Recent federal indictments of Iranians and Syrians for cyber attacks on U.S. networks further highlight the failure of President Obama and his administration to counter the growing threat of foreign hacker strikes on American networks.
In March, the Justice Department indicted two groups of hackers, one from Iran linked to cyber intrusions of an industrial control system operating a New York dam, and a second from Syria engaged in illegal activities that included causing damage to computers and extortion.
The indictments are largely symbolic, since none of the Iranians or Syrians are within reach of U.S. law enforcement and the chances the hackers will ever face justice in a courtroom are slim.
Like many of President Obama’s foreign policies, the indictments appear designed to provide the president and his administration with political cover by adopting seemingly proactive measures, but without having much impact.
The approach to cyber threats coincides with the president’s generally pacifistic approach to foreign affairs, which he is reported to have summed up as "don’t do stupid shit." In practice, this approach often amounts to doing as little as possible, and doing nothing that might require the use of military force.
The policy was captured in a New York Times profile last week of Ben Rhodes, the White House deputy national security adviser for communications who was described as "The Boy Wonder" of the White House.
Leon Panetta, who served as CIA director and defense secretary under Obama, explained that the president’s approach to foreign affairs has been dominated by the desire to avoid possible conflicts.
"I think the whole legacy that he was working on was, ‘I’m the guy who’s going to bring these wars to an end, and the last goddamn thing I need is to start another war,’" Panetta said of Obama’s approach to Iran and the nuclear deal. The former defense secretary said the president believes that "if you ratchet up sanctions, it could cause a war. If you start opposing their interests in Syria, well, that could start a war, too."
On cyber security, the president and his advisers have rejected policy options from military and civilian national security experts since at least 2011 for a show of force in cyberspace against China or other states and groups engaged in widespread cyber attacks, according to officials familiar with internal discussions.
Private industry, which is barred by federal statute from conducting its own cyber counterattacks, has pressed the White House and the U.S. intelligence community to do more against the onslaught of hacks. So far the response has been a firm "no" from the president.
Symbolic indictments or other diplomatic measures have not worked to deter cyber attacks. The FBI announced in July it was revamping its cyber counter-espionage unit after logging a 53 percent increase in its caseload.
A State Department security report published on March 30 noted that in the indictments of the Iranian Syrian hackers, U.S. private sector institutions were the main victims.
"These cyber attacks resulted in disrupted customer communications, data infringement, and significant financial losses," the report said, adding, "the hackers will likely not face prosecution in the U.S. for their actions … [h]owever, some analysts believe the U.S. government will continue publicly blaming foreign hackers in an effort to deter future attacks."
The indictments followed a similar May 2014 action by the Justice Department against five Chinese military hackers who also remain out of reach of law enforcement and who likely will never be brought to trial.
The indictment was a response to Chinese government denials to the Justice Department about its cyber activities and a demand to produce legal evidence implicating China’s cyber warfare troops in what the United States has charged is widespread theft of corporate and government secrets.
John Carlin, the Justice Department’s national security chief, explained that the indictment was simply following through on Beijing’s dare.
"We heard directly from the Chinese who said, ‘If you have evidence, hard evidence, that we’re committing this type of activity that you can prove in court, show us.’ So we did," Carlin told a security conference months after the indictment.
A short time after the indictment, the Chinese military was linked to the theft of 80 million records from Anthem, the American health care provider. Then came the pillaging, also by Chinese military hackers, of Office of Personnel Management networks. The hack resulted in the loss of another 22 million records, including sensitive data from background investigations for security clearances.
Obama came close to imposing sanctions on the Chinese for the large-scale data hacking but backed off in September during the visit to Washington by Chinese President Xi Jinping, who promised to halt Chinese economic espionage in cyberspace. U.S. intelligence officials recently told Congress they were unable to verify that the Chinese ended the cyber attacks, a clear indication they have continued.
The State Department report, produced for a public-private partnership called the Overseas Security Advisory Council, or OSAC, said the indictment of Chinese military hackers was an "an unprecedented announcement, publicly blaming the Chinese government for espionage against the U.S. private sector."
"The five indicted Chinese military officers have also not yet been brought to court in the U.S.," the report said. "However, this case was among the first to highlight the threat of intellectual property theft from a nation-state, which remains a concern among many OSAC constituent organizations operating overseas."
The report said the indictments of the Iranians and Syrians highlighted the "blended threat" posed by foreign government and non-government hackers. It also showed that cyber attacks were behind the economic espionage confirmed in the PLA case, including cyber denial-of-service, intimidation, and extortion activities.
"The threat to the private sector is heightened as hackers look to carry out these various operations for both professional and personal gain," the report said.
"The traditional categories of threat actors—nation-state, criminal, politically-motivated—no longer define all of the malicious network activity affecting U.S. private sector organizations," it added. "The ‘blended threat’ of hackers who are willing to work as proxies for governments or other organizations can hinder detection and prosecution in multiple ways."
The use of non-state hackers for foreign government cyber attacks makes it more difficult for authorities to identify the attackers, and allows nation-states or terrorist groups to benefit from the technical expertise of private sector hackers.
Additionally, proxies give foreign governments what spy agencies call plausible deniability—a key information warfare tactic allowing governments to avoid being linked to cyber attacks, the report said.
The report concluded that the recent indictments of Chinese, Iranian, and Syrian hackers "are unlikely to deter malicious cyber actors from exploiting this blended threat to target the U.S. private sector."
As Obama winds down his final term as president, it appears one of his legacies will be an unwillingness to take effective steps to counter cyber attacks against the United States that have caused serious damage to U.S. security.
As former NSA Director Keith Alexander has said, China is stealing everything it can to boost its economy. "It’s intellectual property, it’s our future. I think it’s the greatest transfer of wealth in history," Alexander said.
The Cyber Threat column appears Mondays. It is co-published on Flash//CRITIC Cyber Threat News at flashcritic.com.