It’s On: US Mulls Tricky Options for Retaliation Against Russian Hacks

Russian President Vladimir Putin

Russian President Vladimir Putin Alexander Zemlianichenko/AP

Featured eBooks
Digital Transformation
Read Now

Federal IT Modernization Still a Major Challenge

Read Now

DHS’ next chapter as an enterprise services provider

Read Now

What's happening in health tech

Read Now
Joseph Marks By Joseph Marks,
Senior Correspondent

By Joseph Marks

|

The U.S. will find it difficult to stand up to Russian hacking while promoting a stable cyberspace.

The decision by top intelligence and Homeland Security officials to attribute election-related data breaches to top Russian government officials earlier this month marked a sea change in cyber relations between the two former Cold War adversaries.

Eight years after Russian hackers were first rumored to be behind an attack that spread from a suspect flash drive at a U.S. military installation in the Middle East to infect classified and unclassified networks across the Defense Department, the U.S. finally accused the Russian government of a major cyber strike against a prominent U.S. target.

Nine days after that attribution, Vice President Joe Biden promised on “Meet the Press” the U.S. would launch a “proportional” response to the Russian hack and that Russian President Vladimir Putin would know about that response when it happened. The broader public in the U.S. and Russia, he suggested, probably wouldn’t.

» Get the best federal technology news and ideas delivered right to your inbox. Sign up here.

The U.S. decision to attribute the hacks to Russia likely stems from numerous factors, legal experts told Nextgov, including improved technical attribution, grave concerns that the breach might undermine the U.S. electoral process and the broader deteriorating U.S. relationship with Russia in Ukraine, Syria and elsewhere.

How the U.S. responds to that attribution, however, will establish an important precedent in the developing cyber domain and could help determine whether cyberspace becomes a more or less lawless place.

“The intellectual dilemma is you have to find a sweet spot between doing nothing and doing too much,” said Herbert Lin, a senior research scholar for cyber policy and security at Stanford University’s Hoover Institution and a member of President Barack Obama’s Commission on Enhancing National Cybersecurity.

“If you do nothing, then they acted with impunity and will do it again,” Lin said. “If you do too much, then you provoke them into doing too much in response … They respond to our response and we respond to theirs and so on. Where do you stop?”

Director of National Intelligence James Clapper struck a similar note at a Council on Foreign Relations event Tuesday, warning that "given the tremendous dependence of this nation on the cyber domain ... we have to think twice, I think, and be very cautious about retaliating in a cyber context."

The joint statement from Clapper's office and the Homeland Security Department on Oct. 7 accused top Kremlin officials of directing “compromises of emails from U.S. persons and institutions, including from U.S. political organizations,” referring to breaches at the Democratic National Committee and of several top political officials.

The statement also noted several U.S. states had reported scanning and probing of election systems, which officials had traced to Russian servers, though intelligence officials cannot be confident the Russian government is involved.

Democratic presidential nominee Hillary Clinton has accused the Russian government of using the leaks to give her opponent Donald Trump an advantage, while Trump has insisted there’s no proof Russia is behind the breaches.

A Symbolic Response

A covert response to the Russian attacks would break with the precedent established by earlier U.S. responses when officials attributed hacks to nation states—at least as far as we know.

The Justice Department indicted five Chinese hackers it accused in 2014 of hacking U.S. companies to steal intellectual property and trade secrets. It also indicted seven Iranians it accused this year of hacking a dam in upstate New York. The Treasury Department applied additional sanctions against North Korea after attributing the Sony Pictures Entertainment hack to the rogue nation in 2015.

But those responses were largely symbolic because none of the Chinese or Iranian hackers has reached a U.S. courtroom and global trade with North Korea is nearly nonexistent.

A covert cyber response against Russia might be equally symbolic, said Adam Segal, director of the Digital and Cyberspace Policy Program at the Council on Foreign Relations. For example, the U.S. might digitally attack the computer hardware the hackers used. That would have the benefit of demonstrating a direct link between the attack and the response but it wouldn’t make much real-world difference, he said.

Even if the Obama administration makes no response at all to the Russian actions, it might benefit from Biden’s statements, Segal said.

“There’s domestic pressure for them to do something,” he said. “Suggesting there are covert or secret attacks going on may take some pressure off … It also creates, in Russia, a sense that now anything that goes wrong there has to be some discussion: ‘Was it a cyberattack? Or just a bug or a glitch?’”

Segal argued in an Oct. 10 blog post the likeliest U.S. response would be outside of the cyber domain, possibly imposing a special set of sanctions the Obama administration created in 2015 that allow the Treasury Department to seize property and assets from people who benefit from cyberattacks and breaches.

That possibility seems to have been foreclosed by Biden’s comments because the public would know about the sanctions. A White House spokesman declined to expand on what Biden’s comments might mean.

Establishing Norms

U.S. opportunities for a cyber counterstrike are relatively limited because the U.S. has been an outspoken advocate for extending basic principles of international law to cyberspace, said Catherine Lotrionte, director of Georgetown University’s Institute for Law, Science and Global Security and former assistant general counsel at the CIA.

The U.S. also pushed for a set of global norms in cyberspace that were adopted by a United Nations experts group in 2015. Those norms state nations should not attack each other’s critical infrastructure or cyber emergency responders, and should assist investigations of cyberattacks launched from their territory.

Norms are standards not codified by treaties but are generally respected by nations in practice.

Biden’s promise the U.S. will respond to the DNC hack would establish the U.S. believes Russia’s actions fall outside global norms, she said. Specifically that, while nations often steal secrets from their adversaries’ political parties for intelligence purposes, it’s out of bounds to release those secrets in a way that might undermine an electoral process.

“Some activities cross over what the U.S. finds to be acceptable,” she said. “This is distinguishing between espionage versus going a step further and actually trying to influence the political process.”

Possible cyber responses include targeting the hardware used in the attack or undermining Russian web censorship tools, according to an Oct. 12 Foreign Policy article by retired Adm. James Stavridis. Another option is exposing ill-gotten gains in Russian officials’ overseas banking accounts, wrote Stavridis, who is now dean of the Fletcher School of Law and Diplomacy at Tufts University.

A covert response doesn’t necessarily equate to a cyber response, Lotrionte noted. For example, the U.S. could help an ally arrest a top Russian official without disclosing its aid.

Cyber Problem or Russia Problem?

Former National Security Agency Director Gen. Michael Hayden suggested in a question and answer session with the Heritage Foundation Oct. 18 the U.S. should respond more broadly to Russian aggression rather than separating out the DNC attack.

For example, the U.S. might shift course on sharing defensive weapons with Ukrainian forces or increase gas shipments to European allies, he said.

“Do not drop this in the cyber problem box; drop this in the Russia problem box,” Hayden said, arguing that “gives you a far broader view in terms of responding” and also would allow the U.S. to deny a direct link between the hack and the U.S. response.  

The Case for Transparency

Mary Ellen O’Connell, a professor of law and international dispute resolution at Notre Dame University, criticized taking any covert response, before presenting evidence Russia is responsible for the hack, first to the Russians themselves and then to the global community if Russia continues to deny responsibility. At that point, the U.S. could respond in a public and proportional manner, she said.

“Two wrongs don’t make a right,” O’Connell said. “It just makes the internet unusable for everybody.”

U.S. intelligence officials are typically wary of such public presentations regarding cyber breaches out of concern they might reveal the U.S.’s own sources of digital intelligence.

Lotrionte urged a less drastic path: presenting some limited evidence scrubbed of information that might compromise intelligence gathering to the United Nations Security Council and force an embarrassing conversation.

NEXT STORY: Finalizing cyber incident response might be easier than deciding when to use it

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.