Naming the parties responsible for cyberattacks is a vital part of reducing the criminals’ power, a Department of Justice (DOJ) official argued.
John P. Carlin, assistant attorney general for national security, referred to the DOJ’s 2014 indictment of five members of the Chinese People’s Liberation Army for hacking U.S. companies.
While the accused men are unlikely to be detained or appear in court, Carlin said that identifying them sends a crucial message to hackers around the world: “There are no free passes.”
He made the comments Wednesday at a major security conference in San Francisco, as the Obama administration seeks to bolster its strategy against cyber criminals.
Earlier this month, President Obama declared cyberattacks a “national emergency” and announced a new sanctions regime targeting bad actors online.
“Targeted sanctions, used judiciously, will give us a new and powerful way to go after the worst of the worst,” Obama said in a post on the blog-publishing platform Medium.
The administration has also identified North Korea as responsible for the hack of Sony Pictures, triggering further sanctions.
Some members of the cybersecurity community have wondered whether the new sanctions will actually deter criminals, given the difficulty of attributing attacks.
Carlin acknowledged the difficulty of this task but argued that threat-sharing with the private sector will help.
“One, we have to be able to figure out who did it, and that’s where we need the private sector’s help. Two, we can’t be afraid of saying it; otherwise, it’s cost-free. Three, then there have to be costs,” he said.
“These are hard cases to prove up … but they’re not impossible.”