Cybersecurity

The Folly of “Naming and Shaming” Iran

By Dave Aitel
Tuesday, April 19, 2016, 2:00 PM

The Department of Justice’s recent indictment of seven Iranian Revolutionary Guard hackers is a problem for the security community. The criminal charges—which name the seven Iranian hackers the US claims were responsible for penetrating a New York dam and disrupting US banking websites in 2013—expose inconsistencies in national cyber policy that will impact future operations. There has been commentary on the political and legal consequences of the indictments, but the practical implications for the work of individuals who conduct offensive cyber operations on behalf of the US government have been largely overlooked.

It matters where we draw red lines

There is a fundamental hypocrisy in the US government admonishing foreign governments for activity that the US itself conducts, namely probing critical infrastructure systems. After all, the Stuxnet project—widely believed to be a joint US-Israeli operation—targeted Iran’s nuclear facilities in 2010 and is likely what propelled Iran into offensive cyber operations in the first place.

Avoiding hypocrisy here is not a matter of fairness, it is a matter of norms. The US previously indicted and named hackers from China and North Korea and has levied sanctions of private Chinese companies. And it was wise to do so. The indictments and sanctions served to confront China on its aggressive economic cyber-espionage against American companies and industries. Intellectual property theft is not a legitimate activity of nation-states, and it is not activity in which the US engages. The threat of targeted sanctions on Chinese citizens and private companies for data theft was justified and overdue—and it would appear the move is impacting Chinese policy at the highest level.

But the Iran indictments are markedly different. Just as the foreign intelligence service behind the Office of Personnel Management (OPM) breach was operating within customary espionage norms, so too are the Iranians operating within these boundaries when probing US systems without producing a “kinetic” effect (such as triggering a physical malfunction, damage or outage). There is some speculation that the hackers intended to open a sluice gate but failed because the dam was offline for repairs. But speculations about intention are not sufficient to support this activity as “crossing the line” and attempting to access a system does not equate to trying to operate it.

At present, there are no established norms regarding the use of distributed denial-of-service (DDoS) attacks, the method Iranians used against the US financial sector in 2012 and 2013. But this mode of attack cannot legitimately be claimed to pose a serious threat to our critical infrastructure. DDoS is inconvenient, but it’s not permanently damaging. The Iranians use of DDoS likely was intended to send a message to Washington regarding its use of economic sanctions. But the disproportionate response of indicting—naming and shaming—these hackers would seem to draw a red line at DDoS attacks, rather than reserving an escalated response for more serious activity.

Unintended consequences of attribution

By releasing this indictment, the US government showed the world—and showed Iran—what it knows about the Iranian effort. Some have argued that demonstrating our capacity to attribute attacks serves as a deterrent and warning. But by doing so, we’ve also probably exposed—and therefore lost—some number of intelligence sources and methods. Sacrificing operational security is foolish unless we actually get something better in return. This is why it is standard practice for the US government to undergo an “equities process” to evaluate these types of risks before proceeding with a public disclosure. And here it is not at all clear that the tradeoffs are worth it.

Beyond some vague messaging about attribution capacity, the US government gets relatively little from this announcement. Certainly the indicted Iranians will never actually face jail time here in the States. At best, we’ve put a damper on their international travel plans to countries with US extradition treaties. And outstanding US indictments of Iranian citizens could have consequences to those Americans still held in Iranian prisons, increasing their value for future exchanges and potentially prolonging their detentions.

But more importantly, this announcement reveals more than just what the US is able to attribute. It also signals what it does not know. For example, does the US have less information about last year’s DDoS attack on GitHub? That attack is believed to have been a Chinese operation. But if we are willing to indict the Iranians for DDoSing the banking system—and willing to indict the Chinese for other hacking activities—then why not the Chinese team behind the GitHub attack?

It is possible the United States does not know who was behind the GitHub attack, or does not know with sufficient certainty. Alternatively, it is possible that some different set of rules apply for the Chinese and the Iranians. But either we are revealing the limits of our knowledge regarding cyber attacks or we are revealing our lack of commitment to responding to DDOS attacks in court. Creating uncertainty as to our capabilities and boundaries is not an effective or strategic policy.

The indictments put US cyber operatives in the cross-hairs

The Justice Department move also fails to account for the consequences to the US intelligence community employees and contractors who are involved in offensive cyber operations around the world.

These indictments create a type of international precedent which will allow other countries to justify actions against private citizens in the US and its allies. By blurring the established cyber norms, the DOJ further complicates an already complex situation. Can Russia indict and imprison British or German cyber teams? Can Hezbollah interdict American computer scientists travelling in the region? And are we comfortable with the application of the laws in those countries, which might prohibit a great deal more activity than our own laws do?

The Department of Justice indictments bring domestic criminal law to matters customarily resolved through nation-state to nation-state channels. Foreign diplomacy—especially when trying to change a nation’s behavior—is typically reserved to the State Department, and not the FBI or local police. By pursing these charges, DOJ is signaling to our adversaries that criminal charges are an appropriate response to individuals acting on behalf of their country in cyberspace. And that could have real consequences for the men and women who serve the US. By indicting these Iranians the Department of Justice has created for ourselves a “Red-line” that we cannot afford to enforce, which is the worst kind of public policy.