By: Kaitlyn C. Conway
After three years of investigation, indictments have finally been handed down for several hacking attacks launched from Iran against the United States. The impending results of this investigation and trial could not only mean heightened cyber security in the future, but a major reformation in how criminal investigations are implemented through the use of the Internet.
On March 24, 2016, seven Iranians were indicted by a grand jury in the Southern District of New York on computer hacking charges. The seven Iranian individuals were employed by two Iran-based computer companies, named ITSecTeam (ITSEC) and Mersad Company (MERSAD). These companies have performed work for the Iranian government, including the Iranian Revolutionary Guard Corps. The hacking incidents ranged from DDoS botnet attacks, which commenced in December 2011 and continued until September 2012, to an intrusion into the Bowman Dam between August 28, 2013 and September 18, 2013. The entire hacking campaign lasted a total of 176 days. The DDoS botnet attacks overwhelmed victim servers, preventing customers from using them to access their online bank accounts. The cost of remediation for the Dam incident alone was $30,000.
The indictment was announced by U.S. Attorney General Loretta Lynch, who further stated that: “[W]e will continue to pursue national security cyber threats through the use of all available tools, including public criminal charges. And as today’s unsealing makes clear, individuals who engage in computer hacking will be exposed for their criminal conduct and sought for apprehension and prosecution in an American court of law.”
The investigation itself, which led to the indictment, took over three years. The applicable laws that were used to indict the seven men included the Computer Fraud and Abuse Act, 18 U.S.C. § 1030 (2008), specifically sections (a)(7) and (c), which state that anyone who accesses a computer with intent to extort money or anything of value via interstate or international communication shall be punished either by fines or imprisonment. Also, the Cyber Crimes Act, 6 U.S.C. § 473 (2015), states that the Secretary of State shall operate the Cyber Crimes Center, which shall provide assistance and training specifically to the Department of United States Immigration and Customs Enforcement’s domestic and international investigations of cyber-related crimes. Under subsection (d)(2)(B), the Cyber Crimes Unit (CCU) shall specifically focus on areas including but not limited to: cyber economic crime, illicit e-commerce, and cyber-related smuggling and money laundering. Subsection (d)(2)(C) also provides that the CCU shall provide training and technical support on both state and federal levels.
What is important to note is how incredibly recent both these acts in the United States Code are, especially the Cyber Crimes Act, which was enacted during the investigation for which the seven Iranian individuals have been recently indicted. Looking at the timeline of the incidents, the investigation, and the eventual indictments, it is not easy to ignore how impactful the Cyber Crimes Act is, not only because of the time in which it was codified, but because of the breadth of authority it commands. The first two sub-paragraphs of the act both state that the Cyber Crimes Center shall operate specifically under the auspices of United States Immigration and Customs Enforcement, specifically creating a department that is devoted to the sole purpose of combating international cyber crime. This could have a tremendous impact on other well-known forms of international cyber crime, such as Nigerian 419 scams, which end up garnering billions of US dollars through fraud.
The act also provides that extensive training shall be provided on both state and federal levels, which essentially means that the tide is changing in terms of both criminal investigation and prosecution. What was once something out of bad science-fiction movies is now a common fear for anyone who does online banking. This issue has now been formally addressed by both the legislature and several administrative departments. This could either mean that news of cyber security attacks will be on the rise due to the increased ability to detect and prosecute, or they will decrease due to a focus on prevention. It remains to be seen whether this will be the definite panacea to the nightmare of hacking and data theft, but it is a relief that agencies and courts are now, at face value, obligated to protect individuals against cyber crime.
Kaitlyn is a staff member on the Journal of High Technology Law. She is currently a 2L at Suffolk Law. She holds a BM in Vocal Performance from Westminster Choir College of Rider University.