The United States both indicted and sanctioned Iranian operatives this month for conducting a cyber espionage campaign targeting current and former members of the U.S. intelligence community. The use of sanctions to complement indictments is typical for cases involving Iranian hackers, yet the U.S. has held back from employing sanctions against Chinese and Russian hackers under indictment.
This month’s actions relate to the defection of a former Air Force counterintelligence officer, Monica Witt, who helped Tehran target her former colleagues. In addition to unsealing the charges against Witt, the Department of Justice announced the indictment of four Iranians on charges of espionage, conspiracy, attempts to commit computer intrusion, and aggravated identity theft. The Department of the Treasury, meanwhile, added three of the Iranians to its sanctions list, along with an affiliated company. Treasury had already sanctioned the fourth Iranian operative, Behzad Mesri, in March 2018 for hacking the television network HBO.
The number of indictments against foreign cyber operatives has tripled during the Trump administration. The previous administration indicted 15 hackers over the course of eight years – 8 Chinese and 7 Iranian. This one, by contrast, has indicted 45 hackers in just two – 16 Chinese, 17 Iranian, 11 Russian, and 1 North Korean. (See Table 1.)
However, while Obama sanctioned all seven of the Iranians he indicted, he did not sanction any of the eight Chinese. He also sanctioned – but did not indict – one Russian operative. Similarly, Trump sanctioned the 17 Iranians and the lone North Korean he indicted, but none of the Russians or Chinese. (See Table 2.)
To date, Washington’s indictments have led to the arrests of only four Chinese, one Russian, and none of the Iranians or North Koreans. (See Table 3.) This likely stems from the refusal of host countries to extradite the operatives or cooperate with federal investigators.
While securing extraditions is likely to remain very difficult, pairing indictments with sanctions could be a more effective means of holding adversaries accountable. Sanctions would put more pressure on the governments sponsoring cyberattacks by restricting the funds and access to technology that facilitate them. These costs will be difficult for states to overlook or ignore, even if they fail to arrest or extradite the perpetrators.
The Trump administration, like its predecessor, appears to grasp this reality in the context of Iran, but has not yet applied the lesson to other cyber adversaries.
Trevor Logan is a cyber research associate at the Foundation for Defense of Democracies, where he also contributes to FDD’s Center on Cyber and Technology Innovation. Follow him on Twitter @TrevorLoganFDD. Follow FDD on Twitter @FDD. FDD is a Washington-based, nonpartisan research institute focusing on national security and foreign policy.
Table 1
| |2009-2016 Obama Administration|2017 Trump Administration|2018 Trump Administration|Total Individuals Indicted|

Table 2
| |2009-2016 Obama Administration|2017 Trump Administration|2018 Trump Administration|Total Individuals Sanctioned|
|Total Cyber Sanctions Related to Table 1 Indictments|8|2|16|26|

Table 3
| |2009-2016 Obama Administration|2017 Trump Administration|2018 Trump Administration|Total Individuals Arrested|