The US Justice Department Is Just Getting Started Against State-Backed Hackers
Zhu Hua and Zhang Shilong are unlikely to be the last alleged state-backed hackers to be indicted by the United States.
By Ankit Panda
January 03, 2019
The announcement of charges against two Chinese nationals by the U.S. Department of Justice earlier this year in connection with various alleged computer intrusion crimes might seem like yet another salvo in the growing cold war between Beijing and Washington.
But it’s part of something much greater. The United States appears to be working to find a way to deter, and build an international norm against, state-backed espionage against private companies. The indictment of the Chinese nationals is part of a broader pattern being undertaken by the Trump administration, iterating on the previous administration’s softer approach that had favoured diplomacy over hitting wrongdoers with criminal charges.
On December 20, U.S. Deputy Attorney General Rod J. Rosenstein announced the criminal indictment of two individuals – Zhu Hua and Zhang Shilong – who were alleged to be part of a China-based hacking group known to the information security community as APT10 – an acronym for “advanced persistent threat”, a type of cyberattack in which the attacker gains and maintains unauthorized access to a targeted network.
“We want China to cease illegal cyber activities and honour its commitment to the international community, but the evidence suggests that China may not intend to live up to its promises,” Rosenstein said.
This latest indictment must be placed in context to be fully understood. The charges against the two named individuals allegedly affiliated with APT10 come after the U.S. Justice Department unsealed complaints against Russian hackers, Iranian hackers and Park Jin Hyok, a North Korean hacker who, along with the Reconnaissance General Bureau, was involved in the 2014 hack against Sony Pictures Entertainment and other major attacks, including the global WannaCry ransomware attack.
In all the above cases, the targets of the illegal computer intrusions and other methods used were not elements of the U.S. state, but a range of private companies, individuals and entities.
Note, for instance, that despite multiple reports that the U.S. attributes the 2015 breach of the federal government’s Office of Personnel Management (OPM) to China – one of the most devastating personnel breaches in American history – it is unlikely to take action.
Former U.S. officials have drawn the distinction behind the two kinds of cyber activities. In a 2015 interview, the former head of the U.S. National Security Agency and Central Intelligence Agency, General Michael Hayden, while discussing the implications of the breach of the personnel management office, described the federal agency as a “legitimate foreign intelligence target”.
“To grab the equivalent in the Chinese system, I would not have thought twice. I would not have asked permission … This is not ‘shame on China.’ This is ‘shame on us’ for not protecting that kind of information,” Hayden said at the time.
By contrast, the organisations, entities and individuals targeted by APT10 and the other state-backed groups charged this year by the Justice Department cannot be “shamed” for their cybersecurity practices beyond a certain point. A determined state-backed hacking group, after all, may have unlimited resources at its disposal to target any number of resource-constrained private organisations and individuals.
That reveals the fundamental logic behind the ongoing U.S. indictments of hackers, including the Chinese nationals allegedly involved with APT10.
By showing that it is willing to use legal instruments against these groups, the U.S. is hoping to shed light on the practices of these groups and ultimately deter them from future actions against non-state targets – even if none of the charged individuals are likely to be tried in the U.S. court any time soon.
There are exceptions, of course, like Su Bin, a Chinese national who was convicted on hacking charges and sentenced to 46 months in a U.S. federal prison back in July 2016.
If anything, the indictments against Zhu and Zhang – and against those from other countries – suggest that we may see an increase in the number of these types of cases the Justice Department is willing to pursue to firm up the rules on the road on espionage.
Thus, it differentiates against the kinds of “legitimate” targets Hayden described and the illegitimate theft of private intellectual property.
The bottom line is that we should expect to see much more legal action against state-backed hackers from the U.S. in the coming months.
This article first appeared in the South China Morning Post. It is republished here with kind permission.