DOJ indictment of Russian hackers shows attribution is possible

The Department of Justice last week announced the indictment of two Russian Federal Security Service members for sponsoring and guiding the 2014 Yahoo breach, marking the only recent case of U.S. criminal cyber indictments levied against Russian government officials. This continues the naming and shaming strategy in select, high profile cases, but is only the third recent case of U.S. cyber indictments targeting foreign governments. The others were in 2014, with the indictments of five PLA officials for IP theft and commercial espionage, and in 2016 when the DOJ indicted seven Iranians for a campaign targeting banks and infrastructure.

Already, it seems unlikely that the spies and criminals will ever serve time in the U.S. (in part due to extradition limits), leading many to view the charges as nothing more than inconsequential slaps on the wrist. However, the reality is that the strategic aims of the indictments can have much more meaningful consequences in the global conversation than a single conviction ever could. Maybe the defendants won’t serve time, but the U.S. is sending a powerful message that cannot be ignored.

{mosads}At their core, the indictments send a strong strategic signal to foreign governments that the United States can attribute specific activity. Or in other words, attribution — often thought to be one of the most difficult-to-secure missing pieces of the digital warfare puzzle — may be more possible than some might think. The fact that the DOJ felt comfortable issuing these indictments signals that they had enough evidence to connect the activity to the Russians, meaning their attribution efforts were likely highly effective. Such a signal could have major consequences, including immediately forcing potential attackers to either stop or change their behavior.

The PLA indictments of May 2014 are a good example of this. Many point to the Obama-Xi accord in September 2015 as a turning point in Chinese commercial espionage. However, espionage activity began to dramatically decline (after an initial spike) in May 2014 after the indictments, leading to speculation of a strong correlation between the Chinese groups associated with the commercial espionage and the indictments. Even though the Chinese government denied the accusation in public, it appears that at best the commercial espionage declined, and at a minimum, it at least forced them to invest more time and resources in other intrusion techniques.

Indictments are also a core component of deterrence, demonstrating that malicious activity will not go unchecked in the global online community. That cyber attacks so often went unpunished left actors feeling nearly invincible and capable of doing whatever they pleased. While digital deterrence encounters enormous obstacles in cyberspace, indictments are a good first step toward impacting the risk calculus of adversaries and raising the costs for specific activities. Alone, they are unlikely to achieve the deterrent effect, but when coupled with other policy tools, these actions could be the first volley in a long-term campaign to demonstrate consequences and deter attackers.

This ability to attribute also gave more teeth to the 2015 executive order, which enabled economic sanctions against people attributed to malicious cyber activity. With reliable attribution, the indictments strengthened the perception that the U.S. government could impose sanctions or other forms of punitive statecraft. If attackers no longer think they can go unidentified and therefore unpunished, the battlefield can be significantly altered. By remaining low on the escalation ladder, the indictments helped minimize diplomatic tension, while also influencing malicious behavior.

Finally, these indictments are a key step in leveraging legal statecraft to influence global norms, and draw the line between what is and is not acceptable behavior. There is much discussion these days around global digital norms, i.e. those mutually agreed upon rules of the road for appropriate behavior between those with specific identities. But in cyberspace, these largely reference the appropriate offensive behavior by nation-states. For instance, some level of espionage may be acceptable, attacking critical infrastructure may not be. But these indictments should help to clarify that. Equally important, if the United States does not take leadership in establishing these rules of the road, other states will, and they likely will not be consistent with the United States’ push for a free and open Internet.

Indictments are much more powerful than simply naming and shaming. While it is naive to assume indictments will stop all malicious activity, it is equally naive to assume they are toothless acts of name-calling. Through these indictments (and likely others to follow in the future), the U.S. can shape national security by signaling U.S. capabilities to attribute, setting clear punitive consequences to improve deterrence, and helping establish those global rules of the road in cyberspace.

While it’s very possible these criminals won’t serve time in a U.S. prison, don’t let the naysayers tell you otherwise: these indictments against Russian spies are significant. They make clear that compromises, especially those targeting U.S. government personnel and journalists, will not be tolerated, especially when they undermine American security and privacy.