Speaking at the CyberNext security conference in Washington today, a top Department of Justice official explained the DOJ's recent proclivity for indicting members of foreign cyber-espionage units, something that no other country except the US has done until now.
The DOJ official's comments came after the US justice system has been recently heavily criticized for their actions.
Until now, members of government-backed hacking units have been considered off limits in terms of criminal prosecution, being awarded the same protections as intelligence officers and military combatants. Many legal experts argued that these "hackers" had not committed any crimes because they merely acted on orders received from superiors executing intelligence gathering operations.
But in recent years, the US has broken this unwritten rule among nations with cyber capabilities.
The first indictment came in 2014 when the US charged five Chinese hackers, members of Unit 61398 of the Third Department of the Chinese People's Liberation Army (PLA) for hacks against a slew of US government agencies and private companies (ATI, US Steel, SolarWorld, Westinghouse, others).
The US then charged another three Chinese hackers in 2017, claiming they hacked US companies on behalf of the Chinese state under the guise of Boyusec, a Chinese cyber-security company.
Then in March 2018, the US charged nine Iranian hackers employed by the Mabna Institute. The DOJ claimed the nine hacked on behalf of Iran's Islamic Revolutionary Guard Corps.
The next indictment came in July 2018, when the US charged 12 Russian hackers for the DNC hack. The indictment included charges against members of Unit 26165 of the Russian Main Intelligence Directorate (GRU), the country's foreign intelligence service.
Last month, the DOJ also indicted a North Korean national, claiming he worked for the country's famous Lazarus Group hacking unit and was involved in a slew of hacks, including the Sony Pictures hack of 2014 and the WannaCry ransomware outbreak of 2017.
Last but not least, the US charged yesterday another seven GRU officers for hacks against World Anti-Doping Agency (WADA) and the Organisation for the Prohibition of Chemical Weapons (OPCW).
But the DOJ has heard everyone's criticism, including from the US' own cyberspies, and has responded.
"There are some who question this approach, of criminally investigating and charging hackers sponsored by foreign states, often because we have not yet arrested the defendants," said Adam Hickey, Deputy Assistant Attorney General of the DOJ National Security Division.
"It is probably easy to forget that, until relatively recently, such charges were unheard of, because for a long time, we viewed the problem of foreign state-sponsored hacking through the lens of intelligence collection alone, without regard to disruption and deterrence (which are our objectives in confronting terrorism, espionage, and other challenging national security threats)," Hickey added.
"But imagine a world in which there are no criminal charges, no detailed, formal allegation of wrongdoing (which the government is prepared to stand behind in court). The private sector would be left alone to accuse the guilty, without recourse. What message does that send to a foreign hacker?"
The official argues that these hacks and indicted hackers have crossed the boundary from intelligence gathering into legitimate criminal activity.
For example, the Iranian hackers associated with the Mabna Institute had targeted over 140 US universities and stolen proprietary researcher, which they later sold online on privately-run portals, which had nothing to do with cyber-espionage-related operations, even if other of their hacks did.
Similarly, it's been long proven that Chinese hackers, while some operate to gather information in tune with China's political interests, some also steal proprietary information from US companies, which later mysteriously makes its way into the hands of Chinese competing firms. Here, there is no better case than the one put forward by US Steel in 2016.
But Hickey also argues that just by filing the indictments, the US is also sending a message.
"Even in the cases above (where we have yet to apprehend a defendant), the charges were never the end of the story: whether it is trade remedies, sanctions, contributions to network defense, or diplomatic efforts to rally likeminded nations to confront an adversary together, all of those charges served a greater purpose."
That purpose was to signal to other states that naming and shaming is acceptable and that all should act together [1, 2] against countries whose hackers go beyond cyber-espionage into the realm of criminal behavior.