Matt Dahl on Cybercrime and the Executive Order on Transnational Criminal Organizations

By Robert Chesney
Thursday, August 25, 2011, 10:47 AM

Matt Dahl is a 2009 graduate of the University of Richmond School of Law who works on legal and policy issues for a cybersecurity company in Virginia.  We are pleased to welcome his guest post, which discusses the potential application to cybercriminal groups of the recent IEEPA-based executive order on Transnational Criminal Organizations:

The Executive Order issued by the president on July 25, 2011 was aimed at disrupting the operations of transnational criminal organizations (TCOs) through blocking their access to property or property interests in the United States.  As of now, the order targets four TCOs that are specifically named; however, the order’s language not only explicitly allows for the designation of other entities as TCOs, it lends itself to having cybercriminal groups be among them.  

The Order’s introductory paragraph states that TCOs “are increasingly entrenched in the operations of foreign governments and the international financial system, thereby weakening democratic institutions, degrading the rule of law, and the undermining economic markets.” Those descriptors are readily applicable to cybercriminal organizations.  First, it is a fairly common belief among many in the cybersecurity field that national governments (particularly Russia and China) either directly employ groups of hackers to carry out operations against foreign governments and businesses, or that they at least turn a blind eye to their activities.  The latest example of this centers around Chinese government involvement in the recently reported network intrusions associated with what the security company McAfee has dubbed Operation Shady RAT that compromised the networks of 71 government and private entities.  Second, cybercriminal organizations can also have significant effects on the international financial system and international business.  This can happen through high-profile attacks like those that the group Anonymous carried out against MasterCard, Visa, and PayPal, or it can occur through the persistent efforts of cybercriminals to steal the financial assets of individuals and businesses.

The investigation and prosecution of individuals involved in cybercrime can be a long and likely unsuccessful endeavor because of the technical complexity inherent in these cases and the unwillingness of government of foreign countries (where many of these criminals live) to cooperate.  If arresting cybercriminals is not an option the next best thing to do is to separate them from the resources they needs to carry out their crimes.  The designation of a cybercriminal organization as a TCO under this Order would give the U.S. government another avenue through which to do just that, and do it quickly. It paves the way for two specific tactics that would be useful in interfering with a cybercrime organization’s operations: 1) disrupting its flow of money; and 2) disrupting its technical infrastructure.

The most effective way to cause serious damage to a cybercrime organization would be to cut it off from its sources of money without which it would not be able to carry out its operations.  This would likely involve blocking bank accounts and the activities of shell companies that the organizations use to support its operations.  Cybercriminals often use what are called “money mule” networks to transport and launder proceeds from their activities.  The mules route illicit proceeds through their own bank accounts before it ends up in the hands of the criminals.  The organizations also use shell companies to both recruit mules and launder money.  If a cybercrime organization were designated a TCO, the powers granted by the Executive Order would allow the government to block bank accounts and shell companies being used by the organization which could cripple its operations.

Disrupting the technical infrastructure used by these organizations would also be effective in disrupting their operations.  Third-party hosting providers are often used to host malicious domains that spread malware or to act as command and control centers that direct their operations.  Attacking this infrastructure is a tactic recently used by both Microsoft and the FBI in attempting to dismantle botnets used by cybercriminals.  In March Microsoft used a provision of the Lanham Act to seize command and control servers being used by the operators of the Rustock botnet.  A month later the FBI conducted a similar take down by seizing command and control servers used by cybercriminals operating the Coreflood botnet.  Both of these operations significantly reduced the activity of those botnets and degraded the operations of the criminals behind them.

These are just a couple of ways this Executive Order grants powers that will be useful in combating the activities of cybercriminal organizations.  Of course, a lot of this is easier said than done.  it can be exceedingly difficult to identify bank accounts and shell companies associated with cybercrime organizations.  Furthermore, the seizing of technical infrastructure also brings up concerns of collateral damage in which innocent parties see their own services negatively affected.  Despite these difficulties and concerns, this Executive Order could give government officials more options with which to attack the growing concern of threats in cyberspace.