Government Giving 'No More Free Passes' To Cybercriminals

At RSA Conference Wednesday, Assistant Attorney General for National Security John Carlin explained the government's new "all tools approach" to cracking down on cyberespionage and other crime.

SAN FRANCISCO, WEDNESDAY, APR. 22  -- Attribution, extradition, diplomacy and other factors have largely helped cyberiminals evade the law. Yet, as John P. Carlin, assistant attorney general for national security at the U.S. Department of Justice explained at the RSA Conference today, the US has become more aggressive, aiming to increase the costs of cybercrime and make it clear "that it is not okay to steal from American companies." 

"There are no free passes," said Carlin. "That is where the PLA case came from."  

In May 2014, DOJ indicted five members of the Chinese People's Liberation Army (PLA) for hacking and espionage offenses against American companies in the nuclear power, metals and solar products industries. Although Carlin said it's likely those five people may never be apprehended and see their day in court, it is important that they be publicly named and formally charged. "We don't want to send the wrong message that we're decriminalizing theft," he said.

In December 2014, the FBI officially named North Korea as the culprit behind the attacks on Sony Pictures Entertainment, and President Obama stated "We will respond. We will respond proportionately and we'll respond in a place and time and manner that we choose."

"That's an important message," said Carlin, "not just to the North Koreans, but to all the [malicious] actors out there."

Carlin explained that attribution is not always easy, but that to the degree it is possible, the government aims to act upon it. "One, we have to be able to figure out who did it, and that's where we need the private sector's help. Two, we can't be afraid of saying it, otherwise it's cost-free. Three, then there have to be costs." 

Those costs, said Carlin, may include indictments or a variety of diplomatic of economic sanctions; and those measures must increase until the activity stops.

"These are hard cases to prove up," he said. "But they're not impossible."