This week, the Department of Justice (DOJ) created a potentially dangerous precedent when it indicted seven Iranian hackers involved in attacks on the US financial sector. The US is charging the seven Iranians for cyber attacks in the form of a distributed denial of service (DDoS) that hit a part of the US financial sector, as well as an intrusion into a small dam in Bowman, New York. While the dam intrusion offered no potential for harm the extended DDoS against US banks and their infrastructure is worth the DOJ’s attention. However, focusing on the people that conducted the attacks instead of just the Iranian government introduces the potential for a serious backlash against US military and intelligence professionals who conduct cyber operations on behalf of the US government. As a former US military cyber warfare operations officer, this is troubling to me. Such indictments should focus on stemming the actions of governments—not on highlighting the operators themselves.
This is not the first time the DOJ has taken this approach to shaming individuals rather than nation-states for cyber attacks. In 2014, the DOJ indicted five Chinese military members in a series of cyber espionage campaigns against US companies. Publicly blaming the Chinese government for the espionage and illustrating direct gain for private companies in China was a strong move. However, the US placed the focus on the five military members, including wild west-styled wanted posters showing the individuals’ faces, two of which featured the men in their military uniforms.
As a military officer at the time working in the US intelligence community and later under US CYBERCOMMAND, the government’s move gave me pause, considering my own actions for the US, my troops, and peers. Seeing the government take a stronger stance against Chinese economic espionage delighted me; but the focus on military members, particularly the campaign to plaster their faces on the international scene, felt wrong and misplaced. These military members were following commands their government had deemed legal. They hadn’t committed war crimes. And nations around the world conduct similar cyber operations with impunity, as the norms and international laws surrounding these activities have not been decided.
The DOJ’s indictment of these Iranian hackers continues this troubling trend. In this week’s indictment, the DOJ identified the Iranian individuals, their ages, and the companies they worked for during the attacks. Interestingly, the indictment identified which individuals took part in different portions of the attacks. For example, it highlighted just one individual for the Bowman dam case.
Attribution for cyber attacks has been evolving for years, but seeing the US government attribute down to specific people for specific portions of a case involving a foreign nation-state could be more of a show of force than it is useful. It sends a message that the US government cannot only attribute the government and any companies it is using, but also individuals conducting operations at specific times. Attribution to that level is an impressive feat, but is also costly.
It shapes the story to be about the individuals themselves and not the actions of the Iranian government. This narrative allows governments to have an out when they hack foreign nations—rather than bearing the responsibility for their cyber attacks, they can sacrifice individual hackers as rogue agents, especially when they work at civilian companies, which is the case in the Iranian indictment. We’ve already seen this in action in the year after the DOJ indicted members of the Chinese military: A number of Chinese hackers were arrested, and all the while the Chinese government continued to claim that it does not, and has not, supported cyber espionage operations.
The US CYBERCOMMAND and the NSA have been very public about their willingness to use cyber operations to support US interests and military operations. It has also become common knowledge now that the NSA conducts intelligence operations worldwide. The US and many international community members see these intelligence operations as legitimate and legal, but the recipients of the NSA’s attention likely do not feel the same way. What is legal in one country is not necessarily legal in another, and international laws and understanding around cyber operations is still in a juvenile stage.
After the US’ indictments against Chinese and Iranian hackers, other governments could feel justified in identifying US military and intelligence cyber operations, and the individuals behind them, and declaring them illegal. This is a compelling reason why the US government must focus on the government behind the attacks, and not the people behind the operations. If the government doesn’t do this, it accepts personal risk for the professionals it employs. The DOJ should continue its hard work in attributing and calling out cyber attacks that impact the US and its citizens, but it should focus on the governments involved, not the individuals. The first time that a US military member or intelligence professional is held responsible for the cyber operations of the government and is publicly shamed, the US government will only be able to blame itself.
