HARI SREENIVASAN: One official at the helm of the U.S. government’s fight against terrorism is the Assistant Attorney General for National Security John Carlin.
Carlin oversees 75 criminal cases that have been brought in the past 18 months against alleged supporters of the Islamic State in Iraq and Syria, known as ISIS or ISIL.
The majority allegedly tried to travel abroad and a quarter are accused of plots on U.S. soil.
In an interview earlier this week, Carlin laid out the threat that ISIS represents.
JOHN CARLIN: We’re facing a new threat when it comes to terrorism. The Islamic State, what they did is they decided to crowdsource terrorism. And they exploited US technology companies: Twitter, Facebook, Google, others that do so much good, but they exploited them for their terrorist aims.
What they did is they bombarded thousands and thousands of propaganda messages all over the world. Then, when they had someone on the hook through social media, what they would do is often take them into a private, encrypted direct messaging forum, and you’d have a terrorist overseas talking to a kid here in the United States, and further walk them down that path of radical, radicalization.
And while their success rate is very small, all it takes is a relatively small number to pose a big problem.
HARI SREENIVASAN: You’re talking about fighting an idea. You’re talking about fighting an idea with all the modern tools and technologies that exist today to spread ideas.
How do you stop someone from proselytizing across Twitter?
JOHN CARLIN: We very much need the same folks who had the innovative idea to create these products, to focus on the solution. They don’t want their businesses used by terrorism.
So we need to work in partnership with them to keep terrorists overseas from targeting our kids. We’ve brought over 75 criminal cases against terrorists in the U.S. system.
In the beginning, they used to mostly be foreign terrorist fighters, those who want to go join this group overseas. We need to be concerned, once those guys get that training overseas, that they don’t come back and use it to commit terrorist attacks inside the United States or in western Europe.
ISIL started saying, ‘No passport required, no travel required, we call on you to commit attacks, terrorist attacks where you live. Kill innocents around where you live.’ And we’ve seen people answer that call in Australia, in Canada, in France, in Belgium.
Here in America, we’re not seeing any particular ethnic group or geographic group answer the call. Instead, the trend is almost every case involved social media. Over half these cases involve individuals 25 or younger, and most troubling, a third involve kids that are 21 or under.
We’ve never seen that problem here before when it comes to terrorist threats.
HARI SREENIVASAN: So how do you stop that? It used to be that you could say, ‘Listen, let’s have the religious leader, the local pastor, the local imam intervene on our behalf,’ right?
When you’re talking about someone who’s under 25, they might be listening to Twitter and Instagram a lot more than their parents.
JOHN CARLIN: That’s a very good point, and a concerning one. These corporations that provide these services, and their advertisers, are really good at figuring out who’s listening to what, and how to change minds.
We need their help to make sure that the terrorists aren’t out there using their services to pinpoint individuals. The same way we’ve done campaigns against sexual predators.
Because I think a lot of parents out there, you know, they don’t necessarily know what their kid is up to when they’re down in the basement online, or when they’re walking around using their phones on social media.
And it used to be the assessment of the intelligence community that before someone would become a terrorist, they would need to meet someone in the real world, face-to-face, who would walk them down that path.
But that assessment’s changed, especially with this generation that’s used to trusting people online. And we need to adjust accordingly.
HARI SREENIVASAN: How do you see encryption as a problem? Especially with telecom companies?
JOHN CARLIN: You have the terrorist overseas. Once they’re in direct contact, they use American-made technology that’s pushed out for free and has many good purposes, to directly communicate. And what I’ll find, from where we sit, is we’ll get a warrant.
We go to serve it on the company, and the company says, ‘Yes, this is legal process, but we are technically unable to effectuate the court process. We can’t tell you what they’re saying.
We can’t tell you what they’re writing to each other.’ That’s a major problem for law enforcement intelligence, because that’s been a critical, the ability to do those intercepts has been a critical tool.
HARI SREENIVASAN: So is there a concern that, if you ask a company to say, decrypt all conversations, you’re also threatening my right to have private speech and my ability to whisper a secret to you?
JOHN CARLIN: So I think what we need to do is have a balance between protecting our national security, but what we are protecting is our way of life, which includes our civil liberties and our privacy.
And we can and have done both. So what they’re looking for now in partnership is saying, look, what we’re looking for is specific targeted ability to do an intercept when we have a lawful court order. And we’re asking for a technical means to be able to effectuate the court order.
Folks in government don’t need to have that solution, we just need the company to be able to do it.
HARI SREENIVASAN: Carlin also oversees federal prosecutions for hacking, as hackers overseas increasingly attack U.S. companies and government agencies.
One big case involves a 20-year-old from Kosovo, living in Malaysia, who allegedly stole personal data of U.S. military members and gave it to ISIS, which posted the names online and encouraged followers to attack them.
HARI SREENIVASAN: A guy from Kosovo, sitting in Malaysia, is able to hack and find the addresses of 1,400 military service members. How do you stop that?
JOHN CARLIN: This wasn’t a small-scale crook. It was an extremist from Kosovo who’d moved to Malaysia, was hacking into their system for the purpose of providing it to a British-born terrorist, Junaid Hussain, who was living in Raqqa, Syria, and associated with a designated terrorist group, the Islamic State.
He was culling through that information to look for military and government addresses, and then was again using US technology, Twitter and other services, to broadcast that out and say, ‘Here’s the identity of these individuals, here’s where they live, kill them.’
We were able to arrest this individual, and he’s pending extradition from Malaysia. And the person to whom he was giving the information, according to a public statement from CENTCOM, was killed in a military strike.
HARI SREENIVASAN: It’s almost like a drumbeat that in the news, I hear, Target gets hacked, or a bank gets hacked, or VTech, a company that makes kids’ toys, gets hacked, right?
Millions of pieces of information on us as consumers and our behaviors is out there in the open market. Sort of, the dark Web, and sometimes used by these actors in ISIL or ISIS. How do we protect ourselves?
JOHN CARLIN: About 98 percent of what we value is now in digital space and connected to the Internet. And we didn’t invest in protecting that information.
So, now we need to move quickly to catch up and make sure what’s a strategic advantage for the United States – the fact that we digitalized and moved to the Internet faster than any country in the world – doesn’t become a strategic disadvantage exploited by nation-states.
If you have an Internet-connected system, there’s no wall currently that you can build that’s high enough or deep enough to keep a dedicated nation-state or even a sophisticated criminal group out of your system.
HARI SREENIVASAN: Another important hacking case last year saw the Justice Department indict for economic espionage five Chinese nationals who were working for the Chinese army.
JOHN CARLIN: This is a case where Chinese members of the People’s Liberation Army deliberately targeted the United States economy. They targeted sectors ranging from nuclear to steel to solar.
And what they stole was not traditional national security information, what they stole was the lead pipe designs that they were otherwise trying to lease, or pricing information that they could use to dump products here in the U.S. at a lower price.
So what they’re stealing was for business advantage. And so we treated it like theft, not like an intelligence problem. So we brought that indictment, was the first of its kind.
HARI SREENIVASAN: But those five guys from the PLA, they’re not in a federal prison?
JOHN CARLIN: We’ll see, and again these are allegations, what happens in the future. But it clearly, that had an impact in part, because it showed we could figure out who did it.
And then the executive order that’s in place now as of April of this year, that allows for the sanctioning of actors or companies, people or companies for cyber-related activity. That’s on the books.
HARI SREENIVASAN: It didn’t take long for the FBI to figure out North Korean hackers were behind the hack of Sony Pictures, stealing private communications and destroying the company’s servers.
JOHN CARLIN: We’re now doing this deterrence, deterrence approach. All the more important when you see a destructive attack like Sony.
They went to law enforcement immediately after the hack. That allowed us to figure out in 27 days that it was North Koreans. Make the decision as the National Security Council and at the president’s level to publicly say that it was the North Koreans.
To announce sanctions, and to have the president and others say there’ll be some things you see, and some things you don’t see, but there will be consequences.
That was important not just to send a message to North Korea but to all the other countries in the world who are figuring out what are the red lines, what can I get away with in this space without suffering a consequence.
HARI SREENIVASAN: John Carlin, thanks so much for joining us.
JOHN CARLIN: Thank you.