In an intriguing push against the ever-increasing number of foreign-government-sponsored cyber attacks against U.S. companies, the U.S. Department of Justice intends to turn to its roots with an old-fashioned tactic that has worked against the mafia, drug traffickers and white-collar crime: criminal prosecutions.
It is no secret that Chinese state-sponsored hackers have been running advanced persistent attacks against U.S. defense contractors in recent years — often virtually living on their computer networks. But until now, responses to cyber attacks were viewed as either a legislative challenge, an intelligence riddle for the FBI, or a potential Defense Department and National Security Agency job.
The riddle has consistently been this: If defenses aren’t working against better and better attackers, how to make the attackers pay? State Department demarches? Ineffectual. Offensive cyber retaliation? What’s the legal basis for it, and to what end?
One answer: indictments.
“I’ll give you a prediction,” said John Carlin, the principal deputy assistant Attorney General in Justice’s national security division. “Now that we are having people look at bringing one of these cases, it’s there to be brought, and you’ll see a case brought.”
The Justice Department recently stood up a little-noticed program under its National Security Division, called the National Security Cyber Specialist, or NSCS, network. It’s pronounced “niscus” and it brings the department into a relatively new arena.
Various efforts to pass cyber legislation have crashed and burned on Capitol Hill and the federal response is at best clumsy. The Department of Homeland Security technically coordinates the response to cyber attacks, working with the FBI and the Defense Department. DoD’s Cyber Command, which has the most capacity in cyber, defends military networks but can only get brought into civilian issues when it is ordered in by the executive branch.
The Justice Department initiative, Carlin said, will be multifaceted. More than 100 prosecutors are being specially trained. They’ll get more involved in each agency’s efforts.
“NSA, we have some oversight function on them but they are our client when we go in front of the foreign intelligence surveillance court,” Carlin said.
And for the FBI, he said, the DOJ will ask investigators to start looking for cases they can bring to court — something where they can finally take legal action, rather than just follow cyber leads, as they’ve been doing.
Carlin said there were a variety of potential targets to indict in these cases. The first, he said, would be the actual hackers. That certainly might have historical precedent. It could be like charging a spy caught in the U.S.
But here’s where things get interesting: Carlin said the DOJ could actually name the government behind the operation, or officials in that government.
“It could also mean prosecuting,” he said, “laying out in a prosecution document the governments, the people in the government who are doing it.”
Foreign government officials can, theoretically, be indicted, or simply named in an indictment, which itself could be punitive. Carlin points out that indicting foreign officials isn’t unheard of. In 2011 an Iranian Al Qods official was charged with conspiring to kill Saudi Arabia’s ambassador to the U.S. That doesn’t mean there’s an expectation that he’ll ever be brought to court.
But Carlin said the best possible target for a prosecution might be a case where a company that uses stolen technology could be charged.
“Whether it is a state-owned enterprise or a state-supported enterprise in China — if you can figure out and prove that they’ve committed the crime, charging the company means they can’t do business in the U.S., or in Europe,” he said. “It affects their reputation and that then causes them to recalculate: ‘Hey, is this worth it?’”