by Garrison Rutledge · March 20, 2017
Of all the security threats facing the U.S. today, cyber threats are among the most pernicious. Thankfully, the administration is taking some concrete steps to confront them.
Last week, the Justice Department indicted four individuals on charges relating back to the 2016 hack into Yahoo’s network that compromised at least 500 million user accounts. Of those indicted, two are officers of the Russian Federal Security Service, an agency very similar in function to the United States’ FBI.
According to remarks made by acting Assistant Attorney General Mary McCord, the Russian officers “protected, directed, facilitated, and paid criminal hackers to collect information through computer intrusions in the United States.”
The hackers that worked with the Russian officers have also been indicted on numerous charges. One hacker has been apprehended in Canada, while the other hacker and the two Russian officers are in Russia, where they are safe because the United States does not have an extradition treaty with Russia.
Though these three individuals in Russia cannot be prosecuted in the United States, the indictment charges against them are not useless. The decision by the administration to bring these charges sends a strong message to other nation-states about committing cyberattacks on private companies in the United States.
Private companies such as Yahoo already face a daunting challenge in defending themselves from cyber criminals and hacktivists. But when these cyberattacks come from nation-states, the defenses of a private company are outmatched.
The U.S. government has a responsibility to protect U.S. companies and other domestic computer networks from nation-state hackers, and it has a myriad of tools at its disposal to punish and deter such cyber aggressors.
These tools include the legal charges we saw last week, as well as charges the U.S. brought against five members of the Chinese Liberation Army in 2013 following their cyber espionage against businesses in the United States.
By using legal charges to combat cyber aggression, the United States shows that it is serious about protecting its interests and its companies, and has the evidence to prove other nations are acting maliciously.
Other options to respond to cyber aggression include leveling sanctions against offending nation-states.
A recent example of this came last fall following the hacks on the Democratic National Convention. In response to these hacks, the Obama administration enacted sanctions against five Russian intelligence agencies and three Russian companies, which froze assets and halted transactions and travel between those Russian companies and the United States.
Visa, commercial, and financial restrictions, diplomatic condemnations, actions in international organizations such as the World Trade Organization, and other strategic responses to hacking should all be on the table.
The Trump administration has set a strong precedent by indicting the two Russian Federal Security Service officers and the two hackers that worked with them. But this is just a first step.
Further steps will need to be taken to improve the U.S. deterrence posture against nations who would engage in cyber aggression against the United States.