To be effective in deterring illegal state cyber activities, the US must shift its all-or-nothing strategy and be willing to barter.
The United States government’s primary response to addressing state hacking has been to identify the state agents behind the attacks and indict them. Indeed, the U.S. government has levied indictments against those Chinese as well as Russians it believes to be behind nefarious cyber operations ranging from theft of intellectual property to “computer hacking, wire fraud, aggravated identity theft, and money laundering.” The individuals identified in the indictments are military and intelligence officers of their respective countries.
State hacking has emerged as one of the foremost activities that governments undergo in pursuit of acquiring information that it deems in their interests to know. Certainly, cyberspace has facilitated such activities. More information is stored, transmitted, and processed on information systems that remain poorly or carelessly secured, and sending physical bodies to identify and try to collect such information is no longer required, at least to the extent it might have been twenty years ago. Intelligence collectors need only identify subjects of concern and the people that work in those areas to conduct computer network exploitation in order to gain access to sensitive but unclassified information on official and personal accounts in the hope of acquiring such data. Information associated with cyber espionage has ranged from diplomatic, political, business research and development, intellectual property, economic intelligence, among others.
Cyber deterrence is a concept that has gained traction in both the public and private sectors as a means of retaliating against cyber spying, though little has been developed as to what a deterrence strategy would look like. Courses of action like “hack back” against attackers and using diplomatic and economic pressures are some tactics that have been linked to deterring hostile cyber acts. As U.S. officials continue to weigh and debate these options, it is clear that the government has moved forward using legal indictments as a central pillar to any impending deterrence strategy. Nonetheless, one question lingers – have these indictments done anything to alter adversarial state behavior?
Supporters of levying cyber indictments maintain that despite the fact that these governments will likely not turn over the accused to the United States, it sends a message that the U.S. government is no longer turning a blind eye to these activities. The idea is that not only do indictments publicly “name and shame” these individuals, but they also greatly restrict the accused’s freedom of world travel, a legitimate concern recently contextualized by the late 2018 arrest of a Huawei executive in Canada on behalf of a U.S. warrant . But is the threat of extradition a legitimate concern for these cyber actors who are officials of their respective governments and are presumably acting on direction of the very government they serve?
With respect to the US government’s primary adversaries (e.g., China, Iran, North Korea, Russia), it is evident that such indictments have not made any real impact. Five People of Liberation Army officers were indicted in May 2014, and two more suspected intelligence officers were indicted in December 2018. Similarly, July 2018 cyber indictments targeted 11 Russian individuals tied to Russian military intelligence, which was followed by October 2018 indictments of additional Russian Main Intelligence Directorate officers. Although the U.S. levied cyber sanctions against Iranians in November 2018, the two individuals in question were not directly tied to the government. North Korea was not immune to this tactic. In September 2018, the Department of Justice charged a North Korean national with hacking Sony in 2014 and launching the WannaCry campaign in 2017. Regardless of these indictments, one thing is clear – among the world’s cyber powers, the potential arrest and extradition of government officers has had little effect in influencing their behavior.
The ability to identify foreign intelligence hackers to include name, biographies, ranks, and photos is impressive and certainly demonstrates a sense of power. The stealthiest of spies that have successfully operated in obfuscated channels and hidden behind proxies and hop sites are now being unmasked. What was been historically deemed as an extremely difficult undertaking (i.e., attribution) is now being performed on a fairly consistent basis and at a granular level. The threat is clear – the United States has the resources to pull back the curtain and expose the most secret of operations. But is that enough? While certainly an impressive display of capability, such actions remain a spectacle without a finish if this can’t be leveraged to influence state behavior.
So, the question remains – will these actors really be arrested, tried, and if convicted, be imprisoned in the United States? Unfortunately, if history is a guide, then the answer of that would likely be “no.” The trend of identifying, arresting, and convicting foreign spies (note: this means foreign nationals and not U.S. citizens spying for a foreign government) in the United States has been to label them “persona non grata” – or as an “unwelcome person” – which effectively bans them from the country. That’s what’s typically done with official agents of a foreign country, such as in the case of 35 Russian embassy officials in 2016. (Spies like Anna Chapman have been officially “deported” and “swapped” in spy exchanges.). In the case of the Chinese and Russian cyber indictments, the individuals in question are government officers. If they are eventually captured and arrested, it is unlikely they would be imprisoned. After all, thus far, neither China nor Russia has followed suit, and to think that they don’t possess a similar capability to track U.S. cyber spy efforts (remember the Shadow Brokers ?) is purposefully sticking your head in the sand. Diplomacy is reciprocity and it can be expected that once a threshold has been crossed by one government, similar retaliatory actions will follow at some point at their discretion.
Historically, if foreign spies have been caught, they have either been deported, or else used in spy exchanges . However, an additional option is to gain concessions in other political or economic areas. Take for example, the recent arrest of a senior executive of the Chinese telecom Huawei in Canada. Recent news intimates that the U.S. president could review and intervene in the executive’s arrest in order to gain concessions from China in ongoing trade discussions If cyber operatives are indeed arrested in foreign countries and extradited, governments may use them as leverage to achieve similar results.
Governments spying in support of their national security interests is generally accepted as normal, despite generally being perceived as “unwelcome behavior.” Many if not all, governments have intelligence agencies that engage in some form of overt or covert intelligence collection. Even friendlies have been known to spy on one another without incurring excessive consequence. Perceptions of what is acceptable to target remains a main area of contention between states, and was the catalyst for the 2015 China-U.S. agreement not conduct espionage for private sector commercial gain. What this means is that states ultimately operate (i.e. “spy”) in their national interests regardless of potential retribution and will continually conduct those operations they deem necessary to support these goals and objectives. So, in this context, cyber indictments may not be the best course of action to deter questionable cyber activities, especially if the actors under indictment are state officers being directed by the state. To think that this can be folded in to “deter” state behavior is as misguided as believing that enforcing “persona non grata” will deter a state’s human intelligence collection efforts.
If cyber deterrence is indeed the goal, its best chance of success is its implementation in a comprehensive approach that includes a flexible combination of political, economic, and legal measures. This is because any deterrence strategy must be tailored to address the target, as states are uniquely receptive to certain overtures over others. For example, diplomatic ties have been downgraded and severed in order to influence a state’s behavior. China successfully accomplished this objective when it closed France’s Consulate General in Guangzhou when it found out that a French company had sold military equipment to Taiwan in the 1990s. Finding the right button to push is instrumental in achieving any deterrence.
So, what is the role that these cyber indictments can play in deterring state behavior in cyberspace? At best, they are a legal means used against foreign governments that follow the law. However, in the cases of adversaries such as China, Iran, North Korea, and Russia who have not demonstrated an interest in following other nation’s laws, they only serve to put them on notice. Any chance of real deterrence (or to be more pragmatic, a reduction of hostile cyber activity) will identify areas those governments find more valuable, such as maritime rights, trade issues, or territorial disputes, and leverage them as agents of influence to alter bad cyber behavior. The United States must recognize that cyber deterrence is not a static option, but a multi-faceted one subject to change depending on the geopolitical environment of the U.S. and the offending government. And like any negotiation between sovereigns, both parties are subject to compromise. The United States must weigh whether deterring hostile cyber activity is more important than other security concerns. The problem is that with regards to the countries that it has leveled indictments against, it is apparent that the U.S. hasn’t. Until the U.S. is ready to barter, it will continue to find itself playing an-all-or-nothing strategy that up until this point has done little to influence state behavior in cyberspace. And indictment or no indictment, the status quo will remain intact.