The question of how states attribute responsibility for malicious cyber activity to other state actors has provoked much attention from both policymakers and scholars.1 Yet one approach to this problem has not been analyzed in depth: the use of criminal charges to allege or suggest state responsibility for cyber incidents. The United States has increasingly used this instrument since 2014. Its Department of Justice in fact adopted an explicit goal of bringing charges against foreign actors responsible for cyber activity.2 Federal prosecutors have unsealed a series of indictments and criminal charges against Chinese intelligence officers involved in the theft of intellectual property and Iranian and North Korean individuals who carried out destructive cyberattacks on behalf of their governments. This also includes charges against Russian intelligence officers alleged to have interfered in the 2016 U.S. election.
This increasing number of criminal charges raises several important questions: What are the goals of these criminal charges, especially those against foreign intelligence officers unlikely ever to be arrested by U.S. law enforcement? Are criminal charges merely a more formal approach to alleging state responsibility than leaking statements from “senior administration officials” to the media about cyber threats from other states? And how should this strategy of bringing criminal charges be evaluated in the context of broader U.S. policy efforts to combat malicious cyber activity? How does it interact with the Justice Department’s stance of independence from political considerations?
1 Scott J. Shackelford & Richard B. Andres, State Responsibility for Cyber Attacks: Competing Standards for a Growing Problem, 42 GEO.J.INT’L L.971, 974 (2011).
2 SeeAdam Hickey, senior Dep’t of Justice official, Remarks at CyberNext DC (Oct. 4, 2018), https://perma.cc/5FQX-MT5G.