DOJ official warns of Sony repeat

SAN FRANCISCO -- Bad news, corporate America: A top U.S. law enforcement official sees more state-sponsored, destructive cyberattacks on U.S. companies on the horizon.

"Now that everything that we value is stored digitally, and so much of it is connected to the Internet, nation-states are going to use this as an instrument of power," John Carlin, the assistant attorney general for national security, told FCW in an April 21 interview.

Carlin's statement highlighted the volume and sophistication of cyber threats facing U.S. companies -- and the challenges in deterring them.

Incursions of physical boundaries are well understood as violations of sovereignty, but that is far less clear in cyberspace, he noted. For Carlin, developing norms of cyber behavior "starts with showing that you’re not anonymous," he said.

The assistant attorney general has been at the forefront of the U.S. government's strategy of publicly identifying alleged state-sponsored hacking in an effort to deter future attacks. The Justice Department brought its first charges of cyber espionage against a nation-state last May when it indicted five officers in China’s People's Liberation Army. Carlin also said the sensitive climate around nuclear negotiations with Iran would not keep his office from tackling cyber threats originating from that country.

Carlin spoke to FCW prior to his presentation at the RSA conference in San Francisco, which is billed as the world's biggest IT security conference. Later in the week, he will meet with entertainment executives in southern California, where he predicted his message of proactive cooperation with federal officials on cybersecurity will resonate, particularly after the attack on Sony Pictures Entertainment in November. U.S. officials have attributed the digital dismemberment of the film studio to North Korea.

The assistant attorney general said that multiple Fortune 100 companies contacted him in the wake of the Sony Pictures hack and expressed heightened concern about cybersecurity. "In their minds, they weren’t expecting a major nation-state, national security incident to occur in the entertainment sector," he said.

Carlin said he wants cooperation with the private sector to be built "into the DNA of what we do," echoing a theme for Obama administration officials who have repeatedly stressed that the great majority of Internet infrastructure lies in private hands.

The Justice Department is but one of many agencies that work cyber espionage and hacking cases. The National Security Agency has helped investigate every major cyber intrusion in the private sector in the last six months, NSA Director Adm. Michael Rogers said recently.

Carlin said the NSA's signals intelligence capabilities complement DOJ’s focus on cyber forensics. "What we need to try to do is figure out a way to protect the sensitive sources and methods, but still be able to use the information" to publicly identify alleged cyber spies, he said.