On March 11, 2017, Preet Bharara, then the long-serving U.S. Attorney for the Southern District of New York, was abruptly fired by the incoming Trump Administration. Many observers rightly noted Bharara's substantial accomplishments in the prosecution of public corruption and insider trading. But the Southern District's efforts under Bharara's leadership to combat the emerging cyber threat appear to have been somewhat overlooked. During Bharara's tenure, the Southern District brought a series of historic criminal cases in the cyber area, which should be included as an important part of Bharara's impressive legacy.
The cyber threat is, of course, a multi-faceted problem. Many cyber security experts focus their efforts, as they should, on national security, privacy, and business continuity issues. The Southern District's recent record in prosecuting cybercrime, however, shows that the criminal law has been, and must remain, an important component of the response to the cyber threat.
Over the past several years, criminal prosecutors have brought notorious cyber criminals out of the shadows, secured lengthy prison sentences that punish wrongdoers and deter others, and recovered precious assets for victims.
Cyber prosecutions present many challenges, including the need to trace complex trails of digital evidence, to gather evidence in multiple international jurisdictions, and to link actions carried out by computers or code to individual human beings. It is well known that cyber criminals can operate from remote locations, with their identities concealed. Sometimes, the trail runs through an intricate web of masked digital identities. Some have suggested, in light of these challenges, that effective criminal prosecution of cyber crime can't succeed. The Southern District's record under Preet Bharara's tenure proves otherwise.
From early in his tenure, Bharara made cyber crime a significant priority for the Southern District. The office assigned more prosecutors to focus on cyber crime, worked hard to develop the necessary expertise, and developed strong working relationships with specialized agents at the FBI, Secret Service, IRS, and other law enforcement agencies who were busy trying to infiltrate the criminal side of the web. Through public speaking and writing, and by convening cyber experts from across industry and government for public panel discussions, Bharara worked hard to raise public awareness of the cyber threat, to educate business leaders on protective measures, and to encourage victims of cyber crime to come forward and share information with law enforcement.
The results make clear that criminal prosecution can be effective in punishing those who commit cybercrimes, and that criminal prosecution must remain an important part of our effort to protect the public from the cyber threat. For example, in the summer of 2014, it was widely reported that unknown hackers had infiltrated certain systems of J.P. Morgan Chase and compromised the personal information of 83 million individuals and small businesses. It was one of the largest scale cyber thefts of personal information in history and some reports speculated that only a state actor or some similar large-scale enterprise could have pulled it off.
A little over one year later, however, Bharara announced that the Southern District had indicted three men for this heist, and had determined that the theft was part of a broader criminal scheme that had affected multiple institutions. While charges against the three men remain pending, all three have been extradited to the United States from abroad, and it recently emerged that the alleged ringleader, Gery Shalon, is in talks about a possible guilty plea and has agreed to forfeit 81 bank accounts to U.S. authorities.
Bharara's record in cyber prosecutions was certainly not limited to tracking down thefts of personal information. It also extended to the so-called "dark web." For years, an unknown criminal using the moniker the "Dread Pirate Roberts" operated a site on the dark web known as the "Silk Road," from which customers were able to anonymously order all manner of illegal goods and services, including dangerous illegal drugs. Due to the coordinated efforts of law enforcement, under the Southern District's leadership, that site was shut down in October 2013, and the "Dread Pirate Roberts" was unmasked to be Ross Ulbricht, a 29-year-old college graduate who had been running the site, at least in part, from his laptop at a public library in San Francisco. In February 2015, after a four-week trial in open court, Ulbricht was convicted by a Manhattan federal jury of computer hacking, drug trafficking, money laundering, and other crimes and was later sentenced to life imprisonment.
Cyber criminals like Ulbricht and the JP Morgan hackers often use digital currencies like Bitcoin in furtherance of their schemes. During Bharara's tenure, the Southern District also prosecuted the operators of one of the largest and most notorious digital currency services in the world, Liberty Reserve. At its peak, Liberty Reserve was believed to have had more than one million users worldwide, including more than 200,000 in the United States. It was estimated to have laundered more than $6 billion in suspected proceeds of crimes including credit card fraud, identity theft, investment fraud, computer hacking, child pornography, and narcotics trafficking. In May 2016, after a dogged Southern District investigation, Arthur Budovsky, the founder and lead operator of Liberty Reserve, was sentenced to 20 years in prison for money laundering and operating an unlicensed money transmitting business, after previously pleading guilty to those crimes.
During Bharara's tenure, the Southern District also prosecuted and secured lengthy prison sentences for the developers of the Blackshades malware, a software tool used to record a victim's keystrokes and thereby steal passwords, hack social media accounts or other sensitive information; Alonzo Knowles, a hacker who infiltrated the email accounts of Hollywood celebrities as part of a plot to demand ransom payments in exchange for the return of pilfered items, such as unreleased television scripts and sexually explicit photographs and videos; and Jeremy Hammond, a so-called political "hacktivist," who pled guilty to participating in the Stratfor hack, among others.
Even in cases where arrests and prosecutions have not yet been possible, the Southern District has demonstrated the value of criminal prosecution in this area by bringing indictments that "name and shame" the perpetrators of cyber attacks. In December 2016, Bharara announced an indictment charging three Chinese nationals with hacking into the systems of law firms advising on mergers and acquisitions and then trading on the information they stole. Whether or not those defendants will eventually face justice in an American courtroom, the indictment itself demonstrates that those who engage in cyber attacks will not remain anonymous, and also served to raise awareness about the threat hackers pose to law firms and other corporate advisers. Similarly, in March 2016, the Southern District charged seven Iranian nationals associated with Iran's Islamic Revolutionary Guard with conducting a coordinated campaign of cyber attacks on U.S. targets, including the Bowman Dam located in Rye, New York.
The lesson of this remarkable string of prosecutions is clear. Cyber criminals can be identified, apprehended, and prosecuted. While the cyber threat undoubtedly requires responses grounded in national security, privacy, and business continuity concerns, the role of criminal prosecutions can't be overlooked. Though cyber investigations involve novel challenges, those challenges can be met and overcome. Cyber criminals are criminals, just like any other, and they deserve to be prosecuted.
Reprinted with permission from the June 5, 2017 edition of New York Law Journal © 2017 ALM Properties, Inc. All rights reserved. Further duplication without permission is prohibited.