Prosecuting a Cyberattack

Five years ago, dozens of the nation’s biggest banks became targets of a sustained cyberattack on the financial infrastructure of the United States. The attacks began sporadically in December 2011, but then escalated-by September of the next year, they occurred on a near-weekly basis, frequently making it impossible for hundreds of thousands of customers to access their accounts online and forcing 46 financial institutions to spend tens of millions of dollars to keep their websites up and running.

It soon became clear who was behind the so-called distributed denial of service attack, or DDoS, which harnessed an extensive network of compromised computers to overwhelm the banks’ servers with a flood of traffic. It was a small group of employees at two computer companies based in Iran and working in part at the behest of the Iranian government, according to the indictment. They were retaliating for a series of cyberattacks on their own systems, according to news reports, which the United States and Israel had unleashed to slow the progress of Iran’s nuclear program.

U.S. law enforcement agencies made their move three years later following an extensive investigation. Seven employees of the companies were indicted by a grand jury at the beginning of last year on computer hacking charges. The indictment was unsealed a couple months later, revealing not only the names of the accused hackers, but also their photographs. The seven defendants face maximum sentences of 10 years in prison.

“Like past nation state-sponsored hackers, these defendants and their backers believed that they could attack our critical infrastructure without consequence, from behind a veil of cyber anonymity,” said then-Assistant Attorney General John Carlin when the charges were unsealed. FBI Director James Comey added, “The FBI will find those behind cyber intrusions and hold them accountable-wherever they are, and whoever they are…by calling out the individuals and nations who use cyberattacks to threaten American enterprise, as we have done in this indictment, we will change behavior.”

Yet, more than five years after the attacks began, all seven of the defendants remain on the FBI’s Cyber’s Most Wanted list, based in Iran and thus outside the grasp of U.S. law enforcement. If anything, say cybersecurity experts, attacks like these emanating from abroad have since become an even more routine reality of life for banks.

“There’s been an explosion of threat actors, and they have a much better ability to steal in secrecy and with impunity because they’re located halfway around the world,” says Serrin Turner, a partner at Latham & Watkins and former assistant U.S. attorney in the Southern District of New York, where he was the lead cybercrimes prosecutor. “For prosecutors, it’s similar to going after terrorists in the sense that terrorists are often operating in far-flung jurisdictions where we have limited ability to get cooperation from.”

This is why collaboration both within the government and private industry as well as between the two is so important, says Carlin, who now chairs Morrison & Foerster’s global risk and crisis management team and advises companies on cyber and other national security matters.

“One of the lessons from the Iranian DDoS attacks was that we needed to tear down the wall between the intelligence and law enforcement agencies in terms of sharing information,” explains Carlin. The government did so toward the end of 2012 by training hundreds of federal prosecutors across the country on how to handle sensitive sources and methods. Simultaneously, the Federal Bureau of Investigation issued an edict stating that it would share information with the Justice Department, information that had formerly only been accessible to intelligence personnel.

Another lesson was that the government “didn’t do as good of a job as we could have at sharing information back with the financial sector,” Carlin continued. “As time went on, the government got much better at this, even if that meant having folks at the banks with security clearances so they could receive classified information or working hard to declassify information which we could then share with them.”

It’s important that the relationship goes both ways, too. Carlin brought up the case of a hacker who gained access a few years ago to an internet retailer’s systems and demanded $500 worth of Bitcoins. It appeared from the retailer’s perspective to be a small-scale extortion attempt combined with an effort to steal customer data. “The vast majority of companies wouldn’t take special steps to report that to the government,” says Carlin.

However, a subsequent investigation revealed that the stolen data was then handed over to a member of the Islamic State, an international terrorist organization, who used it to compile a “kill list” of over 1,000 U.S. government and military employees. That list was later disseminated to the group’s adherents in the United States. Carlin always mentions this when he briefs bank boards because the plot was only uncovered after the targeted company brought the matter to the attention of law enforcement.

One organization that facilitates the exchange of such information is the Financial Services Information Sharing and Analysis Center, or FS-ISAC. It was launched in 1999 in response to a presidential directive mandating that the public and private sectors share information about cybersecurity threats and vulnerabilities to help protect the U.S. critical infrastructure, says its chief of staff John Carlson.

Bank industry regulators also play an important part in this collaboration. “The Office of the Comptroller of the Currency’s role is to spur banks to act and to educate them on the risks,” says the OCC’s Beth Dugan, deputy comptroller for operational risk. To this end, the Federal Financial Institutions Examination Council, or FFIEC, developed the Cybersecurity Assessment Tool to help banks identify risks and determine cybersecurity preparedness.

And on the private industry level, a number of third-party service providers have cropped up to leverage collaboration not to prosecute cybercriminals but instead to help secure companies’ networks and data. An example is Cloudflare, which protects millions of websites from the exact kind of attack waged by the Iranian hackers in this case. “Attackers are constantly looking for flaws, chinks in the armor which they can exploit,” says John Graham-Cumming, chief technology officer at Cloudflare. By sharing information, new threats can be identified early and preemptively defended against before they spread to other banks.

The Iran-based DDoS attacks on U.S. banks five years ago signified a watershed moment for both the government and the financial services industry by helping to spur many of these changes. The resulting charges “show what the benefit can be when we work together because the government can’t successfully pursue these types of cases without the help and assistance of victims, and the victims don’t have access to the same degree of information as the government or the tools to make it public in order to hold the perpetrators accountable,” says Carlin.

Fortunately, because bankers have long been conditioned to respond to risk, the industry is at the forefront of being prepared for these types of threats, says Dugan. But it’s nevertheless critical for the officers and directors of banks to stay vigilant on this front, as the challenges associated with apprehending and prosecuting cybercriminals almost certainly mean that the risk will continue only to grow in the years ahead. As Dugan notes, “cybersecurity is a fast-moving, evolving target that’s here to stay.”