The Obama administration’s power to impose economic sanctions in response to malicious cyberspace acts gives companies that have been hacked by foreign governments a new way to deter adversaries and prevent them from reaping the rewards of their intrusions, a former senior U.S. official said.
The sanctions tool, which was authorized by an executive order last April 1, has not been used yet. But it is one of the cutting-edge initiatives that Luke Dembosky, until this week the top cybersecurity official in the Justice Department’s national security division, was involved in during his 14 years at the department.
It is important that the sanctions tool “be used soon so that those who carry out significant cyberattacks on U.S. interests know that we mean business,” said Dembosky, who will soon join the law firm of Debevoise & Plimpton.
At the Justice Department, Dembosky was involved in many of the most significant cybersecurity cases, including North Korea’s hack of Sony Pictures; the intrusions into the Office of Personnel Management, widely attributed to China; the breaches of Target, Home Depot and Anthem; and the takedowns of the GameOver Zeus botnet and the illicit Silk Road online bazaar.
Dembosky has also taken part in other leading-edge efforts. In 2009, he won the conviction of Max Ray Vision, who was at the time the most notorious hacker in U.S. history. Iceman, as he called himself, had stolen and sold nearly 2 million credit card numbers and caused losses of $86 million. He got 13 years behind bars, what was then a record sentence in a cybercrime case.
Dembosky, 47, also was part of a small team of administration officials who last fall negotiated a historic cybersecurity accord with Beijing that led to President Xi Jinping’s announcement in September that China would not engage in economic cyberespionage. Until that point, China had never acknowledged that cybertheft of intellectual property for a country’s commercial advantage violated international norms.
“It was, in my mind, a breakthrough on behalf of businesses to protect their valuable intellectual property,” Dembosky said.
But it remains to be seen whether China will uphold its pledge, he acknowledged.
Dembosky, who will help lead Debevoise’s global cybersecurity practice, noted that most companies traditionally have been wary of cooperating with government investigations into breaches. They fear that disclosing sensitive company materials will expose them to regulatory actions, privacy suits or other civil litigation.
But recent moves by the administration have the potential to change the calculus, he said. Faced with the rapid rise of national-security cyberthreats, he said, the government has expanded its arsenal of weapons to use against cyber adversaries. Besides criminal prosecutions, there are export license restrictions, trade and diplomatic actions, and now sanctions.
“More tools give a savvy victim company a broader range of choices in working with the government,’’ he said.
That is, if a company decides to let federal investigators examine the forensic evidence left by the intruders, the government may be able to build a case against individuals who conducted or directed the hack or who, such as officials in a rival overseas company, stood to benefit from it.
In cases where the perpetrators are overseas and are unlikely to be extradited if indicted, it may be that through sanctions their assets can be frozen and banks can be barred from doing business with them. The same penalties can apply to a sanctioned company.
But having the United States impose sanctions on, say, a Chinese or Russian company may not always be the best move for the victim company, Dembosky noted. Some may make the calculation that such a move may result in retaliation against them and that the risk is not worth it.
The point is, he said, there are more powers the government is able and willing to use to hold adversaries accountable and thus more reasons for companies to work with the government in cybersecurity investigations.
But firms also fear regulators’ whips. Last year, the Federal Trade Commission settled a high-profile lawsuit with Wyndham Hotels and Resorts over a series of data breaches that exposed the credit card information of hundreds of thousands of customers. The settlement required Wyndham to set up a program to protect cardholder data as well as conduct annual information security audits, among other steps.
The Securities and Exchange Commission has begun to fine and hold accountable investment adviser firms for data breaches, and the New York State Department of Financial Services has alerted federal agencies that it is considering imposing cyberspace regulations on financial institutions in the state.
“So for companies, there is risk and opportunity in cooperating with government,” Dembosky said.
Judith Germano, a former federal prosecutor who is now a senior fellow at New York University Law School’s Center on Law and Security and a cybersecurity consultant, noted that the FTC has said it will take into account a firm’s cooperation with law enforcement in a breach investigation in evaluating whether the firm has done all it can to reduce the harm from the breach.
She also said that the sanctions tool may be useful but that it is too soon to tell, given it has not been deployed yet.
Dembosky began his cybersecurity career 14 years ago prosecuting Eastern European criminals stealing credit card data to sell on online black markets. In 2010, he moved to Moscow as the Justice Department’s attache, helping establish a cybersecurity “hotline” and other measures with Russia aimed at defusing tensions in cyberspace. In 2013, he came to Washington to oversee litigation in the department’s computer crime and intellectual-property section. And in 2014, he moved to the national security division.
His national security experience is in demand now, said Bruce Yannett, Debevoise deputy presiding partner. “It is clear that the greatest cyberthreats that companies face are state actors and quasi-state actors” who have the resources and skill to cause the most harm, he said. “If you’re shut down, the way Sony Pictures was, or if your deepest, darkest trade secrets are stolen, that can pose an existential threat to any company.”