an Islamic State website shows its militants fighting in Iraq. Photograph:  via AP
A photo taken from an Islamic State website shows its militants fighting in Iraq. Photograph: via AP

National governments and global companies need to be more vigilant about the ways in which terrorists and criminals are increasingly using the internet as a medium for recruitment and attacks, says US assistant attorney general for national security John P Carlin.

For example, he notes during an interview at the US Embassy, services from social media companies such as Facebook and Twitter have become a vehicle for terrorist groups such as Islamic State (Isis), and are used to recruit and radicalise.

As both companies, as well as many other internet and technology multinationals, have their Europe, Middle East and Africa (EMEA) base in Ireland, Carlin quietly made a visit to Dublin last week to address them via the US Chamber of Commerce here.

Also on his agenda were discussions with Irish government officials about the potential for radicalisation of terrorists in Ireland. This is not due to a specifically identified threat.

READ MORE

“We are talking to lots of countries,” he says. “Each of us has a responsibility to keep our citizens from contributing” to terrorism. A growing concern, he says, are people who are radicalised at home via social media, who never travel abroad for training and come less easily to the notice of law enforcement. Such people may intend to carry out attacks in their home country, he says.

“We know Isis places a premium on getting recruits with a familiarity with English” language and culture, Carlin says, hence one reason for a visit to Ireland.

Because of the importance of social media to the process, “we need partnerships with those companies”.

Cybercrime – including attacks and commercial espionage carried out by nation states – is also high on his discussion list. One of his key points to make while in Ireland is that governments need to be sharing more information about attacks with companies, and vice versa.

Companies or governments can no longer simply build technical defence walls around their networks: “You can’t build a wall high enough or deep enough.” And it isn’t “a badge of shame to be breached” any longer, as security experts widely agree the issue isn’t if, but when.

Instead, modern security needs to be about rapid response, isolating attacks, acting quickly, sharing information – and awareness at the senior executive and board level of companies.

Because breaches are so widespread now, along with some high profile attacks such as last year's hack of Sony, there's been a "sea change" in the understanding of such issues by companies, and the willingness to share information, Carlin says.

The current drive to begin to address such concerns arises out of new co-operation between the law enforcement and intelligence gathering arms of national security. The fact that the two divisions in the US didn’t talk enough and share key insights was highlighted in the wake of the September 11, 2001 terrorist attacks in the US. The National Security Division for which Carlin works was set up in response to the 9/11 attacks, in part to start to bridge those divisions. It is also the first new government litigation division set up in about 50 years, he notes.

“Our goal should be threat-based” – to try to address threats, and ideally, prevent attacks, using all the tools from intelligence to law enforcement to working with foreign partners, he says.

“A win is not convicting a terrorist. A win is preventing an attack.”

What’s new, he says, is that in 2012 they began to apply this more joined up approach to not just to more traditional attacks and threats, but to “cyberthreats”.

“What we saw was shocking: day in, day out, nation state actors intruding against companies,” he says.

Co-ordinated approach

Up to then, intelligence and law enforcement had worked separately against such actors. Now the approach is to co-ordinate, and also bring in national governments and companies as partners.

“We need to do a better job as governments, in pushing threat information to companies,” he notes – it is the governments who often have the intelligence about such threats.

But isn't the US in an awkward position to be preaching against nation state attacks, when it is widely accepted by security analysts that the US and Israel were behind the sweeping global spread of the Stuxnet worm, created to compromise some of Iran's nuclear fuel enrichment systems?

“I think there are norms we can agree on,” says Carlin. “The response of a nation state should not be to target private companies.”

A department spokesman accompanying Carlin hastens to add that his reply is not in any way a reference or acknowledgement of the origin of Stuxnet.

Though he clearly has no intention of disclosing it, Carlin likely knows the full story, though, as he is one of the most senior US officials with a cybersecurity brief, and has intelligence clearance is of necessity, at the highest level.

Carlin himself comes across as unassuming, even a somewhat unlikely candidate to be in his current role, to which he was appointed by President Obama last year.

And it's certainly a far cry from where he started out, writing his undergraduate thesis at Williams College on Shakespeare as a political philosopher. He also spent a year abroad at Oxford University, and then took a law degree from Harvard.

He came into the Department of Justice on the Attorney General’s Honours Program, where he started in an entry-level position but soon ended up looking at computer hacking and information technology-based crimes. “I think because I was the youngest person there,” he says with a laugh. But he found the area fascinating, and it has remained a speciality.

Special counsel

In 2007, Carlin was named national co-ordinator of the Computer Hacking and Intellectual Property Program in the DOJ’s Federal Computer Crime Unit. After only seven months in the role, he became special counsel to FBI director

Robert S Mueller

, and then, his chief of staff. He returned to the

Justice Department

in 2011.

When charges are brought against terrorist suspects in the US, the American official who appears in the news coverage making the announcement usually is Carlin.

He's also one of the two government officials that signed a recent formal request for a six-month extension to the controversial US Patriot Act – the document used to legitimise much of the covert surveillance and bulk data collection revealed by former security contractor Edward Snowden.

Instead, Congress voted in the more restrictive Freedom Act, which disallows bulk data protection (though a US judge last week re-enabled bulk data collection in the short term). Is he happy with the new act and its greater constraints on intelligence gathering?

Carlin is not giving any personal opinions on this topic, either, and reverts to a spokesman stance.

“The president fully endorsed the Freedom Act and fully mandated the end of bulk data collection,” he says.

A Shakespearean character couldn’t be more adeptly politic.