Former officials urge response to Russian hacking

As the Obama administration enters its last weeks, former national security officials say the president needs to punish Russia for interfering in the U.S. election.

 

The growing consensus in the intelligence community, according to press reports, is that Russia not only interfered in the U.S. election, but did so to sway the outcome in favor of Donald Trump. That is fueling calls by former officials that President Barack Obama needs to retaliate against Russia before he leaves office.

The latest reports indicate that the Central Intelligence Agency, Federal Bureau of Investigation, and Director of National Intelligence now concur that Russia carried out a complex cyber operation at the direction of President Vladimir Putin designed to help President-elect Trump.

In a Dec. 16 press conference, Obama addressed the hacking of the Democratic National Committee and other targets, and indicated that responses are in the works.

"Our goal continues to be to send a clear message to Russia or others not to do this to us because we can do stuff to you, but it is also important for us to do that in a thoughtful, methodical way. Some of it, we do publicly. Some of it, we will do in a way that they know but not everybody will," Obama said.

National security experts agree that a U.S. response is required, but they face the same issue that Obama is wrestling with -- how public should it be.

"There has to be a response to this," said retired general and former CIA director David Petraeus at a Harvard Belfer Center event in Washington. "The question is, how do you craft that response knowing that we are more vulnerable than any other country to further escalation of [cyberattacks]?"

Petraeus, who had been in the running to be Trump's secretary of state, said that current officials with whom he has spoken are wrestling with the fact that the U.S. is the most cyber-vulnerable nation, and that there are risks to responding too aggressively or publicly.

"How subtle do you want it?" he said. "How damaging do you want it? Do you try to sort of end it here rather than starting to just to ratchet up and take it farther and farther?"

Other participants at the event cautioned that while a response is essential to punish Russia and deter future hacks, the U.S. has to think through the consequences of any retaliation and recognize that cyber deterrence is not like nuclear deterrence was back in the Cold War.

"Deterrence in cyber is a lot more like deterring crime," said Harvard professor and former assistant secretary of defense Joseph Nye. "It's not going to be perfect. There are a whole series of acts and we want to focus on the ones that are more important and figure out a variety of ways to discourage them."

At his press conference, Obama took up the question of how effective a strategy of naming and shaming would be against an adversary like Putin.

"It's not like Putin's gone around the world publicly saying, look what we did. Wasn't that clever? He denies it. So the idea that somehow public shaming is gonna be effective, I think doesn't read the -- the thought process in Russia very well," Obama said.

Nye argued the U.S. should mix public and private responses to Russia such as publicly sanctioning oligarchs while also quietly "taking away" a cyber capability such as a known zero-day exploit used by Russian intelligence.

However, retired Admiral James Winnefeld, former vice chairman of the Joint Chiefs of Staff, cautioned that in cyber, if you take away someone else's tool or capability, you might have to give up one of your tools to do that, so that can also be a high-cost response.

He said that a U.S. retaliation should target Putin's fear of being perceived as weak and undermine his image as a strong leader.

"The concern that we have to keep in mind is the Russian presence throughout U.S. infrastructure," said Michael Sulmeyer, director of the Cyber Security Project at the Belfer Center.

He argued that any deterrence strategy must recognize that Russia has "advanced placement" of capabilities across U.S. systems, and the U.S. has "to get serious about detecting, removing and blocking further Russian and other adversary activity on our most vital infrastructure."

Making it more difficult to hack U.S. systems or having a more robust containment response in the early stages of a hacking operation would also serve as a deterrent, panelists said. That raises the question of whether the U.S. could have contained the crisis in the first place with a better response to the initial infiltration by Russia.

Over the last year, the Obama administration has put a great deal of effort into formalizing how the government would respond to an attack on a power grid or a transportation system through Presidential Policy Directive 41 and the National Critical Infrastructure Response Plan.

Yet at levels below critical infrastructure, it's not clear that there are any formal structures guiding the response to a significant cyber intrusion.

For example, the New York Times reported on Dec. 14 that in September of 2015 an F.B.I. agent simply left a voice mail at the Democratic National Committee to warn DNC officials that one of their computer systems had been compromised by a hacking group linked to the Russian government.

"The low-key approach of the FBI meant that Russian hackers could roam freely through the committee's network for nearly seven months before top D.N.C. officials were alerted to the attack and hired cyber experts to protect their systems," reported the Times.

"Honestly, when I read that they just left a message, my jaw dropped," former secretary of homeland security Michael Chertoff told FCW.

"For someone at the bureau not to recognize hacking into a major political party is…at a minimum a significant amount of espionage, is a real failure," he said.

Chertoff said the FBI should have gone to the DNC in person immediately and offered assistance, or called in DHS right away "so DHS can send folks over to help them figure out what's going on and guide them to some sort of forensic resolution."

That could have contained the breach before hackers were able to exfiltrate thousands of emails and documents that were then leaked out to damage the Clinton campaign – which was Russia's intention, according to recent intelligence assessments.

"I think the first step is a lesson one of my first bosses at DOD taught me -- when it's important, make it personal," Michael Sulmeyer told FCW.

That attitude, he explained, would in turn lead organizations to take more assertive action in response.

Sulmeyer said that ideally the government would develop a more structured response to intrusions that are significant but don't rise to the level of an attack on critical infrastructure. And that requires thinking through a number of serious questions.

"What institution in the federal government is going to have the lead?" he said. "Just how sensitive is it that you don't blow the intrusion and tip off the adversary, or is it the kind of the situation where it's OK if you actually take a more drastic step early in the name of exposing the operation?"

Ann Barron-DiCamillo, former director of the U.S. Computer Emergency Readiness Team at DHS, told FCW that she expects to see changes at FBI, DHS and other agencies going forward to address attacks on non-critical infrastructure.

"I think you'll see some level of formality added to these institutions because of this," she predicted.

Other former officials, however, cautioned against creating too much structure that ends up becoming restrictive. And Michael Chertoff warned that agencies still must constantly instill a sense of urgency in cybersecurity staff.

"As we've seen in the counterterrorism area too, sometimes you have all the structure and you have the playbook, and somebody just drops the ball," he said.