2. Sanctions for spies
The U.S. government may not be able to reach hackers located on the other side of the world. And even if we could catch them, we might not want to risk compromising intelligence sources and methods by taking them to court. But that does not mean the United States cannot punish them. The government already uses classified information to label terrorist supporters and drug kingpins as "specially designated nationals" and to impose sanctions on them -- seizing their bank accounts and assets, for example, and prohibiting U.S. citizens from doing business with them. The United States even has such programs for sanctioning Belarusian kleptocrats and conflict diamond purveyors. Maybe it makes sense for Washington to use sanctions to punish misdeeds in Belarus or West Africa, but shouldn't it first use these measures to punish people who are invading homes and offices in, you know, the United States?
It's unclear why the president hasn't done this already -- he's already got all the authority he needs to impose sanctions on cyber spies and their enablers. Under the International Emergency Economic Powers Act, the president could determine that cyber spying poses "an unusual and extraordinary threat" to the United States and declare it a "national emergency." He could then publish a list of hackers who would be subject to sanctions. In keeping with past practice, he could rely heavily on classified data to make the designations -- without disclosing any of it.
3. Prison break meets prisoner's dilemma
Sometimes carrots work better than sticks, and visas can certainly play that role as well.
The Justice Department is authorized to issue up to 250 "S" visas each year to foreign nationals "in possession of critical reliable information concerning a criminal organization or enterprise." The visa allows family members to enter as well, and it becomes a permanent residency if the witness's "information has substantially contributed to the success of an authorized criminal investigation."
Systematically hacking U.S. companies and agencies surely constitutes a criminal enterprise under domestic law, and even an investigation can be deemed a success without leading to a criminal conviction. If a witness's cooperation helps us to thwart other countries' cyber spying campaigns, that surely counts as a success.
So under current law, the Justice Department could send text messages to all the guys who've already been identified as Chinese hackers, saying: "The first one of you who shows up at a U.S. consulate with a flash drive full of your employer's data will get an S visa and $1 million. The second one will get an S visa and $100,000. The third will get an S visa and $10,000. And the rest of you will be indicted with the evidence supplied by the first three."
4. Deny visas to enablers
On the flip side, the U.S. government has the power to deny visas and other perks to entities that act as enablers to hackers.
For example, late last year Trend Micro released a report that unmasked "Luckycat," a Chinese hacker who had attacked the Dalai Lama, U.S. aerospace firms, and other targets. His real name was Gu Kaiyuan, formerly a student at Sichuan University's Information Security Institute and at least at the time an employee at a major Chinese Internet company. Now it may be that the U.S. government can't do much to reach Mr. Gu in China, but why haven't the officials investigating those intrusions gone to his employer and his alma mater and asked them to cooperate in the investigation? Unlike Mr. Gu, those institutions need to maintain good relations with the United States government. Sooner or later, every Chinese university wants its students and faculty to get visas to work and study in the United States. And every Chinese company that does business here is subject to U.S. investigative authority. They have many reasons to cooperate, particularly if the government has evidence that they may have condoned or enabled cyberspying. At a minimum, taking a hard look at these institutions will make them think twice before they support or turn a blind eye to hackers in their midst.