It isn’t a matter of if a foreign country outs a hacker who works for the US government. It’s when.
Starting near the end of the second Obama administration and rapidly escalating under Trump’s, the US has employed a tactic of “name-and-shame” in which it identifies and charges individuals who were hacking under orders of foreign governments. The idea is that the hackers will be arrested and likely extradited if they ever set foot in a country that’s friendly to the US.
As of September, when the Justice Department indicted North Korea’s Park Jin Hyok and accused him of being employed by the government when he helped hack Sony Pictures Entertainment and stole millions from the Bank of Bangladesh, the US has formally accused people of working for all four of its primary adversaries in cyberspace: China, Iran, North Korea, and Russia.
To date, none of those countries have returned the favor. But it’s just a matter of time, said Michael Daniel, who served as cybersecurity coordinator during Obama’s second term, when the Justice Department issued the first such indictment in 2014, accusing five members of China’s People’s Liberation Army of hacking Americans.
“They will,” Daniel told BuzzFeed News. “I’m shocked they haven’t already. It’s the logical thing to do, right?”
Adm. Michael Rogers, who stepped down as the director of the National Security Agency and US Cyber Command in May, said that the US only charges foreign hackers for activities that the US doesn’t engage in. China and the US both routinely spy on foreign businesses, for instance, but the US has long maintained that it’s only China that then leaks what it finds to its businesses to give them a competitive advantage.
“We certainly always acknowledged that that was a potential,” Rogers told BuzzFeed News about the prospect of other countries outing his former agencies’ elite hackers. “Our comment would be we think the activities we engage in fit within a legal framework that provides some measure of protection for those who engage in it. Other states will make the choices they make.”
The US has consistently issued that justification for its cyber activities, with little protest from the international community: While the US certainly engages in activities like hacking targets to spy on them, or occasionally to derail an adversary’s nuclear program, it claims only to create a fuss about other countries crossing a line it won’t.
But the US’s adversaries are unlikely to agree to those exact standards. In response to the Democratic Party’s ongoing lawsuit against Russia for hacking and releasing emails in 2016, for instance, Russia claimed in a letter to the court that it was the US that violates norms.
“The United States benefits significantly from the sovereign immunity that it enjoys (and US officials enjoy) in foreign courts around the world with respect to the United States' frequent acts of cyber intrusion and political interference," the letter said. "As current and former US officials have acknowledged on many occasions, the United States —acting primarily through the NSA within the US Department of Defense — is one of the most prolific practitioners of cyber attacks and cyber-intrusions on the planet."
There doesn’t appear to be a single, overarching plan for what to do in such a scenario. Variables like where the US hacker works, which country outs them, and the way they do so would all likely influence the response.
“We do need to get prepared,” Daniel said. “I’m sure at least on some level it would involve the Justice Department, the State Department, and some form of the employee’s home agency. Beyond that, I don't think anybody’s gone far enough down that road to actually tell you.”
The White House, CIA, FBI, National Security Agency, Cyber Command, Justice Department, Office of Personnel Management, Office of the Director of National Intelligence, Department of Homeland Security, State Department, and Department of Defense all declined to comment or didn’t respond, with most referring the matter to other agencies or declining to address a hypothetical. “Off the record, I’d be really interested to see how the story turns out!” said a spokesperson for one of the agencies that declined to comment.
But there are some indicators. The CIA has extraction plans for when an officer in a foreign country has their cover blown. And dozens of Americans experienced a dry run with ISIS, which issued several “kill lists” at its height, listing US service members and government employees and personal information like their home addresses, though they often got that wrong. In at least some of those cases, those employees’ agencies warned them and contacted local police to be on alert.
In September 2017, DHS and the FBI put out a law enforcement guide for how to deal with online extremist threats to private citizens. It offers several reassurances, such as telling people it’s unlikely that an online threat will lead to real-life violence, but the actual remedial measures offered to victims are limited to stepped-up police patrols and a referral to identitytheft.gov if personal data has been compromised.
That echoes the response the US government gave when China hacked the Office of Personnel Management in 2015, giving the Chinese government a comprehensive, unencrypted list of tens of millions of American government employees and their families. Victims were given three years’ worth of credit monitoring.
But outed American hackers can slip through the system, too. In 2016, someone using the name Shadow Brokers appeared online, posting bizarre blog rants alongside incredibly powerful tools created by NSA’s Tailored Access Operations unit, the crème de la crème of US hackers, that had never been made public, a breach regarded as among the most damaging in the history of US intelligence.
In a blog post, Shadow Brokers named Jake Williams, a former NSA TAO hacker who had left government work to start his own cybersecurity company. It left him shaken, all the more so because the government didn’t reach out.
“I had no communication from anyone in any official capacity,” Williams told BuzzFeed News. “To be honest, I don't know what the correct response was. I know it wasn't ‘do nothing, say nothing.’”
The fear that American hackers might get exposed by a rival government isn’t prohibitive, of course — it’s why the US, which has considerably more diplomatic pull than Iran and Russia, finds its indictments a good strategic tool.
And while the US indictment strategy is usually designed to out behavior more than actually capture criminals, the US has indicted Russians accused of criminal hacking and gotten its allies to extradite them. In October, it was able to so with an accused Chinese spy.
On Friday, Chinese state TV made the rare public announcement that it had been the victim of sustained hacking campaigns for espionage purposes, the kind the US is known to engage in.
“I don’t wanna give the impression the indictments we’ve done to date were wrong or inappropriate somehow. I fully support them. I just think there’s a logical consequence to those actions,” Daniel said.
“China could actually exercise influence over a country that might not really want to go along with it but might feel pressure to,” Daniel said. ●