Anyone who’s followed my recent posts on state-sponsored hacking knows that I’ve been preaching the importance of attribution. (See here, here, and here.)
Well, I have to say that attribution is coming along pretty well, as witness the devastating Mandiant report and the risible Chinese response. (My personal favorite: "A spokesman for China’s Ministry of Foreign Affairs [argued] that cyberattacks were difficult to trace because they were 'often carried out internationally and are typically done so anonymously.'" Hmm, or maybe not quite so anonymously as the Ministry thought, huh?)
But attribution is only half of the formula if we want to deter cyberespionage. The other half is retribution. Somebody has to pay.
In that regard, I was challenged recently by some national security staffers to identify practical ways we could punish cyberspies, especially those attacking our private sector. They asked how to do that without compromising the classified sources and methods we’ll need to do attribution right.
Civil suits, they thought, would never work. It's next to impossible for a U.S. court to get jurisdiction over a hacker in Russia or China. And trials happen in public, after full discovery of the other side’s evidence.
The good news (if that’s what you call it) is that we deal with these sorts of limitations—lack of jurisdiction and the need to protect classified information—all the time with other kinds of bad guys. When it comes to fighting terrorists or narcotraffickers, we already use classified information to identify terrorist supporters or drug kingpins as "specially designated nationals” and to impose sanctions on them – seizing their bank accounts and assets, for example, and prohibiting U.S. citizens from doing business with them. They do have an opportunity to challenge their designation, but, in both the administrative and the judicial proceedings, classified information used in the designation or the review is protected. The most that a litigant can do is compel an in camera review of the information by a judge – and perhaps obtain an unclassified summary of the information, minus the sources and methods.
Remarkably, the President could start a cyberespionage retribution program like this tomorrow, on his own. Under the International Emergency Economic Powers Act, the President could determine that state-sponsored cyberspying poses “an unusual and extraordinary threat” to the United States and declare a “national emergency.”
Presidents have done that many times in the past. Right now, we have in place sanctions against officials in Belarus for threatening democracy in that country, purveyors of conflict diamonds, transnational organized crime organizations, and drug kingpins. In some cases, Congress has followed suit and passed statutes to consolidate or support sanctions programs (e.g., conflict diamonds, drug kingpins), but the sanctions began with a declaration by the President of a “national emergency.”
Not to sell short the cause of democracy in Belarus, but it seems to me that foreign hackers using the Internet to rob our companies and our government blind is at least as “unusual and extraordinary” a threat to our national interests as many of the individuals and groups already designated under earlier programs.
You might ask, however, whether applying sanctions to an individual hacker will really do any good—after all, sanctions don’t have much of a practical effect on people who don’t do business with the United States in the first place.
There are two answers to that question. First, I'm struck by how many of the guys who've been identified as cyberspies come from a demimonde, half in government and half out. Most of them clearly yearn to become entrepreneurs. They can't do that easily without traveling. Sooner or later, they'll come here.
Second, what if we applied sanctions not just to the hackers themselves but to the companies that benefit from the data they filch from U.S. systems? Legally, there’s not much difference in criminal responsibility between a thief and the guy he’s stealing for. We won’t have to designate more than a few large companies as “cyberspies” and seize their US assets before other companies start saying “Thanks, but no thanks” to offers of stolen data.
Of course, to do that, we'd have to have those companies dead to rights, and so far we don't. US security researchers have done a great job of tracking the thieves back home. But so far researchers have had trouble identifying the companies who ultimately benefit from cyberspying.
That too is an attribution problem – the second and last attribution problem we have to solve if we want to close the loop. It looks pretty difficult, but no harder than the first attribution problem looked five years ago. Nailing the customers is going to take a major intelligence campaign, but in the end I think we can catch both the cyberspies and their spymasters red-handed. (If nothing else, we'll benefit from what I like to think of as Baker's Law: "Our security may suck, but so does theirs.")
Then, when we do catch them, it’ll be time for the toughest available sanctions. A sanctions program along these lines could raise the cost of hacking and dampen demand for hacking services. And it's not like anything else is working. The President could launch it tomorrow without additional legislative authorities.
So why doesn't he? C'mon, let's give those Belorussian kleptocrats a rest and go after a real threat for a change.
Who was it that said, "We can't wait"?
He was right.