The U.S. Department of Justice announced the indictment of Nicolás Maduro, who the United States ceased to recognize as Venezuela’s president in early 2019, for narco-terrorism on March 26. This announcement was reminiscent of the 1988 indictment of Manuel Noriega, the former leader of Panama, soon after the U.S. government refused to recognize him as head of state. These two cases are exceptions that prove the rule of a general U.S. policy of not criminally indicting foreign officials whose acts may carry some imprimatur of state action. In both instances, the U.S. waited to indict until it no longer considered its targets state actors. In contrast, one area where the U.S. government has pursued a different course and decided to indict state actors for state actions is in the realm of cyber operations.
In February, the Justice Department announced the indictment of four members of China’s People’s Liberation Army for the 2017 hacking of Equifax, the credit reporting agency. The presumably State-directed operation conducted by uniformed members of China’s military resulted in the theft of trade secrets and the personal information of about 145 million Americans. The Justice Department’s action is the latest in a series of public indictments against foreign hackers in recent years, including members of foreign militaries and intelligence services. There are two general schools of thought about the efficacy of these indictments. One school views the indictment of State actor hackers positively as “one tool in a broader approach.” The other school contends that the indictments “have achieved no discernibly positive effects” and might be “self-defeating.” With the track record to date, it’s plain that the indictments should generally, if not uniformly, be discontinued for State actor hackers in favor of a disruption campaign. A benefit of this different approach would be to allow federal prosecutors to focus their limited resources on non-State cybercriminals.
For purposes of this brief analysis, the term “State actor” hacker includes both uniformed personnel and State-sponsored non-uniformed personnel acting on behalf of a foreign government (like the Internet Research Agency in Russia), whether to access email accounts, interfere in elections, steal intellectual property, or commit any number of malicious cyber acts.
I first discuss how the policy of indicting State actor hackers is bad for the development of international cyber norms. I then focus on why a sustained disruption campaign, similar to elements of the U.S. government’s strategy to counter various other kinds of malicious acts by States, is the best approach to counter State actor hackers.
State Actor Indictments and Norm Development
As a country of great cyber capability, the United States is highly influential in the development of international cyber norms. Institutionalizing the indictment of government employees for State-directed acts sets a dangerous precedent, especially considering the number of government employees who support cyber operations on behalf of the U.S. government.
The indictment approach reinforces a frame of “individualizing” cyber operations. Just as countries must accept responsibility for State-directed uses of armed force (rather than charging individual enemy soldiers with murder), our ire for cyber operations should be focused on the States that direct them. Proponents of the indictment strategy argue that countries should not be allowed to break U.S. laws and get away with it, and that indictments are powerful tools for publicly shaming countries like China that are “acutely sensitive to their international relationships.” But, a sufficiently effective, if not even more powerful, norm the United States should encourage is “naming and shaming” at international fora like the United Nations, rather than before domestic courts. This is especially true for cyber operations like intellectual property theft and economic espionage intended to provide a competitive advantage to domestic companies, which the U.S. has renounced and which should be considered serious deviations from responsible State behavior. Emphasizing an international framework does not mean that more “traditional” cyber operations (e.g., the WannaCry ransomware attacks or the Democratic National Committee hacks) need to be equated to “uses of force” to trigger State accountability (although certain destructive attacks might reach that threshold). Such malicious activities can perhaps be addressed through existing norms, such as the principle of non-intervention, which protect the right of every sovereign State to conduct its affairs without external coercion. Due to the broad range of cyber operations that fall below the threshold of use of force or into a normative grey zone, achieving sufficient clarity for the applicability of international law probably requires the development of a cyber-specific view of the principles of non-intervention and sovereignty, as proposed in a recent Chatham House report.
What’s more, if the United States develops the norm of indicting State actor hackers, a significant State actor cyber operation that is not met with an indictment may signal a lack of capability. The number of cyber incidents will undoubtedly continue to grow and they will likely become even more complex; a government policy of responding to State actors more quickly with other tools based on the “scope, duration, and intensity” of the activity will free up federal prosecutors to spend more time indicting non-State cybercriminals.
Sustained Disruption is the Best Strategy to Counter State Actor Hackers
Focusing primarily on a sustained disruption campaign, like the United States has conducted as part of its counterterrorism fight against State-sponsored terrorism, is a more effective strategy for countering State actor hackers than periodic indictments. Experts have described “deterrence” as the biggest problem in cyberspace, and also the least transferable framework from traditional conflict to cyber.
Many of the benefits of indictments against State actors can be achieved without the time and resource intensive process of producing an actual indictment. Apart from the threat of arrest that comes with an active indictment, most of the pro-indictment arguments, like revealing the identities of the hackers, standing up for American companies whose secrets were stolen by foreign governments, and imposing punitive consequences like financial sanctions, can be achieved with a press release and traditional diplomatic and economic actions. For example, in May 2019, the European Union established a sanctions framework including travel bans and asset freezes to deter and respond to malicious cyber operations.
While the Justice Department’s criminal division should move away from individualizing malicious cyber acts committed by or on behalf of States, the government might still decide to use tools like sanctions to target senior foreign officials who actually have the ability to influence policy. By abandoning the indictment strategy, the administration, as a whole-of-government approach, could also choose to levy these sanctions and name specific individuals, without having to wait until an indictment is ready for fear of showing their hand too early. The indictments themselves add little “bite” at the cost of significant time and energy spent by government lawyers. While proponents of indictments point to the People’s Liberation Army indictment of 2014 as pushing China toward a pledge to stop committing economic espionage, in reality, “State-sponsored commercial cybertheft from China never came close to ceasing.”
Another benefit of using a press release and public statements rather than an indictment to “name and shame” is the greater flexibility in concealing sources and methods. By not having to provide the level of detail required for an indictment, the government can reveal less about any U.S. presence in adversary systems and how the United States accessed those systems or attributed an attack. Keeping such secrets makes it easier for the United States to respond with an appropriate countermeasure and continue monitoring adversary networks, benefitting both intelligence collectors and offensive and defensive cyber actors within the U.S. government.
Most important in a sustained disruption campaign would be the ability to swiftly inflict and, when helpful, publicize retorsions and countermeasures, along the lines of what is sometimes called “defending forward.” Cyber Command is becoming more known for its activities in this area, with moves like temporarily blocking internet access to the Internet Research Agency and revealing strategic U.S. cyber incursions into Russia’s power grid. When the United States can reasonably confirm that a State directed private actors to conduct a malicious cyber operation, the optimal policy option might be to forego indictment, but conduct retorsions or countermeasures against the State entities directly. This could have the benefit of encouraging countries to better police cybercriminals within their borders to minimize the risk that their government would incur costs for the activities of such criminal actors.
Although there are risks to pursuing a more aggressive disruption campaign — like the accidental spreading of dangerous malware, unanticipated collateral damage, and spirals of retaliation — these risks need to be considered against the possibility that foreign adversaries will continue to exploit and attack the American public and private sectors if left undeterred.
Due to the sensitive nature of this topic, U.S. disruption campaigns currently carried out in response to cyberattacks might already be far more significant than publicly reported. If so, the effort should be continued and may need to be expanded to deter the growth of malicious cyber activity especially by State actors.
Conclusion: Ceasing Indictments a Tough, but Correct Choice
As the growth in cyber exploits and other attacks outpaces the growth in personnel focused on responding, the government must make tough choices about how to allocate time and materiel. Ceasing the indictment of State actor hackers so government prosecutors can focus on indicting growing numbers of private cybercriminals, while Cyber Command and the National Security Agency fight State actors and their proxies through other means is a tough choice. Nevertheless, it remains the choice that makes the most sense in a world of limited resources.