Well, I get the honor and privilege of introducing our next speaker, John Carlin, who's the Assistant Attorney General for National Security. He runs the National Security Division, which is about 350 federal employees who basically are responsible for prosecuting cases of terrorism, espionage, cyber issues, and national security in general. Previously, he was Chief of Staff and Senior Counsel to FBI Director Robert Mueller. He's a graduate of Harvard Law School, and I'm going to engage him in conversation and then open it up to you. So John, what is the role of the National Security Division when it comes to cyber?

Well, thanks, Peter. So the National Security Division is the first new litigating division at the Department of Justice in about 50 years, and relatively new. We were founded in 2006. It was one of the reforms from post-9/11, and the recommendation was relatively simple. Prior to its existence at the Department of Justice, spy cases, terrorism cases, applications for intelligence before the Foreign Intelligence Surveillance Court, and cyber cases all reported through different chains at the Department of Justice. So the idea was to set up a one-stop shop at the Department of Justice that would have the sole responsibility for the national security portfolio, and thus be a bridge to the intelligence community and law enforcement. And in particular, one of the founding reasons for our creation was to tear down the wall that had existed prior to 9/11, both legally and culturally, between law enforcement and national security. 
And based on the fact that we were formed so much in response to 9/11 and terrorist events, in our beginning we really focused on the terrorism portfolio, but with time it became clear that the national security cyber threat was growing, both a threat that's here in terms of the theft of our economic information by nation-state actors and the gathering of intelligence, and the growing threat of the future, which would be to use a cyber-enabled attack for destructive means by a nation-state or a terrorist group. So starting in 2012, we really started to try to apply the lessons we had learned in terrorism to the cyberspace, and that meant engaging and developing in every U.S. attorney's office across the country, so 93, 94 offices, specially trained prosecutors who were trained on the one hand to handle the bits, the bytes, and the particularities of electronic evidence that are in cyber cases, and on the other hand, how to handle classified sources and methods, and to learn the patterns and practices and the intelligence about terrorist groups and nation-states. That network is called the National Security Cyber Specialist Network, and we administer it through the National Security Division, and as part of it we make sure we have our criminal colleagues, because at the beginning of a cyber case it can be very difficult to determine who the actor is. That approach and change in 2012, I think simultaneously the FBI put out an edict to the field that said we're going to start sharing what were formerly on the intelligence side of our house with these new specially trained prosecutors just like we do in terrorism cases, and we're going to use this new approach to make sure we're bringing all tools to the fight against those who would harm our nation through cyber-enabled means. It was a direct result of that approach that led to the first-ever indictment of state actors in the case against the five PLA officers in the spring of last year. 
I think last year was really a significant sea change where you saw the results of this new approach, and I think it also led to the ability to very, very quickly have attribution in the case of the Sony hack, which we were able to, from the beginning, treat as a national security matter.

So you mentioned the cases against the five People's Liberation Army officers that you pursued. I mean, do you think that's going to be an effective approach with China? To what extent is it possible you'd have these guys would ever get inside an American courtroom?

So I think it was a necessary change in approach. We got really, really good as a community when I was over working for Director Mueller; the FBI and the rest of the intelligence community vastly improved their game at being able to watch what our nation-state adversaries were doing to our system and see the amount of information that was being exfiltrated daily from our private systems. But with that increased ability to watch came an increased obligation to act. We can't just watch this data going out. We need to do something. Part of that approach, I think just like in the terrorism arena, and we use this phrase often in terrorism cases, is the all-tools approach, meaning we got to look at the threat actor. What are they doing? In this case, they're stealing from American companies for the economic benefit of their companies. How can we increase the cost using every lever of American power? So at the end of the day, they say, it's not worth this approach. We're going to stop stealing day in and day out what American ingenuity is producing. Instead, we're going to compete fairly. So in order to do that, that means we effectively decriminalized it because we weren't before looking to make these cases. That means applying the resources to look and if the facts and the evidence lead to a criminal group in the U.S. 
if they lead to a criminal group in Europe or if they happen to lead to nation-state actors in China, we're going to follow it and bring charges where appropriate. But it also means looking, as you saw in the Sony case, can we do sanctions through the Treasury Department? Can you designate certain entities based on their conduct through the Commerce Department? Can you use the levers of diplomatic power through the State Department? So looking across the spectrum of U.S. levers of power and then gradually increasing the cost to make it clear there are consequences. And when it comes to these cyber events, number one, I think for too long people assumed that you can be anonymous. We won't find out who you are. We've proven that is not the case. We can find out who you are and who did it. And number two, when we do, there are going to be consequences.

There was very quick attribution on the Sony hack. Do you expect indictments to come?

So I'll just say this, that we continue to investigate it as a criminal case. And I think with each one of these national security-related intrusions, we're going to be looking to do as we did in PLA and see whether one of the tools we can bring to the table would be a criminal charge.

These five Chinese PLA officers, if they left China, would they be arrested by Interpol or by some sort of other entity?

Well, I won't talk specifically about what we do, but I'd say it's a charged criminal case. And we very much hope to bring them to a United States courtroom, where they'd be accorded all due process under the law and tried as we have other individuals.

Are they subject to a red notice or whatever? Europol, Interpol, these kinds of entities.

So I'm not going to discuss the specifics as how we might try to bring them to a US courtroom, although we have asked the Chinese government to provide them. 
But backing up a little bit on this approach, and you're someone who's followed this a long time, but in the beginning when we were doing our non-proliferation approach, and so one of the tools we brought to prevent the proliferation of weapons of mass destruction was the prosecution of export-related cases that violated the proliferation regime. And in the beginning, I think some in China and others thought that this was a proxy for a trade war with them, that we weren't really serious about the proliferation problem, but we were using it for economic reasons. Over time, they realized, no, we really want to stop the weapons of mass destruction from getting into the hands of terrorists in rogue states, and have realized that's why we're using the criminal tool in that arena. And we've had countless cases of individuals arrested overseas, extradited and brought to face justice in the United States courtroom for export control and proliferation cases. And similarly with narcotics kingpins in the beginning, folks asked, well, why would you bring a criminal charge against someone who's protected by their home country because they're the head of a cartel? And over time, it's taken a long time in some cases, but we've brought those heads of cartels and they're sitting in US jail. So it's an approach that's been used on other threats. It will not solve the problem, the criminal justice system. It will not solve the nation state national security problem, but it needs to be a tool in our arsenal.

Would you consider criminal charges against people who are kind of proliferating ISIS social media sites or involved in ISIS's social media production?

Yes. I think you've seen, you need to look at the particular facts and evidence, and that brings up a broader point, the use of the material support statute. 
So this would be when there's a designated terrorist group and you're providing your services to that terrorist group, either by providing them actual material, money, technical expertise, or yourself, that these are cases we have and will charge under our criminal justice system. And that approach, I think you saw in 2012, about 27 countries were part of the Global Counterterrorism Forum, or GCTF, and produced something called the Rabat Memorandum of Best Practices. What type of legal code should be on the books to enable you to bring criminal charges before someone commits a terrorist act? And what I think you've seen since then is the adoption by nearly over 20 countries of new criminal codes to address this type of conduct, some modeled after our material support approach. And you saw this fall, unprecedented, unanimous approach at the United Nations of both through the Security Council and that same Global Counterterrorism Forum group, talked specifically about the problem of foreign terrorist fighters, how it's international, there are over 90 countries that have contributed foreign terrorist fighters to the Syria-Iraq region, and that part of the approach to stopping that problem, similar to the all-tools approach, would be making sure that nations have on their books, now they're required to have on their books, statutes so that they could take criminal action to prevent citizens from their country from joining that fight before they become the terrorists.

So ISIS is using social media to recruit, but it's also a huge advantage for people in the Justice Department, because they can completely legally monitor Twitter and Facebook. And we've had quite a lot of cases in this country of Americans who've tried to join ISIS, been stopped at the airport. To what extent is social media a good thing or a bad thing for you?

That's it. So pulling it even further back, I mean, social media is here and it's been an enormous boon to the American economy. 
It's a change in technology that has many advantages to the world and can be used for many positive expressive intent. It also presents a new challenge to those who want to combat the terrorism threat. It's essentially a free form of communication that you can use to plot and plan. This is something that people would invest billions of dollars to come up with a communication system this fast and sometimes this secure for their armies. Now we provide it essentially for free. It's a new way to propagandize and reach individuals in a very targeted fashion in their home. The ability to produce slick propaganda is cheap and widely available. So it presents a new threat. There are some intelligence collection opportunities that come from that threat. But I'd say it's one that we're and you saw this in the recent events now that in meeting with my counterparts, ministers of interior from France, Germany, the UK, Albania, Kosovo, Australia, Canada, that as nation states, we're still learning how to confront this new threat. What's the best way to counter the use of social media in particular for this targeted type of recruiting?

The private sector owns much of the infrastructure in this country, the cyber infrastructure. What's the responsibility of the private sector for... Let me just take Twitter for instance, which has actually been quite slow when it comes to taking down content from ISIS and other groups like this, which of course is against their terms of use. So what role should a Twitter or a Facebook have in really being careful about the kind of content that's going up?

We've talked about two issues. The cyber security, so much of what we value now we store in cyber space and so we need to worry about it being stolen or destroyed in that space, social media for the purposes of propaganda or communicating. 
I think in both instances, these are areas where we really need public private sector cooperation, particularly when we talk about our critical infrastructure. It's pretty much all in state or private hands. And so in order to effectively defend the American people from threat, we need to work with companies so they improve their defenses. But we also need to work at ways in which they can effectively share information to the government so we can coordinate and put out threats that cut across sectors. And also we need to be able to share information that we have collected as a government to them to best enable them to protect themselves. I think we've made enormous strides in this area, but given the scope and scale of the threat as the 9/11 Commission report put it out earlier this summer, then in some respects, we're in a pre-9/11 moment given the threats we can see coming to the cyber infrastructure. And so although we've made progress, we still need to do more and faster to meet this threat.

And when you say we're in a pre-9/11 moment, what do you mean?

So I think in some respects, the terrorist groups have the intent to cause the maximum amount of harm that they can against our critical infrastructure and they define it broadly against things that people associate with the West or with America and would cause damage here. So back in 2012, you had Zawahiri formally, publicly call upon jihadists to undertake these types of attacks. And since then you've had numerous groups issue similar calls. So we know what they want to do. We've seen a pattern and practice in the past of these terrorist groups announcing what it is that they want to do and then doing it and attempting to do it. So that means as a country before that devastating attack occurs, we need to put the attention, resources, statutory changes into place. So hopefully we never reach the moment where that catastrophic attack has occurred. And then we're suddenly putting in a variety of new procedures. 
You know, on 9/11, Al Qaeda had both the intent and the capability. The question is, we know, I'm sure these groups have this intention, but I mean cyber terrorism so far has really been in the area of cyber nuisance rather than national security problem.

So I think it's characterizing a couple different ways. One, I don't think they have the capability to do the type of destructive attack that they've talked about, or they would have done it because they have the intent and there's really no barrier to entry. You have seen some destructive cyber attacks. You saw the attack against Saudi Aramco, where they essentially turned an oil company's computers into bricks. You saw the Sony attack, which wasn't done for economic advantage or intelligence gain, but was done to destroy and coerce. And the damage that nation states in particular are doing by stealing our economic information day in, day out, not for strategic purposes, but to use it in direct competition where their companies is real. I agree, though, that we haven't seen the kind of sophisticated nation state capability make its way into the hands of a terrorist group. But that's a matter of time. And when you look at the criminal groups, I'll use one example, great criminal case that was taken down last spring, Gameover Zeus. It was a botnet that was composed of thousands and thousands of computers all across the year. A botnet is just a term for essentially an internet of compromised computers. So they've gone into people's computers and they use a vulnerability to take control of your computer and use it for their purposes. And that can be used to launch attacks like a denial of service attack, but it can also be used as it was by this criminal group. They used a type of code called CryptoLocker. And what they would do is they'd encrypt people's computers and they were doing it for profit. 
So they would blackmail you and say, if you ever want to see your data again, and for all of you in your different fields, I'm sure there's so much that you value on your computer that you need to pay us money. Well, if a terrorist group gets access to that type of botnet, they could use it to block people's access to health information or try to keep people out of the financial sector and they're not going to offer a payment to set it loose. They're just going to cause the massive amount of destruction as they can. So it doesn't take too much imagination to you and some of those botnets are for rent. So even without having the in-house capability as a terrorist group, you can see how over the horizon this is a capability they're going to develop.

And what about states that are sort of quasi-criminal enterprises like North Korea or terrorist groups which are proxies for states like Hezbollah?

I think we need to look at the particularly sophisticated nation-states like Russia and China and see what we can do to deter their activity and pay particular attention to the North Korea and the Irans who might launch destructive attacks. And part of that approach has to be proving that it's not cost-free because we can do attribution, we can determine who you are behind that keyboard, which is why that PLA case was important and why the attribution to North Korea was important. And then we also need to show that after we do that we're not afraid to publicly say what we've found. So you won't be hiding in the world stage. And third, that there will be consequences for that type of activity. But it's a threat that I'm very concerned about.

One final question before throwing it open to everybody in the audience. What is the sort of international legal framework that exists or should exist for that would prevent, that would sort of be employed for a future Sony? 
I mean, I understand there's an American law, but is there enough international law to prevent this going forward, at least make it harder for states like Iran or others to do a Saudi Aramco attack?

So I think we need to continue to work both on norms in this area, which is relatively new, although some of the activity that takes place, I think, clearly violates already established international norms. But secondly, to make sure we develop the partnerships and capability, the same way we do with the traditional terrorist threat, for instance, with our partner nation-state. So that means getting prosecutors, getting FBI agents, getting experts from the Department of Homeland Security out to meet, train, familiarize themselves with their counterparts. It's a fundamentally international threat. And even when your threat actor is in one place, the tools that they're using to launch the attack may come from another country's infrastructure. So just like here in the United States, we need to work with places like universities who have a lot of bandwidth and server space so that they're a tempting target for criminal groups or bad actors who want to use that space not necessarily to steal something from the university, but to launch attacks against others. We also need to have that same concern with certain other partner countries, work with them so that we can take action when other people are trying to maliciously use their infrastructure. And you're seeing this new approach. Some of those cases, like the botnet case I was talking about, involved coordinated action by public and private sector partners throughout the world, 30, 40 different companies and countries taking simultaneous action to disrupt these threats. That's got to be the model moving forward.

Thank you. If you have a question raise your hand, wait for the mic and identify yourself. Thank you.

Hi, it's John Tio here from the Australian Financial Review. 
I'm just interested in relation to the terrorist propaganda that we see in social media or on websites. The internet service providers and social media companies taking those down and deleting them or would the security agencies and law enforcement agencies here in the US like to see them do that more, remove some of those insightful postings or inciting postings?

So I think there was a call, one with the Attorney General to Paris after the attacks there when we met with the interior ministers and many of our partner nations. And from that meeting there was a call that was echoed again when 60 countries were in town last week. And we need to find a way where we can work with internet service providers to obtain the information that law enforcement intelligence services need to prevent terrorist attacks before they occur. And at the same time, we need to do that in a way that's protective of the civil rights and civil liberties of the many users who are using these systems for innocent purposes. And I think that's a balance that we can obtain. And it's something that there's great interest, not just in the United States, but with partner countries across the world to make sure that we find that proper balance. The other thing we need to do, which is not my expertise, as someone who focuses more on finding who did it and holding them accountable, but is to figure out the best way to counter message so when you're competing for those who are getting propagandized by these very targeted social media campaigns. How do you reach that audience in a way to explain what is a war of ideas we ought to be able to win? Why an ideology that's based on enslaving other individuals, killing children and innocent civilians and is fundamentally nihilistic is one that you shouldn't join. 
And so that's where we also need the creativity of those who are experts in this space and the private sector married up, particularly with our partner countries in the Middle East on making sure both that you have that message and that you figure out a way to reach those most at risk of being targeted for propaganda and recruitment.

Great. Another question? Over here, this gentleman. Can you wait for the mic?

My name's Harvey Rishikof and I'm with American Bar Association. John, thank you for your service. It's been wonderful to be involved in the government. My question is, you know, is that there's a lot of legislation on the Hill and from the private sector perspective, the issue for sharing information to help the government concerns immunity issues. So I'd like to hear your sort of perspective on what's going to what you think may happen and how far the immunity issue can be pushed vis-à-vis the private sector and sharing information for you guys.

Now, thanks for that question, Harvey. Legislation in this area is needed. We know that we need the information and the private sector needs to be able to share information effectively with each other and they need to be able to share information effectively with the government when it comes to cybersecurity threat information. And likewise, the government needs to have a method of giving, for instance. You find a bad signature, meaning an identification for a piece of malicious code. We need to have mechanisms where we can push that out so that private companies can harden their own infrastructure and protect against those who would use that bad signature to attack their systems. And that's why the president has called upon Congress and introduced legislation that would provide immunity from suit, for instance, so that private companies know clearly what the type of information it is that they can share to the government and know that when they do that they can do so legally. 
In the absence of legislation, we've tried at the Department of Justice talking to private sector partners. We've issued guidance saying, you know, meeting together in a sector to talk about cybersecurity issues and share signatures is not going to be a violation of the antitrust law. We've tried to issue clarifying, again, based on questions that we heard from when I was doing outreach with general counsels that the Electronic Communications Privacy Act is not a bar to the sharing of information in certain instances in this space. And you've seen the president more recently issue a new executive order on information sharing to try to set up these industry-specific groups that could share the information. But what I've heard again and again from general counsels and doing outreach is that to reach the optimum level where they feel they can share in this space, we need legislation. And so I very much hope and I know members of both parties have been very engaged and active on this issue and I hope we'll see legislation in the coming year.

This lady in front. Can you wait for your mic?

Thanks. Hello, I have a question that was sent in on Twitter for the two of you. The question is from Caspar Bowden and it says for... On February 5th, EU privacy authorities demanded that the United States stop bulk collection of European data. Will you?

So... (Laughter) It's Twitter. I look forward to hearing Peter's answer to this question. Well, I think it's... Peter has the power to press you for an answer to that question.

So it says, I think the... I think the United States alone really at this point among nations throughout the world has had a president who's announced what we'll do and what we won't do in terms of our intelligence collection. You'll find that every major country in the world, Western and otherwise, has an intelligence service that... And that intelligence services have been recognized under international law. 
And what the president has said is it's not a question... We need to make sure it's not a question of what we can do but what we ought to be doing with those technical expertise and authorities. And so he's put self-constraints on what the intelligence community can do in this space. And that you also see in the American system a unique system of oversight as well that dates back to the original passage of the FISA Act or Foreign Intelligence Surveillance Act where it's not just the executive branch but that you have the involvement of the court system. And these are the same judges that I appeared before as a prosecutor who are doing, in addition to their regular duties, sit on the Foreign Intelligence Surveillance Court. And we set up a unique structure in terms of having the Intelligence Committees of the Hill. And it was in response to abuses that this structure was set up and rightly so where they were regularly needed to be briefed on every significant intelligence activity. And what you've seen is with the advent of new technology and the way these are being applied against threats, a national debate as to whether the involvement of the Intelligence Committees, the Foreign Intelligence Surveillance Court and the restrictions in our executive branch are sufficient or whether we should change that structure. And you've had different versions but the House, the Senate and the President all endorse different statutory proposals to change the current structure. But I would make, since that sounds like a question that's perhaps from someone overseas, the point that there isn't another country in the world I think that has this robust and transparent an approach to the collection of intelligence. But I guarantee you that they are collecting intelligence. 
So although we should continue to hold ourselves to the highest standards and make sure we reach the right balance that we're comfortable with here, I also look forward to seeing what approaches that other countries, including European partners, apply to reach that same type of balance.

It seems that you asked the Obama administration realize the Section 215 collection of phone metadata for several years was, by the government was sort of an overreach.

So I'm not sure, I think what you've heard the President say and what we're talking about here is the potential for abuse on the one hand but they haven't said that they found actual abuse which I think is an important report in a very different place than where we stood say after the Church report where we found information being used for improper purposes. Here there's a potential of abuse because of the amount of information that you're collecting and on the other hand you're balancing against that, against the potential to prevent terrorist attacks. Looking at that balance I think what you find is that there's another way to achieve that goal which is what they've called for in the legislation. There are important national security implications to the type of information. There's another way to get it that doesn't involve in that instance the government holding the data so decreases that potential for abuse and that's the change that's been called for in part and the President has said this overtly because the law enforcement, the intel agencies they're working for you and they need the trust and confidence ultimately of the American people to do their jobs and so if that can increase the trust and confidence then we should do it.

One more question, this lady over here. Katie, that lady over here.

Hi, my name is Jessica Dheere and I'm from Social Media Exchange which is a Lebanese NGO and we do a lot of research on digital rights in the Arab region. 
So thanks for being here and I'm particularly interested in this partnerships with countries in the Middle East and I'm concerned about these partnerships because I see in the Middle East there's so much lack of respect for freedom of expression online in particular and that these partnerships could actually basically what I want to ask is what are you going to do as a Justice Department when you're partnering with these countries and there's an initiative announced last week at the Violent Extremism Summit about working with the UAE to message on social media but what are you going to do to make sure that we're not drawn closer to their idea of what should be free expression online versus asserting what is our First Amendment right for freedom of expression online. I see a lot of potential.

Okay, we got it. Yeah, thanks.

So this is partly as we discussed with Peter earlier that there's so much good that can be done through social media, through giving people access to this new forum for expression and so while we need to work to make sure that we can approach and meet the national security threats, I think we can do so in a way that's consistent with our values and just speaking for my own division, that's why we have lawyers who are steeped in the protection of civil liberties and civil rights but also the use of genuinely independent court systems and the execution of those rights and how to balance that against national security threats. So what we're working to do is and we don't have all of the answers but here's how we were able to draw those balances in our system, here's the protections that we were able to provide. Here are the limitations in terms of the protection of First Amendment speech and we're trying to draw up best practices with partners that would enshrine those rights in laws and it'll obviously be an ongoing conversation. 
I wanna thank Assistant Attorney General John Carlin, who has one of the most responsible jobs in the American government, for taking time out of his busy day to come and speak with us today.

Thank you, Peter. Thank you, sir.