On May 10, 2016, Peter Romar, a hacker associated with the Syrian Electronic Army, appeared in a U.S. courtroom after his extradition from Germany to face charges of conspiracy and a host of computer crimes. Romar was one of a trio of Syrian nationals on the FBI’s “Cyber’s Most Wanted” list. This was another in a series of indictments by the Department of Justice (DoJ) against foreign hackers involved in transnational cyber activity, including Chinese and Iranian individuals – some clearly state-affiliated and some who were state-supported actors using private companies as fronts.
What is really the purpose of this legal strategy? Will it yield results in confronting and deterring transnational cyber criminal activity or economic espionage? What happens when there is no real possibility of extraditing the defendants?
On July 30, 2014, Assistant Attorney General John Carlin, speaking at Carnegie Mellon University, discussed the need for more aggressive legal action aimed at all types of overseas hackers, including those that are engaging in intelligence activities. When the DoJ indicted five members of the People’s Liberation Army for cyber espionage, there was little chance that the Chinese government would turn over members of its cyber intelligence units (not unlike any other sovereign state). Carlin also made it clear that DoJ was applying the counterterrorism model in pursuing cybersecurity threats by building expertise among federal prosecutors and establishing the National Security Cyber Specialists’ Network.
One of the most notable indictments that occurred since Carlin’s speech was the set of charges against seven Iranians working for companies linked to Iran’s Islamic Revolutionary Guard Command (IRGC), Tehran’s leading instrument for transnational terrorism and subversion. According to the indictment, these Iranian hackers launched denial-of-service attacks against “46 of the largest U.S. financial institutions” in New York and accessed the industrial control systems for a dam in Rye, New York.
Since many of those indicted probably will never see the inside of a U.S. courtroom, what is the purpose of this “naming and shaming”? Certainly, these indictments are tools to provide the foundation for sanctions as authorized by an April 2015 Presidential Executive Order targeting state-sponsored malicious cyber activity. No such sanctions have been forthcoming against Iran.
However, the Chinese did arrest a number of hackers on a list supplied by the U.S. government immediately before President Xi Jinping’s Washington visit – an obvious response to U.S. threats of sanctions culminating in a bilateral memorandum regarding cyber espionage. It would be quite premature to celebrate a change in China’s cyber-powered economic espionage machine targeting the U.S. A few months of tamping down their “private” cyber spies do not signify a sea change in China’s strategy. Nevertheless, the indictments did play a role in U.S. pressure on the Chinese.
As the counterterrorism effort was built up in the U.S., there was an effort to deter, deny, and disrupt certain terrorist networks by revealing some of their state sponsors and support nodes. Criminal indictments were one of those tools. Now, as part of the cyber defense effort, legal activity is represented in the U.S. cyber strategy and playbook. It is clear that the DoJ pressed for a role in cyber criminal cases. As a result, it is building a significant cyber knowledge and skills base for its prosecutors and investigators, demonstrating the type of expertise that the government can bring to bear without the explicit involvement of the U.S. Intelligence Community. But the DoJ is also making determinations about which state-sponsored organizations and individuals will be pursued for legal action, a significant cyber strategy in and of itself. Beyond the issues of evidentiary sufficiency, attribution, and the protection of intelligence sources and methods, what are the strategic and policy factors figuring into the DoJ’s calculus? How are the potential state defendants identified and prioritized?
Attorney General Loretta Lynch lauds DoJ’s effort in “piercing the anonymity” of hackers and the state organizations supporting them. But there is more to deterrence than simply naming and even trying cyber criminals – and this legal strategy can only be one part of an agile cyber deterrence toolbox of actions and sanctions.