DOJ official says 'name and shame' is one piece of the puzzle
By Derek B. Johnson
Jan 18, 2019
Assistant Attorney General John Demers defended the government's policy of indicting hackers linked to foreign governments, even if those charged never see the inside of a courtroom.
Demers said that DOJ indictments are "just a piece of the puzzle" that extend beyond law enforcement aims and represent a critical first step to imposing meaningful consequences. He added that law enforcement action was part of building consensus both inside and outside the United States about the responsible parties behind cyberattacks.
"What the government is saying is not only, 'We think this is happening' or 'We assess with a high likelihood this is happening,' but it's saying 'I can get up in court and prove every element of what I've laid out in this indictment beyond a reasonable doubt,'" Demers said at a Jan. 15 event hosted by the Center for Strategic and International Studies.
Indictments and public attribution -- "naming and shaming" -- have formed the centerpiece of the Trump administration's response to a steady rise in state-sponsored cyberattacks. The practice has been criticized in some quarters for being an ineffective deterrent, for leaving breadcrumbs that offending nations could follow to suss out sources and methods and for opening the door to similar "doxing" and extradition of U.S. intelligence officials in the future.
In a December 2018 article in Lawfare, former Assistant Attorney General Jack Goldsmith and Robert Williams, a senior research scholar at Yale, called the U.S. government's name and shame policy "a magnificent failure" in deterring bad behavior by other countries.
While noting that it's not clear whether or how the strategy is being paired with other U.S. operations, the authors wrote that such actions have corresponded with an increase, not a decrease, in observed malicious cybertheft from China and other countries. Nor is it the case, Goldsmith argued, that the strategy is meaningfully reinforcing international norms.
"One such aim is to establish a norm against state-sponsored commercial cybertheft to help national firms," wrote Goldsmith. "The continuance of massive theft by China and other countries with little penalty shows that the norm simply does not exist."
While Demers never mentioned the Lawfare piece, he noted that indictments were accompanied by sanctions from the Departments of Commerce and Treasury that severely limit the ability of charged individuals and entities to travel or do business in many countries. He also said that indictments reinforced the norm that intelligence agencies aren't supposed to steal intellectual property for commercial purposes.
"We don't do it, and the reason I know it's an international norm is that in the last eight years, 90 percent of the economic espionage cases we have charged involve one country, and that's China, which means the rest of the world isn't doing it."
John Carlin, who held the same post in the DOJ's National Security Division as Demers, also spoke at the CSIS event and concurred with Demers, saying that "criminal action alone will not solve the problem of nation-state cyberactivity and that was never the strategy."
In addition to using existing economic and diplomatic tools, Carlin called for the Trump administration to make expanded use of authorities laid out in previous executive orders to extend certain punishments and sanctions to foreign companies that benefit from state-sponsored cybertheft.
This activity may be accelerating. The U.S. is preparing criminal charges against Chinese telecommunications giant Huawei for theft of technology trade secrets from American companies, the Wall Street Journal reported Jan. 16. China's Foreign Ministry spokesperson Hua Chunying said in reply that Beijing was "concerned" over the reports and accused the U.S. of "arbitrarily using state apparatus to suppress Chinese enterprises."
Derek B. Johnson is a senior staff writer at FCW, covering governmentwide IT policy, cybersecurity and a range of other federal technology issues.
Prior to joining FCW, Johnson was a freelance technology journalist. His work has appeared in The Washington Post, GoodCall News, Foreign Policy Journal, Washington Technology, Elevation DC, Connection Newspapers and The Maryland Gazette.
Johnson has a Bachelor's degree in journalism from Hofstra University and a Master's degree in public policy from George Mason University. He can be contacted at email@example.com, or follow him on Twitter @derekdoestech.