America’s Hackers Are at Risk
America professes to love its men and women in uniform, but the penalty for its reflexive use of indictments and sanctions – America’s standoff weapons used to avoid politics – against foreign militaries may one day fall on them, far away from the Washington, D.C. grandees and activists who created those policies.
Recently, the U.S. government indicted Russian and Chinese intelligence officers for collecting intelligence and may soon sanction Iranian soldiers for soldering. Why? Officialdom’s stated reason is to “use all the tools in the toolbox” against America’s enemies, but it’s also a reluctance to engage with people one doesn’t like. More a matter of taste than a coherent policy.
It is the job of our nation’s state security organizations to break the laws of the target country in the pursuit of intelligence information. Former Vice-President Al Gore put it best when he said: “Of course it's a violation of international law, that's why it's a covert action.”
However, the spread of cyber weapons and hacking techniques has made it easier for foreign intelligence agencies to break U.S. laws and steal America’s secrets without putting a foot in this country or placing their intelligence officers at risk. And their American opposite numbers who are hacking back – breaking the law in Russia or China - are taking the place of intelligence agency case officers in some instances. But they don’t have the training or temperament of case officers; they are technical adepts working from low-profile buildings in suburban office parks.
The hacking workforce has a lot of military and civil service members, but that’s just the most visible part. However, first a side trip to Iran…
The U.S. recently indicted nine Iranian hackers for conducting a cyber theft campaign 0n behalf of Iran’s Revolutionary Guards. The hackers, employees of the Mabna Institute, were likely acting as contractors for the Guards, which brings us to the role contractors play in collecting intelligence.
The current budget for U.S. intelligence agencies is about $80 billion. In 2006, the staff of the Director of National Intelligence (DNI) estimated by 2017 contractors might consume 70% of the intelligence budget, so we can safely assume contractors are making a lot of money, even if the DNI projection didn’t come to pass. The contractors run the gamut from one-man shops to large publicly-traded corporations, and five corporations - Booz Allen Hamilton, CSRA Inc., SAIC, CACI International, and Leidos Holdings - are believed to dominate the outsourced share of the intelligence industry.
Corporate employees and the corporations themselves are also targets for retaliation which will be uncomfortable for them and their biggest customer, Uncle Sam, as the companies have a robust interest in staying out of newspapers and courtrooms. (Over)reliance on contractors may have put us in a place where a foreign government can target them to try to disrupt intelligence collection, but it’s too late to have that conversation now.
Also at risk are former National Security Agency (NSA) employees bragging about their exploits with exploits, also known as “business development.” But some NSA veterans understand the risk and think to charge government or military hackers will “eventually hurt the U.S.” It will, but the first order of business is: Don’t make yourself a target.
So, what should we do?
First, come to a formal or informal understanding with our Russian and Chinese adversaries about who is and who isn’t out of bounds for indictment and sanctions. Military and civil service personnel doing their legal duty and conducting intelligence collection and covert operations in cyberspace shouldn’t be targets. The parties will also have to consider the status of contractors and the extent of their duties. Prosecutors tend to only think about what’s in front of them and not the wider issues, so they may have to involve the accountable political level if the urge strikes them to indict a foreign intelligence officer or government hacker.
We probably won’t come close to agreement on the definition of “legal duty” if Russia and China think that includes the theft of trade secrets. The U.S. claims that it doesn’t steal technical information for the benefit of U.S. businesses and that is probably true, but much the technical intelligence collected is sent to specialized analysis centers, many in the Department of Defense, that work closely with laboratories and test ranges to develop countermeasures to foreign technologies, saving the U.S. a lot of money. And with names like “Foreign Aerospace Science and Technology Center,” it’s pretty simple to figure out they analyze. If we’re making headway in other areas, it may be best to settle for “good enough” and attack intellectual property theft via other means.
Second, shape the hacking workforce to bring as many people as possible “in bounds.” Even so, the threat of foreign legal action may hurt recruiting, so the government may have to consider significant financial incentives and provisions for legal representation. A goal will be to avoid future debacles like Italy’s indictment of 26 CIA officers for the 2003 rendition of Hassan Mustafa Osama Nasr (“Abu Omar”).
The first time one of our hackers is arrested overseas will be too late to argue what he was doing was legal and approved by a judge. We’ll eventually get him back somewhat the worse for wear, maybe in trade for honest-to-goodness bad guys, as we run up the tab with any intermediaries who facilitate the deal.
Last, socialize the technician workforce, so they understand the need to act like a former case officer, that is, with discretion for the rest of his life, so he never has to learn the Russian phrase for “sealed indictment.”
James Durso (@james_durso) served as a U.S. Navy officer for 20 years specializing in logistics and security assistance. His overseas military postings were in Kuwait and Saudi Arabia, and he served in Iraq as a civilian transport advisor with the Coalition Provisional Authority. He was a professional staff member at the 2005 Defense Base Closure and Realignment Commission and the Commission on Wartime Contracting in Iraq and Afghanistan. He is presently managing director of Corsair LLC, a consulting firm specializing in project management and marketing support in the Middle East and Central Asia.