Thursday, March 24, 2016

Lawfare in Cyberspace

Attorney General Loretta Lynch today announced a federal indictment against seven Iranians believed to be responsible for distributed denial of service (DDOS) attacks against several large American financial institutions. The attacks began in December 2011 but became much more intense in December 2012. The indictment also accuses one of the Iranians of hacking into the control system of Bowman Dam in Rye, New York in August and September of 2013, a more worrisome attack because of its potential to threaten lives.

While the indictment does not specifically accuse the Iranian government of being behind the attacks, it does note that the accused "were employed by two Iran-based computer companies, ITSecTeam (ITSEC) and Mersad Company (MERSAD), that performed work on behalf of the Iranian Government, including the Iranian Revolutionary Guard Corps." At the time of the attacks, computer security experts speculated that Iran was retaliating for a series of sophisticated cyberattacks (beginning with Stuxnet but also including Duqu and Flame) most likely engineered by the U.S. and Israeli governments. Those attacks destroyed centrifuges being used to enrich uranium for Iran's nuclear weapons program.

The indictment was brought some time ago by a grand jury in the Southern District of New York but only unsealed today. It is possible the indictment was sealed in order to avoid complicating the negotiations that resulted in the Joint Comprehensive Plan of Action last July by which Iran agreed to halt efforts to develop nuclear weapons. January 16, 2016, marked "Implementation Day" when, having verified Iran's compliance with the JCPOA, the other parties to the agreement (the United States and other UN Security Council and European Union states) lifted a variety of sanctions against Iran.

Today's announcement suggests that the United States intends to continue to use legal means to address cyberattacks emanating from state or state-sponsored actors. It follows on an indictment announced in May 2014 of five Chinese military officers affiliated with the 61398 hacker group, a unit of China's People's Liberation Army. Similar uses of the law in conflicts are addressed in a recently published book by Orde F. Kittrie entitled Lawfare: Law as a Weapon of War (Oxford University Press, 2016).

For more on the indictment unsealed today, see this story in the New York Times by David Sanger.