The U.S. Department of Justice indicted seven agents associated with the Russian Main Intelligence Directorate, or GRU — a Moscow military intelligence agency — for hacking anti-doping agencies overseas and organizations in the United States. The Oct. 4 charges are the latest example of the United States’ whole-of-government approach to deterring malicious cyber activity via naming and shaming perpetrators, an approach that has detractors and defenders.
Many experts outside government have been skeptical of the approach and note that hackers from Russia, China, Iran, North Korea and Syria will never see the inside of a U.S. courtroom and thus won’t feel pressure to cease hacking activity. Current and former U.S. officials disagree, however, and see merit in indicting individuals for conducting malicious cyber activity.
“I would take issue with the premise of your question that name and shame doesn’t work. There is deterrent value even if we can’t put our hands on the defendants at this time,” Scott Brady, U.S. attorney for the Western District of Pennsylvania, said during an Oct. 4 press conference. “Number one, they are limited from traveling because they know if they travel in countries with which we have extradition that they will be sent to the United States and they will be held accountable.”
Many of these hackers in large nations such as Russia and China are unlikely to travel to begin with, which blunts the deterrent value of an indictment. But for operators whose work requires travel, the restriction can stop future attacks.
“For people claiming that indictments of foreign nation-state cyber operatives won’t have any effects, here is a counterexample: These folks were conducting close-access ops against hard targets requiring travel. They won’t be able to do that anymore,” Dmitri Alperovitch, co-founder and CTO of cyber firm CrowdStrike, tweeted Oct. 4.
According to the indictment, when remote hacking was unsuccessful, the conspirators conducted “on-site” or “close access” operations, in which GRU officers traveled to victims’ locations around the world with sophisticated equipment to compromise targets from nearby.
And even homebody hackers might face consequences from naming and shaming, as unwanted notoriety could limit their ability to secure official government business or moonlighting opportunities, as many Chinese military hackers do.
“I think it’s a very interesting [question], bringing this issue home to the individual operators, whether it’s indicting individuals even though you know they will never be extradited. Is that a career un-enhancing move if you are a member of the [Chinese People’s Liberation Army] or the member of a proxy group in Russia or Iran? Is your cover burned forever doing more things for that government?” asked Sean Kanuck, visiting fellow at the Hoover Institution and former national intelligence officer for cyber issues, at a media roundtable discussion hosted by Stanford’s Hoover Institution in California Oct. 1.
“Who knows? But if you can make this personal, such that someone’s career and their financial livelihood or the special benefits their family gets in certain countries are no longer available to them, will it make future very talented people not interested in following a similar career path?”
Naming and shaming is only a successful tool if the Russians are trying not to get caught, something many, including Kanuck, believe may no longer be the case.
“Russia actually wants to be seen doing certain things. Plausible deniability but clearly sending geopolitical signals,” he said.
Kevin Mandia, chief executive of the cyber firm FireEye, said at the same event that Russia has changed its behavior in cyberspace since 2015. One critical change is that Russian operators now let responders observe their behavior.
Prior to 2015, Mandia said, he never got to observe Russian tradecraft because if the operators detected they’d been caught inside a network, they would cut and run. Now, Russian hackers are far noisier and more brazen and less prone to counter-forensics, such as cleaning up the tools and directories used for specific breaches and missions.
Officials point to China as an example of a successful naming and shaming campaign, while recognizing that public lectures and actions directed against state hackers were coupled with parallel diplomatic efforts at the head-of-state level.
“We have seen a change in at least China ... their corporate espionage practices and those were a part of bilateral discussions between the president and the State Department,” Brady said during the Oct. 4 press conference.
Brady was referencing a 2015 agreement between China’s President Xi Jinping and former U.S. President Barack Obama pledging that neither government would conduct or knowingly support cyber-enabled theft of intellectual property for commercial gain. However, some experts note that China’s activity resumed following the conclusion of the Obama administration.
Regardless, Brady said the government sees the indictment as effective. He added that it is also important for the victims of these crimes to understand that the government is behind them and will hold the perpetrators publicly accountable.