Prosecuting Cyberspies — And Their Customers — The Shape of a New Deterrence Strategy

The Justice Department’s National Security Division may be getting on the cyberspace attribution/retribution bandwagon — and in the process, reshaping US strategy for deterring cyberespionage.

First, NSD is creating a new liaison position in US Attorney offices across the country — the National Security Cybersecurity Specialist, or NSCS (rhymes with “discus meniscus” for you knee trauma buffs).  The idea is that companies across the country are suffering from cyberespionage, much of it state-sponsored, and there need to be cleared, cyber-smart prosecutors in each federal prosecutor’s office who can work with local victims, not to mention the FBI, which already has specialists in each field office who deal with local victims of cyberespionage.

This is a good thing, and part of NSD’s coming of age.  But what’s most important is this simple fact:  the Justice Department doesn’t designate prosecutors to give speeches, or to hold industry’s hand and offer sympathy.  It designates prosecutors to prosecute. 

So, implicit in this new initiative is a new willingness to prosecute cyberespionage cases — a development very much fueled by the growing body of attribution evidence accumulating in federal files.

In fact, John Carlin, a top NSD official, has more or less declared that the Department will start prosecuting cyberspies, perhaps soon.

Well big whoop, you might say.  Why should a foreign government cyberspy care that he’s being investigated by some prosecutor from the Northern District of Minnesota?  Maybe it is mildly embarrassing to be indicted, but it won’t make a real difference in his life. He can just give Justice the finger.

But Justice isn’t limiting its focus to the guys stealing the data.  The real targets are the guys consuming the stolen data:

  Carlin said the best possible target for a prosecution might be a case where a company that uses stolen technology could be charged.

“Whether it is a state-owned enterprise or a state-supported enterprise in China — if you can figure out and prove that they’ve committed the crime, charging the company means they can’t do business in the U.S., or in Europe,” he said. “It affects their reputation and that then causes them to recalculate: ‘Hey, is this worth it?’”

I think Carlin is exactly right.  There’s no point in stealing data from Exxon or Nortel if it’s just going to sit in some military intelligence filing cabinet somewhere. It’s only worth stealing if you can give it to Exxon’s or Nortel’s state-sponsored competitors, because those are the only people who can actually use it effectively. That simple observation drives a surprising conclusion: Most of the cyberspies now infesting US companies are very likely working in the end for state-owned enterprises that compete with Western commercial enterprises. 

And that’s their vulnerability.  Those enterprises can’t compete with Western companies unless they compete globally.  Which means doing business in Japan, Europe, and the United States. And companies that do business here can be prosecuted here.  They can’t give prosecutors the finger, at least not if they want to stay in business here.

So if NSD is successful, it can force state-owned companies to choose between the value of cyberespionage and the value of their US business. There are a lot of uncertainties in this approach.  We’ll have to take our newfound attribution capabilities another long step forward, identifying not just the thief but his customer.  But if we can pull that off, and I think we can, this is the first plausible strategy for deterring mass Chinese cyberespionage we’ve come up with in twenty years. 

Plus, think of the entertainment value.  What I really want is the popcorn concession at that first trial.