Last week, prosecutors announced charges against four Russians and one Ukrainian for what is being called the largest-known hacking and data theft operation to be prosecuted in the U.S.
The hackers are accused of several high-profile hacks over the past six years that netted them over 160 million credit and debit card numbers as well as access to other sensitive networks and information.
According to U.S. Attorney Paul Fishman, “The losses in this case are staggering. The conspirators breached the networks of at least 17 major retailers, financial institutions, and payment processors.… This scheme was so sophisticated and brought together some of the most experienced and skilled hackers in the world.” The U.S. has estimated the losses to just three of these companies to be at least $300 million, and this number will only increase as the losses are calculated for more companies.
Such a story indicates the potential damage that just a small group of hackers can do to American organizations. As bad as these small gangs are, imagine how dangerous a foreign government with greater cyber manpower and resources can be.
This story also reveals the increasing capability of cyber cops to identify and attribute hacks to specific hackers or nations. U.S. cybersecurity experts were able to collect and analyze the bits of leftover coding and malware and follow the breadcrumbs back to these five individuals. Such attribution is critical to stopping not only cyber crime but also state-sponsored cyber espionage.
Armed with the knowledge of who is doing the hacking, the U.S. can take firm action against bad cyber nations. For example, when cybersecurity experts analyze a hack and are able to link it to a Chinese military unit, the U.S. can and should respond by punishing China for its aggression.
Such punishment should start by naming and shaming bad cyber actors, but it should not stop there. The U.S. should also stop its naïve cyber cooperation with these bad actors and also limit visa and travel privileges for organizations known to support these nations’ campaigns of cyber espionage. Criminal and civil actions against hackers and companies that use hacked information are additional tools that the U.S. should use to cause financial and reputational damage to deter future hacking.
Attribution is important to stopping cyber criminals and state-sponsored cyber espionage. Despite the fact that the U.S. can use attribution to hammer cyber criminals, the Obama Administration has been relatively timid in using it against bad cyber nations. It is time for this to change, since these nations are stealing more than just credit card numbers.