Are the U.S. Indictments for Iran Cyberattacks Hypocrital?

At Time I have a piece examining the DOJ indictments of the Iranians allegedly involved in the DDOS cyberattacks on financial services in New York. The Iranians appear to have been indicted for retaliating against U.S. cyberattacks on Iran’s nuclear weapons infrastructure, and they got caught because the NSA had penetrated Iranian networks. On its face this seems hypocritical. I examine that question and then ask whether and how the indictments might deter cyberattacks:

The Iranians will almost certainly never appear in the United States and thus never go to trial. John Carlin, the Justice Department’s top national security lawyer, argued late last year that indictments for cybercrimes can contribute to deterrence even if the defendants are never prosecuted because they expose the responsible actors and demonstrate more broadly that the United States has powerful tools to discover and identify those behind cyberattacks. “The world is small, and our memories are long,” Director Comey said yesterday, explaining the government’s deterrence logic. “People often like to travel for vacation or education, and we want them looking over their shoulder.”

It is hard to assess whether the deterrence effect of the indictments will be large enough to stop further attacks on financial infrastructure or so small that they invite more attacks. Moreover, any deterrence achieved by the indictments comes at the cost of exposing U.S. intelligence capabilities and inviting similarly theatric retaliatory indictments. So it’s not clear that the United States has an obviously winning cost-benefit tradeoff here.

UPDATE: When I wrote the Time piece I had missed this important piece by Josh Gerstein. Gerstein notes that the indictment, unsealed on Thursday, was actually “returned just a few days after the U.S. and Iran implemented a high-profile nuclear deal and carried out a series of parallel deals, including prisoner releases and a $1.7 billion U.S. payment to settle longstanding Iranian financial claims.” He then questions the deterrence effectiveness of the indictment when he notes that two months ago “the U.S. dropped the slew of export-control-related cases and released Iranian convicts — including a convicted hacker — in connection with the U.S-Iran deal.” It is easy to imagine that these events together – an indictment that will lead to no arrests and the release of a convicted hacker – will embolden rather than chill Iranian cyberattackers. Unless, as I said in my piece, there is something quite different going on behind the scenes, as one hopes.