A Conversation With the DoJ Attorney Who Is Exposing State-Sponsored Hackers

Over the last several weeks, the Department of Justice has unsealed charges against a wide assortment of alleged state-sponsored hackers, including five Chinese nationals, two Malaysian businessmen, two Iranian nationals, and—on Monday—six Russian intelligence officers.

As the deputy assistant attorney general of the DoJ’s National Security Division, Adam Hickey is the lawyer who oversees investigations and prosecutions involving cyberattacks linked to foreign states. For the better part of a decade, Hickey has made it a priority to hold these actors accountable and expose the murky intersection of cybercrime and nation-state attacks.

Hickey got his start in government as a prosecutor in the Southern District of New York focusing mainly on counterterrorism cases, and gravitated toward technology issues. “I’m the kind of guy that would read the manuals that came with computers and VCR players—I’ve always been interested in understanding how things work,” he said.

In addition to his work investigating and prosecuting state-sponsored cyberattacks, Hickey supervises the National Security Division’s foreign investment and telecom security reviews, and represents the DoJ on interagency cybersecurity policy committees. During a phone interview last week, Hickey discussed recent charges unsealed against state-sponsored hackers, and the motivation behind making indictments even when arrests aren’t possible. The conversation below has been lightly edited for length and clarity. 

The Record: It seems like you’ve been up to a lot lately, which is impressive given the state of the world. How has it been so far for you and the DoJ?

Adam Hickey: I would say that the work we do that has a classified component, you can’t do it from home. There’s just a certain level of operational sensitivity where people have to be in the office. But I have been really wowed by the team of lawyers and agents who work on these issues because they found a way to pay attention to health guidance and still get the work done, and that has usually meant shifting schedules—the team of lawyers who work for me, only a couple will come in at any particular time and they stretch the workday to nights and weekends so that everyone can get in and get the work done without feeling like there’s too many people in the office at once.

Initially people were prioritizing other things, but pretty early on in the pandemic we found a way to keep the trains moving. It feels like we’re pretty much back to full strength on the operational side.

TR: As an outside observer it seems like indictments have increased if anything—there have been charges against Russian, Chinese, and Iranian hackers in recent weeks. Has there been an uptick? And if so, is it about sending a message to adversaries, or is it a coincidence that they’re all coming out around the same time?

AH: It’s mostly the later. If you look at the sum total of our cases when we began the state-sponsored program in 2012, it took a while to ramp up and maybe peaked in 2018 or thereabout with the single largest number of charges. And then there were fewer charges last year and now a number of investigations have come to completion. The honest truth is if we’re going to be public about charges, we’re going to charge the case when it’s ready to be charged, when we’re able to line up what we need to operationally, allowing for things like engaging foreign partners and rally like-minded nations into joining us on commenting on the activity. We’re going to do that when we can do it, and if you don’t hear from us for a couple months it just means we’re working on something else. We have a policy of bringing these cases for years and bringing as many as we can when the work is done and we’re ready to charge it. There are obviously cases you don’t see because we think there’s a possibility of arresting someone, or we might make a decision that we thought might happen but it won’t. You might have seen we unsealed a few cases against Iranians a few weeks ago—some of those charges had been brought months ago, and then we reassessed if we should keep them under seal or not.

The other thing that I think has made a difference is that over time the prosecutors we have in the field who have to make decisions about where to devote their resources have increasingly gravitated towards this type of work and are willing to bring these cases. If you go back 10 years, no one would have begun a criminal investigation of a PLA officer or anything like that. They would say it’s state-sponsored activity and think we would never charge someone like that, so they wouldn’t work on it. Changing that policy needle from off to on and showing you can charge these cases and there are consequences has led people into this work. That means we have more cases in the pipeline than we used to.

TR: On the topic of arrests, there has been a debate in the public sphere about whether these indictments are meaningful without arrests. Can you make the case for why you would unseal charges if you can’t extradite these people to the U.S.?

AH: Definitely. And I’ll pause before I answer this to say that while we often aren’t able to get arrests, that’s always the top goal—disrupting the actor and their activity. And we have been successful, as recently as a few weeks ago we announced charges against essentially some APT41 actors as well as two Malaysians accused of helping them monetize what they stole. We do get people and we do have some success in that regard, but you’re right. And I think there’s some fair criticism. In many of these cases they’re public in part because we’ve made an assessment that we’re unlikely to win an arrest anytime soon. 

I still think it’s worth it for a few reasons. Even when someone can’t be arrested, there is a consequence to them being outed publicly. We often see indications that the groups we charge pause and retool after they’ve been exposed. So there’s at least some period of time where they stop attacking us and our allies and try to figure out how we know what we know, who is responsible for it, whether they’ve got people on the inside who have been compromised. If your job as a hacker is to get away with stealing without anyone knowing who you are, our defendants are obviously failures at their job, and that has some consequences for them and those who employ them and supervise them. It also means they know they can’t really travel without fear of arrest. That’s not as satisfying as an extradition, but I truly believe if you are a smart, young, computer-savvy individual, you want to explore the world and other career opportunities. If you’re 23 or 24 or 25 and someone says to you that you can never leave the country or you’ll likely get extradited to the U.S., I have to imagine your peers look at that and might think twice about whether to go into this type of activity. There are other meaningful consequences, like sanctions, showing our peers that we’ll do our best to defend them against actions of a nation state, provide more indicators and contribute to the sum-total knowledge about a particular group.

"If you’re 23 or 24 or 25 and someone says to you that you can never leave the country or you’ll likely get extradited to the U.S., I have to imagine your peers look at that and might think twice about whether to go into this type of activity."

And finally, I think about the hypothetical opposite world in which we don’t charge them. It suggests if you’re associated with a nation state, you have a free pass. We’re not going to expose you, we’re not going to charge you with a crime. What message does that send? I think it’s a damaging one. It suggests this kind of activity is going to be ignored and we’re not going to try to bring consequences to the actor, and I think it’s the wrong signal to send particularly to the nations that sponsor it. I’d rather be noisy about it and increasingly rally like-minded nations.

TR: When you make these indictments, do you worry about repercussions?

AH: I don’t think China or Russia or Iran are looking at our charges to determine what they’re going to do. I think if those nations assess that it would be in their advantage to retaliate or be aggressive, they’ll do so. So it would be a mistake to take our tools off the table and unilaterally disarm and not enforce our laws because we’re worried about provoking them. I don’t think I respect the position that we should not enforce our laws.

TR: Right. But is there any fear of them indicting someone at the NSA or Cyber Command as a scare tactic?

AH: A couple points… I wouldn’t say there’s fear. I think among senior policymakers there’s an understanding that that’s a potential response. We’re pretty careful to charge the kind of conduct that we don’t engage in ourselves, that doesn’t qualify as classic spy vs. spy. Some of our indictments highlight activity that’s sort of a mixed threat or hybrid threat, where the actors collect conventional intelligence as well as engage in other activity, but by and large if you look at our charges we’re highlighting behavior where folks at the NSA or CIA or elsewhere don’t engage in. The second piece of this is obviously we do our best to collect intelligence and do it in a way to protect our sources and methods—it’s on the intelligence community to do that and I’m sure the folks who work in those agencies  have to be smart when they conduct their day jobs and travel abroad, and not giving those nations the opportunities to do what we do. 

Part of what you see us able to do is we identify largely unregulated criminal actors who are working as proxies. Those are folks who don’t necessarily operate with the same operational security as intelligence officers in countries like Russia or China. It’s precisely the point that they aren’t uniform, they aren’t members of the service, and they aren’t disciplined in the same protocols that our intelligence officers operate under. We catch them and identify them, and we can do that precisely because the services running them aren’t exercising the controls that we exercise.

TR: Taking a few steps back, what do you think is the greatest national security threat to the U.S. when it comes to cybersecurity?

AH: I’ve spent a fair bit of time thinking about this, and hope my answer isn’t disappointingly obvious. I don’t think of it in terms of a cyber 9/11 or in terms of a specific sector that’s most vulnerable—that if you pull out the Jenga block the whole thing collapses. I think the greatest problem is the breadth of the problem. It’s extremely easy to be disruptive of systems and society without getting into national security systems or critical infrastructure. Disruptions of ATM services, broadcasting companies, ransomware that has gotten out of control—the nature of how the internet is built, essentially as a system of trust, makes it easy to exploit and cause havoc. The second ingredient is that we’re really trying to preserve day-to-day confidence in the government and critical infrastructure, and you can disrupt that confidence without ever attacking a power plant or causing a physical effect. You can do that momentarily through a tweet about a bomb going off in the White House. 

Computer hacking and intrusions are essentially inevitable. Any adversary with enough time and resources is ultimately going to be able to breach their target. What matters is how quickly you know that they’ve got your Twitter account and how quickly you’re able to retract the tweet or correct the information. The greatest threat I guess is the extent that we rely on the internet in every aspect of our lives and increasingly so.

"I don’t think of it in terms of a cyber 9/11 or in terms of a specific sector that’s most vulnerable—that if you pull out the Jenga block the whole thing collapses. I think the greatest problem is the breadth of the problem."

TR: I want to make sure I understand your point about the confidence in the system. Are you saying that cybercriminals might not even have to engage in attacks to cause a lot of damage?

AH: Yeah. One thing your question picks up on is the importance of integrity or availability, not just confidentiality. Another way to answer your question is to say I’m much more concerned about the trust in the integrity of data than I am about confidentiality. Long-term, integrity attacks can be more disruptive. When someone asks what’s the biggest national security cyberthreat, it’s easy to start thinking about what's more important: the water system, the power system, utilities, banking… you can list any number of critical infrastructure sectors and ask which is most important. I take a slightly different approach, which is the bigger picture that everything is interconnected and is easy to be disrupted on the internet. You can create the perception of a threat when you can’t control reality. So yes to what you’re saying. People when they hear something has happened might not wait for the forensic team to arrive.

TR: So the obvious question is what is there to be done about this? How do we maintain security if the problem is so broad?

AH: I think there are some bright spots. Baseline levels of technical education and sophistication are probably increasing. People become less naive every year. I think every generation is much more savvy than the last, with maybe a caveat that it’s becoming easier to use a computer without understanding it. The other thing that gives me some comfort is a lot of the systems that we rely on that are the most critical are distributed, so you might have localized disruption but that’s different from bringing entire systems down. And the worst consequences you can imagine, which are probably physical effects, take more than just hacking skill—it probably requires some understanding of the engineering behind the system itself. If we can help people understand that there will always be computer intrusions, but that isn’t the end of the game—that those who do network security have backup plans and can be resilient and absorb attacks and can quickly pivot to recovery, that helps. Focusing on resilience and not just defense is probably one of the best things we can do.

TR: You’ve written and spoken a lot about cyberthreats linked to China. How would you describe the U.S.’s cybersecurity strategy or posture towards China, and do you think it’s successful so far?

AH: If you look at this administration’s cybersecurity strategy—we had one that came out in August of last year—what you’ll notice is it’s country agnostic and threat agnostic, and I think that’s for a very good reason. It also has a number of pillars to it, including norms, attribution, deterrence. The first pillar is securing federal systems and critical infrastructure… the point to take away is that the best part of our cybersecurity strategy when it comes to China is that our strategy isn’t first and foremost focused on China. It’s focused on defense and resilience before you get to country-specific issues like attribution and threats. 

The second point is we have a very integrated cybersecurity strategy. We don’t treat China and cyber as its own isolated bucket of issues, and we shouldn’t. Instead, we look at the computer hacking that Chinese actors engage in as part of a holistic Chinese strategy that also uses insiders, foreign investment, and other levers that China has to try to accomplish some overarching strategic objective. We are responding with a similarly holistic strategy—we understand that computer hacking is just one thing that they’re doing to obtain IP and the like. Our response is pretty broad, including economic actions you’ve seen through tariffs and the like. This administration has identified the big picture of what Chinese government behavior we want to change, and push back on it in a big picture way. That’s important, because cyber is just a tool of achieving a state objective, and if you just try to change behavior in cyberspace without addressing the larger objective and the other means by which they try to achieve it, you will probably fail.

So is it working? Well, I think we should think of this as a long-term strategic competition, and I think cyberspace is going to be one channel in which that competition manifests. We are better where we were years ago when we were hesitant to identify the behavior China was engaging in, and we weren’t rallying other nations to be concerned about technology providers based in China, like Huawei. We’ve done a good job at identifying and proving the case that Chinese providers often cannot be trusted to provide services that we rely on for critical infrastructure. We’re making important progress, but this is a very long game and we need to have a very long-term strategy—well beyond any one administration—to engage in this competition.

TR: To follow-up on the insider threat issue, I imagine that’s frustrating for the DoJ because you can’t control companies and don’t have visibility into them the same way you would for public sector organizations. What can private companies do to protect themselves against this and assist the government, besides the normal recommended advice of reporting breaches and engaging in public-private information sharing programs?

AH: A couple things come to mind. And when I was speaking of insiders, I wasn’t strictly speaking of hacking—I’m also thinking of employees that just take a bunch of IP with them out the door and move abroad. Two things I would say if I was giving advice to any businessperson… One would be if you’re doing business in China or with a Chinese partner, be savvy about the legal environment you’re operating in and what the objectives are and how power moves in that system. If you read how the U.S. Chamber of Commerce and others pivoted with respect to describing China, it’s eye opening. The market access there is very appealing, but the bargain hasn’t turned out to be as good as many companies hope. I think businesses are a little more careful about what data goes to China and how they do business there, and that’s a good thing. The second piece about insiders is companies obviously do not want to create an environment where their employees don’t feel trusted, but you’ve got to create a culture where everyone has a stake in the security of the company. You can create an insider threat program—do you notice odd behavior and is there a way you can notify someone for further investigation—that doesn’t rely on xenophobia or racism or anything of the sort. There’s always a risk that for the right reward, whether it’s money or something else, someone might choose to betray the interest we all have in protecting the company, so we all have a responsibility to be on the lookout for behavior that’s concerning.

TR: In March, you briefed members of the Senate—or at least I think it was March?

AH: It’s very hard to remember time at this point.

TR: Very true. But in this Senate testimony, you advocated for amendments to the Computer Fraud and Abuse Act. Can you talk more about what you would like to see changed there and why?

AH: Sure. With respect to the CFAA in particular, number one is addressing some court decisions that have narrowed the reach of that statute and our ability to apply it to insiders who exceed authorized access. That provision is designed to reach people like the police officer who uses his or her access to a database to research an ex or an enemy. It reaches people who are employees of a company who use access to the network to take data that’s beyond the scope of their job. It’s a critical part of the statute but right now it’s become very difficult to use the statute to address those that have access to a system who misuse that access. First and foremost we have to find a way to reinforce what Congress said when it first passed that so we have a real way of addressing insiders who abuse that access. 

There are other relatively smaller but important changes… we’re looking for injunctive authority so we can do more in terms of botnet takedowns and other disruptive operations. There was concern at some point that a lot of election infrastructure, if it’s not connected to the internet, then it falls out of the definition of a protected computer. There might be systems that aren’t internet-connected but we should still think of as being vulnerable to hacking and subject to investigation under section 1030.

TR: The last thing I was going to ask about is your comments on data breach notification laws. It feels like I’ve been writing the same story for years around whether we’ll have a national law—I won’t ask you about the likelihood of that, but I do want to know that if one were passed, what would you like to see in it?

AH: So the good news there is that every day that goes by it seems like an even better idea. Even from the private sector perspective… there are 50 different laws and more in the territories setting data breach reporting requirements, and any breach potentially implicates all of them in addition to GDPR. Harmonizing at least U.S. law with one single standard would be very helpful to the private sector, and would be one reason why I hope they would support a federal standard.

I’m looking for two things. One is when you think about data breach notification, traditionally we’ve been focused on the consumer and breaches of consumer information—credit cards, identifying information, health information. And that’s important, but when you think about what data breaches matter to you as a citizen, I’m guessing you are also concerned about breaches that implicate election security, export controls information, COVID research. There’s data besides PII and PHI that’s going to be important for the federal government to know about, so I think the notification shouldn’t be limited to that type of data or the individual who might be implicated. The second part is we need a mechanism by which law enforcement is also notified of the breach.