Skyline of Pittsburgh, Pennsylvania. (Pixabay, https://tinyurl.com/1aki1c38; https://pixabay.com/service/license/)

When the U.S. Department of Justice unsealed the indictment in 2020 that charged six military intelligence officers in Russia’s GRU with some of the most infamous cyber crimes on record, it did so with great fanfare. Leading off the 30-minute press conference in Washington on Oct. 19, John Demers, the assistant attorney general for national security, called the crimes “the most disruptive and destructive series of computer attacks ever attributed to a single group.”

Demers wasn’t being hyperbolic. NotPetya, the most notorious attack engineered by this group, known as Sandworm, victimized dozens of companies and millions of people and caused an estimated $10 billion in damages.

The indictment received mixed reviews. Writing in Lawfare, Harvard law professor (and Lawfare co-founder) Jack Goldsmith was highly critical of both the document and the timing, noting that the rollout occurred just two weeks before the presidential election. “What is the point?” Goldsmith asked before answering his own question. “In a word: attribution.” He noted that government officials had asserted that the indictment was a warning to would-be hackers that the government can gather undeniable evidence proving the attack, and it highlighted the government’s ability to identify the perpetrators.

Goldsmith was not impressed. “This warning and highlight are not news,” he continued, “at least not to the sponsors of the attacks. The United States has for six years been playing up its extraordinary intelligence capacity to attribute malicious cyber operations. And for six years the attacks have grown worse.” (He wrote this two months before Russia’s SolarWinds hack made even bigger headlines, raising the most serious questions yet about the country’s capacity to sniff out cyber threats.)

Goldsmith couldn’t understand why Demers and the others who took their turns at the podium were congratulating themselves. “None of my criticism is meant to minimize the horror of the Russian actions,” he emphasized. “But naming and shaming is not much accountability. And trumpeting that fact is puzzling.” Especially right before the presidential election, when the government should be assuring citizens that voting will be safe and secure. Instead, Goldsmith suggested, the recitation of these crimes could well have the opposite effect.

Many viewers of the press conference may have come away reassured by the “gotcha” speech they heard from Demers. But Goldsmith had a point. Putting aside the timing of the announcement, it does seem worth asking the deeper question. What are these indictments accomplishing? The United States does not have an extradition treaty with Russia. And these guys from the GRU are not exactly going to bring their families to Disney World; if they did, they’d find themselves in handcuffs long before they made it to Space Mountain.

When you look at the tangible results of these nation-state indictments, it’s hard to see a lot of wins. None of the men whose names and photographs have graced their pages has landed in prison. Or even faced trial. That’s a lot of time and money spent for words in a legal document.

But amid all of the doubts, the nation-state hacking indictments have achieved real progress. Investigators have uncovered a great deal of information about this netherworld. They have learned how to build cases, and how to cooperate with their counterparts in far-flung locations. Countries that have seen enough of these crimes have worked together to find common solutions. Some of these collaborations have surprised even the participants—and might surprise their critics, if they were better known.

There were similar doubts when the Justice Department rolled out the first of these indictments six years ago.
The focus then was China, and the alleged crime was economic espionage. There had been years of complaints about this sort of thing. But back then, it was left to security companies like Mandiant (now part of FireEye) to present evidence of cyber crimes and attribute them publicly (which Mandiant did in China’s case in 2013).

Before the Justice Department decided to pursue an indictment against five members of the People’s Liberation Army (PLA), President Obama’s cautious nature seemed to align with the widely perceived futility of attempting legal action against agents of the Chinese government. But behind the scenes, under pressure from the many U.S. companies that claimed they’d been victimized by Chinese attacks, government officials were confronting their counterparts in China with evidence of crimes. And they were drawing a distinction between spying, which they acknowledged that all nations do, and theft. When the evidence they presented to China was repeatedly rejected out of hand, the administration finally decided to act.

The indictment was signed by David Hickton, then-U.S. attorney for the Western District of Pennsylvania, who spearheaded the initiative. The FBI’s Pittsburgh field office had gathered highly detailed evidence that PLA officers had stolen proprietary information from, among others, U.S. Steel and the nuclear power firm Westinghouse. Hickton took it to a grand jury and obtained a sealed indictment. After months of back and forth between Justice and the State Department, which opposed legal action against the PLA, the indictment was finally unsealed in May 2014.

At the time, Goldsmith wrote a measured response. He had reservations. Everyone seemed to have some. Commentary and news articles alike acknowledged the obvious: There was virtually no chance anyone would ever be tried on these charges. But Goldsmith did not dismiss the indictments as political theater. “Until yesterday,” Goldsmith wrote, “the [U.S.
government] complaints against China’s cyber-snooping were nothing but talk.…But yesterday’s step clearly (and predictably, and thus purposefully) offended the Chinese in a way that prior talk did not, and to that extent it shows that the [U.S. government] is somewhat more serious about this issue, and might retaliate further regardless of the costs to itself.”

A Wall Street Journal editorial was less charitable. “The U.S. should respond with its own cyber battle plan that attacks Chinese targets and forces China to play defense rather than devote all of its resources to hacking U.S. targets.” The editorial concluded: “We can say with certainty that an indictment of five junior PLA hackers will be no deterrent at all.”

As it turned out, the editorial was wrong. The indictment may not have accomplished a great deal by itself, but it was part of a strategy the Obama administration used to pressure China to change course. And change it did.

As New York Times reporter David Sanger wrote in his book “The Perfect Weapon,” China replied by insisting that the indictment contained “fabricated facts,” a pretty flimsy response. Then-Attorney General Eric Holder’s rejoinder, according to Sanger, was: “If we fabricated all of this, then come over to Pittsburgh and embarrass us by forcing us to put up or shut up, and we’ll put up.”

The leverage that the administration needed to press its case was President Xi Jinping’s first state visit to Washington in September 2015. Obama’s team was threatening to impose sanctions on China for cyberattacks, including the PLA’s. Xi was determined to avoid anything that would blemish his visit. On the eve of his trip, Xi sent an advance delegation to Washington to negotiate.
Before China’s president returned home, he and Obama announced an agreement that their governments would not, in Obama’s words, “conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information for commercial advantage.” And two months later, leaders of the G-20 all committed to abide by the same agreement.

So, was the PLA indictment a game-changer? Not exactly. There was no way to enforce it. And it didn’t end China’s hacking.

Yet the Justice Department continued issuing these indictments and expanded the targets to include members of Iran’s Islamic Revolutionary Guard Corps, for its alleged role in a series of distributed denial-of-service attacks on U.S. financial institutions, and North Korean computer programmer Park Jin Hyok, for his alleged involvement in a host of attacks, including those on Sony Pictures Entertainment after the studio released “The Interview.” And before the latest GRU indictment, Special Counsel Robert Mueller indicted a dozen members of that organization in 2018 for attacks that sought to influence the 2016 presidential election.

Some of these indictments were accompanied by sanctions, but from the look of things, none has matched the success of the first. So why expend the resources? Because these indi
What Is the Point of These Nation-State Indictments? posted first on http://realempcol.tumblr.com/rss