Assistant attorney-general John Carlin remembers when FBI cyber intelligence specialists sat in a locked room at the US attorney’s office in Washington, cut off from criminal prosecutors in the same building. Now those walls have broken down as law enforcement officials rethink how they work with intelligence to fight the mounting risk from cyber attacks that threaten national security. The shift helps explain why authorities named North Korea as the culprit behind the Sony Pictures cyber attack less than a month after the Hollywood studio was hacked. The approach also represents a more aggressive strategy of naming and shaming cyber attackers. “The world is watching so you need to send a message to regimes about what they can expect our response to be so you’re not operating in a cost-free environment where you think it will never be attributed to you,” said Mr Carlin, head of the national security division in the Department of Justice. “We’re not afraid to say it and after we say it, there will be a proportionate response.” Previously, national security cyber cases were seen as an issue for the intelligence community. The strategy meant those incidents were usually kept quiet and, with no prosecutors involved, bringing charges was not an option. The siloed structure went against the trend for more information sharing between agencies after 2001’s September 11 US terrorist attacks. “When it came to cyber, we didn’t think we were applying some of the lessons we’d learned in combating the terrorism threat,” Mr Carlin said. “If you don’t have prosecutors looking at it, you don’t know whether that’s a tool in the toolbox.” The approach changed in 2012, when the DoJ’s national security division created the national security cyber specialist network. It meant retraining prosecutors in the division, and in US attorney offices to ensure each had at least one prosecutor focused on national security cyber threats. At the same time, the FBI allowed agents to share intelligence with these prosecutors, who also began working with the FBI’s national cyber investigative joint task force made up of the Central Intelligence Agency, the National Security Agency, the Defence Intelligence Agency and others. For the FBI, that meant taking classified information from the NSA, CIA and other agencies and translating that into evidence that could be declassified, which could be used in a criminal prosecution or cited to name a culprit, like in the Sony case. “Simply collecting ‘intel’ may not be in the national interest when it comes to cyber attacks that threaten the national interest,” said John Riggi, the FBI’s cyber division section chief. “We learnt post 9/11 that taking highly classified intelligence and turning it into evidence that can be used is a highly successful way to disrupt our adversaries.” The first public sign that the new approach was working came in the 2014 indictment of five Chinese soldiers accused of cyber hacking and economic espionage against US Steel, Westinghouse Electric and others. It was the first time state actors had been charged in that type of cyber case. FBI agents, the US attorney’s office in Pittsburgh, the NSD and others worked on the case in a way that it could be brought to a criminal court. “There was scepticism in some corners as to whether we’d be able to bring a case,” Mr Carlin said. “It was important to show that yes, it can be done.” But the doubts have not disappeared. In the Sony case, sceptics were quick to say the evidence of IP addresses linked to North Korea could have been faked, for example. But translating intelligence into evidence helped authorities put the pieces together to name North Korea and issue new sanctions against the country and some of its officials. Bringing criminal charges could still be an option. The DoJ and the FBI have stepped up their efforts to encourage companies to come forward. Many are still reluctant to report breaches because they distrust agencies. “It makes it very challenging,” Mr Riggi said. “Cyber is like no other threat we face and we can’t do our job without private sector help.” 美國助理總檢察官約翰•卡林(John Carlin)還記得以前,美國聯邦調查局(FBI)的網絡情報專家坐在他在華盛頓的辦公室中一間上鎖的房間裏,把同一棟大樓裏的刑事檢察官隔絕在外。現在,隨着執法人員重新思考如何運用情報,以對抗威脅國家安全的網絡攻擊帶來的越來越大的風險,隔絕情報人員和檢察官的高牆轟然倒塌。 這種轉變有助於解釋爲何好萊塢製片公司索尼影視(Sony Pictures)遭受黑客攻擊還不到一月,美國當局就指出朝鮮是這次網絡攻擊的幕後黑手。這種策略也表明美國當局對網絡攻擊者採用了更強硬的策略——直接點名曝光使其蒙羞。 “世界都在看,因此你需要向其他政權發出信息,告訴他們我們會有什麼反應,讓他們明白:這不是一個做事沒有代價的環境,別以爲永遠追查不到你頭上,”現任美國司法部(Department of Justice)國家安全司主管的卡林說,“我們不怕說出來,而且說了以後,對方就會採取相應的反應。” 以前,涉及國家安全的網絡案件被視爲情報人員要解決的問題。這種策略意味着當局對這些案件往往祕而不宣,沒有檢察官參與其中,因此根本不可能提起訴訟。 這種封閉的機制有悖於2001年9/11恐怖襲擊之後加強各機構間信息分享的趨勢。 “對於網絡案件,我們認爲我們以前沒有把對抗恐怖主義威脅時吸取的一些經驗運用到其中,”卡林說,“如果沒有檢察官參與查證,你就不知道這個方法可不可用。” 2012年這種策略發生了改變,美國司法部國家安全司創建了國家安全網絡專家網,對該司和各個檢察官辦公室裏的檢察官重新培訓,確保每個辦公室都至少有一名檢察官重點關注國家安全網絡威脅。 與此同時,FBI批准探員與這些檢察官分享情報,這些檢察官也開始與FBI國家網絡調查聯合特別工作組合作,小組成員來自美國中央情報局(CIA)、美國國家安全局(NSA)和美國國防情報局(Defence Intelligence Agency)。 對FBI而言,這意味着將NSA、CIA和其他一些政府部門的機密信息轉化成能夠解密的證據,以用於刑事訴訟,或者就像索尼影視的事件中那樣,引爲證據點出肇事者的身份。“對於危及國家利益的網絡攻擊,僅僅收集‘情報’或許並不符合國家利益,”FBI網絡部的科長約翰•裏吉(John Riggi)說,“9/11以後,我們意識到,將高度機密的情報轉化成能夠利用的證據,是打垮我們的敵人的絕佳辦法。” 這種新策略首次公開亮相是在2014年,美國當局起訴5名中國軍人,指控其對美國鋼鐵公司(US Steel)、西屋電氣(Westinghouse Electric)等公司發起網絡黑客活動和經濟間諜活動。這類網絡案件中,這是國家人員首次成爲被控告的對象。 FBI探員、匹茲堡檢察官辦公室、美國司法部國家安全司和其他參與方共同合作,使案件可以進入刑事訴訟程序。 “有些人懷疑我們是否能夠提起訴訟,”卡林說,“向世人展示我們能做到,這很重要。” 但人們的懷疑並未消散。比如,在索尼影視的事件中,懷疑論者很快就表示,與朝鮮相關的IP地址證據很可能是捏造的。 然而,將情報化爲證據幫助當局將碎片拼湊在一起,指證朝鮮爲罪魁禍首,對朝鮮和一些朝鮮官員採取了新的制裁措施。提起刑事訴訟是可能做到的事情。 司法部和FBI已加大努力鼓勵企業挺身而出。許多企業在上報違法情況時依然態度勉強,因爲它們不信任政府部門。“這讓事情極具挑戰性,”裏吉說,“網絡不像我們面臨的任何其他威脅,如果沒有私人部門的幫助,我們就無法開展工作。”
