The crimes unfolded while much of America slept.
Throughout the night, the computer systems of major United States businesses were being infiltrated, their data stolen. Financial reports, research and development documents, personnel stats, organizational charts, strategic plans. Vast amounts of confidential, potentially valuable information were being snatched out of cyberspace—but by whom?
David Hickton found out.
He opened an investigation into the thefts in 2010, shortly after being appointed U.S. Attorney for the Western District of Pennsylvania. John Surma, then-CEO of U.S. Steel, and Leo Gerard, former president of the United Steelworkers, believed their organizations were being hacked and asked Hickton to investigate possible corporate espionage. Suspicious activity had been detected on their networks for as long as a decade; simultaneously, the steel industry had faced steep international competition from state-owned companies like those in China.
What Hickton (LAW ’81) and his team’s investigation found was stunning: a foreign government allegedly meddling in U.S. interests.
They tracked the thefts to an office building in Shanghai where five soldiers in China’s People’s Liberation Army apparently spent their time stealing reams of information from American industry.
“It was their day job,” Hickton says. When mapping a schedule of the hacks, investigators produced a graph that looked like a typical 9-to-5 workday, even including lunch breaks. Their target was the steel industry but also included Westinghouse, Alcoa, and Allegheny Technologies.
“When these cyber intrusions occur, production slows, plants close, workers get laid off and lose their homes,” Hickton said at a 2014 press conference held alongside the U.S. Department of Justice to announce the filing of charges against the five soldiers. “This happens in steel towns in western Pennsylvania like Braddock, McKeesport, and Clairton, as well as many other similar towns and cities in the United States.”
The case marked the first time in history that the United States brought a criminal law-enforcement indictment against cyberhackers working for a foreign government. It led then-president Barack Obama to call on Chinese President Xi Jinping to stop the country’s efforts to hack American intellectual property. Ultimately, the two presidents declared that neither government would engage in cyber theft “for commercial advantage.” Several reports have since shown that the number of network hacks from China dropped substantially in the years directly following the agreement.
But Hickton, who is today the founding director of the University of Pittsburgh’s Institute for Cyber Law, Policy, and Security (Pitt Cyber), knows better than most that the threat from international cybercrime remains real and present. And the economy isn’t the only thing at risk.
The problem, he says, is only getting bigger.
Hickton is a cybersecurity pioneer. Over the past decade, he’s trailblazed legal practices for investigating some of the nation’s biggest cybercrime cases. He’s pushed for increased awareness of the menace such crimes pose and advocated for innovations to protect the country’s often outdated or poorly secured digital infrastructure.
He continues this work at the helm of Pitt Cyber, an institute where experts in law, policy, computer science, engineering, and other disciplines are finding answers to some of the greatest challenges that come with a digitally interconnected world. And Hickton’s experience has shown him just how many challenges there are.
“The digital space has emerged so rapidly that it is effectively an airplane we are building as we fly,” he says. “There’s growing space between technology and law.”
His work in cybersecurity—the protection of electronic data and information—is helping to change that.
Cyberattacks come in a range of sizes and severity. Some are small in scale, like stolen passwords to social media accounts. Some are so large that they can cause massive destruction. Imagine malicious code infiltrating government agencies or businesses to obtain top-secret information, as in the China espionage case, or to control the computers of individuals, banks, power plants, hospitals, or state voting systems.
As the methods for these attacks evolve and advance, so must the tools and techniques required to identify, prevent, and prosecute them. And that’s no easy task. Litigating cybercrime cases has historically posed a number of challenges: first in simply detecting and identifying suspects and having enough investigative manpower and technical know-how to pursue them, then in gathering enough credible evidence to build a case, which often requires that investigators work across multiple domestic and international jurisdictions. The complexities of the work mean that success can take many forms.
In the China espionage case, the first-of-their-kind indictments Hickton helped bring against members of the People’s Liberation Army have yet to yield convictions, but they served as the premise for initiating diplomatic change. When it comes to cybersecurity, Hickton says, bringing problems into the light is key to finding solutions.
“Being invisible is the principal currency of our hacking adversaries,” he says. “Unmasking them is very important.”
At Pitt Cyber, Hickton leads the charge to expose and explore key subjects like election security and Russian hacking—problems that are influencing the course of the country’s future. Their examinations may help prevent future cybersecurity disasters.
Before he was appointed as a U.S. Attorney, Hickton felt like something was missing. After growing up in Pittsburgh, he earned his law degree from Pitt in 1981 and cofounded his own firm where he practiced commercial law. He was highly accomplished. But he eventually began to feel unfulfilled.
“I wanted to do something that really impacted people,” he says.
Being a U.S. Attorney certainly matched his aspirations. As the 93 highest-ranking federal law-enforcement officers in the country, U.S. Attorneys take on terrorism and organized crime, fight racial discrimination, and prosecute corporate fraud and insider trading. One of Hickton’s most notable predecessors, former U.S. Attorney Dick Thornburgh (LAW ’57), combated pollution by Pittsburgh steel companies in the ’70s, before many environmental laws existed, and he laid the groundwork for protections still in place today.
“No matter what happens in a U.S. Attorney’s office, the responsibility is awesome—in the way the word used to be meant—and you feel it,” Hickton says.
Appointed in 2010 by President Obama, he was involved in many high-priority initiatives throughout his six-year tenure. He co-chaired a national Heroin Task Force to address the opioid epidemic. He investigated misuse of educational funding and led the prosecution of those involved. He initiated changes to the Pennsylvania Department of Corrections and helped to facilitate better relations between communities and law enforcement. But even amid that important work, the “cyber threat” loomed large in his mind and on his schedule.
As a private attorney, Hickton had worked cases involving cybercrime. He’d also taken an interest in “the question of a borderless cyber environment where laws in the United States might not match up with . . . laws in countries that are not allied with us.”
The first job of any U.S. Attorney, he says, is to assess existing threats like these.
Within a month of taking office, Hickton created a dedicated national security cyber group—something he says had yet to be done in any of the other U.S. Attorney offices. He held weekly meetings with about 40 other lawyers, many of whom were skeptical that they’d have any cases to work on or be able to prosecute them.
Despite his colleagues’ initial uncertainty, cybercrime cases would become some of the biggest his office would handle.
Like the China espionage case, much of Hickton’s work involved forging new pathways to investigate and prosecute crimes—and discovering how foreign governments can use the Internet to compromise U.S. interests. To list the investigations he initiated throughout his tenure is to catalog some of the most significant cybersecurity-related cases of the past decade.
Weeks after the China indictments were issued, another landmark case was announced. Hickton’s office and the Department of Justice indicted Russian cybercriminal Evgeniy Bogachev, whose identity had eluded law enforcement for more than a decade. Bogachev was the mastermind behind a large-scale racketeering scheme that used a computer program to allow him and others to capture bank account numbers and other personal information and steal more than $100 million from businesses and individuals. Some evidence suggests that the Russian government sanctioned some of the crimes.
In another case, Hickton worked with the FBI to shut down a cybercrime forum called Darkode, which involved at least 70 criminals in 20 countries sharing and selling malicious software and other illegal goods. In yet another, he began the work to identify and indict three Chinese nationals believed to be responsible for stealing sensitive information from three companies, including Siemens. And before leaving office, he kicked off the investigation into the Russian agents believed to be behind the hacking of the Democratic National Committee.
He also took down cyber threats closer to home. In 2012, Hickton oversaw efforts with the FBI’s Joint Terrorism Task Force to pinpoint the primary culprit behind a series of disturbing and disruptive bomb threats made to the University of Pittsburgh. Over two months, the Pittsburgh campus received more than 52 threats, many of which were emailed. The perpetrator used digital masking devices to hide his location.
“Someone said at the time we started that we have about as much chance to identify who’s doing this as finding a single grain of sand on a beach,” Hickton says. But in fewer than 90 days—using methods that are still confidential—the team found and charged a suspect, known disrupter and Scottish separatist Adam Busby.
Upon stepping down from his position in 2016, Hickton was lauded by then–Attorney General Loretta Lynch.
“Under David’s outstanding leadership, his office has been at the forefront of some of the Justice Department’s most consequential achievements of the last few years,” she wrote in a statement at the time. “There is no doubt that the United States is a stronger and safer place because of David’s many contributions.”
Hickton was satisfied with his accomplishments, but he was also left with deeper quandaries about the future of the country’s digital infrastructure.
“We’ve connected 7 billion people around the world to the Internet,” he says. “But we basically have no rules.”
He was still planning how to continue his work in cybersecurity when Pitt Chancellor Patrick Gallagher called.
In 2018, Pitt Cyber took on an issue that Hickton views as a threat to the nation’s democratic fiber: voting security. The institute launched the Blue Ribbon Commission on Pennsylvania’s Election Security to examine potential vulnerabilities to the Commonwealth’s election infrastructure and recommend solutions. Among its sobering findings were that 83 percent of Pennsylvania voters were casting ballots at a precinct with no paper-based fail-safe, making hacking easy and essentially undetectable. The commission recommended an immediate overhaul to include voter-marked paper ballots, among other changes. The findings helped bolster state lawmakers’ work to update the system. New voting machines are expected to debut across the state in time for the 2020 presidential election.
This is the kind of work Chancellor Gallagher had in mind when he reached out to Hickton in late 2016 to discuss an idea for a cybersecurity and policy institute at Pitt—an idea the former U.S. Attorney found exciting.
Both individuals, it turns out, have backgrounds in cyber issues. Before being appointed chancellor in 2014, Gallagher directed the National Institute of Standards and Technology (NIST), which has responsibility for developing cybersecurity standards for the non-national security side of the U.S. government. He also led the development of a first-ever framework for the standardization of cybersecurity practices in the private sector, in response to a 2013 presidential executive order.
But Gallagher deduced from the outset that the NIST standards were only one step in addressing the problem. “This is not a once-through,” he said in 2013. “We are not done. Cyber threats are going to continue to evolve, and cyber-risk management has to therefore evolve with them.”
“We have to treat the efforts to stop hacking like the efforts to first go to the moon,” Hickton says. “President Kennedy said that we would do those things ‘not because they are easy, but because they are hard.’ What do we do otherwise? Surrender? I won’t accept that.”
Though the institute is still in its infancy, it is already making strides with help from its staff of experts, including Executive Director Beth Schwanke, an accomplished lawyer with extensive experience in federal law and global policy development.
Pitt Cyber’s inaugural symposium in 2017 took on Russian hacking, drawing a capacity crowd of security experts, journalists, and members of the University community. The institute launched a salon series with Carnegie Mellon University’s Software Engineering Institute to discuss technology-related challenges in areas like health care, education, the military, and the corporate world.
Pitt Cyber also provides grant funding for research projects involving key issues like preventing cyberattacks in smart grid systems or securing the computer networks that direct automated manufacturing. During the summer, it hosts an Air Force Association CyberCamp, where 250 high school students learn about cyber ethics and network and systems security, culminating in a cyber defense competition.
Hickton wants to ensure that Pitt Cyber is helping to train the next generation to pick up the mantle. There’s a “staggering gap,” he notes, between demand and the number of skilled cybersecurity professionals in the workforce.
“Dave is a force,” Gallagher says. “He’s lived, worked, and led through some of the most complicated and cutting-edge cyberspace challenges. At the University of Pittsburgh, he’s continuing this charge, defining and redefining the fields of cyber law, security, and policy for society’s clear gain.”
For Hickton, a man who knows firsthand the dangers lurking in an underprotected digital landscape, the work is a calling. And it is never done.
Cover image: David Hickton
This article appeared in the Fall 2019 edition of Pitt Magazine.