In August 2016, Roman Seleznev, the son of a Russian lawmaker, was convicted of hacking into U.S. businesses' point-of-sale systems to steal credit card numbers and sell them on the dark web. The guilty verdict was the culmination of an arduous decade-long investigation and manhunt, made all the more difficult because Seleznev remained virtually untouchable so long as he remained ensconced within Russia's protective borders.
His ultimate downfall? Russia gets cold.
It was during a quick getaway to the warm, tropical Maldives in July 2014 that U.S. authorities finally caught up to him. Acting on a tip, the Secret Service contacted the Maldivian police via the U.S. State Department, according to Bloomberg. With the assist of an Interpol “Red Notice,” the agency arranged the arrest and transfer of Seleznev, despite the lack of an extradition treaty.
In comments she made this past September at the New York University Center for Cybersecurity, Leslie Caldwell, assistant attorney general at the Department of Justice, reported that 33 individuals have been convicted as a result of an aggressive U.S. government campaign against Carden.su, Seleznev's online marketplace for stolen credit cards and counterfeit IDs. Another 23 individuals have been charged. “Despite their sophisticated technologies, these groups remained vulnerable to a tried-and-true mob-busting technique: infiltration by undercover agents or confidential informants,” said Caldwell.
The conviction of Seleznev, who awaits sentencing in December, represents a notch on the belt of U.S. authorities, who have recently secured a few high-profile international arrests, thanks in part to improved diplomatic efforts with allies.
Romanian citizen Marcel Lehel Lazar, known as the original Guccifer, was extradited from his home country and sentenced this past September for computer crimes that exposed presidential candidate Hillary Clinton's use of a private email server. Later that same month, Syrian national Peter Romar, a Syrian national affiliated with the Syrian Electronic Army (SEA), pleaded guilty to hacking and conspiracy charges after being extradited from Germany.
But the wheels of justice still turn slowly. “As organized crime digitizes its operations, law enforcement faces two significant challenges: first, the use by criminals of new encryption technologies to victimize innocent people while avoiding identification; and second, territorial limits on our ability to gather digital evidence of crimes,” said Caldwell.
To Caldwell's point, even the friendliest of nations have laws and regulations that the U.S. must honor with regards to gathering evidence, pursuing suspects and preserving citizens' privacy. And there still remain large corners of the world where bad actors can operate with impunity, in some cases at the behest of their countries.
“Any time you're talking about investigating, arresting and extraditing an individual from overseas, it's challenging, said Nathaniel Gleicher, head of cybersecurity strategy at data center and cloud security firm Illumio, and formerly a director for cybersecurity policy with the White House's National Security Council. “There's lot of friction, even when you're two countries that are very closely aligned… simply because of different legal systems, different societal expectations,” he added in an interview with SCMagazine.com.
The countries that are best suited to help the U.S. extend its prosecutorial reach are those that possess not only the technical capabilities to investigate a cybercrime but also the substantive and procedural laws necessary to help prosecutors build a strong case, explained Megan Stifel, a nonresident senior fellow with the Atlantic Council's Cyber Statecraft Initiative, in an interview with SCMagazine.com.
For years, “the Justice Department has been working with countries to modernize their substantive laws to criminalize cybercrime activities and help investigators” acquire the data they need, said Stifel, also a former attorney with the DOJ's National Security Division and a former director for international cyber policy in the White House's National Security Council. But even so, acquiring evidence “in a manner that will satisfy the judicial process – that can sometimes be slow.”
“The greatest hurdle is the antiquated information exchange protocols between police agencies,” said Leo Taddeo, Chief Security Officer at security and compliance solution provider Cryptzone, and a former special agent in charge of the Special Operations/Cyber Division of the FBI's New York Office. “These processes involve multiple layers of bureaucracies on both sides. This type of system worked in the age of steamships but quickly breaks down in present-day cyber investigations,” he told SCMagazine.com.
One of the most important tools available to U.S. investigators seeking information from another country is the MLAT or Mutual Legal Assistance Treaty, which governs data exchange across international jurisdictions. Unfortunately, the MLATs process was developed back in the 1970s, and thus was never designed to accommodate complex cyber investigations.
Appearing before members of Congress last February, David Bitkower, the DOJ's principal deputy assistant attorney general, testified that it takes an average of 10 months for the U.S. to respond to another nation's MLAT request – and when the U.S. requests information from a foreign entity, a 10-month response time is a “best case-scenario.”
Edward J. McAndrew, a partner at law firm Ballard Spahr who represents victims of cybercrimes, told SCMagazine.com that the MLAT system can work effectively, but only under specific circumstances. “The MLAT process works fine with truly cooperative nations that are already in possession of the information sought,” explained McAndrew, a former federal cybercrime prosecutor, cybercrime coordinator and national security cyber specialist with the DOJ.
However, when the foreign entity hasn't yet obtained the evidence, the time constraints are too impractical. “Using an MLAT to conduct a search of residences or offices in a foreign country weeks or months after targets learn of an investigation is futile,” said McAndrew. “The evidence is long gone before agents actually hit the door to conduct a search.”
Stifel said that ongoing efforts to enhance the MLAT process could eventually “ease some of the burden and reduce some of the backlog” that international law enforcement agencies are currently experiencing. Among the promising ideas she identified was a computerized system that lets investigators track the progress of an evidentiary request.
Even with improvements, the system would still have its flaws: The U.S. has MLAT arrangements with fewer than half the countries in the world, and many of them exclude certain categories of evidence, according to Caldwell.
Of course, sometimes simple, good old-fashioned diplomacy can go a long way, even without an MLAT or extradition treaty. Such strong partnerships can allow the U.S. to strike quickly if a cybercriminal taking refuge in an adversarial country dares to cross its borders, as Seleznev did when he traveled to the Maldives. “Patience is important in such cases. We may need to wait for extended periods of time before someone travels outside of a country that is uncooperative, but eventually they will,” said Richard Jacobs, assistant special agent in-charge of the New York FBI office's Cyber Branch, in an interview with SCMagazine.com.
Still, manpower and resources are precious, and the U.S. must find new ways to rally international support in order to stay afloat amongst the rising tide of cybercrime. One strategy for this is to find a cause that garners near universal support among nations. Tom Kellermann, CEO of venture capital firm Strategic Cyber Ventures, who formerly served on the Commission on Cybersecurity for the 44th Presidency and acted as an advisor to the International Cyber Security Protection Alliance, believes one such cause is the fight against the online sexual exploitation of children. “Using child pornography as a non-partisan, non-ethnocentric, galvanizing issue, I think, can engender greater cooperation,” said Kellermann in an interview with SCMagazine.com. “Who wants to say no to someone who has a better way of eradicating global child pornography?”
Are Privacy Concerns Warranted?
Of course, legally bypassing the MLAT process altogether could also a viable solution. To that end, the U.S. has been working with the U.K. to draft an agreement that would allow U.S. authorities to directly serve U.K.-based companies with warrants for email records, wiretaps and other data pertaining to Americans. (In turn, the U.K. would have the same authority to serve U.S.-based companies without interference when investigating their own citizens.) In July, the DOJ presented to Congress a proposed legislation that would legitimize this accord, which would likely serve as a model for additional bilateral contracts between nations.
“It's really tricky because there are domestic legal challenges here in the U.S. and you have to build a framework where you're comfortable with the privacy protections that are built in, but it's the best pathway forward… for a lot more effective investigations,” said Gleicher. “The question is, can we do it with other partners as well?”
Privacy groups hope not. In a recent online article, Eliza Sweren-Becker, attorney with the ACLU's Speech, Privacy, and Technology Project, warned that the Administration's data-sharing proposal “would weaken privacy protections for both Americans and individuals abroad.”
If approved, the U.S.-U.K. arrangement could serve as an end-around to a July 2016 U.S. appeals court decision that ruled Microsoft Corporation was not legally compelled under the Stored Communication Act to disclose the contents of a specific subscriber's emails, because they were stored outside the U.S., in Ireland.
“In today's world of global cloud computing, it makes little sense to determine the legality of search warrants based on where companies choose to store their data,” Caldwell remarked during her NYU presentation, emphasizing the Obama Administration's intention to submit legislation “to address the significant public safety implications of the Microsoft decision.”
The ruling has already incited other online service providers to begin hosting U.S. customers' data on international servers as well, in order to insulate themselves from warrants and win the mind-share of privacy-conscious customers.
Despite this strategy, Stifel thinks these technology companies could still show some good faith by helping the U.S. government train foreign authorities to optimally leverage forensics techniques and properly follow investigative procedures. “It would be great if we could see some level of cooperation…” said Stifel.
From a law enforcement perspective, the US-EU Privacy Shield and the European Union's General Data Protection Regulation (GDPR) also represent potential impediments to cyber-investigations, as does the advent of so-called “warrant-proof” encryption technologies that inhibit investigators from cracking suspects' electronic devices.
“Encryption and privacy laws that prevent law enforcement from obtaining information after legally serving a subpoena to gather evidence for an investigation don't simply affect cyber cases; they affect all FBI cases,” said Jacobs. “We are at a point where there needs to be a public discussion to weigh privacy vs. security, and the public needs to understand that if we have more of one, we lose the other. The decision regarding where that balance rests should not be made by the government, nor should it be made by private companies.”
“The government's ability to successfully interdict ongoing courses of criminal conduct – from terrorism to child exploitation to hacking, theft, fraud and corruption – is being severely impeded by technology that hides evidence from investigators even where they have judicial authority to search and seize such evidence,” stated McAndrew.
Generally, the U.S. government does not publicize investigative dead-ends caused by technology-enabled obfuscation, added McAndrew, because criminals would leverage that information to become even more evasive. But he believes it's time the government discloses some of these roadblocks “to allow the public to better understand how much is actually at stake in striking a proper balance between legitimate law enforcement efforts and personal privacy.”
U.S. cyber investigators already have enough hoops to jump through when collaborating with close allies. But when a cybercriminal is holed up in Russia, China, Iran and other traditionally uncooperative regimes, bringing that individual to justice is exponentially more challenging, if not impossible.
Such nations are alleged to let bad actors attack foreign entities with impunity, in some instances because the cybercriminal outfits are paying off corrupt officials, and in other cases because the government actively sponsors such tactics against the U.S.
“Countries that are less democratic have viewed the hacker communities that exist the in dark web forums, that utilize their culture or language, as national assets,” said Kellermann. “Some countries have gone so far as to have a Pax Mafiosa between their intelligence apparatus and the elite cybercriminal communities, as evidenced by the untouchable status of the elite Russian hackers” who are acting as cyber militias targeting Western interests.
Historically, when the U.S. would approach countries like Russia to seek help with investigating an individual, it appeared at times that the regime would use the tip “as a way to recruit for its own law enforcement or intelligence agencies,” said Stifel. The U.S. would identify a potential suspect, and suddenly “the person disappears and is no longer around – and you have to wonder where the person's gone. Have they been recruited by whichever government agency has gone out to make an inquiry?”
In circumstances where an arrest appears impossible, the Obama Administration has instead employed the tactic of “naming and shaming” cybercriminals and the countries that shield them. The U.S. employed this strategy in March when it charged seven Iranians for allegedly hacking into computer systems at American banks and a New York State dam facility. No arrests have yet been made.
The policy has arguably yielded mixed results. After repeatedly naming and shaming Chinese operatives for a variety of corporate and governmental system intrusions, China – also under the threat of sanctions – arrested five individuals it claims were responsible for the infamous hack of the U.S. Office of Personnel Management and also agreed to bilateral cybersecurity talks with the U.S.
“When we get to a point where we have an indictment and it is not likely we will have the opportunity to place the culpable individuals in handcuffs, we need to take other steps to ensure that those responsible for the criminal activity know that there are consequences for their actions,” said Jacobs. “Sometimes unsealing the indictment and publicly naming an individual is the most effective alternative, and one that will hopefully send the message to a criminal that we know what you did and that we will find you no matter where in the world you may be.”
But not everyone is convinced of the policy's efficacy. “Naming and shaming – or obtaining an indictment with no realistic hope and zero plan for pursuing prosecution – is a last resort of limited utility,” said McAndrew. “Once the fact of an indictment is publicized, any prospect for arrest and successful prosecution – however slight it may be – is significantly diminished. Thus, any investigator or prosecutor who is serious about pursuing the offenders would not be holding a press conference about an indictment. We need to back up our words in this area with actions.”
But what actions, precisely? Has the U.S. left any stones unturned? Kellermann believes so.
“The true digital dons of cybercrime… remain untouchable because there's been a failure to address the three pillars of the ‘Cybercrime Economy of Scale,'” said Kellermann. “Those are their hacking capabilities; the anonymous payment systems that facilitate the laundering of proceeds and the distribution of capital in exchange for goods and services; and the bulletproof hosts that serve as criminal hideouts – the forums and the warehouses of stolen intellectual property and national secrets that exist in these forums.”
To destroy this underground economy, Kellermann recommends that the U.S. supplement the FBI and NSA's efforts by harnessing the untapped potential of additional federal agencies. Among the options: ordering the Treasury Department to regulate anonymous payment systems and seize electronic currency linked to cybercriminal operations, and expanding the Secret Service's role in investigating financial cybercrime. (See the sidebar on Kellermann for more details.)
Regardless of which agencies takes charge moving forward, the road ahead remains a long and formidable one. A dangerous cybercriminal could be hiding in any remote corner of the globe, ready to strike again. And while authorities must respect international borders in their pursuit of justice, a cyberattack has no such restrictions on its destructive reach.