The U.S. Justice Department is adding resources and agents in Pittsburgh to combat hackers, after the steel city’s law enforcement agencies, universities and companies led the way on two landmark prosecutions.
The two cases targeting people in China and Russia have helped make Pittsburgh the epicenter of the U.S. fight against foreign hackers. Now, the Federal Bureau of Investigation is sending a portion of 1,500 new agents to the city, mainly to support such cybercases, and the Justice Department is studying if Pittsburgh’s example can be replicated across the nation.
Pittsburgh’s efforts have been enabled by a mix of local technology researchers, aggressive law enforcement agents and businesses rich with trade secrets. While attorneys in other cities have gone after foreign hackers, Pittsburgh was the first to connect corporate cyber-espionage to the Chinese government and document direct consequences to U.S. companies.
“It’s a model that we need to apply nationally,” John Carlin, assistant U.S. attorney general for national security, said in an interview during a recent visit to Pittsburgh.
Carlin said he met with representatives from public and private organizations in order to study and learn. He said he had discussions about emerging technology and digital threats to think through what kind of legal questions and procedures need to be addressed for future hacking investigations.
“In order to bring a case, we need to learn not just technically how it was done but we need to learn why it was done and why it mattered,” Carlin said.
A lot of those answers can be provided by U.S. Attorney David Hickton, the top federal law enforcement officer in western Pennsylvania. He was responsible for the indictment of five Chinese military officials in May on claims they infiltrated the computers of Pittsburgh icons U.S. Steel Corp. (X) and Westinghouse Electric Co. A month later, his office helped with a case led by the FBI in Pittsburgh to dismantle one of the world’s most insidious computer viruses, Gameover Zeus.
“We are at the emergent stage of the problem of our age,” Hickton said.
Hickton, 58, who was confirmed as U.S. attorney in 2010, said he is marshaling all the public, private and academic resources he can, in part, to help save jobs in his hometown.
“The feeling is that because Pittsburgh is doing well they might put another cyber section here, so there would be two cyber sections at the FBI,” he said. The FBI declined further comment, spokeswoman Jennifer Shearer said in an e-mail.
While FBI Director James Comey declined to say how many of the 1,500 agents would go directly to Pittsburgh, he did tell reporters July 30 that it would be “enough to make a meaningful additional contribution to support the work” that Hickton’s office is doing.
Hickton said his biggest concerns include hackers stealing intellectual property from companies and drug gangs trying to hide from law enforcement by organizing and communicating through the Internet.
“We’ve doubled down on community impact prosecutions in the drug arena but a lot of those organizations are using the Internet and using technology to communicate to try to evade detection,” Hickton said.
At first glance, Pittsburgh would seem an unlikely venue for such ambitious anti-hacker efforts. Yet the city is a place where the past and future collide. Manufacturing companies built by industry titans Andrew Carnegie and George Westinghouse have withstood the test of time, including economic downturns, wars and global competition.
Elsewhere in the city of 300,000, universities, companies and government are coordinating cybersecurity research. The FBI’s cybersecurity fusion unit in Pittsburgh works with other law enforcement agencies, Internet companies and industry officials to share information and resources.
Carnegie Mellon University’s Software Engineering Institute, which receives Department of Defense funding, worked with the FBI to take down Gameover Zeus, which allegedly stole more than $100 million and locked down U.S. computers until ransom was paid. Hickton’s office indicted Evgeniy Mikhailovich Bogachev for running the operation.
Along the banks of the Monongahela River, where copper smelting and steel manufacturing plants once thrived, now stands the Pittsburgh Technology Council, a trade association representing more than 1,400 multinational and startup technology companies.
The 56-page indictment unveiled by Hickton’s office on May 19 marked the first time the Justice Department legally accused members of the Chinese People’s Liberation Army with hacking U.S. companies. The Chinese government has repeatedly denied these charges. In the months since, U.S. companies operating in China, including Microsoft Corp. and Apple Inc., have come under antitrust scrutiny or been denied inclusion for government procurement.
“It was all done on a blank piece of paper where there was no precedent,” Hickton said. “We don’t tell people in other sectors when there’s a threat coming from a nation-state ‘It’s your problem.’ The government steps in. So that’s what we did.”
The companies attacked were as legendary in Pittsburgh as the Steelers, including U.S. Steel, Westinghouse, Allegheny Technologies Inc. (ATI) and Alcoa Inc. (AA) Westinghouse is the nuclear reactor arm of Toshiba Corp. (6502)
Investigators learned, for example, that Chinese hackers on multiple occasions broke into the computers of U.S. Steel in 2010 while the company was litigating trade disputes against Chinese firms for dumping subsidized steel in the U.S., according to the indictment. The hackers gained unauthorized access to data on more than 1,700 computers, including sensitive, non-public, information about the company’s litigation strategies, the Justice Department said.
In 2012, one of the hackers stole network credentials for virtually every employee of Allegheny Technologies, according to the indictment. The access would have allowed the hackers to monitor activity on the company’s computers and steal information, the indictment said.
Hickton wouldn’t discuss exactly how the investigation was conducted or how much participation he received from the targeted companies, saying he didn’t want to re-victimize them. None of the public companies had notified investors of the attacks; aluminum-maker Alcoa and metals supplier Allegheny said the attacks had no “material” impact and were not required to be disclosed under securities laws.
“It’s our decision, not their decision, what case we bring,” Hickton said. “The responsibility for bringing the case lies on my shoulders and the shoulders of our partners in Washington.”
One of the first actions Hickton took after being confirmed was starting up a national security team to focus on cybercrimes because he realized it was a growing threat.
Then, in 2012, the University of Pittsburgh received almost 150 bomb threats. Hickton’s office got involved and in August 2012 secured an indictment against Scottish-born Adam Busby in connection with making e-mailed threats. Busby was living in Ireland at the time. The case convinced Hickton he could bring indictments against hackers in foreign countries.
Technology has proved to be a double-edged sword for many companies. While the health care, engineering and information technology sectors have helped revitalize Pittsburgh’s economy, the reliance on networked computers and servers has given hackers new avenues to attack.
“The hackers are more aggressive, they’re more focused and the way they’re able to go about getting data is more sophisticated,” said John Houston, vice president of privacy and information security for the University of Pittsburgh Medical Center, a $11 billion global health-care nonprofit group.
To contact the reporter on this story: Chris Strohm in Washington at firstname.lastname@example.org
To contact the editors responsible for this story: Romaine Bostick at email@example.com Elizabeth Wasserman