In an indictment released this morning, the Justice Department charged seven Iranians with carrying out distributed denial of service (DDoS) attacks on US financial institutions and also charged one of the seven with hacking a dam in New York. The indictment is the latest instance of a ramped-up effort by the US government to publicly attribute cyber intrusions to foreign governments and foreign government-linked hackers. According to the indictment, the seven defendants worked for two “private computer security companies based in” Iran that “performed work on behalf of the Iranian Government, including the Islamic Revolutionary Guard Corps.” One of the defendants allegedly even received credit toward his mandatory military service for participating in DDoS attacks on US financial institutions.
Today’s indictment is reminiscent of the May 2014 indictment of Chinese People’s Liberation Army (PLA) officials for hacking US companies. The indictments seem designed to serve similar purposes, and they also raise similar questions.
Both indictments draw a line under behavior that the United States has pushed at the international level to have deemed off limits. The indictments focus on different kinds of behavior: The Chinese indictment addressed intellectual property theft from US companies, whereas the Iranian indictment is aimed at DDoS attacks and a non-intellectual property theft intrusion into a critical infrastructure entity. But the United States has sought international agreement on the impermissibility of both intellectual property theft for commercial gain and of attacks that damage critical infrastructure. The United States and China agreed in September 2015 that “neither country’s government will conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors.” In a report last summer, the UN Group of Governmental Experts, which includes the United States, China, and Russia, among others, agreed that states “should not conduct or knowingly support [information and communications technology] activity contrary to its obligations under international law that intentionally damages critical infrastructure or otherwise impairs the use and operation of critical infrastructure to provide services to the public” (para. 13(f)).
Both indictments are also designed to deter future cyber intrusions. FBI Director James Comey explained in a statement this morning, “By calling out the individuals and nations who use cyber attacks to threaten American enterprise, as we have done in this indictment, we will change behavior.” The indictments serve to demonstrate the US government’s attribution capabilities. Assistant Attorney General John Carlin highlighted this point in announcing the Iran indictment, explaining that “the days of perceived anonymity are gone. … No matter where a hacker is located or who he is affiliated with – China or North Korea, ISIL or SEA – we can figure who did it, by name and face, we can do so publicly and we can impose consequences.”
Although today’s indictment focuses mostly on DDoS attacks on US financial institutions, the need to deter more incidents like the hacking of the New York dam — which receives only two paragraphs out of 18 pages — may be the driving force behind the decision to charge the Iranian hackers. The DDoS attacks on US financial institutions were disruptive and costly, but the dam hacking poses a qualitatively different risk of harm. The fact that a defendant allegedly involved with the DDoS attacks is also charged with carrying out the dam hack may have prompted the Justice Department to bring charges for both crimes in a single indictment.
Beyond the similarity in purpose, the Chinese and Iranian indictments also raise similar questions, including their effect and potential next steps.
The biggest question is whether the naming-and-shaming in the indictments actually has the deterrent effect that the Justice Department envisions. In a speech in December, Assistant Attorney General Carlin asserted that the 2014 PLA indictment “had a lasting impact” and “illustrates how public attribution alone can have a deterrent effect.” But others have alleged that Chinese-sponsored IP theft has continued after the September deal. More recently, Director of National Intelligence James Clapper acknowledged claims by “[p]rivate-sector security experts” about ongoing IP theft from China and noted that the United States will monitor China’s compliance with the September 2015 deal. Moreover, on March 16, National Security Agency Director Michael Rogers made comments in testimony before a House Armed Services Committee subcommittee that, as Jack Goldsmith has noted, were “suggestive” with respect to China’s non-compliance with the September deal. Twenty-two months after the PLA indictment and six months after the IP theft deal, the effect of both is still unclear, and similar difficulties are likely in gauging the effect of the Iran indictment. A further complication for judging the effect of the Iran indictment is that, as the indictment explains, the DDoS attacks ended around May 2013 (paras. 8, 18). Proving any incremental effect of the indictment in deterring the resumption of attacks that ceased nearly three years ago will be difficult; on the other hand, any resumption of DDoS attacks from Iran would quite clearly show that deterrence had failed.
Another question is whether the indictments will eventually serve as the predicate for sanctions against the named individuals or others affiliated with them. The Obama Administration created a cybersecurity sanctions regime by Executive Order nearly a year ago, but it has yet to apply the sanctions to any individual or entity. The sanctions regime could apply to the activities covered in both indictments. As I noted in a post last spring:
The Order’s provisions regarding theft of intellectual property may be most directed to China, as others have suggested (see here), but at least one provision appears aimed at past Iranian actions, namely DDOS attacks against U.S. financial institutions. The Order refers to actions that “(C) caus[e] a significant disruption to the availability of a computer or network of computers,” and the White House fact sheet lists a DDOS attack as an example for that provision. This provision seems very broad—covering “significant disruption to the availability” of even a single computer, with no requirement that the computer even be in a critical infrastructure sector. But it becomes more commensurate with the other provisions of the Order if it is understood as a response to the massive DDOS attacks on U.S. financial institutions in 2012 and 2013 that have been attributed to Iran. Indeed, President Obama’s post on the sanctions specifically alludes to “Iranian hackers” targeting U.S. banks. Iran, of course, is already subject to heavy sanctions, but if those sanctions were to be loosened as part of a nuclear deal, the new cyber sanctions might have more bite.
In announcing the Iran indictment, Assistant Attorney General Carlin mentioned sanctions, explaining that the United States will “use every available tool” to hold hackers accountable, which “means more public actions, more charges, more arrests and more sanctions, until the conduct changes” (emphasis added).
With the one-year anniversary of the cybersecurity sanctions Executive Order coming up on April 1, the Iran indictment may be laying the groundwork for finally announcing sanctions. And the sanctions could be aimed at multiple types of bad acts from nationals of multiple countries.