The United States Department of Justice (DOJ) released a powerful – and incredibly detailed – indictment of 12 named individuals working for the Russian GRU. While many will see this as similar to the indictment of several Chinese nationals for spying in 2014, the cases seem far different in my opinion. For one, the sheer level of released technical and operational detail serves not just a “name and shame” function but also broadcasts quite clearly the level of access, research, and knowledge around the target operation: intrusion into a US political party in the run-up to the 2016 election.
There is also a question of intended audience. While both indictments are certainly focused on the named individuals (and their sponsoring governments), there is also a powerful subtext to the latest Russian action: making an authoritative case to a domestic audience that such action took place. In the wake of “fake news” and so many conspiracies pushed via social media, this indictment is designed to persuade the American people as much as external audiences that Russian intelligence operatives acted against a US political party to influence an election. The depth and level of detail in the report dives right into the question of “sources and methods” addressed previously, and as a result of this very public action a number of likely access points and methods will almost certainly be identified or closed off. This high cost – in terms of ongoing intelligence collection value – can only be justified by a perceived equal or greater return from disclosure. In this case, one could argue that the benefit of disclosure is nothing less than saving American public debate and democracy from itself by presenting a definitive legal case laying out just how the DNC breaches were carried out and by whom (one of those cases where “who” really is important).
Yet there is pushback within the community over the methodology applied. Most significantly (at least in terms of potential audience within the cybersecurity community) would be Jake Williams’ continued opposition to the practice of charging government-sponsored hackers with crimes in espionage cases. A very basic outline of Jake’s argument would be: espionage is something all states engage in (including the US); espionage is a valid and meaningful endeavor in state-to-state interaction; and bringing legal sanction against individuals sets a potentially dangerous precedent. I appreciate some of Jake’s concerns, especially in light of his well-documented personal interest in these matters. At the same time, I also disagree with his position.
In this specific case I have already outlined some of the reasons why this indictment may be far more significant from a domestic US standpoint, as arguments continue over whether the DNC really was breached and, if so, whether a foreign entity was responsible. Answering these questions as definitively as possible (in other words, better than GRIZZLY STEPPE v1) appears to be a vital national interest: to persuade others that such an action actually took place while linking it to a concrete entity. This latter aspect is especially important, and goes against my typical “who doesn’t matter” approach to attribution – largely because this isn’t attribution for the purpose of network defense, but instead for public consumption and persuasion. In this case, the form used for presenting and disseminating this information – a legal indictment complete with a summary of evidence, as opposed to a dry technical report with many indicators out of context – is a deliberate and powerful choice, as it allows for a clear presentation of facts while assigning them to an easily understood entity (or entities): Russian state-sponsored actors working to influence a foreign election campaign. For presenting a case to the American people at large, no other comparable mechanism combining completeness, authority, and seriousness is available.
But enough about the US itself and its domestic troubles. One of Jake’s concerns is establishing a precedent whereby individuals working (legally, within their own countries) on behalf of state interests in espionage can later be arrested if and when they travel abroad. The central point here appears to be that notionally “innocent” individuals can be prosecuted abroad for actions legally undertaken as part of well-established norms of espionage – cyber or otherwise. Yet under scrutiny this claim makes no sense, and the supposed norm does not appear to have ever been “honored” previously, at least not with any consistency.
First, long-standing tradition and precedent holds official agents of a foreign power to be immune from prosecution in foreign countries. But this has not universally been extended to those working unofficially – so-called “illegals” – in similar roles. Here matters get more complicated, with reactions ranging from expulsion to execution. The thorny questions here are “what counts as official” and “do state-sponsored hackers fall into this definition”. For the former, “official” has typically meant individuals in clear, named positions corresponding to the sponsoring government: diplomat, military attaché, etc. This seems pretty clear – but gets murky when moving to where “hackers” fall. On the one hand, government-sponsored hackers – from Jake Williams to the named Russians in the indictment – are employed by their respective governments and may even be uniformed officers in that country’s armed forces. Yet in acting abroad, their actions are designed to avoid not merely detection but also association with the sponsoring government: this is why no competent foreign intelligence agency hits targets directly from clearly nation-state-owned network infrastructure. So it can be argued (in my opinion at least) that individuals operating in this space are acting as “illegals” in the sense of clearly working to hide association with the parent organization in the course of operations – yet I will also accept that this is far from an ironclad case. Overall, this digression is meant to serve one purpose: to show that the status of government hackers within the traditional scope of spycraft and espionage is at best indeterminate right now, so tradition and legal precedent effectively do not exist in this space.
Second, the practice of arresting (or issuing warrants for the arrest of) such individuals seems fairly common in recent history and involves multiple agencies. In addition to Russian state-linked (if not exactly state-sponsored) hackers being arrested on holiday, there are stories of more traditional spies facing similar calls for prosecution. One can therefore argue that criminal prosecution in cases of actual or potential espionage (the exact matters for the two Russian individuals cited previously are unclear, and may be purely criminal in nature, although scale and impunity imply at minimum state sanction of the activity) is not rare and applies to traditional espionage operators (such as the CIA team in Italy) as well as to hackers.
Finally, there is a question of motive and messaging, which I feel is most important and which Jake and others have ignored or overlooked in this matter. The matter of domestic messaging was addressed earlier, but external messaging forms another significant part of this indictment, mostly from the perspective of attempting to define norms within state-sponsored cyber operations. Looking at previous indictments, the US made a legal case against Chinese operators not for conducting espionage per se, but for using state-sponsored espionage activity for purposes of industrial espionage. Essentially, a norm was claimed: stealing state secrets and such is fine for government/state use, but taking such action to benefit (notionally) private companies competing with other firms is unacceptable. Similarly, a norm is implicitly claimed in this most recent indictment: that information collection and gathering in the traditional sense merits no sanction, but moving beyond this to facilitate active influence operations is unacceptable. Campaigns have been hacked multiple times in the past by multiple adversaries – but never with (an observed) follow-on of using that information to influence processes and results. Essentially, the criminal indictment serves to draw a line in the sand with respect to acceptable versus unacceptable behavior. Considering that quieter methods of communicating such norms (if attempted, which in these cases I will assert they most likely were at some point in time) proved unsuccessful, this type of naming and shaming, combined with casting such behavior as criminal in nature, serves to unequivocally establish the bounds of acceptability.
Concerns such as Jake’s that this type of messaging may blow back on US (or other) operators are well-founded – but also overwrought in my opinion, and for reasons that play into the same topic of messaging. As shown in the earlier examples of arrests in Spain and Prague, the reach of US justice is quite wide, with many nations ready and willing to work with US justice operations to arrest and extradite those we find to be serious criminals. Conversely, Russia’s reach is significantly more circumscribed. While Russia has worked tirelessly to weaponize INTERPOL, among other efforts, success in this endeavor has been hard to find and has likely produced greater frustration and blowback than actual results. Meanwhile, even with increasing calls from some quarters to hold American (or American-linked) personnel to account for various intelligence and other operations in the post-9/11 era, actual examples of individuals arrested and prosecuted on foreign soil are vanishingly few. That doesn’t mean that such an action could never happen – but the status and stature of the US (and the pressure that can be brought to bear on other non-hostile countries in response to such actions) means that the likelihood of such an action, except in the most egregious of cases, seems quite faint.
Basically, the US can act in this fashion because hard- and soft-power capabilities let it do so without suffering consequences itself – and this indictment is a message to Russia that it lacks such power itself. As demonstrated in the INTERPOL cases, Russia can (and will) certainly try, and will likely inconvenience people for a period of time, but moving beyond detention (still a scary thought) to actual prosecution and incarceration seems incredibly unlikely – unless former members of government hacking units suddenly decide to spend their holidays along the Black Sea coast of Russia or take in the sights of Minsk. This is powerful messaging to the global community and potentially to personnel within Russia itself: that the US feels quite comfortable in setting these norms irrespective of possible “blowback” because, by and large, the system of international law and nation-to-nation legal cooperation overwhelmingly benefits US interests. The US can act almost with impunity and without significant risk in this fashion because its operations align with (at least the perception of) the “global system” – while Russia and the actions it sponsors are outliers that can expect no protection outside its own (significantly smaller) sphere of influence.
This last point brings up a very important consideration related but slightly tangential to the argument: the importance of soft power. The reason the US can “get away” with items such as avoiding the enforcement of an Italian call for the arrest of CIA personnel or any credible calls for prosecution following any of the various NSA leaks is simple. The US is perceived as a reasonably benign actor in the international sphere (at least by the “people that matter” who hold power in other governments), and governments are better off handling matters privately than resorting to indictments and arrests of US personnel. Such a beneficial arrangement relies not just on US hard power, but on maintaining a perception (reflected in action) that the US is a reasonable actor on the world stage and that such matters can be worked out to some degree in discussion out of the limelight. However, such a situation need not be the case, and can be undermined or even eliminated through bombast, unilateralism, and a refusal to heed the concerns and apprehensions of other countries. So while former US hackers probably need not worry about vacationing in Prague or Budapest or Dubai or many other places right now – this set of circumstances need not hold indefinitely. And it is largely up to US leaders through word and action to maintain this happy state of affairs overwhelmingly benefiting US interests.