The FBI and other federal agencies are increasingly looking to counter cyber threats through tools other than criminal indictments, the head of the bureau’s cyber division said in an interview with The Associated Press.
Arrests and indictments of foreign cybercriminals are still appropriate in certain circumstances and something the FBI pursues “every day of the week,” said Assistant Director Bryan Vorndran. But as federal agencies look to have the most disruptive impact possible on cyber crime, FBI officials are thinking carefully about how best to time an indictment, or whether an indictment is even the best action.
“We’re just much more mature in the space of working with our interagency partners, and really keeping an eye down the road in terms of how we have the biggest impact,” Vorndran said.
The FBI, he said, is now “very open to being told” that when it comes to an adversary, ”‘You know what, as a team member, it may not be the right time to deploy an indictment, but it very much may be the right time to deploy’” an action from U.S. Cyber Command.
The evolution reflects the fact that multiple government agencies share responsibility for, and have unique roles in, countering a cyber threat that has only deepened over the last decade. The Justice Department has long regarded indictments of foreign hackers as a way to “name-and-shame” them and deter the hostile governments that employ them. Other government agencies, though, are bringing their own powers to the table that may take may precedence over the use of criminal charges or been seen as imposing greater costs or deterrence.
Cyber Command, an arm of the Defense Department established in 2010, has grown aggressive in its pursuit of hackers, conducting more than two dozen operations intended to thwart interference in the 2020 presidential election and more recently against ransomware gangs. The White House has shared information about Russian hackers with the Kremlin for it to take action on its own. Last week, Russia’s Federal Security Service, or FSB, announced the detention of members of the REvil ransomware gang.
The FBI itself has used actions other than indictments. In June, it recovered the majority of a roughly $4.4 million ransom that Colonial Pipeline paid to hackers responsible for a ransomware attack that caused gas shortages for days. It secured a court warrant in April that gave it remote access to hundreds of computers to counter a massive hack of Microsoft Exchange email server software.
Vorndran spoke to the AP after participating last week in a Silverado Policy Accelerator discussion in which he said the FBI was moving away from “an indictment and arrest first model, and to the totality of imposing costs on our adversaries.”
“That probably is a simple way of saying we’re really trying to work with everybody, public and private sector partners, to understand the totality of the capabilities and the authorities that exist … so that we have the biggest impact at the moment in matters,” he said in the interview.
Indictments, a bread-and-butter tactic of law enforcement, can lock accused hackers inside their home countries and put adversaries on notice that their actions have been detected. But their practical impact is often limited since there’s generally minimal chance of a defendant being brought to the U.S. for trial.
Perhaps the first prominent example was a 2014 case against five Chinese military hackers accused of siphoning secrets from major American corporations. In the years since, federal prosecutors have charged North Korean computer programmers in hacks of Sony Pictures Entertainment; Russian intelligence agents in a breach of Yahoo; Iranian hackers in an attack on a small dam outside New York City; and Chinese operatives with targeting firms developing vaccines for the coronavirus.
The cases have all generated publicity splashes, though they’ve hardly curbed hacking from foreign countries. And given the absence of extradition treaties with countries the U.S. regards as the biggest cyber offenders, arrests of indicted hackers are exceedingly rare.
There have, however, been isolated exceptions when hackers wanted by the U.S. have traveled from their home countries and been arrested. That happened last fall when the Justice Department unsealed an indictment charging Yaroslav Vasinskyi in the Kaseya ransomware attack after the suspected Ukrainian hacker traveled to Poland.
The arrest resulted in a Justice Department press conference with Attorney General Merrick Garland, a sure sign that prosecutors won’t abandon their pursuit of indictments when they think it makes sense.
“That’s certainly a tool that the interagency and the FBI are prepared to use and are working towards,” Vorndran said of indictments, “but it’s not the only tool.”