#RSAC: Private Sector and Government Must Collaborate, Says DoJ

Co-operation between security’s private sector and government agencies must heighten in order to bring cyber-criminals to justice and protect the privacy and civil liberties of US citizens – that was the message delivered today by DoJ Assistant Attorney General John P. Carlin at RSA Conference.

In a live interview with the NYT’s chief Washington correspondent David Sanger, Carlin told conference-goers, “We should use every legal tool at our disposal to prevent terrorist attacks.”

It is essential that cyber-criminals face tough justice, Carlin said, as the government seeks to send out the message that “there are no free passes” for those that engage in malicious online activity against US businesses and citizens.

“We need to keep increasing the costs until behavior changes,” he said, adding that the government still needs to set out more clearly what exactly those costs should comprise.

Sanger quizzed Carlin on the indictment of five Chinese PLA soldiers last year and asked why the same punishment has not been applied to the perpetrators of the recent, high-profile attack against Sony.

Carlin declined to comment on an open investigation, but said that “all efforts are being made to hold those individuals responsible to account.”

As to why individuals had not been named and shamed in the process of determining attribution for the Sony hack – given the government’s swift move to point the finger at North Korea – he stated that the government believes it has identified “specific things” done by “specific people.”

The PLA case, meanwhile, sent out “an important message to all the other actors out there that this is not going to be a cost-free activity.”

He added that, “These are hard cases to prove, but when we work together, government and the private sector can figure it out.”

The problem, he said, is that adversaries’ “ability to cause harm far outstrips our ability to mitigate it. We are in a race against time, particularly against those terrorist groups that have announced their intentions [to commit atrocities].”

Regarding the role of cybercrime in terrorism, he said that, “If these groups get the capability, they are going to use it. We need to increase our capability in the private sector before that happens.”

To combat the global and transnational scale of this problem, Carlin said, there is a need to develop international norms of acceptable behavior from nation states.

“Theft is theft,” he said. “It’s a tenet as old as the ten commandments.”

On the inevitable subject of encryption and key escrow, Carlin claimed not to have the answers, but praised RSA-goers as the “best minds in the world.” He said he was confident that the security community would be able to “find a compromise” that would allow government access to encrypted communications when necessary without letting the bad guys in.

Carlin expressed his desire to “change the debate” around breaches, so that the focus would shift from companies being blamed. Instead, he said, the discussion should be around government’s ability to bring those responsible to account.

Attribution, he said, is the major stumbling block to the progression of justice in these cases, and only by more effective collaboration with the private sector could the landscape advance.
