Why the US bothered indicting Russian agents for Yahoo breach


In this Friday, Dec. 30, 2016 file photo FSB headquarters, grey building at center, in downtown Moscow, Russia. Moscow has been awash with rumours of a hacking-linked espionage plot at the highest level since cyber-security firm Kaspersky said one of its executives with ties to the Russian intelligence services had been arrested on treason charges. (AP Photo/Alexander Zemlianichenko, File)

Earlier this week, the Department of Justice indicted several individuals — two of whom are members of Russian intelligence services — for cyber breaches at Yahoo.

While many experts outside the government are skeptical the Russian intelligence officials will see the inside of a U.S. courtroom anytime soon — one reason being the U.S. does not have an extradition treaty with Russia — the indictments shed light into advancing capabilities of the U.S. in cyberspace and the seeming continued reliance on indictments as a tool in cyber deterrence.

Attribution is immensely difficult given the obfuscation cyberspace affords actors. In the intelligence world, when attribution is made it is often a best guess based upon numerous sources of intelligence, such as signals intelligence intercepts, human sources and cyber forensics. While intelligence is never 100 percent certain, the threshold for bringing a case in front of a judge is a much higher bar to clear.

Speaking at the Heritage Foundation last fall, former CIA and NSA director Michael Hayden noted there are different standards of proof. One of the problems he said he has when talking to certain audiences, is they want a standard of proof for attribution of malicious actions, “affiliated with the American court system — beyond all reasonable doubt.”

“I can’t tell you the last thing we ever got beyond any reasonable doubt. Our job is to enable action in the face of lingering doubt,” he added of the intelligence community.

The Justice Department’s ability to issue indictments was a pillar of the previous administration’s whole-of-government cyber deterrence framework. This was built up over several years, with the previous chief of Justice’s National Security Division, John Carlin, reorganizing the division and training prosecutors in the lexicon and technical aspects of cyber to better posture them to pursue cybercrime. This was seen with the indictments of members of China’s People’s Liberation Army, members of the Syrian Electronic Army and Iranian nationals.

Working together, the intelligence and law enforcement communities share information, usually to corroborate a story, explained Mark Kuhr, a former NSA analyst and co-founder and CTO at Synack, an exploitation discovery company. If anything, Kuhr said, intelligence guides the investigation by eliminating suspects that can’t be attributed to an attack.

For criminal cases, the FBI must identify the actual person whose hands were on the keyboard, John Boles, former assistant director of the FBI told FifthDomain in an email. That identification must be solid enough to meet the reasonable doubt standard in trial, he added.

“Based on these issues, neither DOJ nor FBI seek indictments on cyber actors without sufficient solid, and direct, evidence to support the charges,” Boles, now director at Navigant Information Security Services, wrote. “Nation-states are frequently identified by their ‘cyber fingerprints;’ their hacking techniques and tools, historical targets, and other traces they leave behind during and after an attack. To narrow it down to the specific hacker in order to bring charges, law enforcement adds certain other technical and analytical techniques to make the identification.”

There is, however, a tradeoff when deciding how much to include in an indictment as to not expose sources and methods to adversaries. In an indictment, the U.S. must detail how it knows what it knows and how intelligence agencies collect that data. Once that information gets out, adversaries might alter their collection capabilities, a trend Kuhr called “going dark.”

Rather than expose those methods, the intelligence community can guide law enforcement to look for other corroborating information to bring into court without necessarily having to expose their sensitive sources and methods, Kuhr explained.

“What strikes us as quite unusual is just how much information DOJ chose to make public — information about those individuals now indicted, and about their hacking tactics and techniques,” Charley Snyder and Michael Sulmeyer, both of the Belfer Center at the Harvard Kennedy School, wrote in an essay this week posted on the Lawfare Blog.

“DoJ could have kept this indictment under seal if it thought such publicity might tip off the accused before a potential arrest. Or DoJ could have opted to leave out many of the technical details, as it did in its indictment of several Iranian hackers in 2015. Instead, the department decided to put it all out there in public — sending a message to Russia and sharing information that could help other organizations protect themselves from this set of actors and others.”

Philip Celestini, senior executive FBI representative to the NSA and Cyber Command for FBI’s Cyber Division, said these are common conversations the law enforcement community has with interagency partners if they want to unseal an indictment based on intelligence that could compromise interagency partner intelligence tactics, techniques and procedures. Sometimes law enforcement officials believe putting these folks in handcuffs is worth exposing intelligence secrets, he added.

In cases involving indicting a hacker working on behalf of a nation-state, Boles said, the intelligence community has a robust discussion prior to going forward, in which the interagency must agree the case won’t negatively impact other ongoing intelligence or foreign policy activities.

Some believe these moves, which essentially amount to public naming and shaming, are an effective measure in deterring malicious cyber activity.

The Chinese “were really stunned at our attribution capabilities; that we identified which office in the PLA was doing it, who was doing it and we even went onto the Facebook page of one of the guys doing it. So that must have kind of woken them up and wondered what else we can do,” Robert Manning, senior fellow at the Atlantic Council, said in September.

Boles said indictments as a deterrent are an effective tool, citing travel warnings issued from the Russian Ministry of Foreign Affairs to citizens to countries friendly to the U.S. if they have a pending indictment.

Others aren’t so convinced. The Russians aren’t going to stop what they’re doing as a result of the indictment, Kuhr said, adding they won’t stand down their espionage activity. They’ve probably moved on already, he said, describing this as part of the typical cat and mouse espionage game.

The Defense Department’s Science Board in a recent report on cyber deterrence called for greater attribution capability. Attribution is essential for deterrence, the report noted. The report’s authors also assert that the U.S. government will have to consider whether to declassify intelligence based upon human sources or cyber exploitation to make attribution cases more public under the guise of deterrence.

However, without being able to point to specific examples — so as to protect sources and methods — those being named and shamed will always have plausible deniability. Sean Kanuck, who most recently served as national intelligence officer for cyber issues in the Office of the Director of National Intelligence, told FifthDomain at the 2016 Intelligence and National Security Summit that in the Sony case, while confident attribution was given, there was no supporting evidence.

“I’ve actually been in an international meeting where a Russian government official challenged Christopher Painter from the U.S. State Department saying that North Korea was not responsible for that and said no sufficient evidence has been provided,” he said.