While critics say "name and shame" indictments are largely toothless, a top DOJ official said they also help send an important message to victims.
For the past three and a half years, the U.S. government has carried out a deliberate strategy to "name and shame" state-aligned hacking groups for norm-busting behavior in cyberspace, usually in the form of highly detailed indictments.
The Department of Justice uses these to reveal how these groups operate, who they are and what sector or organizations they're targeting. Often they include highly personal details about the individuals involved, including photos, biographical information and place of employment for individual hackers.
Some detractors wonder if these indictments are just public relations campaigns, since those identified typically are outside the reach of U.S. and international law enforcement. Others have warned the efforts will lead to similar retaliation against U.S. cyber operatives.
Assistant Attorney General for National Security John Demers said the department is also banking on other second and third order effects when they out foreign operatives and their work.
Speaking at the Defense One Tech Summit June 18, Demers noted that indictments can be effective if charged individuals travel to countries that have extradition treaties in place with the U.S. government. Such instances are rare but do happen, as it did with Yanjun Xu, a Chinese Ministry of State Security officer who was arrested in Belgium and extradited to the U.S. on charges of stealing trade secrets from U.S. aviation firms.
But bringing charges against these groups gives the department a way to broadly communicate with a different audience: domestic victims of these campaigns inside the U.S., many of whom may be unaware just how intensely they're being targeted.
He used the 2018 indictments of the Mabna Institute and nine associated individuals as an example. The document outlined how the Iranian-linked organization targeted hundreds of universities and thousands of individual professors to steal sensitive technology and research. Follow up research by put out a week later by PhishLabs also illustrated how the organization conducted "general targeting of university students and faculty" in order to collect library account credentials.
"You can take that indictment and go to the research institutions, and you're not just saying 'I'm warning you these things are happening'…that is an indictment that tells a story that is understandable and is all unclassified, so it has an educational aspect as well.
It can also focus legislative efforts: this month a group of senators led by Rob Portman (R-Ohio) and Tom Carper (D-Del.) cited intellectual property theft by Iran and other nations while introducing a bill that would require organizations who sponsor foreign exchange students to put in place additional safeguards if those students will have access to sensitive technologies.
Another audience DOJ is hoping to reach: hackers in Russia, China or Iran who moonlight for their governments but also have "other business interests" that wouldn't benefit from the increased international scrutiny that comes with being named in U.S. charging documents. While a military officer with a nation state "is very rarely deterred by the possibility of indictment," those contractors, particularly ones in the early stages of their careers, might have a different risk calculus.
"Those are individuals who are more deterred by the thought that 'hey, I'm actually a really good computer expert and I'm never going to be able to get a job in Europe,'" said Demers. "So that's a deterrent for a lot of these folks that are on the younger end of things…they've got their whole career and whole lives ahead of them, and having an indictment hanging out there with their name on it and their picture attached to it."