Select Page
Is Leaking a SCOTUS Opinion a Crime? The Law Is Far From Clear

Is Leaking a SCOTUS Opinion a Crime? The Law Is Far From Clear

“Legal scholarship provides little clarity regarding § 641’s interpretation; only a few scholars have even recognized § 641’s application to information,” reads a Columbia Law Review article about the statute’s use for prosecuting leakers, written by Jessica Lutkenhaus, an attorney focused on criminal defense at the law firm Wilmer Hale. “The circuits disagree about whether § 641 applies to information, and, if it does, what its scope is: What information constitutes a ‘thing of value’?”

Sharing information is arguably fundamentally different from stealing “a thing of value,” Freedom of the Press Foundation’s Timm points out. “You can’t steal a government Jeep or take something tangible or physical from government offices,” Timm says. “But copying something can be construed as different from stealing something. You copy it, and the original thing is still there, and you just leave with papers that didn’t exist before.”

That ambiguity has led different federal courts to come to contradictory conclusions. A Fourth Circuit court, for instance, found in 1991 that a Department of Defense employee who left the DOD for a job at a defense contractor and took information with him was guilty of violating § 641. But a Ninth Circuit court has come to an opposite conclusion, finding in a 1959 case that “intangible” goods are not covered by § 641. That ruling was later applied in 1988 by the same circuit to the case of an information leaker, a naval officer accused of stealing computer punch cards related to secret encryption information. The court confirmed that the information itself was not covered by § 641—though his appeal was thrown out anyway because he’d stolen the physical punch cards that stored it.

Other circuit courts have come to conclusions somewhere in between, with some finding, for instance, that the § 641 does apply to information leaks but noting that this doesn’t extend to those covered by the First Amendment’s protections on free speech and freedom of the press—findings with direct relevance to Politico’s Supreme Court leaker.

Several of the most notable leakers in history have been charged under 18 U.S.C. § 641, too, including Daniel Ellsberg, Chelsea Manning, and Edward Snowden. But the use of that law was overshadowed by their prosecution under the Espionage Act, since all three were accused of leaking classified secrets, and none set a clear precedent. Ellsberg’s charges were dropped due to improper government conduct by the Nixon administration, and Snowden has yet to face trial. Manning was convicted on the 18 U.S.C. § 641 count she faced, but in a military court, not a civilian one.

All of that leaves the legal status of Politico’s leaker—if they are identified—far from certain. But any confident argument that they committed a crime is on equally shaky terrain, argues Timm. And that’s especially true in a case where the leaker appears to have leaked a document directly to the press, with a clear interest in making the information public.

“Even if prosecutors think 18 U.S.C. § 641 applies, I’d have serious First Amendment concerns with broadly applying it to anyone who leaks a government document to the press,” Timm says. “Leaks to the press are as American as apple pie. And, in many cases throughout history, have furthered democracy rather than hindered it.”


More Great WIRED Stories

Feds Uncover a ‘Swiss Army Knife’ for Hacking Industrial Systems

Feds Uncover a ‘Swiss Army Knife’ for Hacking Industrial Systems

Malware designed to target industrial control systems like power grids, factories, water utilities, and oil refineries represents a rare species of digital badness. So when the United States government warns of a piece of code built to target not just one of those industries, but potentially all of them, critical infrastructure owners worldwide should take notice.

On Wednesday, the Department of Energy, the Cybersecurity and Infrastructure Security Agency, the NSA, and the FBI jointly released an advisory about a new hacker toolset potentially capable of meddling with a wide range of industrial control system equipment. More than any previous industrial control system hacking toolkit, the malware contains an array of components designed to disrupt or take control of the functioning of devices, including programmable logic controllers (PLCs) that are sold by Schneider Electric and OMRON and are designed to serve as the interface between traditional computers and the actuators and sensors in industrial environments. Another component of the malware is designed to target Open Platform Communications Unified Architecture (OPC UA) servers—the computers that communicate with those controllers.

“This is the most expansive industrial control system attack tool that anyone has ever documented,” says Sergio Caltagirone, the vice president of threat intelligence at industrial-focused cybersecurity firm Dragos, which contributed research to the advisory and published its own report about the malware. Researchers at Mandiant, Palo Alto Networks, Microsoft, and Schneider Electric also contributed to the advisory. “It’s like a Swiss Army knife with a huge number of pieces to it.”

Dragos says the malware has the ability to hijack target devices, disrupt or prevent operators from accessing them, permanently brick them, or even use them as a foothold to give hackers access to other parts of an industrial control system network. He notes that while the toolkit, which Dragos calls “Pipedream,” appears to specifically target Schneider Electric and OMRON PLCs, it does so by exploiting underlying software in those PLCs known as Codesys, which is used far more broadly across hundreds of other types of PLCs. This means that the malware could easily be adapted to work in almost any industrial environment. “This toolset is so big that it’s basically a free-for-all,” Caltagirone says. “There’s enough in here for everyone to worry about.”

The CISA advisory refers to an unnamed “APT actor” that developed the malware toolkit, using the common acronym APT to mean advanced persistent threat, a term for state-sponsored hacker groups. It’s far from clear where the government agencies found the malware, or which country’s hackers created it—though the timing of the advisory follows warnings from the Biden administration about the Russian government making preparatory moves to carry out disruptive cyberattacks in the midst of its invasion of Ukraine.

Dragos also declined to comment on the malware’s origin. But Caltagirone says it doesn’t appear to have been actually used against a victim—or at least, it hasn’t yet triggered actual physical effects on a victim’s industrial control systems. “We have high confidence it hasn’t been deployed yet for disruptive or destructive effects,” says Caltagirone.

How Russia’s Invasion Triggered a US Crackdown on Its Hackers

How Russia’s Invasion Triggered a US Crackdown on Its Hackers

Since Russia launched its full-blown invasion of Ukraine in late February, a wave of predictable cyberattacks has accompanied that offensive, striking everything from Ukrainian government agencies to satellite networks, with mixed results. Less expected, however, was the cyber counteroffensive from the US government—not in the form of retaliatory hacking, but in a broad collection of aggressive legal and policy moves designed to call out the Kremlin’s most brazen cyberattack groups, box them in, and even directly disrupt their hacking capabilities.

Over the past two months, President Joe Biden’s executive branch has taken more actions to deter and even temporarily disarm Russia’s most dangerous hackers than perhaps any previous administration in such a short space of time. US countermeasures have ranged from publicly pinning the blame for distributed denial of service attacks targeting Ukrainian banks on Russia’s GRU military intelligence agency to unsealing two indictments against the members of notorious Russian state hacker groups to undertaking a rare FBI operation to remove malware from network devices that GRU hackers had used to control a global botnet of hacked machines. Earlier this week, NSA and Cyber Command director general Paul Nakasone also told Congress that Cyber Command had sent “hunt forward” teams of US cybersecurity personnel to Eastern Europe to seek out and eliminate network vulnerabilities that hackers could exploit in both Ukraine and the networks of other allies.

Together, it adds up to “a concerted, coordinated campaign to use all of the levers of national power against an adversary,” says J. Michael Daniel, who served as the cybersecurity coordinator in the Obama White House, advising the president on policy responses to all manner of state-sponsored hacking threats. “They’re trying to both disrupt what the adversary is doing currently, and to also potentially deter them from taking further, more expansive actions in cyberspace as a result of the war in Ukraine.”

Daniel says compared to the Obama administration he served in, it’s clear the Biden White House has decided to take a far faster and harder-hitting approach to countering the Kremlin’s hackers. He attributes that shift to both years of US government experience dealing with Vladimir Putin’s regime and the urgency of the Ukrainian crisis, in which Russian state hackers pose an ongoing threat to Ukrainian critical infrastructure and also networks in the West, where Kremlin hackers may lash out in retaliation for sanctions against Russia and military support for Ukraine. “The Russians have made it pretty clear that signaling and small steps are not going to deter them,” says Daniels. “We’ve learned that we need to be more aggressive.”

The Biden administration’s ratcheted-up responses to Russian cyberattacks began in mid-February, before Russia had even launched its full-scale invasion. In a White House press conference, Deputy National Security Advisor Anne Neuberger called out Russia’s GRU for a series of denial of service attacks that had pummeled Ukrainian banks over the prior week. “The global community must be prepared to shine a light on malicious cyber activity and hold actors accountable for any and all disruptive or destructive cyber activity,” Neuberger told reporters. Coming just days after the GRU’s attacks, that rebuke represented one of the shortest-ever windows of time between a cyber operation and a US government statement attributing it to a particular agency—a process that has often taken months or even years.

Last month, the Department of Justice unsealed indictments against four individual Russians in two state-linked hacker groups. One indictment named three alleged agents of Russia’s FSB intelligence agency who are accused of belonging to an infamous hacker group, known as Berserk Bear or Dragonfly 2.0, that engaged in a years-long hacking spree that repeatedly targeted critical US infrastructure, including multiple breaches of power grid networks. A second indictment put a name to another highly dangerous hacking campaign, one that used a piece of malware known as Triton or Trisis to target the safety systems of the Saudi oil refinery Petro Rabigh, potentially endangering lives and leading to two shutdowns of the refinery’s operations. The Justice Department pinned that attack on a staffer at the Kremlin-linked Central Scientific Research Institute of Chemistry and Mechanics (known as TsNIIKhM) in Moscow, along with other unnamed coconspirators at the same organization.

At the same time, the Cybersecurity and Infrastructure Security Agency, Justice Department, and FBI were taking on a third Russian state hacker group even more directly. In February, CISA first issued a warning that a GRU hacking group known as Sandworm—with a track record that includes everything from triggering blackouts in Ukraine to the release of the NotPetya malware that inflicted $10 billion in damage worldwide—had assembled a botnet of hacked network devices, along with guidance on how to detect and remove the malware, known as Cyclops Blink. When that advisory led to only a 39 percent drop in the number of devices the botnet hijacked, the FBI took the rare step of actually impersonating the hackers’ communications to its command-and-control machines, sending commands to remove the hackers’ malware from those devices, and thus cutting off Sandworm’s access to at least part of its botnet.

The specific targeting of those three hacker groups—the FSB-linked Berserk Bear hackers, the TsNIIKhM hackers allegedly behind Triton, and GRU-linked Sandworm group—shows how the US government is intentionally taking actions to deter and disable the Russian hackers who present the greatest threat of not mere espionage or cybercrime, but targeted, disruptive cyberwarfare, says John Hultquist, who leads threat intelligence at the cybersecurity firm Mandiant and has tracked all three groups for years. “At a time when the US is bracing for potential cyberattacks from Russia, the Department of Justice has specifically indicted two of these actors and carried out an operation against the third,” says Hultquist. “Those are the actors that have the history and proven capability for disruptive and destructive attacks. That’s why operations have been and should be focused on those actors.”

The Enduring Danger of Russia’s Cluster Bombs in Ukraine

The Enduring Danger of Russia’s Cluster Bombs in Ukraine

A graphic designer and illustrator now in his twenties, Worley was one of the lucky children to escape a bleak cluster bomb fate. And while the bombings occurred long before Worley’s birth, he talks about their present-day consequences without concern or a sense of abnormality, as if dealing with the effects of that dark history is a natural and even daily fact of Maltese life.

Stories like Worley’s are woefully common. One popular podcast, My Favorite Murder, even recently aired an episode where the hosts read a letter from an adult listener who, as a child, had thrown rocks at and picked up an unexploded piece of a bomblet-sized explosive from a beach out of concern for the safety of “the beloved sea creatures.” 

Historically, 98 percent of cluster bomb victims are civilians, because of the way the munitions are peppered into an area before—or sometimes even without—sending in troops, according to a 2011 study by foreign policy and terrorism expert Beau Grosscup. It was a tactic the Nazis would use to clear land they wanted, and ironically, they used it heavily against Russia. After one so-called “saturation raid” unleashed over a Russian forest, as Leatherwood detailed in his book on the subject, a German general said, “German ground forces could enter … without encountering any resistance—the forest was truly dead.”

Russia’s modern PTAB-1M bomblets, shown in one recent video of Ukrainian forces collecting them by the hundreds, have evolved since the days of the SD-2 to be able to penetrate tanks, and they can impact areas hundreds of meters in radius. However, both old and modern bomblets can fail to explode.

 Calculated percentages of cluster bomb duds vary between 5 and 40 percent, which when multiplied by the massive total numbers of cluster bombs typically released to create the “saturation” effect, provides a terrifying amount of ordnance left behind. 

Of the 1,818 American bomblets that the US acknowledges it sprayed over the Shomali Valley in Afghanistan in the fall of 2001, 17.4 percent failed to explode, leaving over 300 deadly weapons lying in wait in that valley alone, according to a 2003 study published in Military Medicine. About a third of those were embedded under the soil, meaning they were impossible to see and could easily be set off by the foot of an innocent pedestrian. By 2003, at least three children had already been injured because they thought American bomblets found in the Shomali Valley were toys.

A Ukrainian soldier shows a captured Russian flak vest and casing of a cluster bomb rocket

A Ukrainian soldier shows a captured Russian flak vest and casing of a cluster bomb rocket as Ukraine Army troops dig in at frontline trench positions to continue repelling Russian attacks, east of the strategic port city of Mykolaiv, Ukraine, on March 10, 2022.

Photograph: Scott Peterson/Getty Images

How Iran Tried to Undermine the 2020 US Presidential Election

How Iran Tried to Undermine the 2020 US Presidential Election

Less than two weeks before the 2020 US presidential election, tens of thousands of emails purportedly from the far-right group Proud Boys threatened to “come after” Democrats if they didn’t vote for Trump. As officials warned at the time, the messages were part of a broader Iranian disinformation and influence campaign meant to sow division in the US and undermine confidence in the electoral process. Now, the US Department of Justice has unsealed an indictment that charges two Iranian nationals with carrying out those email blasts and more, providing new details on an audacious election interference scheme.

Seyyed Mohammad Hosein Musa Kazemi, 24, and Sajjad Kashian, 27, face charges of conspiracy, transmission of interstate threats, computer fraud, and voter intimidation. The two allegedly worked for the Iranian cybersecurity company Emennet Pasargad, which Justice Department officials say has contracted with the Iranian government. In addition to the indictment, the Treasury Department’s Office of Foreign Assets Control announced sanctions on Thursday against the company, four members of its leadership, and the two defendants.

“As alleged, Kazemi and Kashian were part of a coordinated conspiracy in which Iranian hackers sought to undermine faith and confidence in the US presidential elections,”  Damian Williams, US attorney for the Southern District of New York, said in a statement on Thursday. “As a result of the charges unsealed today, and the concurrent efforts of our US government partners, Kazemi and Kashian will forever look over their shoulders as we strive to bring them to justice.”

Officials said that they believe the defendants are currently in Iran. The State Department announced a reward of up to $10 million for information about Kazemi and Kashian.

Court documents say that, in addition to the threatening email campaign, the two men also attempted to compromise voter registration databases in 11 states and succeeded in one, where they were able to grab more than 100,000 voters’ private data because of a misconfiguration. Officials declined to identify the state, but The Wall Street Journal reported in October 2020 that it was Alaska.

The defendants are also accused of hacking an unnamed media company that offers content management services to a number of newspapers and other publications around the US. After detecting the activity, the FBI warned the company, which took action to block the unauthorized access. Officials say that the attackers attempted to connect to the media company’s network the day after the election but found themselves shut out. Iranian hackers are known for crafting and distributing legitimate-looking fake news articles or even seemingly hacking real news sites to post manufactured content. 

The indictment also accuses the defendants of carrying out other types of influence operations. Again masquerading as the Proud Boys, they allegedly sent Facebook messages and emails to Republican members of Congress, Trump campaign staffers, and journalists, claiming that the Democratic party planned to exploit security vulnerabilities in state voter registration sites, edit mail ballots, and register fake voters. They also allegedly created and distributed a fake hacking demonstration video on Twitter, YouTube, and Facebook that appeared to show attackers exploiting election infrastructure vulnerabilities to compromise state voter websites and other platforms and generate fraudulent absentee ballots.