The U.S. Department of Justice indicted four suspects accused of being behind the 2014 Yahoo breach, but experts are unsure if this show of force will be an effective hacker deterrent in the future.
In the press release announcing the indictment of the alleged Yahoo hackers, acting Assistant Attorney General Mary McCord said, "The Department and the FBI have demonstrated that hackers around the world can and will be exposed and held accountable." But experts said McCord was only half right in that statement.
"I wish this was reality," Tom Kellermann, CEO of Strategic Cyber Ventures, based in Washington, D.C., told SearchSecurity. "They can be exposed, but only held accountable in the western world should they dare set foot in it. They are untouchable east of the Iron Curtain."
Philip Bezanson, white collar partner at Bracewell LLP, based in Seattle, agreed with that assessment.
"Certainly, the Department [of Justice] and the FBI demonstrated that hackers can be identified and that cases can be built that merit charging them. But as long as hackers seek refuge in countries where -- in practical terms -- they are protected from facing charges in the U.S., they are not truly being held accountable," Bezanson told SearchSecurity.
Mike Buratowski, senior vice president of cybersecurity services at Fidelis Cybersecurity, based in Bethesda, Md., said there are benefits to the government and investigative agencies "calling these hackers out and charging them for their crimes."
"The United States needs to get the awareness of these crimes occurring and who is perpetrating them out into the public arena. By doing this, the country is taking a stand against our nation being attacked in cyberspace," Buratowski told SearchSecurity. "I am hopeful that, by naming the individuals and potentially their nation-state backers, it will elevate the level of concern -- or even anger -- the public feels when events like this happen. I believe that the nation has become somewhat desensitized and even apathetic to cybercrime and cyberespionage."
Potential hacker deterrent
Experts generally lauded the success in proving the U.S. can accurately identify the perpetrators of cybercrime, but said if this indictment could not yield full prosecutions, then it might not prove to be an effective hacker deterrent.
"This is a shot across the bow to the Russian cyber militia community and should serve as a warning that the USA is beginning to take her gloves off," Kellermann said. "That being said, the dark web's closed forums, bulletproof hosts and anonymous payment systems are still insulating the cybercrime syndicates."
Brian Vecci, tech evangelist at Varonis, based in New York, said this indictment could prove to be an outlier.
"The size and scope of this breach meant that the DOJ brought a great deal of resources to bear in order to identify and indict the attackers. That certainly is not always the case with data breaches, especially ones that affect enterprises who don't have anywhere near these kinds of resources," Vecci told SearchSecurity. "I don't think this indictment will have much of an effect in curbing the rise of attacks on public and private institutions of all sizes."
Albert Gidari, director of privacy for the Center for Internet and Society at Stanford Law School, said, at best, an "indictment is better than silence or inaction," but may not be an effective hacker deterrent.
"I don't think an indictment is much of a deterrent for state-sponsored attacks in particular, but more generally, either," Gidari told SearchSecurity. "As long as there is a robust market for hacked data and the chances of getting caught are low, it will continue."
Richard Goldberg, principal and litigator for Goldberg and Clements PLLC in Washington, D.C., said although one alleged Yahoo hacker was arrested in Canada, "surely any country that wants to attack the U.S. government or American companies can find someone domestically" who would be immune to extradition. He continued:
This leads to the inevitable conclusion by international hackers that the U.S. government poses little risk to them. And that's largely correct. Moreover, any hacker worth focusing on likely has a very particular set of skills that are quite valuable -- especially in a depressed Russian economy. And if the [Russian Federal Security Service] shows up to your house in Russia with a job, you can probably assume it isn't a request. Imagine the FBI or CIA were to approach an American hacker, who may be making decent money pilfering credit cards, and demand help hacking the Iranians. Would the American hacker see that as a crime for which he may be prosecuted? Probably not.
Better hacker deterrents
Amit Yoran, CEO for Tenable Network Security, based in Columbia, Md., said it's good to hold people accountable, "but this isn't a game-changer for U.S. policy or for economic incentives."
"Cybercriminals are used to operating with complete impunity. The more proactive and aggressive governments get in creating a cyberdeterrence, the better off society is. But the midterm effectiveness in the cyber realm is still inconsequential by comparison," Yoran told SearchSecurity. "The best near-term way to raise the cost for cybercriminals is through investing in security technology that helps organizations understand and improve overall security posture."
Gidari also questioned if an indictment was "a proportional response for this kind of hacking."
"There are tough questions to be answered in regard to state actors, and those answers would apply to U.S. cyberefforts, too," Gidari said. "What would have a greater impact is recognition that strong encryption needs to be implemented ubiquitously. We need a policy that is rooted in protecting our [intellectual property] and data."
Bezanson said, at best, the indictment would be a partial hacker deterrent.
"People have been committing crimes for a long time, and civil societies have spent just as long trying to deter wrongdoing. But wrongdoing persists," Bezanson said. "The indictment illustrates that the U.S. is committing resources to investigate and pursue hackers, no matter where they are. What remains to be seen is the steps that might be taken to convince the countries that provide refuge to hackers to extradite hackers to the U.S. to face the criminal charges against them."