The U.S. government’s multi-pronged approach of deterring, prosecuting and threatening sanctions against China’s cyberspies is bearing fruit, and Chinese online economic espionage has fallen off since last year’s deal between Beijing and Washington, one of the Justice Department’s top cyber prosecutors said Tuesday.
“There’s folks in the intelligence community actively doing that assessment,” Assistant Attorney General John Carlin said. “But you’re also seeing many private sector companies doing their own assessments and it seems like generally people have seen a change in activity. There’s a debate as to how long lasting it might be, but there has been a change.”
Last week, cyber firm FireEye reported they had seen a sharp falling off in activity by Chinese state-sponsored hackers.
Carlin drew a direct line between the public indictments of Chinese military hackers in May 2014, the cyber sanctions authority laid out in an April 2015 executive order and the so-called Five Point Agreement reached last fall between President Barack Obama and his Chinese counterpart Xi Jinping.
“Significantly, that [executive] order allows us to sanction not just the country that did the hack, but, if you’re able to prove it, to sanction those who are the beneficiaries of the stolen trade secrets,” Carlin told a briefing at the Center for Strategic and International Studies.
“We think that combination, of showing we could do the investigation and attribution, and that we were willing to make it public and potentially endure costs to our relationship, led to a significant event … the so-called Five Point Agreement,” he said.
The deal, inked in September 2014, laid out redlines or no-go areas in state-sponsored hacking, including no commercial cyberespionage.
“Time will tell,” Carlin cautioned, “but I think that already in a relatively short period of time [during which] there haven’t been that many enforcement actions you’ve seen a change in activity.”
But he also noted that, as both the likelihood of being discovered and the intensity of the consequences grows, states will increasingly turn to proxies to hide their hand online. The result, he said, will be a new category of “blended threat actors” — cybercrime gangs who operate with the connivance of intelligence agencies; or even state-sponsored cyberspies moonlighting as online fraudsters.
Carlin said two targets of recent cybercrime prosecutions were blended threat actors: Ardit Ferizi, who pled guilty last month to providing material support for the terror group ISIS by hacking the personally identifiable information of more than 1,000 U.S. military and federal personnel; and members of the Syrian Electronic Army indicted in March.
Ferizi was caught after he tried to extort an American company for a few hundred dollars, Carlin said.
An attacker “may be someone … who is a state actor, but [the attack might not be] a state action,” Carlin explained. A hacker could be “someone who has access to those [sophisticated, state-developed cyber] tools for their day job … and then for their own personal profit they use those tools corruptly during the nighttime hours to do a hack.”
“You can figure out who did it, but disaggregating why they did it is a bigger challenge,” he said.
No matter what their motive, nation-state hackers can be deterred, Carlin said. Until two or three years ago, their job was “pretty easy.”
“If you got caught, there was absolutely no consequence,” he said, adding that “that’s changed, there’s an awareness, people are looking over their shoulder wondering if they might get picked up … they’re wondering if their government changes its mind … they might get picked up by their own government for activities that they thought were [regarded as] OK.”
But others were not. “There are some groups we know are out there that are not going to be deterrable like terrorists,” he said.
Groups like ISIS have openly declared their intention to carry out destructive attacks, for example against the U.S. power grid.
“Because we know they would use these tools if they had them, we know that they haven’t been successful” in obtaining the tools needed for such attacks, he said.
But that meant, Carlin said, that a top priority of U.S. policy had to be preventing such tools from falling into terrorists’ hands.
“We need to do everything we can to disrupt their ability of getting the tools that they want to do destructive attacks,” he said. “Right now certain nation states have the capability, but not the intent, to use it.”