Deterring Russian Hacking Will Take More Than Latest Sanctions, Experts Say


The sanctions aim to pressure Russian oligarchs to pressure Putin in turn, but it will be a long time before behavior changes.

Sanctions the Trump administration announced Friday against Russian government officials and oligarchs are a major step forward in U.S. efforts to curb Russian cyber aggression.

Those sanctions alone, however, are unlikely to change Russian behavior in cyberspace, Russia watchers told Nextgov.

“It’s a start, but this is a long campaign that’s going to last for years,” said Jim Lewis, a top cyber official at the Center for Strategic and International Studies who previously worked for the State and Commerce departments.

“We’re in a long conflict with Russia,” Lewis said, “and this is a different kind of conflict that will rely more on this kind of thing than on building new bombers or sending tanks to Germany.”

Squeezing the Oligarchs

Friday’s sanctions targeted power brokers in Russian President Vladimir Putin’s inner circle—whether or not they were directly responsible for Russian hacking operations and the country’s other nefarious activities.

That contrasts with a separate slate of March sanctions, which targeted Russian spies, commercial hackers and trolls who played a direct role in the nation’s 2016 election meddling but may not have overseas bank accounts or other juicy sanctions targets.

The March sanctions also targeted operators of the NotPetya ransomware attack, which locked computers around the world last year.

One goal of Friday’s sanctions, Treasury Secretary Steven Mnuchin said, was to show that “Russian oligarchs and elites who profit from [Russia’s] corrupt system will no longer be insulated from the consequences of their government’s destabilizing activities.”

The unstated follow-up, Russia watchers said, is that those oligarchs and elites should, in turn, put pressure on Putin to step back from Russia’s aggressive stance in the world, including malicious cyber activity.  

“Whether the people being sanctioned are government officials or whether they’re former officials or powerful people within Putin’s inner circle, there’s clearly an attempt to get these folks in an uncomfortable position,” said Barbara Linney, an attorney with Miller and Chevalier, who advises clients on sanctions issues.

“Perhaps [that’s] in the hope that, since they have Putin’s ear, they might be able to persuade him to bring some of these activities to an end,” Linney said.

Sanctioned For … Basically Everything

The sanctions, which target seven top Russian business leaders, 12 companies and 17 Russian government officials, officially respond to “malign activity around the globe” ranging from the occupation of Crimea to support for Syrian President Bashar al-Assad to “attempting to subvert Western democracies” and “malicious cyber activities,” according to a Treasury Department statement.

That broad focus could be a handicap, said Martin Libicki, chair of cybersecurity studies at the U.S. Naval Academy, because it doesn’t send a clear message to the sanctioned oligarchs about which malign act is most important—or what they can do to get the sanctions weakened.

“It’s sort of like if someone hauled you off to jail for shooting your dog, cheating on your wife and spying for the Cambodians,” Libicki said. “It’s like: What is it that you want me to prevent?”

Libicki’s preference, he said, would be for specific punishments—sanctions or otherwise—to be meted out for specific activities.

“My sense is that the narrower the change you want from folks, the easier it is to get,” Libicki said.

Next Steps

While experts agreed there will likely be follow-ups to Friday’s sanctions, it’s not clear what they would be or whether they would ultimately succeed in changing Russian behavior.

The likeliest follow-up will be additional sanctions aimed at increasing pressure on Putin’s inner circle, Russia watchers said. But the government should also explore other options, such as a campaign to embarrass Putin by exposing Russian corruption, Lewis said.

The U.S. might also consider a retaliatory cyber strike that abides by international cyber rules of the road that the U.S. has pushed, Lewis said. An example, he said, might be “frying servers” at the Internet Research Agency, the Russian company that managed most Russian social media trolling in advance of the 2016 election.

While U.S. officials have acknowledged preparing and training for offensive cyber operations, they’ve been tight-lipped about their actual capabilities. The only offensive cyber operations the U.S. has ever acknowledged are Pentagon operations targeting Islamic State recruiting and communications efforts.

The Trump administration should also focus on keeping communication lines open with Russia and seeking a diplomatic solution, Lewis said.

“Each individual step by itself is not enough,” he said, “but, as they accumulate, it has an effect.”