{
"authors": [
"Tim Maurer",
"Garrett Hinck"
],
"type": "legacyinthemedia",
"centerAffiliationAll": "",
"centers": [
"Carnegie Endowment for International Peace"
],
"collections": [],
"englishNewsletterAll": "",
"nonEnglishNewsletterAll": "",
"primaryCenter": "Carnegie Endowment for International Peace",
"programAffiliation": "",
"programs": [],
"projects": [],
"regions": [],
"topics": []
}
Source: Getty
Persistent Enforcement: Criminal Charges as a Response to Nation-State Malicious Cyber Activity
Malicious cyber activities by foreign states present major challenges to the U.S. government. One tool brought to bear most recently against these state actors is the criminal indictment.
Source: Journal of National Security Law and Policy
The question of how states attribute responsibility for malicious cyber activity to other state actors has provoked much attention from both policymakers and scholars.1 Yet one approach to this problem has not been analyzed in depth: the use of criminal charges to allege or suggest state responsibility for cyber incidents. The United States has increasingly used this instrument since 2014. Its Department of Justice in fact adopted an explicit goal of bringing charges against foreign actors responsible for cyber activity.2 Federal prosecutors have unsealed a series of indictments and criminal charges against Chinese intelligence officers involved in the theft of intellectual property and Iranian and North Korean individuals who carried out destructive cyberattacks on behalf of their governments. This also includes charges against Russian intelligence officers alleged to have interfered in the 2016 U.S. election.
This increasing number of criminal charges raises several important questions: What are the goals of these criminal charges, especially those against foreign intelligence officers unlikely ever to be arrested by U.S. law enforcement? Are criminal charges merely a more formal approach to alleging state responsibility than leaking statements from “senior administration officials” to the media about cyber threats from other states? And how should this strategy of bringing criminal charges be evaluated in the context of broader U.S. policy efforts to combat malicious cyber activity? How does it interact with the Justice Department’s stance of independence from political considerations?
This article was originally published in the Journal of National Security Law and Policy.
Notes
1 Scott J. Shackelford & Richard B. Andres, State Responsibility for Cyber Attacks: Competing Standards for a Growing Problem, 42 GEO.J.INT’L L.971, 974 (2011).
2 SeeAdam Hickey, senior Dep’t of Justice official, Remarks at CyberNext DC (Oct. 4, 2018), https://perma.cc/5FQX-MT5G.
About the Authors
Tim Maurer
Former Senior Fellow, Technology and International Affairs Program
Dr. Tim Maurer was a senior fellow in Carnegie’s Technology and International Affairs program.
Garrett Hinck
Former Research Assistant
Garrett Hinck was a research assistant with the Nuclear Policy Program at the Carnegie Endowment for International Peace.
Carnegie does not take institutional positions on public policy issues; the views represented herein are those of the author(s) and do not necessarily reflect the views of Carnegie, its staff, or its trustees.