Blaming cyber attacks on governments has become routine, but has it resulted in accountability, punishment, or a reduction in hostile cyber activities?
In the ongoing cyber tete-a-tete between nation states, the digital domain has been used to conduct an array of operations including network exploitation, data theft, network disruption, and network destruction. Additionally, states have used the cyber domain and the tools therein (e.g., social media, chat rooms, bulletin boards, blogs) to enable other, more traditional operations of statecraft such as propaganda, disinformation, and social/political influence operations. Although cyber activities have long been considered difficult to attribute, governments are now more confident in publicly identifying the states they believe are responsible for covert cyber activities against them. In an effort to strengthen such claims, levying legal indictments against the individuals responsible—often foreign nationals with a direct tie to a government or a military—has become popular. The United States in particular has engaged in this practice, executing indictments for cyber activities since 2014 against state actors with direct or tangential ties to foreign governments.
The tactic seemed practical at first: bringing formal charges against suspected government actors and, by extension, implicating that government for supporting, or at least giving tacit approval of, the activities. The May 2014 indictment against five actors tied to the People’s Liberation Army appears to have had direct influence on China and the United States agreeing not to hack each other for commercial advantage in 2015. For a brief period afterward, this seemed to work, with a noticeable reduction in the volume of Chinese theft of intellectual property. However, this was short-lived, with China allegedly resuming normal levels of cyber operations in 2018.
Still, proponents of the indictment strategy have pointed out that an important gain was made—persuading China to curb its previous levels of data theft; in essence, the indictment appeared to have influenced a state’s cyber behavior. While it did not last, it could be argued that even the momentary success suggested that the approach was viable and just needed adjustment to accomplish strategic deterrence. After all, shortly after the 2014 China-U.S. agreement was made, China entered into a similar understanding with Russia in 2015, and this ultimately led the G20 (including China) to make a comparable arrangement in November 2015. Many G20 nations were among those that China had also targeted via its global cyber espionage and intellectual property theft operations.
Unsurprisingly, these agreements have not deterred commercial cyber theft, nor more traditional cyber espionage activities, particularly from China, which likely views industrial cyber theft as a national security imperative for the country’s continued economic development. As long as China sees economic strength as essential to its emergence as a global leader, supporting Chinese companies that are important to accomplishing this goal could be perceived as less about commercial advantage and more about preserving its national interests. This is an important nuance to keep in mind when understanding why China continues to do what it does. In 2019, countries finally began to see the futility of trying to make states like China honor these agreements, when 27 governments signed a joint statement to advance responsible state behavior in cyberspace. Notably, neither China nor Russia was a signatory.
Where diplomatic overtures have thus failed, the U.S. has resorted to indictments and has since levied them against official and non-official actors linked to Iran, North Korea, and Russia. As of this writing, these indictments have not yielded the obvious objective—state deterrence from conducting the crimes for which they have been charged. However, this raises the hopeful question—if deterrence wasn’t the primary objective, have indictments achieved what was truly intended? Certainly, indictments could be foils used to further other U.S. political or economic objectives. If so, their influence may not be readily seen as instrumental to achieving seemingly unrelated strategic goals.
Another likely objective is to get on record that a particular government is responsible for illicit cyber activity, thereby letting the world know of its culpability. This seems to be closer to the mark. Prior to May 2014, attribution made in public was mostly accusatory and based on speculation and suspicion, or at least made without providing classified evidence to strengthen claims. Indictments have since changed that paradigm: they are purposefully made for global consumption and make clear who the charging state believes to be behind a specific incident. Since there is little hope that any of these individuals will be extradited to the United States, indictments seem less about arrest and prosecution and more about demonstrating the capability to identify culprits by detailing their operations. Simply put, punishment does not appear to be the primary motive.
Other states have now joined the public attribution bandwagon. In March 2020, Chinese computer security company Qihoo 360 reported that the CIA had been conducting an 11-year cyber espionage campaign against Chinese organizations, and in April it identified South Korean cyber espionage activity targeting Chinese health organizations for COVID-19 information. Qihoo 360 works closely with the Chinese government, which has prompted concerns about companies like Microsoft collaborating with it. Although not an official arm of the Chinese government, its stature as a global cyber security leader and a primary supplier of security and monitoring equipment to the People’s Republic of China raises the question of how the company could be used as a voice for the country’s leadership. Iran, too, is no stranger to calling out perpetrators of cyber attacks, citing the United States and Israel for various cyber attacks. Even North Korea blamed the United States for knocking it off the Internet, after the United States had accused North Korean hackers of attacking Sony in November 2014.
It remains to be seen if or when other foreign governments will step up to the next level and levy cyber indictments against other countries. It is likely that they will wait and see how the United States fares with this approach and whether any favorable results are realized. The recent removal of two Russian companies from an indictment set forth by special counsel Robert Mueller illustrates a potential impediment to the indictment strategy, further raising the question of its effectiveness at deterring future cyber incidents by state and/or state-related entities. One of the companies challenged the charges, hiring a law firm to defend it, marking the first time a defendant has been willing to go to court on a cyber-related indictment. The potential threat of exposing classified information was one reason provided for this result. The fact that the charges were dropped may encourage other indicted individuals and entities to follow suit, potentially derailing the strategy and reducing it to an exercise in making formal attribution.
Cyber operations were once clandestine and mysterious; now, states are emboldened to pull back the curtain and sanitize them in the public spotlight. What remains consistent for now is that public attribution—whether via accusation, indictment, or naming and shaming—has done little to change state behavior, decrease the volume of activity, or deter future activity. It’s clear that no one approach—whether it be a legal action, economic influence, a retaliatory strike, or diplomatic engagement—is a silver bullet, and none should be pursued independently of the others if any progress is to be made in how cyberspace is used for and against states. They must be done in concert and in proportion to the inciting incident, and with a quantifiable, reachable goal in mind. Absent that, the stakes are not high enough to incite the change that’s often talked about but never done. Perhaps states should consider the fable of the shepherd boy who cried wolf before making public attribution. Crying wolf frequently does not rally the volume of support needed to stop the threat; rather, it numbs ears so that they stop listening and ignore the signs that the pack is closing in.