Indictments, Countermeasures, and Deterrence
March 25, 2016
“What counts are the political and military consequences of a violation…since these alone will determine whether or not the violator stands to gain in the end.”
Fred Ikle, “After Detection, What?” 1961
The announcement of the indictment of seven Iranian hackers is part of a larger effort to reshape adversary thinking about the costs of attacking the United States. There has been a sequence of linked events - the PLA indictments, the response to Sony, the threat of sanctions before the Xi-Obama summit, and now these indictments. The effect is to push back against foreign-state hackers. These actions create consequences for malicious actions in cyberspace (recommended in a 2013 CSIS Report). When there is no consequence or penalty, there is no incentive to stop. Cyberspace has been largely penalty-free until recently. The indictments signal to our opponents to realize that attacking the United States can have consequences.
Iran rapidly developed its cyber-attacks capabilities after its “Green Revolution,” where political opponents of the regime used the internet to organize protests and dissent. These attack capabilities let them manage and then eliminate the political threat created by the internet. In developing these capabilities, Iran was helped by Russia, or at least by Russian hackers with the approval of the Russian state. There are no freelance hackers in Iran - the attackers are funded and controlled by the Iranian Revolutionary Guard. Iran routinely probes American critical infrastructure networks to locate vulnerabilities, has launched massive denial of service attacks against leading U.S. banks (apparently to protest sanctions) and disrupted networks and data at the Sand Casino in an effort to intimidate and punish its owner. What Iran did to Aramco in 2012 shows the kind of damage they could do in the United States, if they thought they could get away with it.
The United States has been aware of Iranian activities for several years, but was hesitant to say so. When the Department of Homeland Security (DHS) briefed critical infrastructure companies on how their networks were being probed, they were denied permission by the Intelligence Community, for reasons best known to itself, to even say the word “Iran” in the briefing even though it was an open secret. Actions like this (the DHS briefing was reported in the press) inspire more ridicule than caution in opponents. The likely cause for the self-imposed restraint was probably a desire not to put the nuclear talks at risk. This may explain why Sony received presidential attention while Sands did not.
This is not name-and-shame. Iran’s leaders do not burst into tears when they are named. Naming must be accompanied by consequences or the threat of consequences if it is to have effect. The Department of Justice’s approach has been to develop the case as if it was really going to court. They do a lot of work on evidence. We will probably never see these people stand trial (as with the PLA indictments) but Justice prepares as if this was a possibility. This slows any response - as does the need to find companies willing to go public about being the victim of hacking - but the wealth of evidence in an indictment is compelling, perhaps even frightening to opponents.
The latest indictments send a powerful message. The responses to China, North Korea and now Iran say two things: attackers are no longer invisible and there will be consequences for their actions. This message reshapes opponent thinking about the risk and potential costs of cyber actions against the United States. The effect of this is not always clear to American commentators - diplomacy and espionage are colored in half tones, not the black-and-white, clear distinction of popular culture. The most obvious evidence of change is that the PLA indictments, widely questioned when they were announced, contributed significantly to the Chinese decision to agree to refrain from commercial cyber-spying.
The United States faces four major opponents in cyberspace and the name missing from this list is Russia. Russian hackers, presumably acting with the permission of the Russian state, are the most energetic and skilled in committing financial crimes against Wall Street and other financial centers. There have been indictments against Russian hackers and some, foolish enough to travel outside of Russia, have been arrested, but these have not stopped cybercrime, suggesting that Russia has a higher tolerance for risk and a greater willingness (or desire) to flout the United States. This has implications for future actions - the United States cannot rest on its laurels and stop with these actions against China, North Korea and Iran, but must continue to create consequences for hacking incidents.
We can draw lessons from these incidents about what should be the nature of any future action. Signaling to opponents that U.S. attribution capabilities have improved markedly is a first step - the President’s 2015 State of the Union Address briefly revealed how and why they have improved when he said “we're making sure our government integrates intelligence to combat cyber threats, just as we have done to combat terrorism.” This means the ability to blend cyber espionage, signals intelligence and human sources gives the United States an unparalleled advantage in identifying hackers.
The second step involves countermeasures. The United States has held a long, painful discussion of cyber-deterrence that has been handicapped by approaching deterrence as a military problem, as if we were still in the Cold War. Complications arise from trying to identify how military force can be used in a “proportional response” to hacking and cybercrime, where no incident would justify a military response. The most effective actions to date in causing state attackers to recalculate risk have not depended on the Department of Defense or Cyber Command, but on attribution, indictments and the threat of sanctions. Looking for a military solution to cyber deterrence has tied us in knots. The better response lies in countermeasures that fall below the level of the use of force. Indictment and sanctions can make opponents wary. This will wear off if not refreshed, but the latest indictment are something we should have done a long time ago to construct the rule of law in cyberspace. Indictments make clear that the Wild West days of cyberspace are (slowly) coming to an end.
James Andrew Lewis is a senior fellow and director of the Strategic Technologies Program at the Center for Strategic and International Studies in Washington, D.C.
Commentary is produced by the Center for Strategic and International Studies (CSIS), a private, tax-exempt institution focusing on international public policy issues. Its research is nonpartisan and nonproprietary. CSIS does not take specific policy positions. Accordingly, all views, positions, and conclusions expressed in this publication should be understood to be solely those of the author(s).
© 2016 by the Center for Strategic and International Studies. All rights reserved.