The growing use of indictments throughout 2017 was arguably the most impactful government action to counter cyber attacks, and yet it received little attention. In November, federal prosecutors indicted an Iranian national with military links for his role in the HBO data exfiltration. A week later, indictments were issued against three members of the Chinese threat group known as APT 3, or Gothic Panda, for corporate espionage. The following day, a Canadian pled guilty to collaborating with Russian nationals in the Yahoo breach, the same FSB officers and criminals who were indicted earlier this year.
These are perhaps the most high-profile indictments of 2017, but criminals have also been indicted or arrested recently for masterminding global botnets, including Andromeda and Kelihos. In fact, there have been as many high-profile indictments in 2017 as in the last few years combined, and there are already rumors that the Department of Justice may indict six Russian nationals in 2018 in connection with the 2016 DNC hack.
Unfortunately, many of the indictments don’t actually lead to criminal convictions. For instance, the indictments against the PLA members in 2014 ostensibly mark the first prominent use of indictments to counter cyber theft and other crimes, but they have yet to result in arrests. Nevertheless, this naming-and-shaming strategy has a number of valuable aspects that point to a clearer path for future policy on cyber attacks and cybercrime.
First, indictments are foundational to any deterrent strategy. The increasing use of indictments may help prompt policymakers to pursue more comprehensive legislation and strategy to finally take steps toward impacting the risk calculus of state and non-state attackers. This is long overdue and necessary. As Senator Angus King has noted, “This country has no strategy or doctrine around cyber attacks.”
In addition, while not 100% guaranteed, naming and shaming does directly impact attackers. Although these mercenaries may enjoy safe haven within their own countries, they cannot travel freely outside those borders without risking getting caught. Russian cyber criminals have been caught in the Maldives, Barcelona, and Prague (to name a few), and one of them was recently sentenced to 27 years in jail.
The arrests of attackers for breaches such as OPM, Yahoo, and HBO further illustrate that attackers can no longer act entirely with impunity. These mercenaries likely have a wealth of information about the government and military activities on whose behalf they conducted the attacks. As more indictments lead to arrests, foreign governments will likely be concerned over the intelligence that could be gained when these attackers are captured.
Importantly, the indictments also demonstrate that attribution, although difficult, is possible. By bringing the full force of its investigative capabilities and data sources to bear, the DoJ is able to attribute some of the largest breaches. This is important not only for making arrests, but also because it provides a significant signaling mechanism to nation-states.
As the line is increasingly blurred between the cyber activities of quasi-affiliated criminal groups and foreign governments, the indictments provide a means to condemn foreign nation-state activity without directly implicating the governments, which minimizes the risk of escalation and spillover into military, economic, or diplomatic retaliation. For instance, in last month’s indictments of the Chinese nationals, U.S. attorney Soo C. Song clearly specified, “It is not an element or subject of this indictment that there is state sponsorship.” This is important, since state-sponsorship would negate the 2015 U.S.-Sino cyber agreement against corporate espionage.
With the DoJ considering charges against at least six Russian nationals for the DNC breach, the rule of law is proving a valuable tool to finally counter widespread cybercrime and espionage. While indictments alone are not sufficient to fill the current vacuum in U.S. strategy for countering cyber attacks, they provide the necessary foundation for a U.S. legal response that results in real-world consequences for the attackers. As indictments increasingly become an integral component of the U.S. response to cybercrime and espionage throughout 2018, it will be necessary to see if and how they change the risk calculus of both nation-state and non-state attackers.