Security Expert Discusses Cyber Threats to the 2020 Election

Russia may already be attempting to interfere in the 2020 presidential election, if reports that Moscow hacked into Ukrainian gas company Burisma prove correct. It’s the kind of attack that keeps John P. Carlin up at night; he was Assistant Attorney General for National Security and speaks with Hari about the ever-rising cyber threat.

Read Transcript EXPAND

CHRISTIANE AMANPOUR:                     So the Ukrainian gas company Burisma, which is at the heart of president Trump’s impeachment trial, specifically because Hunter Biden, the son of the democratic front runner, Joe Biden, once sat on the board and then earlier this month we learned that Russia hacked into Burisma and now Ukraine wants the FBI to help investigate because of fears of more election interference here in the 2020 election. It’s the kind of stuff that keeps our next guest up at night. John P Carlin was the assistant attorney general for national security and he talked to our Hari Sreenivasan about the ever-rising cyber threat.

SREENIVASAN:                  Give us a lay of the land here who are the kind of nation, state cyber warfare players of consequence.

JOHN P CARLIN:                I’d say there’s four major players, eh nation state players in cyberspace, North Korea, Iran, Russia and China. And that’s according to both the views of the intelligence community and the cybersecurity cybersecurity community that monitors these threats. The other one to call people’s attention to though is what I call the blended threat, which is we’ve seen an explosion, billions of dollars have funded it in the organized criminal groups that try to attack companies and individuals to make a buck. And increasingly we see a blend between the traditional nation state activity and those criminal groups in both directions. We see that the nation States at the direction of their leadership when they want to do an attack, use those criminal groups and their tools as proxies. On the other side, you also have corrupt government actors and they want to make a buck on the side. So they’ll use state tools to do a criminal activity and they really just want, they really just want a profit. So what kinds of capabilities are we talking about? Because it’s not just the computers that can be attacked. It’s also the computers that are in charge of real world infrastructure for example, and the kind of ripple effects that normal people could see on a day to day basis. And we certainly know that very sophisticated actors like Russia and China have repeatedly shown that they’re able to get access now. They don’t necessarily use the access they have when they get it in certain critical infrastructure. But in the event of severe tensions between the nations or war, you could see them exploiting it more worrisome as you see North Korea and Iran trying to follow suit and they would, uh, use that, use that capability. And I think it’s something we need to watch for now as tensions increase with Iran and others. Another just side point on that though, is that’s critical infrastructure the way we traditionally thought of it. So it’s regulated space, electric water. We’re increasingly moving what’s called the internet of things. So when we talk about that transformation of data and connecting it online, increasingly we’re starting to connect everything. So that’s the cars on our roads. We’ve already had an instance, and this is back when I was in the Obama administration, where there was a proof of concept hack and you could, so using the entertainment system, you could control the braking and steering system of a Jeep. And that caused the recall of 2.4 million Jeep Cherokees with the idea that, Hey, that’s just like the brakes not working. That’s a safety law. But they were already out on our roads. And then you do the recall.

SREENIVASAN:                  When we talk about these nation state actors, how do they prioritize and what are their interests? I mean, is it about disinformation? Is it about stealing money? Is it about wreaking havoc on the economy? What are they trying to do?

CARLIN:                                Yes, it’s about all of those, but it depends on the, it depends on the state, state actor. So, uh, Russia, in addition to to, uh, obtaining money, um, and it’s blend with criminal groups in some respects, they seem to think that just attacking American Western interests anywhere in the world is to their benefit. And so they are purveyors of chaos and they attack things like our institutions and democratic institutions and our trust and faith in them. China’s been more focused on, uh, traditional national security goals. So, uh, state actors from their perspective, human rights, uh, activists or others. And then there’s economic, uh, espionage. So theft of trade secrets, North Korea bank robber, they want to raise currency. They’ve literally conducted essentially a bank heist, this so called Swift hack that’s been publicly indicted and they also use their capability to bully, uh, and try to influence the world where they’re otherwise weak politically like they did with their attack on Sony where they didn’t like the content of a movie.

SREENIVASAN:                  Right now, Iran is the one that we’re most concerned about because we’re in an increased period of tensions with them. What has Iran already done? What are some examples perhaps of what their capabilities are?

CARLIN:                                And in some ways, Iran has been the most destructive nation state actor on the world stage with North Korea may be a close second. They’ve shown the most willingness to use. They don’t have the top capability. I still would put that with the United States, Russia, China at some sense Israel, but they’ve shown the intent to use the capability that they have and this dates back to 2011 inside the United States where they were the first nation state to use cyber to launch an attack against American institutions. And what they did is a, it’s called a distributed denial of service attack and it’s basically the idea is they gained access to hundreds of thousands of compromised computers and then using something called command and control, including, you know, your computer at home could be one of those compromised computers. They could access all those computers at once and caused them to bombard a public facing website with requests for data. They get overwhelmed with data and it doesn’t work.

SREENIVASAN:                  So it’s all those computers are trying to go to the same website at the same time and then nobody can get it. \.

CARLIN:                                Exactly. And that’s what they did toward the financial sector. So they targeted major banks. It was a time, another time of tension between our countries. They launched these distributed denial of service attacks against the public facing website or the bank, and you’re the customer. So much of us have moved online banking, you can’t access your account. It affected hundreds of thousands of customers and cost tens of millions of dollars to over 46 different financial institutions at the beginning of that threat. You know, I was at uh, FBI at the time and later in department of justice, you know, we hadn’t really, we still, our default was to treat these cyber threats as secret. And this is a nation state issue. It’s between nation States. We should do what we did with the cold war, which is monitor it closely, maybe take action against that state, but you don’t tell anyone about it in the private sector or otherwise. And I think we got better and then ultimately publicly prosecuted the individuals that did that and they, they were affiliated with the IRG see some, uh, called the Islamic revolutionary guard Corps. That is the group that Amani, who is recently targeted and killed by a American forces led. So the, those were the actors attacking our financial sector all the way back from 2011 to 2014 while we were doing that, we saw other destructive attacks by Iran. We saw them use what’s called a wiper. Now we’re in attack against a Saudi oil infrastructure. Aramco. It was very effective and disrupted their production for a period of time.

SREENIVASAN:                  That means it goes in and basically wipes the software or some of the data that’s sitting inside a computer off?

CARLIN:                                Yeah. If you think about it at home, if that, if that hit, it basically turns your computer into a brick, you know, your computer is it, it doesn’t do anything without code. And there’s malware that wipes all of the code from the operating system of your computer. We saw that overseas and issued warnings here, but we also saw that the first destructive attack on us soil by a nation state using that same wiper type malware was actually against the sands casino, not critical infrastructure, you know, gaming. Uh, and what had happened was the head of the Sands casino, Shelly Adelson, had made some provocative remarks about Iran turning them into a nuclear desk cloud. The Ayatollah was not amused and issued essentially a fatwa against and called for jihad against the, uh, Shelly Adelson and the Sands casino.

SREENIVASAN:                  So in this day and age that jihad translates into a cyber attack.

CARLIN:                                That’s right. This is a, you know, w I think the first instance, at least in the U S where we saw that happen and they launched that malware and actually was it, luckily there was someone quick thinking in the information technology staff at sands that essentially pulled the plug and kept it from spreading all throughout their network. So it took, it took out a more distinct, separate facility. How about China? We know that there’s corporate espionage that’s happening. Uh, American companies have said that out loud. Um, what are their capabilities? So we talked a little bit about this new, uh, new approach taking place, uh, led through the department of justice and FBI when I was there, but echoed by other parts of the government, of taking what used to be in the shadows or secret in terms of nation state behavior and starting to have a strategy of figuring out who did it when you see bad cyber activity, making it public and opposing consequences sometimes using the criminal justice system. Actually, the first case that we brought, and this was in 2014, was against China. It was against five members of the people’s liberation army, this specialized unit, six, one, three, nine, eight. And all that unit did was attack the private sector. So they would hit places like universities, they’d hop from there into companies, and then they stole massive amounts of data, intellectual property, trade secrets, billions of dollars worth of data. The former head of the national security agency, Keith Alexander called it the largest transfer of wealth in human history. So this was significant. It’s why president Obama declared it an economic, national security economic emergency. President Trump has has reauthorized that same, that same declaration, and China continues to be quite active at now. Maybe less stealing from a company for the direct commercial gain of its adversary, thanks to an agreement that had been reached between the two countries. They’re definitely still quite active at stealing from companies for the benefit of the state. And that’s a hard if from the U S perspective, we don’t see that distinction the same way. Same way they do. Right.

SREENIVASAN:                  Yelling, stealing.

CARLIN:                                Yeah. Right. And they also, in addition to tilling stealing state secrets or trade secrets and they do both. They also have been taking just bulk data. So you saw the attacks on Anthem, you’ve seen attacks on the hospitality sector and what they’re taking there is just as much data about you and me as they can. So if you have my, my, my Marriott travel habits and possibly healthcare records, what do you do with it? Is this something that you use to compromise an individual? So I can see some ways they would use what they’ve stolen now to try to track law enforcement agents or Intel operatives they disliked to target human rights activists. I also think though, we’re on the cusp of new developments and so-called artificial intelligence or machine learning that are collecting this massive repository of data and they may not know how they’re going to use it yet, but data is the new oil or gold for this age, the way oil gold had been for previous ages. They’re sitting now on this huge, um, pool of data and so it may be they end up generating insights or more effective algorithms or artificial intelligence. Five or 10 years from now.

SREENIVASAN:                  Let’s get to Russia. I mean, our concern primarily as Americans has been watching Russia metal in the U S elections in 2016. Um, is that continuing?

CARLIN:                                Yes. So we should be concerned about Russian activity heading into our 2020 elections. Russia is increasingly a rogue nation when it comes to its cyber activity. They view democracy as an existential threat and we’re not the first democracy that they’ve tried to attack or undermined confidence in. But they’ve also done things like unleash what’s called a ransom worm. And this was something called not Pecha. So this is, there’s a technique called ransomware that the crooks are using. And what that does is it puts malware on your computer. So when you go to log on, you get, often it’s a skull or something scary and it says all your data is locked up, it’s encrypted. If you want to access it, go here and pay a fee. And there’s a reason why that’s been just exploding and it’s because many people are paying and the criminal groups are making a lot of money doing it. We’ve even seen police departments, hospitals in municipalities in the U S pay these crooks ransomware. What Russia did in this ransom worm is, it was like ransomware, but it’s self propagated. And where it started was for specific national security purpose. They deployed it in Ukraine trying to attack Ukrainian institutions. But then it spread all through the world. And unlike the, the criminal version of it, there was no way to pay to get access to your data. Again, this caused, uh, over I think $500 million worth of damage. We’ll have it to a mayor’s shipping alone. It hit Merck. It hit a cost $300 million to FedEx. So it hit everyone, hit all of our allies. We did not do enough, I think, in response to that utterly irresponsible indiscriminant use of this tool to deter them from doing that type type of thing again.

SREENIVASAN:                  So our intelligence says that at least three voting system vendors were compromised. We’ve had another kind of investigation show that at least a few dozen different voting systems connected to the internet when we were told that they’re not right. Um, how safe are we from cyber meddling in the upcoming election?

CARLIN:                                We’re, we’re better than we were, but we still, uh, every state at this point should have a paper ballot backup system. There’s just no excuse for not having it. And a couple of States don’t. And, uh, just go drives a pro bono suit or we’ve sued the state of Georgia and it’s a year and a half, two years into the suit now to try to force them to adopt better protections and not use unsafe technology for, for voting. That’s one area. It was great that the federal government, uh, finally UN released funds because the problem, and we’re seeing this with the ransomware plague hitting cities like Baltimore and others, is it’s not just the election system. They’re generally their infrastructure that they rely on to provide city services. So, so our health and safety depend on it are, they don’t have the resources and they don’t have the technical skillset. And so they’re not hardened against even not particularly sophisticated adversaries. And people make mistakes as you talked about, and take systems that should be off, uh, off the internet and plug them in or put a thumb drive where it shouldn’t, shouldn’t be. And that’s the way to get code in. So we need to have a funding just like we do in other areas to help them get up to speed and protect their systems.

SREENIVASAN:                  Uh, recently a local reporter, uh, I want to say in Topeka asked, uh, the president, uh, a question about our cyber capabilities. Let’s take a look.

REPORTER:                          What is the administration doing to guarantee the, uh, the safety of, of our systems? Our banking systems are our grid. So our computer systems in this country.

PRESIDENT TRUMP:        Well, that’s a great question. Whole new thing. It’s a whole new field. We have some tremendous people. We’re better at cyber than anybody else in the world, but we weren’t really using that power, that intellect on cyber. We weren’t doing it. And now we are and we have, I have incredible people in charge of cyber. Uh, if we ever get hit, we’ll hit very hard. We’ll be able to hit very hard. But it’s a new form of warfare and I think we have it very well under control.

SREENIVASAN:                  Do we have it under control?

CARLIN:                                Uh, no. Uh, I think there have been improvements and there are some good, uh, excellent officials still at the department of justice, FBI, department of Homeland security and our military and intelligence services. But the problem is getting worse right now, not better. And a couple of reasons. One is we continue to move into vulnerable areas. And so right now the technology does not exist to keep a dedicated adversary out of a government or a company’s system, no matter how much you invest. Uh, and so that’s true. If it’s an internet connected system that’s true of sophisticated nation States and it’s increasingly true of these organized criminal groups. What we need to do as a nation, it’s an urgent time and we need leadership from the commander in chief on down is to say we’re at an inflection point. You know, before we move towards adding these billions of new devices on the internet of things using this insecure technology, we need to think about risk and price it into our decisions. There are major gains. I mean, having self driving cars might massively reduce traffic fatalities.

SREENIVASAN:                  Sure.

CARLIN:                                But we got to do so in a way that takes into account. It’s not just whether they work, it’s whether they’ll work. If a bad guy wants them to incentivize security by design. And we haven’t taken the steps yet to do that. It’s not forced by regulation. Congress hasn’t taken action to try to, uh, improve safety on it. I know when I wrote my book and talked about real cases that we did at the department, when I go around and talk about them, people think it’s science fiction. They don’t realize that it already already occurred. So we need to have a demand for action before we start putting new things into this vulnerable space. So we, so we do it safely.

SREENIVASAN:                  John Carlin, thanks so much for joining us.

CARLIN:                                Thank you.

About This Episode EXPAND

Nobel Prize-winning economist Joseph Stiglitz joins the program from the World Economic Forum in Davos to discuss the economy, growth and the climate crisis and legal scholar Noah Feldman
gives insight into the first day of the Senate impeachment trial. Plus, John P. Carlin tells Hari about rising cyber threats to the 2020 election.