James Andrew Lewis
The most critical issue in cybersecurity today is creating consequences for actions that disregard the norms for responsible state behavior agreed to globally in 2015. This is one reason for the US decision on October 19 to charge six Russian intelligence officers for a series of damaging cyberattacks, including the disruption of Ukraine’s power grid and release of NotPetya, disruptive malware that cost companies billions of dollars.
The six are from the Russian military intelligence agency GRU (Main Directorate of the General Staff of the Armed Forces of the Russian Federation), which has become the most aggressive Russian actor in cyberspace and the principle source of many of the most damaging cyber actions of the last few years.
Q1: These Russians are unlikely ever to go to jail. What is the point of indicting them?
A1: Indictments send a powerful message. The Russian government hates them, and it regularly warns its hackers of the threat of indictments and the need to avoid foreign travel when indicted because of the risk of arrest. Indictments have become a major irritant for the Russians and send a clear signal of the United States’ ability to identify and attribute the source of cyberattacks. The indictments make the point to the international community that the United States has the ability to determine who is responsible and will take action in response. They are one very public tool in the portfolio of consequences for irresponsible action by a state in cyberspace.
Q2: Why the long period between the crime and the indictment?
A2: The Justice Department is exceptionally thorough in preparing indictments, and in cases like this one, they know the indictments will get international scrutiny. Their intent is to prepare the indictments based on evidence that, if the suspect were brought to trial, would ensure conviction. Unlike Russia or China, these legal actions are not for show. This means not only is it essential to collect confirmable intelligence, which can take time, but also to scrub it of classified information for public release and then prepare the case for the grand jury.
Q3: What is the GRU?
A3: The GRU is Russia’s military intelligence service. Russia considers information on its organization, staffing, and missions classified. It reports to the chief of the General Staff and the defense minister. The GRU expanded its cyber and information capabilities in 2012. Their capabilities are similar to those possessed by the United States’ Cyber Command and National Security Agency but with more focus on information operations. The indicted hackers are from the GRU’s Main Center for Special Technologies, GRU Unit 74455 (the GRU uses numeric unit designators, not names like “Fuzzy Bear”). It likely administered Guccifer 2.0 and DCLeaks in Russia’s 2016 US election operations.
Q4: Are these the first indictments for GRU cybercrimes?
A4: The Justice Department’s announcement is the latest in a series of indictments against Chinese, Russian, and Iranian hackers. There have been several previous indictments of Russian hackers, including against personnel of the Internet Research Agency in February 2018 for influence operations leading up to the 2016 US elections, against a GRU team in July 2018 for its efforts in 2016, and one in October 2018 against a GRU team responsible for hacking anti-doping agencies.
Q5: Are indictments enough to change Russian behavior?
A5: Indictments are a powerful tool, but they are not by themselves enough. They are an essential first step, but they have to be part of a larger strategy of imposing consequences on Russia for its malicious behavior in cyberspace. The United States has begun to work with its allies and partners to develop a larger strategy of consequences, and the European Union has outlined similar measures to sanction Russia for hacking the German parliament’s network. While there are agreed to global norms for responsible state behavior in cyberspace, Russia, China, and Iran routinely ignore them, and the best way to ensure norms are observed is to impose consequences when they are not. It will not be easy to deter an adversary who is unscrupulous about poisoning its political opponents.
The indictment should be seen as a first step. Now the United States and its allies must determine what further actions against Russian hacking are appropriate.