After six years of coordinated cyber attacks and data theft, the U.S. Department of Justice (DoJ) issued indictments yesterday against three members of the Chinese threat group known as APT 3 or Gothic Panda. The indictments specifically address data theft and corporate espionage against Siemens, Moody’s Analytics, and Trimble, a company that develops navigation satellite systems. These indictments alone are noteworthy due to their scale and scope. However, they become even more relevant when exploring them in conjunction with the series of indictments and arrests for cyber crimes that have occurred throughout 2017.
The DoJ issued the first high profile indictments for cyber criminal activity against five members of the Chinese PLA for corporate espionage in 2014. Importantly, there have been as many high profile indictments in 2017 as there were between 2014 and 2016. Indictments are becoming a prominent tool of the U.S. government for holding cyber attackers accountable, while countering the naysayers who claim attribution is simply too difficult in cyberspace. This is an important trend, and one that will likely continue into 2018.
A Brief History of Recent Indictments
Prior to 2017, high profile indictments were few and far between. The indictments against the PLA members in 2014 ostensibly mark the first prominent use of indictments to counter cyber theft and other crimes. This was an important case, as it specified espionage for corporate gain against at least five U.S. corporations, and it likely played a major role in shaping the 2015 U.S.-Sino agreement specifically against these kinds of activities. The global botnet GameOver Zeus was also taken down in 2014, and an indictment was issued for the botnet’s key administrator, Evgeniy Bogachev. He was later sanctioned at the end of December 2016 as part of the U.S. response to Russian interference in the U.S. presidential election.
Between 2015 and 2016 there were a few high profile indictments, but certainly not at a pace comparable to 2017. In 2015, indictments were issued against nine people based in Ukraine and the U.S. for one of the largest securities fraud schemes. The group stole not-yet-released press releases containing financial information and used that information to inform trades. In 2016 there were two significant cases of indictments. The first and most prominent were the indictments against seven Iranians for widespread attacks against U.S. financial institutions and the Rye dam. Seven months later the DoJ issued indictments against a Russian national for hacking Dropbox, LinkedIn, and Formspring, stealing data and damaging computers.
In contrast, there have been numerous indictments and arrests of cyber criminals across the globe in 2017 that have received little attention compared to the attacks themselves. Specifically in the U.S. there have been at least four high profile indictments, including yesterday’s against the members of APT 3. In March, two Russian nationals and FSB agents were indicted for the Yahoo breach, as well as for compromising Gmail and other email accounts. A Canadian national was arrested for supporting the Russians, and there are indications today that he will change his plea to guilty. In August, a Chinese national was arrested for his role in the 2014 OPM breach. Just last week an indictment was issued against an Iranian who had previously worked on behalf of the Iranian military. The U.S. is also increasingly working with international law enforcement. Earlier this year, 19 indictments were issued and accompanied by the arrests of cyber criminals connected to international money laundering and fraud.
The Value of Naming and Shaming
This brief history of recent indictments for cybercrimes reveals the increased reliance on indictments, while also highlighting just how few arrests have actually occurred compared to the size and scope of breaches. So what is the value of indictments? First, as the OPM and Yahoo examples illustrate, arrests can still occur and must be pursued. Indictments are an essential component of a broader deterrent strategy. Indictments, and ideally arrests, signal the potential consequences of cyber crime, demonstrating that the government is responsive to attacks on the private sector. They also signal attribution capabilities and help counter the common narrative that attribution is impossible.
In the fog of geopolitical tensions, indictments also provide transparent communication between governments, signaling acknowledgement of involvement in various malicious cyber activities. It is notable that the majority of the indictments stop short of linking the accused to their government. Yesterday, U.S. Attorney Soo C. Song specified, “It is not an element or subject of this indictment that there is state sponsorship.” Other officials interviewed disagreed, noting that these attacks were state-sponsored and directed. This is an especially important delineation for attacks linked to China, which recently reaffirmed its commitment to the 2015 U.S.-Sino agreement against specifically this kind of cyber theft. There are significant implications for directly naming a foreign government as the attacker, including potential retaliation that escalates the cyber activity or spills over into the military, economic, or diplomatic domains. Indictments that stop short of connecting the crimes to a foreign government can provide greater transparency between governments, while also putting adversaries on notice that attribution has occurred and may instigate further responses.
Looking Ahead into 2018
The growing use of indictments throughout 2017 has received little attention despite the vocal demand for U.S. responses to cyber attacks. Clearly, indictments alone are not sufficient for a broader deterrent, but they are foundational to any comprehensive cyber strategy. With the estimated costs and impact of cyber crime rising for the foreseeable future, the DoJ will likely continue to issue indictments as a foundational tool to counter these threats. There are already rumors that the DoJ may indict six Russian nationals in 2018 in connection with the 2016 DNC hack. As indictments increasingly become an integral component of the U.S. response to cyber crime throughout 2018, it will be necessary to watch whether and how they change the risk calculus of both nation-state and non-state attackers.