United States of America v. Dmitry Dokuchaev, a/k/a “Patrick Nagel,” Igor Sushchin, Alexsey Belan, a/k/a “Magg,” and Karim Baratov, a/k/a “Kay,” a/k/a “Karim Taloverov,” a/k/a “Karim Akehmet Tokbergenov” Defendants.
If we include economic espionage and unauthorized hacking as a type of cyber warfare, then this indictment, released yesterday, opens a window into the techniques being used by organized crime, individuals, and nation states to get into computing systems and steal or manipulate information.
Here are a few of the techniques exposed in the indictment:
Judging from the indictment, the hackers focused primarily on Russian nationals, or people who in some way were associated with a Russian interest. Here are a few examples of targets:
In addition, one of the hackers ran an e-commerce scam on the side and seems to have earned a bit of money from it. The indictment demands seizure of a grey Aston Martin DBS and a black Mercedes Benz C54, among other assets such as a number of PayPal accounts.
There are a number of violations cited in the indictment. They can be divided up into classes:
General hacking violations. Conspiracy to commit computer fraud and abuse 18 USC §1030(b); Unauthorized access to protected computers 18 USC §1030(a)(2)(C); Damaging protected computers §1030(a)(5)(A); and Trafficking in counterfeit access devices §1029(a)(1).
Espionage. Conspiracy to commit economic espionage §1831(a)(5); Economic espionage §1831(a)(1); Conspiracy to steal trade secrets §1832(a)(5); Theft of trade secrets §1832(a)(1). These charges involve unauthorized access to Yahoo’s proprietary software that controls the User Data Base (UDB) and Account Management Tool (AMT).
It is interesting that the espionage charges relate only to Yahoo, whereas other companies were also compromised.
Fraud and Identity Theft. The other charges relate to Conspiracy to commit computer fraud and abuse §1030(b); Wire fraud conspiracy §1349 (moving the money to and from PayPal and getting people to pay for products after being tricked into going to a different website); and Aggravated identity theft §1028A.
The defendants involved are associated with the Russian Federal Security Service (FSB) [Федеральная служба безопасности Российской Федерации (ФСБ)] which is an intelligence and law enforcement agency of the Russian Federation and a successor service to the Soviet Union’s Committee of State Security (KGB) [Комите́т госуда́рственной безопа́сности (КГБ)]. Their office is in the old KGB headquarters building in Lubyanka Square in Moscow. The FSB is a military service of the Russian Federation.
It should be noted that the FSB is different from Russia’s Foreign Intelligence Service (SVR) [Слу́жба вне́шней разве́дки (СВР РФ)].
As a comparison, in the United States the CIA is responsible for foreign intelligence, and the FBI for counterintelligence and federal law enforcement within the United States.
So the bulk of the espionage effort by the defendants appears to be a Russian investigation of Russians. But the investigation was taking place inside US “cyber” territory, and other parts of it involved non-Russian citizens.
Does this set a precedent? Here are a few questions raised by this incident:
This blogger knows of no other time in history when espionage and intelligence activities by nation states have been subjected to this type of legal procedure. Does this set a dangerous precedent? Only time will tell.
Ultimately, if there were a criminal investigation underway by the FSB, and the criminal investigation was of Russian nationals, then there should be a way for the FSB to file a surveillance request with US authorities and get assistance in the criminal investigation. This could happen if there were some type of reciprocal agreement for each country to aid the other in law enforcement actions. At this time, there is no such mechanism of international cooperation between governments that would allow this type of coordination.
This is one of the problems that could be solved by negotiation of an international convention for the control of cyber weapons.
In his analysis of why détente between the United States and the Soviet Union broke down in the period 1975 to 1980, Olav Njølstad of the Norwegian Nobel Institute identified five factors. We can apply these factors to today’s environment to suggest the prospects for concluding an international treaty for the control of cyber arms proliferation.
Détente was a policy adopted by the Soviet Union and the United States to lessen geopolitical tensions, establish mutually beneficial relationships, and, importantly, engage in strategic (nuclear) arms control. It resulted in the conclusion of the SALT I treaty and the signing of the SALT II treaty, which the United States never ratified. (SALT = “Strategic Arms Limitation Talks”)
Here are Njølstad’s Five Factors and what they might suggest for cyber arms control.
Njølstad argues that the leaders of the USA and USSR never really trusted each other. Although between Nixon and Brezhnev there gradually had been a build-up of personal trust, the large interest groups led by elites on both sides never understood each other. Nixon, for example, had Brezhnev out to his home in California for extensive discussions, and the photographs of the moment show a relaxed cordiality and workmanlike attitude present between these two leaders. But when Nixon left office, one leg of the table collapsed, and things fell apart finally under the administration of Jimmy Carter.
Application to Cyber Arms Control. It is difficult to judge the amount of “trust” between the superpowers today. But it is safe to assume that it is no different from twenty years ago, and may be even worse. Under that line of thinking, the lack of trust argues against agreement on a cyber treaty. A counter-argument may be that, unlike the situation in the Cold War, in cyberspace there are no such compelling groups of elites on either side. That is, whereas in the kinetic warfare realm there automatically is a sharp division between competing parties, in the cyber realm the interest group may be the entire Internet community, worldwide. An additional consideration is that there is no strong “cyber war” faction that we have noticed, at least in the United States. Or is there? A counter-counter argument is that the cyber realm is so new, and sensitivities are such, that it is much more difficult to build trust, in no small part because so little is understood of this new realm of interaction between nation states.
Conclusion: The lack of trust will inhibit agreement on a cyber arms limitation treaty.
Njølstad also argues that the United States and Soviet Union had very different values, and this was another element in why détente fell apart. In its simplest form, this difference was Communist orthodoxy versus the human rights, democracy and justice values of the United States. In the Communist view, “peaceful coexistence” was possible between the superpowers, but there always would remain a competition in the realm of ideology. Many observers have argued that the Third Basket of the Helsinki Accords, concerning human rights, was responsible for generating a wave of anti-regime behavior throughout the Soviet Union, ultimately leading to its collapse.
Application to Cyber Arms Control. As pointed out elsewhere in this blog, China, Russia and the United States have very different views regarding Internet governance, and regarding the role of information in society. In particular, in Russia and China, there is an acceptance of the role of the government in controlling information and communications. Generally, these actions of censorship, or information regulation, are carried out with a view to maintaining stability. So that is a very different point of view from much of the West. The counter-argument is that whereas there are different views on the role of government in controlling information, there actually is an almost perfect agreement regarding the need to control cyber crime. In this connection, there is obviously a great potential for international agreement. The counter-counter argument is that although there is a shared interest in controlling cyber crime, this does not necessarily translate into interest in getting cyber arms control.
Conclusion: There are strong points of agreement between the superpowers on the need to control cyber crime. This would indicate potential for some type of international agreement to help accomplish this goal. In this connection, different philosophies regarding the role of government in controlling information are not relevant. So there are places where it should be possible to reach international agreement, but it remains to be seen what advantage countries would have in limiting their own ability to develop and deploy cyber weapons.
Between the United States and Soviet Union, there was no substantial economic interdependence. There was little produced in the Soviet Union that was needed in the United States. The Soviet Union produced little of value except oil and raw materials. More than 40% of its GDP was being spent in the military industrial complex, and almost all of the money from oil exports was being used to pay for importation of meat and grains from the West. In addition, the Soviet Union was burdened by its overseas commitments, all of which were costing substantial amounts of money. Njølstad’s notion is that had there been greater economic integration, then this would be a booster of détente, or at least something to prevent its deterioration.
Application to Cyber Arms Control. Between China and the United States, there is significant economic integration; between the US and Russia, the situation has not changed much since the 1980s. Between China and Russia, there is some trading for energy, but little else. Compared to China, Russia’s economy is very small. In the area of cyberspace, the United States is dominant, and it does not need either of the other two markets to have a viable Internet ecosystem. Nevertheless, there is acknowledgement on all sides that cyberspace, the Internet, plays a crucial role in economic development. Therefore, it is a priority on all sides for the Internet to continue to function so that infrastructure and economic functions can continue to operate smoothly. Even though each nation views development of defensive weapons in its own jurisdiction a sovereign right, in the realm of cyberspace, there may be an incentive on all sides to reach agreement on international procedures and other mechanisms to keep cyberspace open for business.
Conclusion: Favorable for cyber arms control.
Njølstad argued there is a “zero-sum logic of Cold War geopolitics”. That is, if one side gained, the other lost. In the Cold War, there was a mistaken tendency for the two superpowers to consider détente to be a bilateral matter, without reference to competition taking place in the developing world. So under this thinking, it would be possible to continue to probe for geopolitical advantages elsewhere while maintaining détente between the superpowers themselves. It didn’t work. The Soviet invasion of Afghanistan, and the problems in the Middle East, Angola and the Horn of Africa (Ethiopia, Somalia), led to continued problems. The fall of the Shah of Iran and the Soviet invasion of Afghanistan led to the “Carter Doctrine”, which threatened war if the Soviet Union moved to exert control in the Persian Gulf. It also led to a giant military build-up, which President Reagan inherited.
Application to Cyber Arms Control. For this analogy to work, we would need to see evidence of continued probing for advantage in cyberspace while at the same time attempting to maintain a regime of cyber arms control. We can expect that nations would continue to engage in cyber espionage, and therefore it would not be possible to have any international agreement limiting this important government function, on any side. On the other hand, cyberspace is such that there may not necessarily be a zero sum game. Does innovation in one area (country, application portfolio) automatically lead to losses on the other side? One could argue “yes”, and give the example of how China has discriminated against foreign social media and other Internet services groups so as to create its own native Chinese companies. But it is difficult to show harm to the other side, which continues to grow and prosper. It can also be argued that the interest in keeping the Internet running will be strong enough to encourage work at international agreements that limit cyber weapons and their proliferation. For example, cyber weapons should not be allowed to fall into the hands of non-state actors (information terrorists). This would be also the case if other nations were coaxed into joining the control regime, because the superpowers would see the treaty as a way to limit weapons developed elsewhere. This would limit threats to Internet (cyberspace) stability and thus be of benefit to everyone. And at the same time it would not prevent competition from continuing.
Conclusion: Favorable for cyber arms control.
Njølstad argues that on each side there were “intellectual, institutional, and economic pressures” coming from “groups, companies, and bureaucracies with a vested interest in the arms race”. As a result, it became much easier after détente began to weaken to raise voices calling for a harder line. In the same way Carter eventually was overwhelmed by hard liners, Brezhnev faced the same problem in the Soviet Union with pressures from the military and intelligence parts of the government.
Application to Cyber Arms Control. There is no strong institutional or economic pressure to continue building cyber weapons. They are not expensive to build. For example, the cost of cyber arms is nothing compared to the price of rolling out a new strategic bomber, fighter jet, or missile system. So we can conclude that there is no such strong institutional lobby standing by to back up hard liners should this possibility emerge.
Conclusion: Favorable for cyber arms control.
Njølstad’s analysis gives crucial insights into why détente between the Soviet Union and the United States eventually fell apart. When we apply these same factors to the possibilities for cyber arms control, the picture is not as negative. But it is not completely positive either.
One limitation (of many) in this analysis is that détente was seen as a bilateral policy between the United States and the Soviet Union. This is quite different from what would be required for the negotiation of a multilateral treaty for cyber arms control. So in a strict sense, applying a bilateral framework of explanation to a possible multilateral problem set is problematic. The counter-argument to this is that in arms control, leadership can be shown by superpowers, with the prospect that smaller, less consequential nations will follow the example of the superpowers. A second counter-argument is that this bilateral framework can be applied to any set of multilateral relationships. For example, one could apply it to US-Russia relations, then to US-China relations, then to Russia-China relations. So it probably is possible to apply it to multilateral relations, although that is not its original design intent.
Olav Njølstad, “The collapse of superpower détente, 1975-1980”, in Melvyn P. Leffler and Odd Arne Westad, eds., The Cambridge History of the Cold War, Vol. III: Endings, Cambridge University Press, 2010, pp. 135-155.