National Security

As U.S. indicts foreign hackers, American cyber spies fear arrests in tit-for-tat action

Some former employees of the National Security Agency, at Fort Meade, Maryland, worry that they might be arrested if they travel overseas. Such detentions would be retaliation for U.S. indictments against state hackers from nations such as China, Iran and Russia. AP

Federal prosecutors call it a “naming and shaming” strategy against hackers working for adversary nations, but former U.S. cyber spies worry they will be the ones ending up in a foreign prison.

Repeatedly in recent years, U.S. prosecutors have filed criminal charges against hackers working for foreign governments, saying that even if the hackers never get hauled into a U.S. courtroom, the indictments serve as a warning shot across the bow of nations like China, Iran and Russia.

Now, a handful of former employees of the National Security Agency say they worry about retaliatory action. They say foreign nations may charge U.S. cyber warriors with crimes.

They are altering plans for travel, concerned that they may get arrested overseas. And they are warning that such arrests would sink morale among fellow cyber spies.

“It’ll surprise me if some folks who have already been outed, like myself, don’t get charged eventually by a foreign country,” said Jake Williams, a former elite hacker at the National Security Agency who went on to found an Augusta, Ga., cybersecurity firm, Rendition Infosec.

The fear of reprisals against U.S. cyber spies is part of a larger dilemma for U.S. officials over how to punish nations that hack or meddle in U.S. networks, sending a message of strength and deterrence, even as U.S. cyber warriors are engaged in some of the same actions against foreign governments.

U.S. government officials say they will choose when and how to retaliate, perhaps imposing economic or political pain as a price. But politicians are growing impatient.

“We seem to be the cyber punching bag of the world, and it is common knowledge,” Sen. Dan Sullivan, an Alaska Republican, told a Senate Armed Services Committee hearing March 1.

The Trump administration’s nominee to lead the NSA, Army Lt. Gen. Paul Nakasone, said during the hearing that nations like China, Russia, North Korea and Iran believe there are few costs associated with cyberattacks on the United States.

“Right now, they do not think that much will happen. They don’t fear us. That is not good,” Nakasone said.

The Treasury Department Thursday slapped new sanctions on Russia for meddling in the 2016 elections, barring any financial transactions with 13 Russians accused as “trolls” and their supporters for organizing political rallies on U.S. soil and creating online fake personas to influence the vote.

Former federal cyber combatants, meantime, said they are casting an eye over their shoulder while traveling abroad, selecting carefully where they are willing to go.

“Life is short. I don’t want to spend it in a Chinese jail,” said Dave Aitel, a former chief scientist at the NSA who leads Immunity Inc., a vulnerability research firm in Miami, Florida.

In their first major salvo in May 2014, U.S. prosecutors indicted five soldier/hackers from Unit 61398 of the People’s Liberation Army in China, charging them with pilfering U.S. trade secrets. In an effort to embarrass China, prosecutors distributed wanted posters of the Chinese hackers in their military uniforms.

Two years later, U.S. prosecutors charged seven Iranian hackers doing work for the Islamic Revolutionary Guard Corps, accusing them of trying to hack into a small dam northeast of New York City as well as attacks on the networks of the U.S. financial system. The accused Chinese and Iranian hackers remain free.

Last month, Special Prosecutor Robert Mueller indicted 13 Russians that he described as part of a Russian intelligence operation to interfere in the 2016 presidential campaign. The Russians are said to have worked in a “troll farm” that used social media to help elect Donald Trump while attacking Democratic candidate Hillary Clinton. They also have not been arrested.

Aitel said some of the indictments are “a little silly” since those charged are lower-level hackers operating in a larger hierarchical organization.

“If your government tells you to do this operation, and you do it, it’s not your fault,” Aitel said, adding that indicting the lower-level employees is “ineffectual.”

Williams said foreign governments will eventually retaliate.

“There will absolutely be blowback from charging foreign hackers — and it will fall on people like me, not those policymakers who aren’t impacted by this tit for tat,” Williams said.

He said many of those officials involved in prosecutions of foreign hackers face little threat of reprisal themselves — unlike onetime U.S. cyber warriors who must travel abroad.

“If you don’t do any international travel, it’s very easy to sit on the sidelines and say, ‘meh,’” he said. “If some of your business takes you out of the country regularly, you start caring a little more.”

Another former NSA employee, who spoke on condition of anonymity for fear of legal consequences, voiced anger at the repeated Justice Department indictments.

“I think it’s detrimental,” he said. “We’re not going to get these guys.”

“For the most part, it’s grandstanding, and it does put our own people at risk. … If it’s going to get a prosecutor’s name in the news, then they are going to do it,” he said.

The NSA itself declined comment.

A former NSA lawyer, who also asked to remain anonymous, said most indictments of foreign hackers “are mainly for naming and shaming.” The lawyer said the larger internal debate within the intelligence community is whether the indictments “give away some of your sources — that would be the biggest concern for me. And there has always been debate about that.”

Intelligence officials recoil at the prospect of indictments revealing sources and methods of intelligence collection. If such methods are spilled, the officials say, foreign countries would alter their strategies and become harder targets.

Williams found himself thrust into the spotlight last year when a murky group calling itself the Shadow Brokers began releasing stolen NSA cyber tools. In addition to leaking the sophisticated hacking tools, the group took to Twitter and issued veiled threats against various former NSA employees, suggesting that Williams was a former member of an elite unit, known as Tailored Access Operations, that designed complex NSA hacking coding.

Subsequent releases by the Shadow Brokers revealed that the group, which Williams believes is linked to the Russian government, knows vast internal details about how the now-defunct NSA unit operated.

Williams is certain that others could face peril if the information slips out.

“I’ve talked to some people who think that they’ll never get charged. I think that’s naïve,” Williams said. “I’ve talked to several who are acutely aware that that’s a possibility.”

Aitel, for his part, said the Shadow Brokers could be arming a case on behalf of Russia.

“They know exactly who our teams are. They know their families. They know everything about them,” Aitel said. “If they wanted to, they (the Russians) could start indicting people.”

Tim Johnson: 202-383-6028, @timjohnson4