Cybercriminals acting on behalf of national governments and nation-backed espionage agents carrying out cybercrimes for cash on the side is the future of security threats facing corporations and governments, says the former top U.S. attorney in charge of the Department of Justice’s national security division.
“I think this blending of criminal and national security, whether it’s terrorists or state actors moonlighting as crooks or state actors using criminal groups as a way to distance themselves from the action, I think that is a trend that we saw increasing that’s just going to continue to increase over the next three to five years,” says John Carlin, now an attorney with Morrison & Foerster.
He says that as a result, cooperation between businesses and law enforcement is vital to catching these foreign adversaries. What seems a simple criminal act may actually be traceable to an act of espionage or terrorism.
For example, he cites the case of Ardit Ferizi, who stole personal information from a U.S. internet hosting company and sought $500 in bitcoin or he’d release it to the public. It seemed a simple extortion, but when it was reported to the government, it turned out to be more complicated.
It seems Ferizi was conspiring with a well-known cyberterrorist, Junaid Hussein, who was number three on the Pentagon’s kill list among ISIL terrorists. Ferizi’s job was to get personal information from businesses in order to create an assassination list of individuals that held government jobs. The list of names and addresses would be turned over to Hussein, who would distribute it to ISIL affiliates in the U.S. via Twitter who would carry out the murders, Carlin says.
The $500 extortion attempt was apparently Ferizi’s freelancing for a little cash on the side, he says.
Ferizi was extradited to the U.S., tried, convicted and is spending 20 years in prison. Hussein was killed in a drone strike.
“That’s the type of case where I think sometimes people don’t realize what the risk is,” Carlin says. “If a company knew that was a terrorist group, they would definitely report it … but because you don’t work with government to connect those dots, you don’t always know on your end alone.”
He spoke about another case in which the Department of Justice filed criminal charges against five officers in China’s People’s Liberation Army for committing economic espionage. It’s unlikely they’ll ever come to trial, so what’s the point? “We did that both to bring the terms to the table and show we can figure out who did it and when we do there will be consequences and also by making it public,” he says.
Filing the charges also drew attention to the fact that the U.S. is declaring this type of activity illegal, even though there’s not much they can do about it in court. Not taking action would tacitly condone it, he says. “Otherwise you’re creating, under international law, essentially an easement that says, ‘OK it’s OK to use your intel services to steal this type of information.’ In some ways this was a giant no-trespassing sign; get off our lawn.”
And he says the tactic was effective. There’s been a decrease in China’s use of military and intelligence services to target private companies. When China’s President Xi Jinping met with former President Barack Obama last year after the charges had been filed, he agreed to the principle that the military should not be used to steal private information for private gain.
The internet of things poses a different kind of threat, he says. The IoT is plagued by the same problems the internet itself is: it was never designed with security in mind and largely neither are IoT devices. Just as add-on security technologies protect conventional networks and devices, such add-ons are needed for IoT.
The consequences are already large – witness the use of internet-connected cameras and routers to launch 1TB Mirai DDoS attacks last year. And they are only getting bigger, he says, with the growing reliance on computers in cars, passenger-less vehicles, the proliferation of drones and medical devices implanted in our bodies.
That’s “a massive, massive increase in the surface area of items that will be at risk if they’re connected to the internet,” Carlin says. “I think of an actual case that we were involved with, what one terrorist did with one truck in Nice. It doesn’t take too much imagination to think what a terrorist group could do if there was an automated fleet of trucks.”
He says progress is already being made. Cybersecurity experts are being assigned to the design teams for cars. Government will start looking at what regulations are already in place that can be applied to IoT gear. New legislation and regulations may be needed. Civil liability for insecure devices may be used to encourage better security on devices out-of-the-box. “You’re trying to reach the right balance,” he says.
He says the DoJ has started educating manufacturers about the threats. “It’s not good for the brand if you end up being compromised,” he says. Everyday consumer products and private companies are “on the front lines of national security threats.”