How the Justice Department Is Stepping up Its Efforts To Indict State-Sponsored Hackers

2020_0922 - DoJ
2020_0922 - DoJ

How the Justice Department Is Stepping up Its Efforts To Indict State-Sponsored Hackers

When it comes to indicting state-sponsored hackers, 2020 was one of the busiest years yet for the U.S. Justice Department. 

The DOJ unsealed seven such indictments last year, charging 22 foreign hackers with working in whole or in part for foreign governments. In terms of both indictments unsealed and foreign hackers charged, that makes 2020 the second most prolific year ever for the DOJ, an investigation by The Record has found.

The only time the Justice Department surpassed that tally was in 2018, a record-breaking year marked with an asterisk. That year, the Special Counsel’s office unsealed two landmark indictments against 25 Russian cyber operators for their interference in the 2016 U.S. presidential election, inflating the Department’s overall numbers. 

<script type="text/javascript" src="https://www.gstatic.com/charts/loader.js"></script>
<script type="text/javascript">
  google.charts.load('current', {'packages':['corechart']});
  google.charts.setOnLoadCallback(drawIndictmentChart);
  

function drawIndictmentChart() { var data = google.visualization.arrayToDataTable([ ['Nation State', 'Russia', 'China', 'Iran', 'North Korea', 'Syria', 'ISIS', { role: 'annotation', role:'style' } ], ['2014', 0, 1, 0, 0, 0, 0, ''], ['2015', 0, 0, 0, 0, 0, 1, ''], ['2016', 0, 0, 1, 0, 2, 0, ''], ['2017', 1, 0, 0, 0, 0, 0, ''], ['2018', 3, 2, 1, 1, 1, 0, ''], ['2019', 0, 0, 1, 0, 0, 0, ''], ['2020', 1, 4, 2, 0, 0, 0, ''], ]);

  var options = {
    width: 665,
    height: 425,
    legend: { position: 'right', maxLines: 1 },
    bar: { groupWidth: '50%' },
    isStacked: true,
    title: 'Indictments Per Year',
    vAxis: {
        minValue: 0,
        ticks: [0, 1, 2, 3, 4, 5, 6, 7, 8]
      },
    
    series: {
    // Russia
    0:{color:'#233e94', dataOpacity: 0.8},

    // China
    1:{color:'#dd2d26', dataOpacity: 0.8 },

    // Iran
    2:{color:'#249f49', dataOpacity: 0.8 },

    // North Korea
    3:{color:'#fec300', dataOpacity: 0.8 },

    // Syria
    4:{color:'#8a3324', dataOpacity: 0.8 },

    // ISIS
    5:{color:'#222222', dataOpacity: 0.8 },

},

vAxes: {
            
            0: { title: 'Indictments' },
        },

};

  var chart = new google.visualization.ColumnChart(document.getElementById('indictment_chart_div'));
  chart.draw(data, options);
}
</script>

<div id="indictment_chart_div" style="width:665; height:425"></div>

The uptick in indictments last year reflects a number of factors, said Adam Hickey, the Deputy Assistant Attorney General of the Justice Department’s National Security Division, which heads up hacking cases with a nexus to state actors. Above all, Hickey pointed to a greater willingness among U.S. Attorneys’ Offices to take up state-backed hacking cases and the refinement of the tools, processes, and procedures necessary to prosecute them at the federal level. 

“Prior to 2012, no one was even looking at national security, or state actor, cases through a criminal lens with the objective of charging them,” said Hickey. “To charge the first case took an incredible amount of both effort and changes in policy to allow prosecutors to look at the information and build this type of case.”

The watershed “first case” Hickey referred to came in 2014, when the DOJ unsealed an indictment charging five hackers working for China’s People’s Liberation Army with commercial espionage and intellectual property theft. The case made waves because prior to that, state-sponsored hacking rarely made it into the public eye. 

“What happened next was that, gradually, U.S. Attorneys’ Offices and federal prosecutors around the country began to see that these cases can be brought,” continued Hickey. “It took time for the momentum to gather. The spike [since 2018] reflects years of effort by an increasing number of prosecutors around the country.” 

Other former DOJ and FBI officials that spoke with The Record confirmed Hickey’s assessment. They described an upward trajectory shaped less by any top-down strategy to bring greater pressure to bear on foreign cyber operators or changes in the external threat environment than improvements in the government’s skill at prosecuting these cases within the middle levels of the federal bureaucracy. 

 “The uptick is partly about muscle memory, and it's partly about the establishment of the process by which to go through a public indictment,” said Milan Patel, global head of managed security services at cybersecurity firm BlueVoyant. “The charging process is much more sure-footed now because different government agencies know what DOJ and FBI are looking for in these cases.” 

<script type="text/javascript" src="https://www.gstatic.com/charts/loader.js"></script>
<script type="text/javascript">
  google.charts.load('current', {'packages':['corechart']});
  google.charts.setOnLoadCallback(drawHackerChart);
  

function drawHackerChart() { var data = google.visualization.arrayToDataTable([ ['Nation State', 'Russia', 'China', 'Iran', 'North Korea', 'Syria', 'ISIS', { role: 'annotation', role:'style' } ], ['2014', 0, 5, 0, 0, 0, 0, ''], ['2015', 0, 0, 0, 0, 0, 1, ''], ['2016', 0, 0, 7, 0, 3, 0, ''], ['2017', 4, 0, 0, 0, 0, 0, ''], ['2018', 32, 12, 9, 1, 2, 0, ''], ['2019', 0, 0, 4, 0, 0, 0, ''], ['2020', 6, 11, 5, 0, 0, 0, ''], ]);

  var options = {
    width: 665,
    height: 425,
    legend: { position: 'right', maxLines: 1 },
    bar: { groupWidth: '50%' },
    isStacked: true,
    title: 'Indicted Hackers Per Year',
    vAxis: {
        minValue: 0,
        ticks: [0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60]
      },
    
    series: {
    // Russia
    0:{color:'#233e94', dataOpacity: 0.8},

    // China
    1:{color:'#dd2d26', dataOpacity: 0.8 },

    // Iran
    2:{color:'#249f49', dataOpacity: 0.8 },

    // North Korea
    3:{color:'#fec300', dataOpacity: 0.8 },

    // Syria
    4:{color:'#8a3324', dataOpacity: 0.8 },

    // ISIS
    5:{color:'#222222', dataOpacity: 0.8 },

},

vAxes: {
            
            0: { title: 'Indicted Hackers' },
        },

};

  var chart = new google.visualization.ColumnChart(document.getElementById('hacker_chart_div'));
  chart.draw(data, options);
}
</script>

<div id="hacker_chart_div" style="width:665; height:425"></div>

Patel, who previously led investigations within the FBI’s Cyber Division, cautioned that the approvals and equities checks across the intelligence community remain extensive, but that the process became much more efficient once agencies learned how to cooperate. 

Luke Dembosky, who served as deputy assistant attorney general at the National Security Division between 2014 and 2016, said the decision to unseal indictments against state-sponsored hackers was controversial at first, but over time it was accepted as an effective “tool in the Department’s toolbox.”

Even if the hackers cannot be arrested, outing them “allows investigators and their leadership to show their capabilities to U.S. stakeholders,” said Dembosky, now co-chair of Debevoise & Plimpton’s cyber practice. “To cyber adversaries, it lets them know the U.S. can identify them, and will hold them and those who harbor them to account in one form or another.”

The policy of unsealing indictments against state-sponsored hackers has come under some criticism in recent years, in part due to the impression that it has become a hollow ritual. The vast majority of the defendants charged in these cases remain beyond the reach of U.S. law enforcement. The swell of cases over time suggests that the threat of legal sanction has not deterred foreign cyber-operators from targeting U.S. companies. 

Instead, critics argue, the government should keep the charges sealed in hopes of catching the defendants in the future or simply to avoid alerting adversaries that they are being watched.

Cybersecurity and law enforcement experts interviewed for this story strongly defended the Justice Department’s actions. They contended that the indictments were never intended as a panacea for state-sponsored cyber-activity and had to be viewed in context of other U.S. government actions.

“Nobody would suggest that these indictments are supposed to solve the problem [of state cyber-activity], particularly when so much of the activity is happening overseas and in places where countries proudly refuse to extradite their criminals to rule-of-law nations,” said Sujit Raman, who recently worked as associate deputy attorney general at the Justice Department, where he chaired the Cyber-Digital Task Force. 

Raman, who is now a partner at Sidley Austin LLP, said it would be a “mistake” to assess the indictments in isolation from other tools of national power.

“I don’t think you can isolate what the Justice Department is doing from what is happening at the Commerce Department, the Treasury Department, the State Department or the Defense Department,” said Raman. 

Dembosky agreed the indictments had to be viewed according to a broader set of criteria that is often difficult to quantify, such as delineating norms and establishing a credible and transparent record of what U.S. adversaries are doing in cyberspace—information that can buttress a wide range of diplomatic, legal, and policy initiatives.

But there is another, simpler explanation for why the DOJ chooses to unseal indictments. 

“When there are no extradition treaties and you can’t necessarily get your hands on the actors, the U.S. government can’t just let that activity go,” said Keith Mularski, who worked on some of the nation’s first indictments against state-sponsored hackers while at the FBI’s Cyber Division. “At some point they learn as much as they can from an operation. This is one of the few ways left to impact these actors.”

Hickey, the current Justice Department official, confirmed that the DOJ generally unseals indictments in cases where it has assessed that the defendants are unlikely to travel to the U.S. or to an allied country where they can be extradited. 

In that sense, unsealing indictments does represent a measure of last resort. But Hickey believes the perception that the indictments are ineffective has a lot to do with branding. Among the public, the act of unsealing indictments against state-sponsored hackers is often understood as a strategy to “name and shame” the attackers—a catchy label that Hickey and Raman confirmed does not hold currency in the current Justice Department. 

“It always bothers me that people might think the Justice Department would bring charges just for the purpose of saying something ‘bad’ about someone,” said Hickey. “What we do is build credible, public cases to hold someone, or even a nation, to account for their actions.” 

The ultimate goal, Hickey said, is to create a foundation for every other tool the U.S. government might use—tools, like sanctions or asset seizures, that can reach across borders. “That’s different from finger-wagging from a podium.”

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles