The decision by top intelligence and Homeland Security officials to attribute election-related data breaches to top Russian government officials earlier this month marked a sea change in cyber relations between the two former Cold War adversaries.
Eight years after Russian hackers were first rumored to be behind an attack that spread from a suspect flash drive at a U.S. military installation in the Middle East to infect classified and unclassified networks across the Defense Department, the U.S. finally accused the Russian government of a major cyber strike against a prominent U.S. target.
Nine days after that attribution, Vice President Joe Biden promised on “Meet the Press” the U.S. would launch a “proportional” response to the Russian hack and that Russian President Vladimir Putin would know about that response when it happened. The broader public in the U.S. and Russia, he suggested, probably wouldn’t.
The U.S. decision to attribute the hacks to Russia likely stems from numerous factors, legal experts told Nextgov, including improved technical attribution, grave concerns that the breach might undermine the U.S. electoral process and the broader deteriorating U.S. relationship with Russia in Ukraine, Syria and elsewhere.
How the U.S. responds to that attribution, however, will establish an important precedent in the developing cyber domain and could help determine whether cyberspace becomes a more or less lawless place.
“The intellectual dilemma is you have to find a sweet spot between doing nothing and doing too much,” said Herbert Lin, a senior research scholar for cyber policy and security at Stanford University’s Hoover Institution and a member of President Barack Obama’s Commission on Enhancing National Cybersecurity.
“If you do nothing, then they acted with impunity and will do it again,” Lin said. “If you do too much, then you provoke them into doing too much in response … They respond to our response and we respond to theirs and so on. Where do you stop?”
Director of National Intelligence James Clapper struck a similar note at a Council on Foreign Relations event Tuesday, warning that "given the tremendous dependence of this nation on the cyber domain ... we have to think twice, I think, and be very cautious about retaliating in a cyber context."
The joint statement from Clapper's office and the Homeland Security Department on Oct. 7 accused top Kremlin officials of directing “compromises of emails from U.S. persons and institutions, including from U.S. political organizations,” referring to breaches at the Democratic National Committee and of several top political officials.
The statement also noted several U.S. states had reported scanning and probing of election systems, which officials had traced to Russian servers, though intelligence officials cannot be confident the Russian government is involved.
Democratic presidential nominee Hillary Clinton has accused the Russian government of using the leaks to give her opponent Donald Trump an advantage, while Trump has insisted there’s no proof Russia is behind the breaches.
A Symbolic Response
A covert response to the Russian attacks would break with the precedent established by earlier U.S. responses when officials attributed hacks to nation states—at least as far as we know.
The Justice Department indicted five Chinese hackers it accused in 2014 of hacking U.S. companies to steal intellectual property and trade secrets. It also indicted seven Iranians it accused this year of hacking a dam in upstate New York. The Treasury Department applied additional sanctions against North Korea after attributing the Sony Pictures Entertainment hack to the rogue nation in 2015.
But those responses were largely symbolic because none of the Chinese or Iranian hackers has reached a U.S. courtroom and global trade with North Korea is nearly nonexistent.
A covert cyber response against Russia might be equally symbolic, said Adam Segal, director of the Digital and Cyberspace Policy Program at the Council on Foreign Relations. For example, the U.S. might digitally attack the computer hardware the hackers used. That would have the benefit of demonstrating a direct link between the attack and the response but it wouldn’t make much real-world difference, he said.
Even if the Obama administration makes no response at all to the Russian actions, it might benefit from Biden’s statements, Segal said.
“There’s domestic pressure for them to do something,” he said. “Suggesting there are covert or secret attacks going on may take some pressure off … It also creates, in Russia, a sense that now anything that goes wrong there has to be some discussion: ‘Was it a cyberattack? Or just a bug or a glitch?’”
Segal argued in an Oct. 10 blog post the likeliest U.S. response would be outside of the cyber domain, possibly imposing a special set of sanctions the Obama administration created in 2015 that allow the Treasury Department to seize property and assets from people who benefit from cyberattacks and breaches.
That possibility seems to have been foreclosed by Biden’s comments because the public would know about the sanctions. A White House spokesman declined to expand on what Biden’s comments might mean.
U.S. opportunities for a cyber counterstrike are relatively limited because the U.S. has been an outspoken advocate for extending basic principles of international law to cyberspace, said Catherine Lotrionte, director of Georgetown University’s Institute for Law, Science and Global Security and former assistant general counsel at the CIA.
The U.S. also pushed for a set of global norms in cyberspace that were adopted by a United Nations experts group in 2015. Those norms state nations should not attack each other’s critical infrastructure or cyber emergency responders, and should assist investigations of cyberattacks launched from their territory.
Norms are standards not codified by treaties but are generally respected by nations in practice.
Biden’s promise that the U.S. will respond to the DNC hack would establish that the U.S. believes Russia’s actions fall outside global norms, she said: specifically, that while nations often steal secrets from their adversaries’ political parties for intelligence purposes, it’s out of bounds to release those secrets in a way that might undermine an electoral process.
“Some activities cross over what the U.S. finds to be acceptable,” she said. “This is distinguishing between espionage versus going a step further and actually trying to influence the political process.”
Possible cyber responses include targeting the hardware used in the attack or undermining Russian web censorship tools, according to an Oct. 12 Foreign Policy article by retired Adm. James Stavridis. Another option is exposing ill-gotten gains in Russian officials’ overseas banking accounts, wrote Stavridis, who is now dean of the Fletcher School of Law and Diplomacy at Tufts University.
A covert response doesn’t necessarily equate to a cyber response, Lotrionte noted. For example, the U.S. could help an ally arrest a top Russian official without disclosing its aid.
Cyber Problem or Russia Problem?
Former National Security Agency Director Gen. Michael Hayden suggested in a question and answer session with the Heritage Foundation Oct. 18 the U.S. should respond more broadly to Russian aggression rather than separating out the DNC attack.
For example, the U.S. might shift course on sharing defensive weapons with Ukrainian forces or increase gas shipments to European allies, he said.
“Do not drop this in the cyber problem box; drop this in the Russia problem box,” Hayden said, arguing that “gives you a far broader view in terms of responding” and also would allow the U.S. to deny a direct link between the hack and the U.S. response.
The Case for Transparency
Mary Ellen O’Connell, a professor of law and international dispute resolution at Notre Dame University, criticized taking any covert response before presenting evidence that Russia is responsible for the hack, first to the Russians themselves and then, if Russia continues to deny responsibility, to the global community. At that point, the U.S. could respond in a public and proportional manner, she said.
“Two wrongs don’t make a right,” O’Connell said. “It just makes the internet unusable for everybody.”
U.S. intelligence officials are typically wary of such public presentations regarding cyber breaches out of concern they might reveal the U.S.’s own sources of digital intelligence.
Lotrionte urged a less drastic path: presenting to the United Nations Security Council some limited evidence, scrubbed of information that might compromise intelligence gathering, and forcing an embarrassing conversation.