In mid-March 2018, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) designated five entities and 19 individuals under the Countering America’s Adversaries Through Sanctions Act (CAATSA) as well as Executive Order (E.O.) 13694, “Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities.”
The measure is intended to be a multi-pronged approach to address and punish the cyber attacks alleged to have been conducted by Russia. These activities include destabilizing operations ranging from interference in the 2016 U.S. election to Russia’s alleged involvement in the NotPetya attacks, which initially targeted Ukraine before spreading globally.
This is not the first time the U.S. government has instituted such measures in response to alleged involvement in cyber attacks targeting U.S. interests. Chinese nationals, including members of the Chinese military, have been specifically targeted in relation to nefarious cyber activity. In November 2017, three Chinese nationals were indicted for hacking, trade secret theft, conspiracy, and identity theft operations that transpired between 2011 and 2017 and were directed against U.S. and foreign employees of organizations in the financial and technology industries. Additionally, in May 2014, five Chinese hackers linked to the military were indicted by the United States for cyber-enabled economic espionage directed at six U.S. organizations associated with nuclear power, metals, and solar products.
In a time when the concept of cyber deterrence has emerged as an important strategic need, identifying courses of action to facilitate this objective has become paramount. Cyber crime continues to proliferate, costing organizations approximately USD $600 billion, or about .08 of the global gross domestic product, according to one report. Cyber espionage – whether conducted by state actors, state agents, or “for hire” hackers – gains international notoriety. Hacktivism has proven to be a steady source of hostile acts, ranging from nuisance-style attacks such as web-page defacements to distributed denial-of-service (DDoS) attacks, and in some cases, destructive malware wiper attacks.
While defenders scramble to identify, mitigate, and remediate the results of such incidents, much thought has been invested in how to proactively deter such activities. Hacking back has been a popular albeit controversial option expressed by those who believe that immediate repercussion is the only way to dissuade attackers. Some even believe that is what happened when North Korea was knocked off the Internet after its suspected hacking attack against Sony Pictures. But too many unknowns, such as misinterpreted signaling, impacting the wrong target, and potential escalatory actions, to name a few, make that strategy an unfeasible solution.
Indicting individuals alleged to have been involved in hostile cyber activity may be seen as a viable alternative. Supporters of this approach point out that the indictment of five Chinese military individuals suspected in hacking operations (coupled with a “no hack” pact for commercial advantage between China and the United States) immediately reduced the volume of Chinese hacking. Therefore, it is hoped that a similar approach against Russian actors would achieve the same result, a measure whose success remains to be seen.
There are some immediate benefits to indictments. One, an indictment immediately puts the alleged culpable foreign government on notice of its perceived involvement in such activities and that it will not be tolerated. Two, due to the extradition treaties that states have with one another, it confines the future international travel of the actors conducting the activities. The former point is more salient, particularly in the context of cyberspace, where attribution is difficult and states consistently deny their involvement, often requesting evidence that the victimized government does not share. Indictments can be interpreted as more than just finger-pointing, because they can – if need be – be supported by incriminating evidence. In this manner, indictments can start a conversation between governments that could ultimately lead to a conclusion like a “no-hack” pact.
That is a favorable perception of indictment. Detractors will point out that accused governments will not give up their own people, and that the potential arrest of the indicted actors is very remote, at best. Authoritarian regimes are more likely to adjust their cyber activities accordingly, changing tactics, techniques, and procedures to further obfuscate online operations, than to change their behavior. Indictments are another way of “naming and shaming” states. However, in a day and age where governments – including developing nations – are eagerly pursuing offensive cyber capabilities, they seem more willing to risk being “named and shamed” while having the capability than to go without it.
Deterring cyber actors is about establishing a credible response. Indictments are another prong that can be leveraged to deter cyber activity, but they cannot and should not operate in a vacuum. They need to be levied in concert with an assortment of other actions such as sanctions, diplomacy, and other punitive economic measures. The harmonious deployment of multiple simultaneous initiatives is the pressure needed to make governments adjust what they do. Conversely, hacking back, especially against a government with a robust offensive cyber capability, risks reprisals, escalation, and too much collateral damage.
In the end, state actors take orders and direction from the state, and if a government feels that it is in its national interests to use cyber espionage to target a specific entity, it is going to pursue that end. Applying synchronous pressure may at least help reduce the volume and severity of that activity, which, in cyberspace, may be the best result that can be expected.
About the author
Emilio Iasiello has more than 12 years’ experience as a strategic cyber intelligence analyst, supporting US government civilian and military intelligence organizations, as well as the private sector. He has delivered cyber threat presentations to domestic and international audiences and has published extensively in peer-reviewed journals and blogs. Follow Emilio on Twitter