The Puzzle of the GRU Indictment

Jack Goldsmith
Wednesday, October 21, 2020, 11:12 AM

Why does the Justice Department laud indictments that communicate weakness?

Published by The Lawfare Institute in Cooperation With Brookings

It’s about two weeks before the 2020 presidential election. According to a bipartisan report released by the Senate Intelligence Committee, Russia engaged in “an aggressive, multifaceted effort to influence, or attempt to influence, the outcome of the 2016 presidential election.” And in the words of the FBI director, Russia is engaged in “very active efforts ... to influence our election in 2020.” Unsurprisingly, three-quarters of Americans are “somewhat concerned about interference, whether in the form of tampering with voting systems and election results, stealing data from campaigns, or influencing the candidates themselves or the way voters think about them,” and half are “extremely” or “very” concerned.

And so, at this propitious moment, the Justice Department decides to hold a self-congratulatory press conference to scare the American people even more about Russian capabilities and intentions while at the same time unequivocally signaling its inability to stop Russian cyber actions. I am speaking, of course, of the announcement on Oct. 19 of federal indictments against six officers in the GRU (Russia’s military intelligence agency) for cyberattacks from 2015 to 2019 against the Olympics in South Korea, a French presidential election, Ukrainian infrastructure and (among other things) the NotPetya attacks on numerous companies around the globe. These indictments were unusual because they focused primarily on damage outside the United States from Russian cyber operations. But in other respects they were all too typical.

“No country has weaponized its cyber capabilities as maliciously or irresponsibly as Russia, wantonly causing unprecedented damage to pursue small tactical advantages and to satisfy fits of spite,” said National Security Division chief John Demers. He added that the Russian officers conducted “the most disruptive and destructive series of computer attacks ever attributed to a single group”—the same group, by the way, that interfered in the 2016 election. “Russia is a highly capable cyber adversary, and the information revealed in this indictment illustrates how pervasive and destructive Russia’s cyber activities truly are,” echoed FBI Deputy Director David Bowdich in a press release.

So one message the indictment sends is that Russia is indeed bent on using its cyber capabilities to wreak havoc around the world. There is little news here—the actions subject to indictment had long been unofficially attributed to Russia. But perhaps the detailed conclusory allegations in the indictments aimed to make the Russia threat yet more credible—as if the public needed more credible information on that score.

Another message that comes through crystal clear is the Justice Department’s inability to stop or even slow these activities. Across two administrations and over the course of six years, the department has been issuing indictments against Russian, Iranian, North Korean and Chinese officials (or state agents) for their destructive cyber actions from abroad. Not one (to my knowledge) has resulted in prosecution. And yet Justice Department officials continue to hold these press conferences, describe the cyber threats in dire terms, crow about attribution capabilities and tout the indictments, even while the attacks grow and grow.

What is the point? In a word: attribution. The Washington Post reported, based on a briefing following the press conference with several Justice Department officials, that “the indictment was not a specific warning to Moscow to avoid interfering in this year’s election,” but that it was meant to serve as a “‘general’ warning that such activities are not deniable.” Or as Bowdich noted: “[T]his indictment … highlights the FBI’s capabilities. We have the tools to investigate these malicious malware attacks, identify the perpetrators[.]”

But this warning and highlight are not news, at least not to the sponsors of the attacks. The United States has for six years been playing up its extraordinary intelligence capacity to attribute malicious cyber operations. And for six years the attacks have grown worse. As President Obama said in December 2016: “The idea that somehow public shaming is going to be effective, I think doesn’t read the thought process in Russia very well.”

Bowdich added that the indictments also show that the Justice Department can “impose risks and consequences” on the alleged criminals. These risks and consequences are mainly that the named foreign officials cannot travel outside their countries, or they will surely be arrested. This is not nothing. But it is not much when, on the other side, Russia throws its cyber weight around globally, causes billions of dollars in “unprecedented damage” and seems not to be deterred one bit by the indictments. Whether Russia is actually deterred at the margins is, of course, impossible to know. But the message here is of U.S. weakness in the face of a Russian cyber onslaught—a message that potential third-party adversaries clearly absorb.

This signal of weakness is part of a pattern. “In the past three months alone, the department has charged computer intrusions or taken legal action related to the activities of China, Iran, and North Korea,” said Demers. “Each of these cases charged significant and malicious conduct that we have called out in part to reinforce norms of responsible nation state behavior in cyberspace.” The raft of charges without legal consequences in the face of persistent and destructive cyber operations does not reinforce norms—it highlights that norms do not work here. “Time and again, Russia has made it clear they will not abide by accepted norms, and instead, they intend to continue their destructive and destabilizing cyber behavior,” said Bowdich. What Russia has made clear is either that there are no “accepted norms” or at least that the norms can be thrashed without consequence.

The press conference featured more self-congratulations. “These criminals underestimated the power of shared intelligence, resources and expertise through law enforcement, private sector and international partnerships,” said FBI Pittsburgh Special Agent in Charge Michael A. Christman in a press release. I doubt the criminals underestimated U.S. intelligence capabilities, which the U.S. government has been showing off for years. But I bet they are wondering why the Justice Department continues to trump up its intelligence capabilities in the context of flagging its law enforcement failures. Without apparent self-awareness, Bowdich confirmed the fecklessness of the indictment strategy: “We’ve been fighting the cyber threat for years now, addressing hack after hack, as our adversaries continue to escalate their crimes and use their capabilities not just to gather intelligence, but also to disrupt, degrade, and destroy.”

None of my criticism is meant to minimize the horror of the Russian actions. The “crimes committed by Russian government officials were against real victims who suffered real harm,” stated U.S. Attorney for the Western District of Pennsylvania Scott Brady. “We have an obligation to hold accountable those who commit crimes—no matter where they reside and no matter for whom they work—in order to seek justice on behalf of these victims.” But naming and shaming is not much accountability. And trumpeting that fact is puzzling.

There is surely more going on to meet these cyber threats than this press conference let on—certainly by U.S. Cyber Command and the Treasury Department, and perhaps by the Justice Department and other agencies. When asked whether the Justice Department had “taken any action against [the Russian threat] in the last few weeks or months,” Demers said only: “I’m not going to go beyond what I just said.” I am sure the government is doing everything it can to stop these threats, and hopefully it is more successful in meeting or preempting them than it lets on. The puzzle is why its main public posture is to laud indictments that communicate weakness.

When asked whether Russia was “actively trying to hack or [take] negative actions towards the 2020 American election,” Demers stated that “Americans should be confident that a vote cast for their candidate will be counted for that candidate.” I admire Demers enormously, and I certainly could not do better if I sat where he sits. But my confidence in Justice Department protections against cyber interference in the election dropped after watching that press conference. I cannot fathom why senior Justice Department officials thought it was a good idea.


Jack Goldsmith is the Learned Hand Professor at Harvard Law School, co-founder of Lawfare, and a Non-Resident Senior Fellow at the American Enterprise Institute. Before coming to Harvard, Professor Goldsmith served as Assistant Attorney General, Office of Legal Counsel from 2003-2004, and Special Counsel to the Department of Defense from 2002-2003.
