Indictments Don’t Deter Cyberattacks, So Why Does the U.S. Keep Using Them? An Analysis in Response to the U.S.’s Recent Indictment of Six Russian Hackers

*Ellen Pruitt

I. Introduction

On October 19, 2020, the U.S. Justice Department indicted six Russian military officers in connection with a series of cyberattacks.[1]  The indictment charges the officers in connection with the 2015 and 2016 blackouts in Ukraine, 2017 economic losses to three corporations, 2018 attacks on computers supporting the PyeongChang Olympics, meddling in the 2017 French elections, targeting Georgian companies and government offices, and damaging computer networks in the U.S. and six other countries.[2]

The indictments are not a new strategy—the U.S. has also indicted Chinese, Iranian, and other Russian hackers.[3]  U.S. use of indictments to target international hackers has received sharp criticism as being ineffective and weakening international norms to combat cyberattacks.[4]  Critics of U.S. preference for indicting foreign hackers point to another tool used, though sparingly, to penalize foreign hackers: sanctions.[5]  Sanctions may be preferable to indictments in their ability to deter broader engagement in cyberattacks and their protection of national cyber capabilities.[6]  The continued use of indictments instead of sanctions for cyber actors raises the questions: which works better?  And why does the trend favor indictments?

II. The Pros and Cons of the Indictment Strategy

Realistically, it is highly unlikely that the individuals named in the indictments will ever stand trial in a U.S. courtroom.[7]  As of 2019, out of over fifty indictments since the Obama Administration, only five of the indicted individuals have been arrested for their crimes.[8]

Proponents of indictments argue that regardless of the actual conviction of the individual cyber actor, indictments are an effective tool for deterring future cyberattacks.[9]  The main way indictments achieve deterrence is through deterrence messaging.[10]  The message is intended for both U.S. adversaries and potential targets of the cyberattacks.[11]  Indictments notify adversaries that the U.S. is aware of ongoing cyberactivity and possesses the capability to trace cyberattacks to their perpetrators.[12]  Targets named in the indictments and the industries affiliated with those targets are also notified that potential interference is occurring.[13]  Indictments achieve this level of broad messaging because they include a detailed report on the cyberattacks and incriminating acts of the named parties.[14]  These reports contain information so damning that if an indicted individual were ever brought to trial, a conviction would be almost certain.[15]

However, the indictment’s content also poses problems for broader national security interests.[16]  Because the indictments lay out the entire investigation and case of the prosecution, they typically include national security details.[17]  These national security details tell adversaries in no uncertain terms how the U.S. is obtaining the information on the cyber actors.[18]  Because cyberspace is an area of rapid technological development, the methods and channels to monitor malicious cyber activity are dependent on their confidentiality.[19]  Once the U.S. intelligence community reveals its hand, its ability to continue utilizing those resources becomes extremely limited.[20]  The named cyber actors can simply stop operating via the channels identified in the indictment and switch to an alternative method that the U.S. cannot monitor or track.[21]

In addition, it is unclear if deterrence is actually achieved through indictments.[22]  While there is some evidence that Chinese officials at least publicly agreed to limit cyber espionage following the indictments issued by the Obama Administration, it is questionable whether the cyberattacks actually decreased as a result.[23]  Indictments also typically target individual actors, not government entities.[24]  As a result, there is a gray area between official government action and private hackers acting with a government’s blessing.[25]  Many critics of the indictments argue the unlikely result of an actual conviction or any deterrence at the expense of revealing U.S. intelligence efforts is disproportionate; in layman’s terms, the juice just isn’t worth the squeeze.[26]

III. Potential Congruent Use of Sanctions to Deter Cybersecurity Threats

Sanctioning of these same cyber actors poses an alternative to indictments.[27]  Sanctions could be used with indictments to further deter cyberattacks.[28]  Sanctions are issued pursuant to the International Emergency Economic Powers Act (IEEPA), which allows the Executive Branch to sanction individuals following the declaration of a state of emergency.[29]  It is not a new idea for sanctions to be applied to cyber hackers; the U.S. sanctioned Iranian and North Korean hacking teams in congruence with indictments.[30]  Sanctions have also recently been applied by the European Union in response to cyber threats.[31]  The benefit of sanctions as opposed to indictments is three-fold.[32]  First, sanctions can be imposed quickly without exposure of sensitive information detailed in indictments.[33]  Second, sanctions can reach a broader group cooperating with—or orchestrating—cyberattacks.[34]  And third, sanctions have immediate consequences, as opposed to the long waiting period to prepare an indictment.[35]  Sanctions grant the power to immediately seize all assets and restrict travel of any actors named, as well as any actors who are connected with and support the cyber operation.[36]  Arguably, this could also lead to greater deterrence as it puts pressure on businesses and governments to restrict access to technology and funds by known cyber operators.[37]

A potential drawback of sanctions is that they do not have the same weight as indictments or the same powerful messaging.[38]  The best apparent solution is the congruent use of both sanctions and indictments.[39]  While this has been done in the past, it is unclear why it is not done consistently in response to cyberattacks on U.S. assets.[40]  It is clear, however, that the U.S. strategy to deter cyberattacks needs adjusting to meet the increased disruption of U.S. interests both domestically and abroad.[41]

*Ellen Pruitt is a second-year day student at the University of Baltimore School of Law where she is a Staff Editor for Law Review. Ellen is a student fellow with the Center for International and Comparative Law, research assistant for Professor Grossman and Professor Sellers, teaching assistant for Professor Modesitt’s Torts course, and Career Development Officer for the International Law Society. Ellen is currently preparing for the International Committee of the Red Cross’s Clara Barton International Humanitarian Law Competition. Later this year, Ellen will join DLA Piper as a Summer Associate. 


[1]           Zoe Gujral, DOJ Charges Russia Military Officers for Worldwide Cyberattacks, Jurist (Oct. 20, 2020, 10:12 AM), https://www.jurist.org/news/2020/10/doj-charges-russia-military-officers-for-worldwide-cyberattacks/.

[2]           Id. (including that other than the U.S., computer networks were damaged by the Russian hackers in France, Georgia, the Netherlands, the Republic of Korea, Ukraine, and the United Kingdom).

[3]           James A. Lewis, The Russian Cyber Indictments, Ctr. Strategic Int’l Stud. (Oct. 20, 2020), https://www.csis.org/analysis/russian-cyber-indictments.

[4]           See Peter Machtiger, Disrupt, Don’t Indict: Why the United States Should Stop Indicting Foreign State Actor Hackers, Just Security (Apr. 3, 2020), https://www.justsecurity.org/69104/disrupt-dont-indict-why-the-united-states-should-stop-indicting-foreign-state-actor-hackers/.

[5]           See Trevor Logan, U.S. Should Indict and Sanction Cyber Adversaries, Found. Def. Democracies (Feb. 27, 2019), https://www.fdd.org/analysis/2019/02/27/u-s-should-indict-and-sanction-cyber-adversaries/.

[6]           See infra Part III.

[7]           Ryan Lucas, Charges Against Chinese Hackers Are Now Common. Why Don’t They Deter Cyberattacks?, NPR (Feb. 5, 2019, 5:00 AM), https://www.npr.org/2019/02/05/691403968/charges-against-chinese-hackers-are-now-common-why-dont-they-deter-cyberattacks.

[8]           See Logan, supra note 5.

[9]           See Lewis, supra note 3.

[10]          Id.

[11]          Id.

[12]          Id.

[13]          See Lucas, supra note 7; see also Philip Ewing & Miles Parks, Russian Hackers Break Into 2 County Systems, Stoking Election Security Fears, NPR (Oct. 22, 2020, 4:42 PM), https://www.npr.org/2020/10/22/926825699/ongoing-russian-cyberattacks-are-targeting-u-s-election-systems-feds-say (arguing indictments are useful for warning about Russian interference with election reporting so that election results may appear inaccurate, although the voting system itself will not be affected).

[14]          See Lewis, supra note 3; see, e.g., Press Release, U.S. Dep’t of Just., Six Russian GRU Officers Charged in Connection with Worldwide Deployment of Destructive Malware and Other Disruptive Actions in Cyberspace (Oct. 19, 2020), https://www.justice.gov/opa/pr/six-russian-gru-officers-charged-connection-worldwide-deployment-destructive-malware-and (detailing official indictment of Russian GRU officers, including criminal charges and known aliases online).

[15]          See Lewis, supra note 3.

[16]          See Robert D. Williams, The Dubious Strategy of Indicting the Chinese Equifax Hackers, Brookings (Feb. 18, 2020), https://www.brookings.edu/blog/order-from-chaos/2020/02/18/the-dubious-strategy-of-indicting-the-chinese-equifax-hackers/.

[17]          Garrett Hinck & Tim Maurer, What’s the Point of Charging Foreign State-Linked Hackers?, Lawfare (May 24, 2019, 11:20 AM), https://www.lawfareblog.com/whats-point-charging-foreign-state-linked-hackers.

[18]          Id.

[19]          See generally Michael Chertoff, Why Cybersecurity Is National Security, Aspen Inst. (July 17, 2017), https://www.aspeninstitute.org/blog-posts/looming-national-security-threats/ (discussing how cyberattacks threaten U.S. domestic and international interests).

[20]          See Hinck & Maurer, supra note 17. 

[21]          See id.

[22]          Ben Buchanan & Robert D. Williams, A Deepening U.S.-China Cybersecurity Dilemma, Lawfare (Oct. 24, 2018, 8:00 AM), https://www.lawfareblog.com/deepening-us-china-cybersecurity-dilemma.

[23]          See Lucas, supra note 7; see also Buchanan & Williams, supra note 22 (discussing the tension between the U.S.-China relationship following China’s continued cyber activity following cybertheft agreement in 2015).

[24]          Machtiger, supra note 4.

[25]          Adam Segal, Cyber Week in Review, Council on Foreign Rel. (Sept. 18, 2020), https://www.cfr.org/blog/cyber-week-review-september-18-2020 (discussing the indictment of Chinese and Malaysian hackers’ association with the Chinese Ministry of State Security, but also acting for personal profit in exploiting gaming systems).

[26]          Machtiger, supra note 4.

[27]          Id.; Logan, supra note 5.

[28]          Id.

[29]          James Andrew Lewis, Sanction or Indict?, Ctr. Strategic Int’l Stud.: Tech. Pol. Blog (Mar. 27, 2015), https://www.csis.org/blogs/strategic-technologies-blog/sanction-or-indict; see generally Christopher A. Casey et al., Cong. Rsch. Serv., R45618, The International Emergency Economic Powers Act: Origins, Evolution, and Use 8–11 (2020), https://crsreports.congress.gov/product/pdf/R/R45618 (detailing the historical application of IEEPA since its adoption in 1977 and referencing the 1979 hostage crisis at the U.S. embassy in Iran as one of its early applications).

[30]          Eric Geller, U.S. Calls Out Iranian Hacker Threat with Indictment, Sanctions and Threat Analysis, Politico (Sept. 17, 2020, 12:27 PM), https://www.politico.com/news/2020/09/17/iran-hacker-threat-indictment-sanctions-417014; Ian Talley & Dustin Volz, U.S. Treasury Sanctions North Korean Cyber Groups, Wall Street J. (Sept. 13, 2019, 12:43 PM), https://www.wsj.com/articles/u-s-treasury-sanctions-north-korean-cyber-groups-11568392994.

[31]          See Press Release, Council of the European Union, Cyber-Attacks: Council Is Now Able to Impose Sanctions, Eur. Council (May 17, 2019, 11:52 AM), https://www.consilium.europa.eu/en/press/press-releases/2019/05/17/cyber-attacks-council-is-now-able-to-impose-sanctions/ (announcing the new EU framework and authorization to impose sanctions on cyber actors responsible for attacks and entities that provide support for the actors, including a ban on travel and immediate seizure of assets); see also Catherine Stupp, First EU Sanctions for Cyberattacks Point to Alignment with U.S. on Foreign Hacking, Wall Street J. (Aug. 5, 2020, 5:30 AM), https://www.wsj.com/articles/first-eu-sanctions-for-cyberattacks-point-to-alignment-with-u-s-on-foreign-hacking-11596619801 (arguing congruence between U.S. indictments and EU sanctions).

[32]          See infra notes 33–34 and accompanying text.

[33]          Lewis, supra note 29.

[34]          Stupp, supra note 31.

[35]          Id.

[36]          Id.

[37]          Logan, supra note 5.

[38]          See Lewis, supra note 3.

[39]          Logan, supra note 5.

[40]          See supra Part II.

[41]          See Significant Cyber Incidents, Ctr. Strategic Int’l Stud., https://www.csis.org/programs/strategic-technologies-program/significant-cyber-incidents (last visited Oct. 26, 2020) (identifying chronologically significant cyber incidents since 2006).
