The indictment of seven Iranian hackers for launching distributed denial-of-service (DDoS) attacks against financial institutions and hacking a dam was infuriating because it assigned blame to the wrong parties.
The real culprit didn’t go unmentioned in the indictment announced by U.S. Attorney General Loretta Lynch. The indictment clearly states that the seven Iranians charged with criminal hacking worked for private companies that had been hired by various elements of the Iranian government to launch the attacks, which were perpetrated in 2012 and 2013.
According to the charges, the alleged hackers acted at the behest of the Iranian government and received logistical and monetary support from it. Reportedly, one of the people indicted received a waiver from mandatory military service because he was supporting the Iranian government by committing criminal acts.
What infuriates me is that there are many people within the Iranian government who are more complicit in the attacks than the people charged but were not indicted. This is cowardice. It is also a bad precedent.
I say that because it puts U.S. military personnel and employees of U.S. intelligence agencies at risk of facing similar charges for doing their jobs. The National Security Agency’s Tailored Access Office (TAO) is now widely acknowledged as being behind the Stuxnet attack, which caused significant damage to Iran’s nuclear efforts. Is the U.S. government comfortable with the possibility that Iran could exact revenge by indicting NSA employees for that cyberattack? (For that matter, given that Stuxnet caused damage in countries other than Iran, can all of those countries now charge NSA employees as well?)
And Stuxnet isn’t the only potential vulnerability for the U.S. The TAO was probably responsible for the Duqu malware that was implanted on the systems of the Iranian negotiation team during the run-up to the nuclear treaty between the U.S. and Iran.
The charges against the Iranians are similar to those filed against five Chinese military officers for hacking U.S. companies. But the failure to indict higher-ups was even starker in that case, since the crimes outlined in the indictment were said to have been perpetrated entirely within a military context. Those officers would not have acted except on orders, just as the seven Iranians would never have had the opportunity or motive to hack U.S. institutions and infrastructure without government support. Individual soldiers aren’t charged with murder, as long as they were operating under orders within a code of conduct. Why, then, does the FBI put those five Chinese military officers, who were clearly operating under orders and did not violate any international convention, on its 10 Most Wanted Cybercriminals list?
Much as it was U.S. policy to disrupt the Iranian nuclear program — and I’m sure Iran did not like that — it was (and maybe is) Iranian policy to disrupt the U.S. economy and prepare to launch asymmetric warfare and disrupt the U.S. infrastructure. Similarly, it was, and still appears to be, China’s policy to have its military cyber units target and collect intellectual property and then provide that intellectual property to Chinese businesses or otherwise use that information for the benefit of the Chinese government and economy.
The Iranian hackers were just the cogs of Iranian policy. If the U.S. government had issues with this policy, they should have been addressed before the signing of the nuclear treaty, which happened after the hacking incidents were attributed to Iran, and especially before the release of $150 billion in frozen Iranian assets. However, should there still be an issue with Iranian or Chinese cyber-network operations, Lynch should have indicted the entire chain of command that authorized and supported those operations.
The crimes outlined in the indictments against the Iranian and the Chinese hackers are like Stuxnet in that they were clearly perpetrated by the respective states. To treat these acts as if they were perpetrated by a group of rogue cybercriminals demonstrates a willful ignorance, or a lack of desire to take any meaningful actions against the entities actually responsible for the crimes.
This sort of willful ignorance is not limited to U.S. law enforcement. The Italian government filed criminal charges against 24 CIA-affiliated operatives who allegedly were responsible for Abu Omar’s rendition from Italy. Now, at least that alleged crime actually occurred in Italy. But in a parallel to the Iranian and Chinese cases, Italy filed no charges against the U.S. officials who presumably would have ordered the rendition and provided all of the resources necessary to accomplish it.
I’ll leave you with one final irony: The U.S. government protested the Italian charges.
Ira Winkler is president of Secure Mentem and author of the book Spies Among Us. He can be contacted through his Web site, securementem.com.