Newly unveiled indictments against a group of hackers working for Russian intelligence will do little to deter future cyberattacks against the U.S., former NSA analysts and government lawyers tell CyberScoop.
Under the Obama administration, the Justice Department’s National Security Division pioneered a cybersecurity strategy of deterrence through indictments and criminal prosecutions. Over the last several years, in the aftermath of multiple high-profile data breaches, however, this approach of “naming and shaming” has garnered significant criticism for its lack of clear, deliverable results, experts say.
“The [Yahoo] indictment calls into question whether past ‘name and shame’ indictments of international cybercriminals have had any deterrent effect,” said Edward McAndrew, a former federal cybercrime prosecutor in the U.S. Attorney’s Offices for the Eastern District of Virginia and for the District of Delaware, via email. “Indictments of this type only have deterrent effect if the defendants end up in a US prison — and for longer than a cup of coffee.”
So far only one of the four men indicted by the Justice Department is said to be in custody in the case, which compromised upwards of 500 million Yahoo accounts in 2014 and allowed related attacks on Google accounts. Three of the four suspects — infamous cybercriminal Aleksey Belan and Federal Security Service (FSB) agents Dmitry Dokuchaev and Igor Sushchin — are believed to be currently located in Russia, where the U.S. has no extradition treaty or agreement. Belan has been indicted three separate times and remains atop the FBI’s most wanted list for computer crimes.
Former NSD head John Carlin previously described the strategy as a “giant no trespassing sign” that signaled the U.S.’ intention to treat “criminal activity like other criminal activity.”
The NSD in 2014 helped bring charges against five Chinese military hackers for economic espionage and other computer crime offenses. Two years later, criminal charges were also announced for a group of Iranian hackers that launched a cyberattack against U.S. critical infrastructure. Though neither case saw the accused extradited to the U.S. to appear before court, some believe the DOJ’s consistent pressure helped spur constructive negotiations between the U.S. and China.
Former NSA analysts Blake Darché and Mark Kuhr — two offensive cybersecurity experts familiar with foreign digital espionage operations — both agree that the indictments will have little to no impact on the pace and volume of Russian cyberattacks on the U.S.
“As the APT1 [Chinese military hacker] indictment has proven, the legal process is ill-suited to bring hackers from foreign governments to justice. The name and shame game played by the U.S. Attorney’s Office does little to rectify past or deter future cyber attacks,” said Darché, “Organizations must address cyber security at the board level by allocating budget and resources. Only preemptive action can stop a cyber attack.”
Kuhr worries that besides being ineffective, the indictments may further escalate tension between Washington and the Kremlin, causing a situation in which Russian officials begin to indiscriminately accuse U.S. intelligence officers of crimes.
“While I agree with the prosecution of the criminal elements, indicting FSB agents could put our own operatives at risk,” said Kuhr, the co-founder of vulnerability research firm Synack. “What if Russia in turn takes out indictments on U.S. NSA cyber operators?”
“Historically, we’ve had an understanding with Russia, acknowledging espionage exists, and if exposed swapping each others spies peacefully,” Kuhr said. “This move could change our dynamic and lead to long jail sentences for spies from both countries for cyber intrusions moving forward. … We need to establish international norms.”
Combating cybercrime has become a top priority for the Justice Department in recent years as hackers continue to breach American companies and steal personal information belonging to private citizens.
Unlike traditional criminal prosecutions, however, pursuing hackers often requires international law enforcement cooperation to apprehend suspects, Leslie Caldwell, the former assistant attorney general for the Criminal Division, said last year. In addition, the fact that current international law pertaining to cyberspace remains largely undeveloped adds numerous challenges to U.S. law enforcement efforts.
Indictments — like those levied this week — do have the potential to at least bring together allies to discuss common rules, argued Michael Adams, the former deputy legal counsel to the chairman of the Joint Chiefs of Staff.
“In and of themselves these indictments might deter some relatively small number of potential cyber criminals. [But] if the indictments prove to be part of a recurring — and perhaps escalating— series of meaningful actions by the U.S. Government and like-minded States that are committed to coherent cyber deterrence strategies, then there is definitely the potential for incremental but meaningful cyber deterrence,” Adams told CyberScoop.
“Concepts like credibility, prevention, penalties, and reassurance — or reciprocal guarantees — are very relevant in this domain — even though we may be dealing with non-state actors who are criminals with principally financial motives in many instances,” Adams said, “States have to let other States know what sort of conduct is acceptable and what is not acceptable.”