The US government has been indicting foreign government hackers, and American government hackers are worried China and Russia might start doing the same to them.
Image: Fort George G. Meade Public Affairs Office/Flickr
Earlier this week, US prosecutors charged three Chinese nationals for allegedly hacking into several companies in the span of six years. The three hackers worked for a Chinese cybersecurity company and their alleged crimes were not apparently part of a government operation, according to the US Department of Justice. But two anonymous US government officials told Reuters that the company the hackers worked for is affiliated with the Chinese military’s hacking unit, and that “most if not all its hacking operations are state-sponsored and directed.”
In light of this latest round of indictments against foreign hackers some ex-NSA hackers are starting to worry they might get the same treatment from China or Russia in the future.
“It’s not a question of if, it’s just a question of when and how bad,” Jake Williams, a cybersecurity consultant who used to work at the NSA’s elite hacking unit Tailored Access Operations (TAO), told Motherboard in a phone call. “What goes around comes around.”
Williams called for the US government to openly and publicly promise former and current government hackers that they will be “protected” for their work, in case foreign governments come after them. Ever since the mysterious hacking group The Shadow Brokers, who have called out by name and doxed some ex-NSA hackers, including him, Williams said he has canceled one trip abroad, and refused to take jobs overseas that he would have otherwise taken in the past.
And he’s not the only one who’s worried about becoming the victim of geopolitics.
“I haven't changed my habits but I do have that nagging fear in the back of my head when traveling to countries with extradition treaties with China,” a hacker who used to work on cyber operations for the US intelligence community, and asked to remain anonymous to avoid drawing attention to his identity, told me via encrypted chat. “Mostly, I worry about there being a time in the future where my travel would be limited because I've been charged.”
The hacker said that many people have been worried ever since 2014, when the US government accused members of China’s military of hacking into and stealing American companies’ secrets. That was the first time the US government went after foreign government hackers. Since then, there have been a handful of other cases brought against Chinese, Russian, and Iranian government hackers, including this week’s indictments.
Robert Lee, who used to work for the US military hacking unit Cyber Command, told me in a Twitter direct message that “it’s a horrible and dangerous precedent” for the US government to charge other government’s hackers.
Read more: The Motherboard Guide To Not Getting Hacked
Dave Aitel worked at the NSA in the early 2000s has been an outspoken critic of the US government’s strategy to formally accuse individual foreign government hackers since 2014. For Aitel, who is now the head of cybersecurity firm Immunity, the US government does not appear to know what to do when other governments retaliate.
“It’s a 100 percent chance that eventually they will indict somebody just to be a tit for tat kind of operation,” Aitel told me in a phone call, adding that it’s more likely that Russia will do it rather than China. “We do not have the answer for what happens when they do that—and that worries me.”
Others, however, don’t seem to be particularly concerned. Patrick Wardle, a security researcher who used to work at NSA’s TAO, said he has “zero” concerns about this, and he has traveled to both China and Russia in the last year to speak at cybersecurity conferences.
”I do have that nagging fear in the back of my head when traveling to countries with extradition treaties with China.”
Another former defense official who worked on cyber operations said he wasn’t “terribly worried.”
“On one hand I think that we shouldn't set the precedent of going after specific operators, but highlighting the role of the sponsoring government instead,” the hacker, who asked to remain anonymous to protect his identity, said in an online chat. “However, the countries most likely to retaliate legally, Russia and China, are already sort of an off-limits zone for cleared people outside of official business.”
The hacker said ever since the OPM hack, which exposed the personal data of more than 20 million US workers, those two countries are off limits. “Just better safe than sorry,” he said.
Susan Hennessey, a former counsel for the NSA, said that she isn’t sure that a public declaration of support for current or former government hackers would accomplish anything substantial. Still, “whatever we’re thinking about for external deterrent strategy, we always need to be thinking about the impact on our own people,” she told me over the phone.
Hennessey also added that perhaps the risk of being indicted should be seen as part of the job of an intelligence officer. After all, she explained, spies who work undercover in dangerous places are aware that they are risking their lives and freedom.
Williams, however, said that if he had known that the US government would start going after foreign government hackers, he probably would not have worked at TAO.
“I didn’t sign up for this,” he said.
In response to a request for comment, a spokesperson for the Department of Justice sent Motherboard a statement:
“The Justice Department charges activity that violates our laws, and in this case, alleges that three Chinese individuals who founded a purported network security firm in fact stole trade secrets, among other information, for commercial advantage and private commercial gain.”
The spokesperson declined to answer further questions on the record.
Correction: an earlier version of this piece said that Williams would not have worked in the intelligence community had he known about the US government plans to charge foreign hackers. Williams said he would not have worked at TAO specifically.
UPDATE, Monday Dec. 4, 1:56 p.m. ET: This piece has been updated to include a comment from the Department of Justice.
Got a tip? You can contact this reporter securely on Signal at +1 917 257 1382, OTR chat at email@example.com, or email firstname.lastname@example.org
Get six of our favorite Motherboard stories every day by signing up for our newsletter.