Last week, a federal grand jury in California indicted four people—including two intelligence officers from Russia’s Federal Security Service (FSB)—for hacking into Yahoo’s servers and accounts beginning in 2014.
The case represents a relatively new effort on the part of the U.S. government to address and deter cyber espionage activity. Still in its early stage, the criminal prosecution strategy appears to serve as a soft deterrent. Washington is telling foreign adversaries like Russia: Don’t do this to our government, our companies, or our citizens, or we will expose and embarrass you. It tells the foreign service of those countries in a very public way that American law enforcement and intelligence services know who they are and what they are doing.
The unlikelihood of a foreign intelligence or military official ever actually standing trial in a U.S. court suggests that Washington is using the prosecutorial system as an instrument of national power, not because it necessarily believes that these efforts will result in someone being put in prison. The U.S. government is operating on the theory that the very public nature of criminal charges will change other nations’ behavior.
It remains to be seen, however, whether the risk of public embarrassment from criminal charges will be enough to stop nation-states from supporting or launching cyberattacks against U.S. industry and citizens, particularly with the purpose of stealing trade secrets or other confidential business information. But given Washington’s apparent willingness to publicly attribute specific cyberattacks to foreign nations and bring these cases out into the public, America’s adversaries may begin to more seriously consider whether the information gained from and damage inflicted by a cyberattack is still worth the effort.
An indictment against foreign state actors also sends a signal to American companies that the U.S. government recognizes they are being victimized and is taking steps to hold the sponsoring nation accountable in some way. Although the recent case is only the second case of its nature, Washington is likely hoping that companies will view its criminal enforcement efforts as an indication of government support for American industry and a recognition of the difficulties faced by private corporations attacked with the support and capabilities of a nation-state.
In some ways, the strategy represents a Department of Justice (DOJ) effort to adapt lessons learned from the post-9/11 counterterrorism era to the cyber espionage environment, though the situations are not exactly parallel. As former U.S. Assistant Attorney General David Kris has explained, criminal prosecution has served as an effective tool of counterterrorism strategy, providing a channel for intelligence gathering but also, significantly, disrupting a potential threat. This strategy was employed across both the Bush and Obama administrations.
For example, charging an individual can provide an avenue for cooperation, in which the defendant provides intelligence information regarding a threat. In other instances, arresting an individual may encourage others with knowledge of terrorist activities to offer potential attack information to authorities. As numerous cases in the post-9/11 era have demonstrated, prosecution has often served a very practical purpose, taking potential terrorists off the street before they could take tangible steps toward or actually conduct a physical act of terrorism. Prosecuting terrorists as criminals has been a pragmatic, and often tangible, application of law enforcement in the national security context, and the DOJ has used it robustly for the past 15 years.
The same strategy can be applied in cyberspace. The Russian intelligence officers charged in the Yahoo case are not the first—and probably will not be the last—foreign intelligence officers that the U.S. government brings criminal charges against for conducting hostile cyber acts. In 2014, in the first ever case of its kind, a federal grand jury in Pennsylvania charged five Chinese military officers with directing cyberattacks at American entities in the nuclear power, metals, and solar products industries.
That case also involved economic espionage, with the DOJ alleging that the cyber activity was intended to help Chinese companies, including those that are state-owned. The Obama administration responded with a comprehensive strategy to counter the threat that included not only prosecuting the military officers, but also issuing a 2015 executive order directing sanctions to be imposed in response to cyber espionage and signing an agreement with the Chinese government to refrain from conducting cyber economic espionage operations against one another. It was already U.S. policy not to engage in such activity to benefit U.S. private sector interests.
Successfully adapting the law enforcement counterterrorism strategy to the cyber espionage realm, however, will require that the government recognize its limitations. Law enforcement has been but one prong in an international counterterrorism strategy that has involved many other authorities, activities, and options available to the U.S. government. This prosecutorial strategy will only be an effective deterrent if it is complemented by additional instruments of national power.
Carrie Cordero is an attorney in private practice, adjunct professor at Georgetown Law, and former counsel to the U.S. assistant attorney general for national security.