Will the DoJ’s New National Security Cyber Section Bite or Just Bark?

On June 20, 2023, the Department of Justice (DoJ) announced a new National Security Cyber Section within its National Security Division. According to the U.S. assistant attorney general, the purpose of the section is to “increase the scale and speed” of DoJ’s disruption and prosecution of state actors, as well as state-sanctioned cybercriminals. This section will foster collaboration between the DoJ’s Criminal Division’s Computer Crimes and Intellectual Property Section and the Federal Bureau of Investigation’s (FBI) cyber division, in order to streamline activities and deploy resources in a harmonious and expedited manner. Prosecutors linked to the National Security Cyber Section will be experienced professionals able to act quickly as soon as a law enforcement or intelligence agency identifies a cyber threat of note. In addition to combating exterior threats, the Section will be a resource for the 94 U.S. attorney offices throughout the United States, strengthening their capabilities to handle cyber cases that occur within their jurisdictions.

Cyber-related indictments are nothing new for the United States, which has used them to bring to light and punish state cyber actors by publicly “naming and shaming” their ties to foreign governments the DoJ has identified as being culpable for hostile cyber activity. Since their implementation, indictments have connected actors tied to the intelligence and military organizations of China, Iran, North Korea, and Russia. The United States adopted this tactic sometime around 2014 in an attempt to both penalize foreign governments for these actions and deter them from engaging in future activity. The message was bold and clear: not only could the United States attribute cyber incidents to foreign states, but it could also get granular and identify the specific individuals behind them in a show of intelligence capability and reach. Nevertheless, to date, none of these indicted state actors have been arrested and prosecuted in a U.S. court, though the threat of extradition always looms if they get careless in their overseas travels.

The DoJ’s new litigation section has obtained Congressional approval and comes nearly a year after the findings of the DoJ’s July 2022 Comprehensive Cyber Review, which advocated a more “offensive” DoJ approach to how it investigates, prosecutes, and combats cyber threats. Perhaps more important is the fact that this new legal approach further reinforces the Biden Administration’s more aggressive position of tackling cyber malfeasance at its source, as advocated in the United States’ latest National Cybersecurity Strategy and building on the Department of Defense’s “defend-forward” operations. A more forceful DoJ provides a legal tool to address cyber threats that could be used independently of or in concert with other nations’ law enforcement and intelligence apparatuses. The move essentially formalizes a part of the national security cyber mission into the DoJ’s hierarchy.

The DoJ has some successes that bolster the justification for such moves. Recently, it helped in the disruption of the Russian intelligence cyber espionage activities dubbed Turla, obtaining a court authorization that allowed U.S. law enforcement to “wipe out” the malicious code. The mission required international cooperation and collaboration due to the global nature of the infrastructure used by these actors. In the beginning of 2023, the DoJ led the coordinated disruption of the Hive ransomware group, a ransomware-as-a-service offering that had targeted more than 1,500 victims globally and received more than USD $100 million in ransom payments. These two operations are indicative of the type of work the DoJ’s new cyber section is looking to undertake, making it clear to both state adversaries and the more prolific cybercrime gangs that the United States is prepared to go after perpetrators both legally and via hunt forward operations.

While the United States has been implementing cyber indictments and cyber sanctions to punish state and nonstate cyber threat actors, its primary adversaries like China, Iran, North Korea, and Russia have not followed suit. At best, these governments have preferred to combat such claims via official denials in the press, or else reciprocate by accusing the United States of its own cyber malfeasance, arguing that the U.S. has provided cyber support to oppositionist groups and conducted hacking in pursuit of its own surveillance interests. China specifically has countered with tactics that mirror what the United States has done, using a combination of press denials and published reports from at least one cybersecurity company and one government cybersecurity agency to expose alleged U.S. cyber attacks.

Beijing has especially upped its game, moving away from its pre-Xi non-confrontation strategy and engaging in a robust media campaign pointing to U.S. transgressions with respect to sanctions, slander, and what it has described as hegemonistic practices akin to hybrid warfare.  China has even questioned the reporting of U.S. cybersecurity companies after a recent vendor report alleged China-linked hackers had attacked hundreds of targets around the world.  In rebuttal, a Chinese foreign ministry spokesperson refuted these claims and intimated that U.S. cybersecurity companies were “accomplices for the U.S. government’s political smear against other countries.”  

While Beijing has imitated some U.S. methods with respect to calling out nation state cyber activity, it has not yet fully replicated Washington’s playbook. It is no doubt looking closely at the recent establishment of the DoJ National Security Cyber Section with concern, especially in the wake of U.S. engagement in cyberspace with its Cyber National Mission Force. A recent Chinese news piece called out the United States’ penchant for forming what it calls “tight circles” of likeminded governments in order to execute its plans in cyberspace, whether that be to impose its views of how the Internet should be run, to set standards, or, in the case of hunt forward operations, to have the justification to offensively engage its adversaries under the umbrella of cyber assistance. Still, while Beijing remains fixed on challenging the United States at every turn, shoring up its ties with allies and trying to cultivate new ones, it has not yet adopted similar hunt forward operations, likely in order to preserve its self-described image of a law-abiding, defensive-minded country that will not strike first.

But the legal aspect is neither a digital nor a kinetic course of action. China already continues to revamp its laws to improve its national security, with implications for both domestic and foreign presences within China. This is an important instrument for Beijing, as it is used to cast doubt on the legality of foreign activities in areas like land and maritime disputes and trade, for example, but also to give the government justification to take action against them. Beijing will likely sit and watch how the United States implements this new DoJ power and mission before making any overtures toward replicating it or implementing a different initiative to counter its reach and effect. While the DoJ has indicted several Chinese intelligence and military officers, there has been no apparent mission to actually pursue, arrest, and extradite these individuals. A curious turn of events for a country labeled an “unparalleled” cyber threat by the director of the FBI.

The U.S. never mentioned China specifically when it announced the creation of the DoJ National Security Cyber Section, though the intimation was clearly there. This can certainly be interpreted as a signal of a possible course of action if Beijing doesn’t cut back its cyber activities. However, while the United States has frequently condemned Chinese cyber espionage activities, Washington has fallen short of imposing severe penalties that might risk other areas of engagement where the two countries benefit more from collaboration and mutual interest. This will truly be a test to see how far the United States is willing to go with China in this regard. State-sanctioned nonstate criminal actors will likely be in the immediate crosshairs, especially as this program tries to establish itself and work out any kinks before moving on to more accomplished government and military actors. The success of this initiative at that level will largely demonstrate to those closely observing these DoJ developments whether this is a viable tool for the United States, or just another symbolic gesture that might bark loudly but lacks any real punitive bite.

Emilio Iasiello

About the Author

Emilio Iasiello has nearly 20 years’ experience as a strategic cyber intelligence analyst, supporting US government civilian and military intelligence organizations, as well as the private sector. He has delivered cyber threat presentations to domestic and international audiences and has published extensively in such peer-reviewed journals as Parameters, Journal of Strategic Security, the Georgetown Journal of International Affairs, and the Cyber Defense Review, among others. All comments and opinions expressed are solely his own.