10 years on: The 10th anniversary of the first indictment of Chinese PLA actors.
Dave Bittner: Hello everyone, and welcome to this special edition N2K "CyberWire" podcast. I'm your host, Dave Bittner. It's been 10 years since a grand jury in the Western District of Pennsylvania indicted five Chinese military hackers for computer hacking, economic espionage, and other offenses directed at six American victims in the US nuclear power, metals, and solar products industries. This was the first major indictment of its kind. Our guest today, Dave Hickton, is founding director at the Institute for Cyber Law, Policy, and Security at the University of Pittsburgh. Back then, he was the US attorney responsible for bringing these charges. And it was not a decision without controversy among his peers and the powers that be within the US Justice and Intelligence communities. In the end, it's a story of one person sticking their neck out and doing what they believe is right. Stay with us. [ Music ] So, today we are taking a look back as we're just about at the 10-year anniversary of a significant event in cybersecurity. Can you take us back and give us an idea of what things were like for you in the position you were in, and then also your colleagues at the FBI?
Dave Hickton: Certainly. So, I was sworn in in August 2010, and I was very serious about discharging the primary responsibility at my hands, which was to allocate the resources, which were the people and the dollars in my office, to deal with the greatest threats to the district. So, I did a survey directly with many of the stakeholders in the district by going out and meeting with people and asking them what concerned them. And one of the most pivotal moments in that survey was a breakfast meeting with United Steelworkers President Leo Gerard and then-US Steel President John Surma, where they described to me the problem of hacking of intellectual property of our basic industries, especially our steel industry in Pittsburgh, also our aluminum industry, and they talked about the tire industry up in Ohio. And they told me the consequences of this hacking, and they asked me to make it a priority to investigate this hacking and, if possible, bring cases charging those who were stealing the technology.
Dave Bittner: And what was your understanding of cybersecurity at the time and the various players? Was this something that in your position you were already familiar with?
Dave Hickton: I was basically a little bit familiar with, because I was not a career DOJ civil servant. I had worked in private industry and I had represented a lot of clients on a national basis. And it was becoming clear that the ubiquitous nature of the internet, we were now going away from our day calendars, we were placing all of our records on the internet at that time. We're creating an exposure risk. And I also am married to a woman who's been an executive in the metals and aerospace industry herself. And while we're so busy, we don't talk a lot about our work, I was aware in passing that she had been also concerned about being hacked. And I put those two things together and decided that was probably a good -- good thing to work on.
Dave Bittner: Well, take us through the process here. I mean, you decide this is something you want to pursue. How does that translate into the -- the actual physical actions that came to pass?
Dave Hickton: Well, the next thing that happened was is that I went to Washington early in my tenure, I think it was around Labor Day, and this all happened very fast for a session with -- an orientation session with other new US attorneys. And it was kind of like the speed dating process. We met for 15 minutes to a half an hour with the attorney general and all of his deputies. And then we met with the leadership of the various federal investigative components. And one of the most important meetings there was with FBI Director Bob Mueller, who had been a hero of mine. He had been a former US attorney. I had great respect for him. But his wife also was from Pittsburgh, and at that time one of my children was working at the FBI. So after the meeting proper where everybody was involved, I pulled him aside and I said to him, I really want to do something important in the cyber arena. And he said to me, Well, you have a lot of the assets in Pittsburgh. And he talked to me about Carnegie Mellon and the Computer Emergency Response Team, which had been there since the late '90s. He told me about the National Cyber Forensic Training Alliance, which he had opened in Pittsburgh which was the first public-private partnership co-locating FBI investigators with their counterparts in business so that they could clock the grid of all the cyberthreats together and work on attacks and remedies and patches. And he told me about a book that he had given to a lot of the FBI agents called "The Cuckoo's Egg", which was a cyberattack on our national labs. And he told me that in addition to working on the issue of terrorism, which was important then and how it was going to evolve and morph, that creating a cyber group in my office would probably be a good idea. So I went back to Pittsburgh and I announced in October, a month later, that I was going to create a dedicated unit called Cyber and National Security. And then I took the risk of putting almost 20% of my office, directly or indirectly, in that group. So, I had only about 40 lawyers, and there were eight of them that were either directly working in that group or indirectly working in that group, including my civil division, which was the key part of all this. And we met every Monday morning at 9 o'clock like the entire world depended on us. And we took very seriously all the intelligence that we could get from the FBI. We invited them to participate in our meetings, and we -- we demonstrated that we were serious about it, and we went about the business of doing big league investigations in this area.
Dave Bittner: How long did it take for you and your colleagues to realize that you were really onto something here?
Dave Hickton: Well, two things happened almost simultaneously. One is there was a big cyber extortion attempt at the University of Pittsburgh, ironically where I work now. But it's our flagship university in the community, and what had happened was an individual, who we later identified as a Scottish separatist who was hiding in Dublin, had decided to use commercial remailers to anonymize his bomb threats against the University of Pittsburgh. Which occurred because he was unhappy that the university had issued a reward for someone who had put a scroll bomb threat in handwriting on one of the bathroom stalls at the Johnstown campus at the University of Pittsburgh. And this bomb threat that was written on the walls was as a result of the university policy with respect to transgender access to bathrooms. At that time, we really didn't have co-ed bathrooms, and so for transgender students, there was a question of whether their biological gender or their gender as changed or in transition was the proper bathroom. And this was an issue back then in 2012. And the university dealt with the problem, but then someone decided to put a bomb threat in in handwriting on the bathroom stall. And the university issued a reward for the perpetrator, and we then began to receive, published through the local media, hundreds and hundreds of bomb threats that paralyzed the university, paralyzed the community, did great damage to the students, and particularly some of the patients who were in critical care units in our hospitals which were on campus, there were these horrible images of chemo patients walking down the street in the middle of the night with their ports as they were evacuating university hospitals. And I decided to go all in on this investigation. And I had a lot of resistance on this because some people thought it was an overreaction, but I decided that if we were not going to defend the University of Pittsburgh, what did we stand for? And I also felt that if we could not solve this case, how were we going to get after the problem of hacking our corporations? So, the long story short is we started this case in April, right about this time in 2012, and I announced the indictment on August 14th. I know that, because that's my birthday [laughing]. And we -- we solved the case in record time, and no one could believe it, including the FBI and my partners there who were skeptical when we started. There was a funny story that sort of tells the picture, if you will, in a thousand words, is I was so insistent that we do this that I was showing up at the FBI at night to prod them in their work, because I was afraid that they weren't taking me seriously. And I pulled up to the FBI security booth at 9:45 one night, and the security guard was unaware that I could hear what he was saying on the microphone back to the office and he said, That crazy US Attorney Hickton is here and he wants in the building.
Dave Bittner: Oh my.
Dave Hickton: And -- and we all had a big laugh about it later, but, you know, there were people who said this was like activating the Joint Terrorism Task Force for someone who pulled a lever on a fire alarm in a building. And I said, No, this is a different age, and we need to do this, and trust me. And then the next thing I was told was, Well, this is like trying to find a single grain of sand on the beaches of the East Coast of the United States. And I said, Well, then we better get to work. And we worked very hard. We established some critical partnerships which paid dividends later with MI5 and MI6. I actually sent one of my assistants over to Dublin. We had the fortuitous circumstance that the late, great Dan Rooney was ambassador to Ireland at that time, and he cared about what was going on in Pittsburgh. So, I went myself to a Fourth of July party at Phoenix Park, the Ambassador's official residence there. There was a Steelers touch football game and highlights of all the Steelers Super Bowl on big screens, and they dropped the football with a paratrooper. But I was there to get the Garda to help us. And so we learned that cyber was borderless and we needed international partnerships, and we developed them with the Irish and the English. And then there was this very, very -- moment that still gives me goosebumps, where we were on a phone call, a secure phone call with the MI5 and MI6 people, and they said, We think we know who did this. And they identified Adam Stewart Busby, who had been prosecuted for terror threats previously. We were able to locate him. We ultimately created some honeypot evidence, which was we created some lures for him to do some additional threatening, including the last threat was that he was going to kill me and blow up the Federal Building. And we were able to trace back to his IP address that last threat, which sort of cinched the case. And so once we did that case, Keith Mularski, who was my ace FBI agent, and I were invited to go over to London in September. We announced the case in August and the Steelers were playing the Minnesota Vikings at Wembley Stadium. It was the early era of the periodic NFL games in London. And boy, did we want to go.
Dave Bittner: [Laughing] of course.
Dave Hickton: But we couldn't go because we were too busy. So we agreed, through the courtesy of one of the big law firms in the country, Jones Day, to use their video facilities, and we did a Zoom call. And we participated in the conference virtually. And after that session, Keith said, I want to talk to you a minute. And Keith pulled me aside. He said, How serious are you about doing these cases? I said, Very. He said, how many of you can -- can you do? I said, We can do all of them. I said, Keith, I don't think anyone else in the Department of Justice really wants to invest in these cases. And I'm committed to it. I believe it's important. I know it's going to be hard. But if you're in, I'm in. And Keith had been in and around virtually every cyber case that had been done at that point, and he basically said, Okay, let's go. And at that time, we were starting to develop some evidence on the case against China that we're here to talk about today. But really, we sort of just went, you know, Warp Factor six, and I began to devote more resources to it. The FBI ultimately had two squads and then three squads. They had a China squad, a Russia squad. And effectively, if you get to the end of the story, by the time I left, we had the ball, the primary responsibility for China and Russia. The big cases involving Iran were being done out of the Southern District of New York, the Sony case, which was the biggest case. And there was another case involving North Korea, which was being done out of L.A. And those were our four principal adversaries. So, we were really punching above our weight. And we were -- we were really working very hard. And, you know, to this day, I'm very proud that we took the risk. I know now, and I shudder sometimes, that it could have been a disaster, that we could have ended up with no cases and 20% of the office working on stuff that, for whatever reason, we couldn't get to the finish line. But there were a lot of events that happened along the way that nudged the case to the finish line when, you know, the Las Vegas odds, if you will, were that if you did these cases, there were just too many opportunities for them to fail. You know, you could -- you could fail to establish attribution, which is, you know, pin the tail on the cyber donkey, in the parlance of the little kid's birthday party game.
Dave Bittner: Yeah.
Dave Hickton: Or you could establish attribution and someone could say, Well, there's countervailing reasons why we don't want to bring that case. You know, that's a person that we may be cooperating with, or there's reasons with, you know, in the State Department or other components of the government. Or you could get ready to bring it, and there could be an agreement reached that would avert the announcement of the case. So, that's one of the reasons that a lot of US attorneys didn't want to do this. But I thought it was hugely important to do. I also felt that it could never be done from Washington, that even though US attorneys come and go, there's just a basic trust deficit between the corporate community and main Justice that can never be resolved fully. So that the cases really have to be driven by local US Attorneys' Offices. So I was then, I became, and I remain a missionary for the position that everything is local in this area. This is -- when you're talking about nation state hacking and intellectual property theft, this is an assault on our sovereignty by a foreign power, I recognize that. But the threat comes through the private portal of companies who must be convinced that they will not be revictimized if we bring the case. And that was a huge piece of my work. [ Music ]
Dave Bittner: Ten years ago, when the indictments came down on these Chinese PLA actors, among your peers, among the folks in DC, how bold a move was this considered at the time?
Dave Hickton: Well, I don't want to exaggerate. To some people, it was extraordinarily bold and unbelievable, because it just wasn't really on their radar screen as a threat. And the idea that we would indict the People's Liberation Army in Pittsburgh just seems far-fetched. But there were a lot of people who were, you know, in some of the bigger districts that were dealing with national security concerns that were not only aware of it but they coveted the case. And, you know, I spent, as part of the great humorous tradition of the DOJ, that you spend more time doing intramural competing sometimes than you do competing with the adversary. And, you know, districts like Eastern District of Virginia, which sits where the FISA court is, they wanted the case. They made a play for the case. The Southern District of New York, which is, you know, a storied district and DOJ, you know, five, six times bigger than my office. You know, they -- they made a play for the case. They tried to get the case. And there were others. So, it was kind of different depending on where you sat at the DOJ. But the thing was, is that we kept it really quiet. Even within my office, it was kept very quiet. There were very few people who knew we were working on this case, and we kept the victims separate until three days before the case. We, you know, we worked very hard because I knew that if the case was talked about before it was ready to go, it was just too irresistible if it was, you know, in the -- in the chatterbox lane, and I just wouldn't let that happen. So, I think there were five people in my office who knew about it. We talked on secure phones whenever we were talking business about it. Went in the SCF to do a lot of our work and then, you know, three days before we announced, we announced on a Monday, that Friday we had a meeting at the FBI and we introduced the victims in the case to each other, which was a fairly pivotal moment. You know, that could have gone either way or sideways. But it ended up being a galvanizing force, because I was afraid that one or the others of them would back out. And it was very courageous for these companies to do this. It wasn't up to them really, but we went to great lengths, and I was primarily responsible for this, to build credibility with them and make them understand how important this was. And we understood that they were potentially financially at risk, their commercial interests were at risk, their people were at risk, and we went to great lengths to tell them what steps we were going to take to ameliorate that risk. And it would not be an exaggeration that I spent a thousand hours meeting with CEOs and boards and -- and chief information officers and general counsels and business people with the various victims separately. And at that time, that meant all my meetings were 6X because -- and you can assume that there were others that were possible participants in the case, so more than 6X. Because I took the extra step of having the same conversation multiple times separately to pay respect to the fact that each victim in the case deserved to be heard, deserved to feel that I was their advocate, that I was their protector, and that, you know, we were not going to let them be hung out here.
Dave Bittner: When you look back on it, what are your thoughts now? You're ten years removed from it and you see the effect that it's had going forward. What are your feelings there?
Dave Hickton: Well, I'm very proud of it, and I think no matter what I do the rest of my life, if I somehow accidentally stumble to win the British Open Golf Tournament, that will be the second thing that they say about me. The first thing will always be -- you know, there was only one signature on this indictment and it was mine. And I feel it is the most important thing we did. We did a lot of important things. I know that I have had to defend, and I still hear and -- and I respect the point of view the people who say, Well, when are you going to bring the guys to Pittsburgh and have the trial? But something far more important happened that I didn't even imagine could happen. And that was President Xi came to the Rose Garden in September of 2015, you know, 11 months later, or not quite, I guess, how many months later? 16 months later. And they, with specific reference to our case in Pittsburgh, announced an agreement to deal with the intellectual property theft problem. And as we had when we announced the case, they made a distinction between regular spying, which always goes on, it's gone on pre-digitally, and we should probably embrace the idea that we have an intelligence network because it's a stabilizing force in the world. If we don't have surprise, the world is a lot of, say, you know, a safer place. But doing intelligence for intelligence purposes is different than doing cyber infiltration for commercial purposes. And that was the key point we made in this case. I also feel the case was important because President Obama's order in 2011, where he staked out the protection of our intellectual property as a national asset to be protected, that this case vindicated that direction of the president. So, to that extent, I felt like I was a one-star general on the battlefield who had achieved the goal that the five-star had announced. And I felt that it was extremely important that we tell the story with the indictment. That's why the indictment was 50 pages long. It reads like a novel, and it had exhibits at the back of it, including pictures of the perpetrators, and a schedule to reflect that they did their work as a business. It was really an identified unit of the PLA that sat at an identified address in Shanghai. They had business cards, and their work followed the normal work day, 9 to 12, with a recess at lunch and then 1:30 to 5, just like anyone else doing another job. And we therefore identified the Chinese signature, which was a volume hacker of our material with a dedicated unit of their army. And the agreement between President Obama and President Xi was a good agreement. And it provided that the Attorney General and the Secretary of Homeland Security would have biannual meetings, one in Washington, one in Beijing, with their counterparts. And in the main, most commentators believe that for a period of time, this basically held. And Unit 61398, who we indicted, was Advanced Persistent Threat Group 1, the top cyber adversary of the United states. So of course I feel it's very important. And then I think it's really important to understand it wasn't the only case against China we did while I was US Attorney. We did Advanced Persistent Threat Group Number 3, which was Boyusec, which was the commercial company which was the forward-facing anonymizer for the Chinese Ministry of State Security. And when you do APT1 and APT3, you know, that's important. And we did that on the trust and verify moniker because it looked like while the Chinese army, the PLA, had stopped hacking for intellectual property theft, we found that Boyusec was hacking two pretty important American companies, and maybe more, for global positioning satellite technology. And it wasn't just regular spying, it was kind of important commercially. The supposition was that they were trying to get it for precision agriculture. But if you think about global positioning satellite technology, for everything from our communications, our MapQuest that gets us around in our cars, our cellphones. But, you know, there's military applications that are obvious. There's -- there's highly sensitive intelligence applications that are obvious. And so I led the investigation. It was actually announced a little bit after I left, but we did the Boyusec case. And then we did two other cases to purposefully illustrate the China threat, and they were done in May of 2015. One was called United States of America vs. Rukavina. Thomas Rukavina was an engineer at PPG Industries who had responsibility for highly sensitive windscreens for commercial and military jets. And for reasons I still don't fully understand, he had a bad end to his career at PPG and he was approached by an on-the-ground spy in the United States, in California, and for money offered to sell some of his proprietary information. And we caught him and charged him, and very sadly he committed suicide after the first hearing in court. That case remained important because that's a threat, that's a risk, that's something that everybody needs to know about, and putting a spotlight on that was important. And then just a week or two later, we did a fairly significant case involving the Chinese hack of our educational testing service. The SAT exam, the GRE exam, the MedCAT exam. We uncovered an architecture of spies in the United States, who were called hitmen, who would take the test here as if they were a person applying from China. So they were imposters at the test center. And we indicted 15 of them. They all pled guilty, and they were deported. But we learned that there was a wide network of this going on. It led to the suspension of the Educational Testing Service for a period of time. And we uncovered five other schemes, including a scheme to give people answers to tests, a scheme to change test answers. No one is a bigger champion than I am of a cosmopolitan educational opportunity, an international educational opportunity. I benefited from that. Our children have benefited from that. But you cannot cheat on a test. You have to take the test yourself. And so the entire approach of this effort, of which the PLA case was sort of the crown jewel, was applying law to digital space. And so it was important for that reason. It was also to apply law evenly so that if you or I did what these people were doing, either Unit 61398 or these test taker impostors, we would be in prison. And so why would it be that we would let that go on and not charge it, even if it's difficult and it's going to be complicated? And -- and we go forward now today, and there's been tremendous progress built off that case. And the current administration is doing an outstanding job. But I still believe everyone recognizes that this is not only the foundation of that work, but the keystone in that foundation.
Dave Bittner: You know, as you've acknowledged, there were a lot of folks involved in this and you worked with some really top-notch folks along the way. I've -- personally I've had the pleasure of meeting and interviewing Keith Mularski, an outstanding person who was with the FBI. Your story really, in my mind, reinforces this notion that one person can make a difference. Your ability to take this risk, your perseverance, really blazed a trail that folks are continuing down today.
Dave Hickton: Well, that's very kind. I certainly didn't do it myself. I had three really key people around me at the US Attorney's Office. There's nobody better than Keith, and Chris Geary was involved and Mike Crisman. There were three key people at the FBI. Mike Rodriguez was the SAC at the time and we had great support from those that followed him. Doug Perdue and late Scott Smith came into town just in time to announce it. He had come from the Human Resource Department. And then he left Pittsburgh to go head FBI Cyber. I'm very proud of the fact that several of my former assistants received the Attorney General's Award for their work in Cyber. That was a group that didn't even exist when I got there. And, you know, I think that one of the key ingredients of leadership is, you know, the campfire is just a little bit better when you left than it was when you arrived. And, you know, we had some great partners at the Department of Justice who helped us. They were -- they were critical. In terms of working with the other components of the government, and I think the real star of that group was Lisa Monaco, who is now the Deputy Attorney General in the middle of the case. She went over to the White House and became the Deputy National Security Advisor. And that was a -- that was a key moment. And she was a great partner. And I really credit her with being my key Washington partner on this. But, you know, it was lonely at times. And, you know, I find it funny now that I asked others to sign with me at the Department of Justice when it was time to sign. Nobody wanted to sign. So I signed it really large, like John Hancock signed the Declaration of Independence, just in case. I worried that meant that if it didn't go bad -- but we had no idea what the reaction was going to be. We had no idea. There was no precedent for what the reaction would be. China could have called our debt. China could have seized our companies. They could have imprisoned Americans. They could have declared a trade war, or worse. We did not know what their reaction was going to be. We now know that President Xi came to the Rose Garden and said he wouldn't do it anymore. I mean, I never imagined that that would happen, and that is a far better result than if we had gotten guilty pleas from the five defendants and we put them in prison and gave them housing and three square meals a day. So, I didn't know that, but I will tell you that, you know, if you really want to get the essence of it from my standpoint, my ride to Washington DC on Sunday, May 18th, 2014, before I was to announce it with Attorney General Eric Holder on Monday, I could hear my heart beating. It was a ride I know so well that at the Starbucks in Breezewood, they gave me my order without me ordering it. I used to do that all the time, which I think is part of the story here. I think the fact was I was outside the Beltway. I was close enough but far enough away, if you know what I mean.
Dave Bittner: Sure.
Dave Hickton: And you know, Pittsburgh to Washington is somewhere between 3 hours 45 and 5 hours, depending on how fast you're driving and how bad the traffic is. And the Starbucks at Breezewood is halfway there. And I go there all the time. And so when I was driving down there, I was just, like, Oh, my God, what have I done? But it turned out well. And I still remember I got some pretty high-level phone calls from people I don't even want to identify today. You know, by the time they were done, you know, they were in tears, I was in tears. You know, this was something that a lot of people have been working towards for a long time. And I do recognize that I was either determined enough or hard-headed enough that I felt that it was important we do it. And there were not a lot of people who agreed with me when we started. [ Music ]
Dave Bittner: And that is our special edition N2K "CyberWire" program. Thank you all for joining us, and thanks to our special guest, Dave Hickton, former US Attorney and founding director at the Institute for Cyber Law, Policy, and Security at the University of Pittsburgh. Remember, N2K Strategic Workforce Intelligence optimizes the value of your biggest investment - your people. We make you smarter about your team while making your team smarter. Learn how at N2K.com. This episode was produced by Liz Stokes. Our mixer is Tre Hester, with original music by Elliott Peltzman. Our executive producers are Jennifer Eiben and Brandon Karpf. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here next time. [ Music ]