National Security and the Cyber Threat Landscape

In cyberspace, the past few months have been turbulent. Over the summer, the attack on the Office of Personnel Management dominated the news; many labeled the attack as “the biggest breach in US history.” In September, the United States and China reached a historic agreement to end commercial cyber espionage. And just a few weeks ago, a hacker was detained in Malaysia on a US arrest warrant, accused of stealing the personal information of over a thousand members of the US military and providing this information to ISIS.

At a talk hosted at the Atlantic Council on November 10, 2015, the Hon. John Carlin, Assistant Attorney General for National Security at the US Department of Justice, discussed the current national security threat landscape and recent trends in the US government’s approach to disrupting cyber threats. The discussion was moderated by Benjamin Wittes, Editor in Chief at Lawfare.

Here are the main things we learned:

1. Cyberspace is contributing to a change in the terrorist threat.

The desire to launch large-scale attacks persists, but terror groups are now crowdsourcing their brand of terrorism. The platforms used to instantly and inexpensively send data across the globe are used by terror groups to indiscriminately disseminate propaganda and incite individuals overseas to join their cause. “Radicalization no longer needs person-to-person connections,” said Mr. Carlin, “this can occur entirely online.”

2. Law enforcement, the intelligence community, and the industry need to work together.

The threat posed by terrorism prompted law enforcement and intelligence communities to collaborate more closely in the early 2000s. Similarly, cyber threats now require close collaboration of law enforcement, intelligence, and business communities. “The forums being attacked never dealt with national security events before,” commented Mr. Carlin. Companies may not recognize an incident is more than a traditional criminal intrusion until it is too late.

Mr. Carlin maintained that the US government has a responsibility to protect US companies and citizens, but that this will require all stakeholders to engage with each other to reach a point where the cost of engaging in malicious cyber activity outweighs the benefit.

3. We are making progress on cybersecurity, but have a way to go.

“Five or six years ago, this was not on the radar. Now, it is.” Mr. Carlin commented. “And this is an important precursor for solving the problem.” After years of technical and creative input to build up the Internet into what it is today, it will take several more years to get to a secure state. Ultimately, “we may innovate our way out of the problem.”

Through outreach, the federal government hopes to reach a point where every thought leader thinks about what the threats are and how best to respond to them. Ultimately, the legal tools used to punish malicious cyber activity should become “routine enough that their use no longer warrants the front page of the papers,” stated Mr. Carlin. To prevent the strategic advantage that the United States gains from information technology from becoming a strategic liability, we need to move quickly on defense.