A pair of recent international cybercrime cases out of Pittsburgh—one against an organized conspiracy based in Russia and another against a hacking unit of the Chinese military—have been heralded as groundbreaking and likely forecast a focus on that kind of prosecution.
The suit announced last week against Evgeniy Bogachev, who allegedly ran a “botnet” scheme from Russia that stole millions of dollars, involved orders from the U.S. District Court for the Western District of Pennsylvania to allow officials to sever computers that had been swept into the “botnet” and redirect them away from the servers that illegally collected money and toward government-controlled servers. Criminal charges are pending in both Pittsburgh and Omaha, Neb., according to the FBI.
The suit against five members of the Chinese military that was unsealed last month is the first suit to bring criminal charges against state actors for hacking, according to the FBI.
While it is questionable whether the named defendants, who are based in Shanghai, will ever be brought to America to stand trial, David Hickton, U.S. attorney for the Western District of Pennsylvania, said he is optimistic.
His “first responsibility is to charge the crime,” Hickton said. He declined to say what the next step would be, explaining that he didn’t want to give up the prosecution’s strategy.
Regardless of whether there is a trial, he said, the case is still an important one because “it changes the landscape.”
Hickton referred to a 2013 report issued by Mandiant, a cybersecurity company, that laid out the structure and purpose of the People’s Liberation Army’s Unit 61398, which was to conduct economic cyberespionage against companies competing with China’s state-owned enterprises. According to that report, the unit attacked companies around the world, including 115 in the United States.
The Chinese government had objected to the allegations, saying that they were not specific. A quote issued by the Chinese defense ministry in January 2013 and included in the Mandiant report said, “It is unprofessional and groundless to accuse the Chinese military of launching cyberattacks without any conclusive evidence.”
The indictment from the Western District provides that conclusive evidence, Hickton said.
Among the several Pittsburgh-based companies implicated in the case is Westinghouse, which had started negotiating in 2007 with a Chinese state-owned nuclear power company to build four nuclear power plants, according to the indictment. The cyberespionage unit 61398 took from Westinghouse’s computers technical and design information as well as internal communications about its strategy for doing business with the Chinese company, which Westinghouse treated as a potential competitor in the future.
Five members of Unit 61398 were indicted. They are charged with: conspiring to commit computer fraud and abuse; accessing (or attempting to access) a protected computer without authorization to obtain information for the purpose of commercial advantage and private financial gain; transmitting a program, information, code, or command with the intent to cause damage to protected computers; aggravated identity theft; economic espionage; and trade-secret theft.
Hickton positioned his office to be near the forefront for prosecuting cybercrimes, creating a section for national security and cybercrime shortly after he took office in 2010.
He established that priority, he said, in part because of the resources in Pittsburgh, which has an FBI cybergroup; the National Cyber-Forensics & Training Alliance, which is a nonprofit organization that partners public, private and academic entities in order to quell cybercrime; and CERT, which is a leading cybersecurity research group in Carnegie Mellon University’s Software Engineering Institute.
Although he wouldn’t say what had prompted the investigation, Hickton said they were “driven by law enforcement” and were labor-intensive. In order to bring the case, he said, investigators needed three things: knowledge of the intrusion, the ability to tie it to an individual, and evidence that can be charged.
“That’s hard work,” Hickton said, especially in the cyber context, which he characterized as a “very open environment.”
At one point, 20 percent of his office was working on the case against the alleged Chinese hackers, Hickton said.
The suit signals the government’s willingness to use the “criminal toolbox” in prosecuting cybercrime, Hickton said.
Legal observers also noted that the case, even without a trial, is sending a signal.
“It’s a first step,” said David Thaw, a law professor who will be joining the law school and information sciences department of the University of Pittsburgh. “It’s a very necessary first step.”
The second step will depend on the administration’s priorities, Thaw said.
Responsive enforcement, like the charges just filed, is important, Thaw said, but proactive measures, like regulations, is more important.
The state of cybersecurity in the private companies involved with critical infrastructure in the United States is “woefully inadequate,” Thaw said.
When dealing with private actors, he said, the question is, do they have the ability to invest in cybersecurity and do they have the incentive to invest in it?
For most consumer companies, if left to the market, there will always be another issue on which they will compete rather than security. So, the incentive has to come from somewhere else, like regulation.
Thaw used the example of HIPAA, the Health Insurance Portability and Accountability Act that was originally passed in 1996 and later amended to include rules about security in addition to widely known rules about patient privacy. Various stakeholders—including members of the health care industry and subject-matter experts—were consulted on the security rule in the late 1990s, he said.
Both the health care and finance industries have security regulations, Thaw said, and in an analysis he did spanning the decade from 2000 to 2010, he found that those two industries were four times better at deterring security breaches than their counterparts in other industries without security regulations.
As far as the participation of companies that have been hacked in the investigation of the breaches, Thaw said, “They have very interesting mixed incentives.”
On one side of the scale, he said, it is generally considered to be bad for a company’s image to publicize a hack, with the Target security breach being the most visible recent example. On the other side, however, is getting assistance from law enforcement.
Michael J. Madison, a professor at the University of Pittsburgh School of Law, saw the recent activity out of the Western District as a “major statement to the business community,” both domestically and globally.
The cases send a signal to large-scale businesses that the federal government is behind them, he said.
He saw the combination of law enforcement interest—with Hickton’s office and the U.S. Department of Justice not far away in Washington, D.C.; technical expertise—with Carnegie Mellon’s CERT; and a broad base of businesses that need protection as a “perfect storm” over Pittsburgh, giving rise to the suits there.
Robert Anderson, the executive assistant director of the criminal, cyber, response, and services branch of the FBI, was involved in both investigations and suggested that cybercrimes will be more regularly charged.
At a press conference held last week for the Bogachev indictment, Anderson referred to the press conference held for the Chinese case, saying, “As I said two weeks ago on this same stage when we announced the unprecedented indictment of five Chinese military hackers: ‘This is the new normal.’”