Cybersecurity and Deterrence
What’s the Point of Charging Foreign State-Linked Hackers?
The May 7 indictment of a Chinese national and unnamed conspirator for hacking and stealing data from nearly 80 million customers of the health care company Anthem in 2015, which researchers previously linked to Chinese state-sponsored actors, is the latest iteration of a four-year U.S. government trend of publicly charging state-backed hackers. The use of criminal charges as an instrument of foreign policy is striking in its recent prominence and in the complex equities it implicates for policymakers.
Two camps have emerged in the debate on the deterrent power of charging foreign hackers. Some argue that charging hackers lacks serious impact. For example, Jack Goldsmith and Robert Williams have argued in Lawfare that the strategy of charging Chinese hackers for theft of U.S. trade secrets has failed to deter such activity, citing the public charges against Chinese state-affiliated hackers in 2017 and 2018 as reason to believe Chinese cyber theft of American intellectual property had not ceased. Others consider such charges an effective tool for deterring malicious cyber activity. John Carlin, who oversaw the early charging of foreign hackers as assistant attorney general for national security from 2014 to 2016, has written about charging foreign hackers more broadly as part of a package of tools that the U.S. government can use to disrupt and deter state-sponsored hacking.
We believe the value of bringing criminal charges against foreign hackers is more complicated than the arguments about their deterrent value have so far suggested. In our view, these actions are not without impact. In some cases, charges have led to the arrest of those accused and may deter individual hackers from working with particular states. At the same time, because arrests have been the exception and the charging documents are primarily “speaking indictments” that communicate important details about hacking operations to the public, we conclude that charging foreign hackers, as well as online influence operators, serves purposes other than merely arresting specific individuals. We therefore distinguish between criminal charges as a tool for long-term deterrence versus as a tool for operational disruption.
We identify the following objectives to which charging foreign hackers can contribute: (a) attributing malicious cyber activity, (b) disrupting hacker networks, (c) coordinating with further U.S. government actions, (d) providing restitution for the victims and credit to defenders, (e) pressuring states to refrain from future malicious activity and (f) supporting the emergence of robust norms. These dimensions show that the decision to charge foreign hackers goes beyond considerations of deterrence and that prosecutors and policymakers should make those decisions carefully. It takes intensive effort by investigators and prosecutors to compile criminal cases—in some cases, years of work—so the effect of the act of unsealing them should be maximized and tailored to the strategic goals an indictment is most likely to advance.
Since 2013, the Department of Justice has brought 24 cases and 195 counts against 93 foreign nationals for state-linked hacking activity and foreign online influence operations. (Monica Witt, a U.S. national charged in a hacking conspiracy on behalf of the government of Iran, is not included in this tally.) Under the Trump administration, the pace has quickened—16 of the 24 cases were charged after January 2017. A full list is provided below and includes charges against foreign state-linked hackers involved in influence operations, which is often considered together with hacking in discussions of deterrence and responding to malicious cyber activity. This post proposes a framework for evaluating the record of publicly disclosed charges to date and considers the implications for U.S. cyber policy.
The framework we describe below illustrates that criminal charges against foreign hackers can serve important objectives, including attribution, disrupting state-proxy relationships, providing punishment and retribution, the so-called “naming and shaming” of adversaries, contributing to joint international actions and building international norms. We outline a few policy considerations involved in charging criminal foreign hacking and discuss some trends and outstanding questions observed from the 24 public cases.
A Conceptual Framework for Charging Foreign Hacking
Bringing criminal charges against foreign hackers differs in important ways from other options available to policymakers—like press conferences, sanctions or offensive cyber operations—for responding to a cyber incident.
- First, criminal charging documents are individual-centric—that is, they name specific individuals as responsible for the criminal charges they allege. Other ways that states attribute cyber attacks, such as public statements or technical alerts, have typically named an entire nation-state or a specific government agency (although they could name an individual). For instance, the joint attribution by the U.S., U.K., Australia, Denmark and eight other governments of the 2017 NotPetya ransomware attack named the Russian military intelligence unit, the GRU, responsible. In contrast, all indictments to date have named individual defendants—for instance, in October 2018, the Justice Department charged seven GRU officers as the perpetrators of a hacking scheme against the Organization for the Prohibition of Chemical Weapons (OPCW) and the World Anti-Doping Agency.
- Second, bringing criminal charges requires evidence that meets a finding of probable cause by a grand jury or a federal judge to bring charges. This is in contrast to intelligence assessments that rely on information gathered from classified sources and methods, which may not be admissible in court. Unsealed indictments or criminal complaints often present evidence to the public, lending them greater credibility, especially to potentially skeptical observers in the technical community.
- Third, criminal charging documents are a predicate for law enforcement action. The Justice Department needs an indictment or a criminal complaint to make an arrest in most cases. Unlike a public attribution or diplomatic demarche, a formal criminal charge has the distinct aim of bringing its target to face justice, even though arrests may be unlikely.
It is clear that every set of charges serves a different purpose, and potentially more than one. Six objectives stand out:
First, public criminal charges are a way of publicizing attribution of threat actors and foreign governments. Attribution by indictment or criminal complaint is often effective because an indictment must present facts and reasoning that persuade a judge or grand jury that there is probable cause to believe that the described conduct meets a criminal standard. When the first indictment of foreign state-linked hackers was unsealed in 2014, the challenge of attributing cyber incidents to foreign actors was still widely seen as being nearly insurmountable. When the U.S. government started to publicly attribute cyber attacks, it faced significant pushback and criticism not only by the accused but also by the tech community in the United States. Over time, these indictments helped demonstrate, with an unprecedented level of detail about foreign governments’ cyber operations for public releases from government sources about specific cases of state-linked cyber activity, that attribution is indeed possible. (For a detailed discussion of criminal charges as a tool for attribution, see Chimène Keitner’s recent article on the subject.)
Attribution can transition into a second purpose—disruption—because indictments name specific hackers or operators. In most cases, criminally charging foreign state-linked individuals does not lead to arrest (one notable exception being when Canadian authorities arrested the hacker Karim Baratov for aiding in the 2014 Yahoo hack). Proxies collaborating with U.S. adversaries might decide that the costs of their association have become too high, particularly the cost of risking arrest anytime they travel to one of the more than 100 countries with which the U.S. has concluded an extradition treaty. (However, it is hard to judge whether this has happened since there have not been detailed follow-ups about many of the charged individuals who remain abroad.) States may reach the same conclusion regarding proxies that have been “outed” by criminal charges.
Further, the individual-centric attribution that indictments provide undermines a core goal of many hackers: secrecy. One of the main reasons states turn to hacking is secrecy, and while an indictment may prompt skilled hackers to up their tradecraft and more skillfully avoid attribution in the future, for hackers the U.S. attribution capability may pose a fearsome barrier to surmount and may thus deter further actions on their part.
Third, criminal charges can complement other U.S. government actions responding to state-sponsored hacking. The Treasury Department has imposed sanctions on individuals and companies named in foreign hacking indictments, like the Islamic Revolutionary Guard Corps (IRGC)-linked hackers named in the 2016 indictment for distributed denial of service (DDoS) attacks against the U.S. financial sector, as well as the GRU operatives named in indictments in 2018. The same week that the Justice Department indicted the Chinese semiconductor firm Fujian Jinhua for funding a scheme to steal U.S. chip designs, the Commerce Department, acting under its own statutory authority, banned Fujian Jinhua from receiving exports of U.S. chip components, cutting off its supplies.
Fourth, when criminal charges do lead to arrests and penalties, they punish those responsible for a cybercrime and provide some psychological restitution for the victims of their crimes. Simply knowing that law enforcement has investigated and charged those responsible counters the perception that there is no accountability or justice for state-backed hackers. This can have a beneficial effect on domestic constituencies—arrests can provide a measure of redress for victims to know a perpetrator was identified. Moreover, public charging documents also help validate the work of cybersecurity defenders, who in many cases make their own attributions of major cyber incidents. The credibility these defenders get from having their attributions backed up by the U.S. government makes it easier for them to work with future victims and act as a front line against state-backed intrusions.
Fifth, the deterrent power of criminal charges is the dimension where expectations often exceed practical effects. The record so far suggests that bringing criminal charges against foreign hackers and online influence operators does not impose enough costs on adversaries to convince them to cease from further malicious activity. Deterring some state activity as well as individual hackers, as states must factor the cost of attribution or arrests of their hackers or proxies into their calculations. In this way, the operational costs of criminal charges contribute to partial deterrence of the state’s broader activities, as state-backed hackers might follow much stricter operational security procedures to avoid detection by U.S. law enforcement.
Bringing criminal charges has also increasingly become a way to denounce malicious cyber activity in concert with U.S. allies. When the United Kingdom, the Netherlands, and Canada attributed the hacking of the World Anti-Doping Agency and the OPCW to the GRU, the Justice Department timed the unsealing of an indictment against several GRU officers for the same offenses to coordinate the denunciations.
Lastly, criminal charges contribute to the growing body of state practice related to cyber norms. They provide clear evidence of what types of activities the United States views as unacceptable, enhancing U.S. efforts to build international cyber norms. While some might argue that the routine violation of these norms by states like North Korea and Russia could undermine these efforts, the U.S. has worked to build support for its condemnations of their activity among U.S. allies and other nations. And, over time, the record of indictments may contribute to the formation of customary international law and new norms, such as the proposed norm against foreign cyber-enabled election interference endorsed by the G-7 in 2018.
Policymakers looking to use criminal charges as foreign policy instruments face considerations and trade-offs that can limit the effectiveness of and raise potential risks with future uses of indictments.
First, consider the questions that Justice Department prosecutors and policymakers bringing foreign hacking charges face: Is there a chance that the indictment will lead to an arrest? Are any targets in a country that has an extradition treaty with the U.S.—and if so, are they prominent public figures or foreign government officers or officials and how will their governments react when they are arrested? How high up the chain of command is the target?
Another risk with criminal charges is whether the risk of revealing U.S. intelligence sources and methods from information revealed in a charging document outweighs the possible benefit. Since criminal charges require a public stipulation of facts, policymakers and prosecutors must decide what they are willing to reveal while preserving any potentially sensitive means through which the evidence was obtained. But waiting until the relevant sources go dry or methods fall out of use reduces the impact that criminal charges are likely to have, as individual hackers are likely to have changed their behaviors and may not be working with the foreign government at that point.
In addition, using criminal charges for foreign policy purposes raises the risk that governments will respond in kind and detain U.S. government employees or U.S. nationals. Former National Security Agency security scientist Dave Aitel expressed serious concern about that type of retaliation on Lawfare in 2016. And in other contexts, China has detained foreign nationals to respond to their governments’ arrests of Chinese citizens. For instance, Chinese authorities have detained Canadian citizen Michael Kovrig in what is widely seen as retaliation for Canada’s arrest of Meng Wanzhou pursuant to a U.S. extradition request. It appears likely that China and Russia would apply the same logic of retaliation in response to a U.S. arrest of one of their hackers.
The Justice Department’s process for developing cases and bringing criminal charges is traditionally independent from political considerations. For policymakers hoping to gain some of the benefits discussed above—for instance, providing redress to victims domestically or denouncing malicious activity in concert with foreign allies—that independence can pose barriers to coordination across the federal government. (While the Department of Justice informally consults with other agencies about politically sensitive charges, it maintains that only it has final say when bringing them.) Accused foreign governments have responded to charges by arguing that they are political actions, saying the U.S. is attempting to worsen relations with them.
This leads to a broader consideration about the impact that the charging strategy may have on multinational law enforcement efforts to combat international cybercrime. In recent years, the U.S. and Europe have been increasingly worried about the politicization of international law enforcement efforts and institutions by countries such as Russia. Even if Washington does not use criminal charges against foreign hackers and other foreigners engaged in state-linked malicious behavior in apolitical fashion, its adversaries may act more aggressively to politicize international law enforcement in an effort to undermine cooperation on combating cybercrime. Further, they may specifically push back against U.S. allies that aid its law enforcement efforts—especially for cases where the U.S. asks its allies to assist in highly sensitive investigations, such as the arrest in Vancouver of Huawei chief financial officer Meng Wanzhou. Other U.S. allies might face the choice of cooperating with U.S. law enforcement and risking losing their relationships with states like China or jeopardizing their cooperation efforts with the U.S.
Lastly, in some cases of nation-state hacking, policymakers and prosecutors will have good reasons not to bring criminal charges, as discussed above. However, in those cases policymakers would have to turn to alternative means of condemning the behavior, such as sanctions or coordinated press releases from top officials (this was the response to the NotPetya ransomware attack). If there is no response, the U.S. could risk normalizing the behavior through tacit acceptance.
Trends in Cases to Dates
The 24 cases of international state-linked cybercrime and foreign influence operations that the Justice Department has charged show some clear trends relevant to the conceptual framework this post lays out. First, the diplomatic effects were heavily context dependent. For instance, according to U.S. analysts, the 2014 indictment of People’s Liberation Army (PLA) hackers contributed to the 2015 U.S.-China cyber espionage deal as part of a broader pressure campaign, but amid the 2018 trade war, reports emerged that China had resumed its intellectual property theft. The U.S. responded with a series of criminal charges to put increased pressure on China, all of which have been part of the “China Initiative” that then-Attorney General Jeff Session announced in November 2018. The context for the hacking charges has now merged with the broader trade war—especially now with the related charges against Huawei and Meng Wanzhou.
Hacking charges that provided original attribution have had significant beneficial effects. For instance, the indictment of several Iranians for targeting banks in the U.S. clearly communicated to the U.S. public and the financial institutions that Iran had orchestrated the attacks. The OPCW indictment helped to mobilize U.S. allies to condemn Russia’s malign activities. And interestingly, the U.S. government has done all of its attributions of Chinese trade secret theft through criminal charges. Trade secret theft is the most common type of activity that all foreign hacking criminal charges allege.
Although protection of critical infrastructure is at the top of the U.S. government’s cybersecurity priorities, only two indictments—the 2016 Iran indictment and the 2018 SamSam ransomware indictment—have involved attacks against critical infrastructure entities (counting election infrastructure as a separate category). This is somewhat curious—given widespread reports of intrusions into critical infrastructure. One potential risk is that criminal charges for critical infrastructure hacking would provide a road map for future attempts—and especially if they did not lead to any arrests, adversaries could perceive it as an announcement of vulnerability. This may suggest that criminal charges are better suited to respond to trade secret theft than critical infrastructure hacking.
Finally, in the past two years, the number of public criminal charges has grown at an increasing pace. Yet, it is worth noting that criminal charges take time to prepare, often years; many of the charges unsealed in 2018 likely started as investigations back in the Obama administration. The pace is therefore likely to diminish somewhat, although the Department of Justice clearly has made an effort to develop its capacity to investigate such cases and to continue to bring them forward in the future. And with every new set of charges, adversaries come to expect them, factoring them into their plans, and the marginal effectiveness as a means of diplomatic pressure decreases. When criminal charges become commonplace, their value is lessened.
When the Justice Department unsealed the first foreign hacking indictment in 2014, many doubted that the U.S. had and was willing to use a robust attribution capability. No more. The question is now, what comes after attribution? As our conceptual framework shows, foreign hacking charges have a number of ways of advancing U.S. interests—including in the diplomatic arena and as a response to domestic pressure to “do something.” Further, in recent years, the interagency policy process has clearly deliberated on how to use existing policy tools and how to build additional ones from indictments, such as sanctions and export controls, and those are a good start in the right direction.
Many observers have questioned the worth of the charging strategy by arguing that it has not improved “cyber deterrence.” That is to reject the charging strategy for the wrong reason—for many of the reasons discussed above, but also because that view avoids addressing many of the other consequences that criminal charges against foreign hackers raise. It also masks some of the positive aspects of the charges where they have more potential to aid U.S. policies, namely as tools of disruption. One promising area is their effects against proxies—against which the U.S. has made some successful arrests and for which criminal charges might sufficiently dissuade hackers from cooperating with hostile states. This disruptive effect may also contribute to limited disruption on an operational level as states experience more costs to avoid attribution.
Some of the confusion about the worth of criminal charges is the result of built-up expectations, partly fueled by statements of U.S. government officials and press coverage. For example, the 2014 PLA indictment has been highlighted as a key part of a U.S. strategy to bring Beijing to the table and agree to a strategic commitment limiting cyber-enabled economic espionage in 2015. Since then, charges have not led to similar results, although the Department of Justice’s press conferences continually trumpeted them as a key instrument in the government’s toolbox to deter malicious cyber activity. There is also the analytical challenge that while charges often become public, their disruptive effects—or lack thereof—may remain classified and unknown to the public.
In this vein, criminal charges have fit well with the Trump administration’s efforts to adopt a “Peace Through Strength” approach to cyberspace, as the 2017 National Security Strategy outlined. However, this strategy risks undermining itself if public perceptions about charges continue to exceed their (known) impact. Importantly, the Department of Justice should make sure not to overstate the impact of the criminal charges on adversary states—which would also help it avoid having them become perceived as a purely foreign policy tool.
Criminal charges against foreign hackers should be framed as “persistent law enforcement”—continued efforts to disrupt and deter hackers. Charges are valuable in this framework as a type of routine action, one that states should come to expect as the cost of using hackers for their ends. To build on this, one key policy goal should be encouraging other countries to do the same. By doing so, the U.S. would develop criminal charges as a standard response to state-linked hacking and contribute to broader efforts to encourage holding states responsible for their behavior in cyberspace.
In light of the diminishing returns of continuously bringing charges against state-linked hackers, the U.S. government should develop a more tailored strategy carefully considering which types of behavior that law enforcement actions are best suited to address and then focus on bringing charges against those specific activities. More broadly, policymakers should consider what message they intend to send with a set of criminal charges in terms of international norms—and clarify how charges contribute to U.S. efforts to build cyber norms. Upholding the rule of law in cyberspace will require a careful approach to foreign hacking charges that recognizes they have more ends than just deterrence.