Spurred by North Korea, US changes its cyber warfare strategy

Assistant attorney-general John Carlin remembers when FBI cyber intelligence specialists sat in a locked room at the US attorney’s office in Washington, cut off from criminal prosecutors in the same building. Now those walls have broken down as law enforcement officials rethink how they work with intelligence to fight the mounting risk from cyber attacks that threaten national security.
The shift helps explain why authorities named North Korea as the culprit behind the Sony Pictures cyber attack less than a month after the Hollywood studio was hacked. The approach also represents a more aggressive strategy of naming and shaming cyber attackers.
“The world is watching so you need to send a message to regimes about what they can expect our response to be so you’re not operating in a cost-free environment where you think it will never be attributed to you,” said Mr Carlin, head of the national security division in the Department of Justice. “We’re not afraid to say it and after we say it, there will be a proportionate response.”
Previously, national security cyber cases were seen as an issue for the intelligence community. The strategy meant those incidents were usually kept quiet and, with no prosecutors involved, bringing charges was not an option.
The siloed structure went against the trend for more information sharing between agencies after the September 11 2001 terrorist attacks in the US.
“When it came to cyber, we didn’t think we were applying some of the lessons we’d learned in combating the terrorism threat,” Mr Carlin said. “If you don’t have prosecutors looking at it, you don’t know whether that’s a tool in the toolbox.”
The approach changed in 2012, when the DoJ’s national security division created the national security cyber specialist network. It meant retraining prosecutors in the division and in US attorney offices to ensure each had at least one prosecutor focused on national security cyber threats.
At the same time, the FBI allowed agents to share intelligence with these prosecutors, who also began working with the FBI’s national cyber investigative joint task force made up of the Central Intelligence Agency, the National Security Agency, the Defence Intelligence Agency and others.
For the FBI, that meant taking classified information from the NSA, CIA and other agencies and translating that into evidence that could be declassified, which could be used in a criminal prosecution or cited to name a culprit, like in the Sony case. “Simply collecting ‘intel’ may not be in the national interest when it comes to cyber attacks that threaten the national interest,” said John Riggi, the FBI’s cyber division section chief. “We learnt post 9/11 that taking highly classified intelligence and turning it into evidence that can be used is a highly successful way to disrupt our adversaries.”
The first public sign that the new approach was working came in the 2014 indictment of five Chinese soldiers accused of cyber hacking and economic espionage against US Steel, Westinghouse Electric and others. It was the first time state actors had been charged in that type of cyber case.
FBI agents, the US attorney’s office in Pittsburgh, the NSD and others worked on the case in a way that allowed it to be brought to a criminal court.
“There was scepticism in some corners as to whether we’d be able to bring a case,” Mr Carlin said. “It was important to show that yes, it can be done.”
But the doubts have not disappeared. In the Sony case, sceptics were quick to say the evidence of IP addresses linked to North Korea could have been faked, for example.
But translating intelligence into evidence helped authorities put the pieces together to name North Korea and issue new sanctions against the country and some of its officials. Bringing criminal charges could still be an option.
The DoJ and the FBI have stepped up their efforts to encourage companies to come forward. Many are still reluctant to report breaches because they distrust agencies. “It makes it very challenging,” Mr Riggi said. “Cyber is like no other threat we face and we can’t do our job without private sector help.”
