It came as no surprise when the U.S. government on Oct. 7 formally declared Russia was the culprit of several high-profile cyber intrusions this year, such as those into the Democratic National Committee. Several news outlets, citing anonymous intelligence officials, reported that the government had already determined Russia had directed the intrusions. With the public declaration, some wonder whether a public attribution makes a difference, and why now make the announcement now. Is this different from other incidents?
For starters, given the common general consensus that Russia was behind the high-profile hacks, some derided the lack of public action to retaliate. For some, the current cyber deterrence policy is too abstract and has not done enough to deincentivize these types of incidents. In fact, the ranking members of both the Senate and House Intelligence committees drafted a letter weeks prior to the official U.S. government attribution that reached the same conclusion.
The U.S. has worked to put in place a framework for responding to cyber action, which involvesemploying a whole of government approach. Lisa Monaco, the president’s homeland security and counterterrorism adviser, said at the 2016 Aspen Security Forum that when the U.S. publicly associates an actor with a particular action taken in cyberspace, the government is saying the "activity was unacceptable and crossed a threshold," giving the Sony Pictures cyberattack, which was attributed to North Korea. This attack, she said, was destructive and coercive; that, along with the confidence of attribution and ability to keep sources and methods secret, allowed the government to decry North Korea. This tactic was also applied against members of the Chinese People’s Liberation Army when the U.S indicted five members for committing malicious cyber activity against U.S. systems.
This naming-and-shaming method has been derided by some as toothless, as it does little to deter future behavior. "Shame only works if someone is going to be embarrassed," Fred Kagan, director of the Critical Threats project at the American Enterprise Institute, told The Hillin March in regard to Iranian hacking indictments. "I think the Iranians are quite proud of this. I would bet you that there are guys in Iran who are high-fiving … getting huge public credit for this."
From the administration’s point of view, however, it garners greater international support to get to a point of international norms in cyberspace, something the administration has pushed for.
"Is it in our interests to publicly attribute that activity, to name and shame, if you will, to isolate that actor on the world stage, to garner international support to, say, sanction or impose diplomatic costs? Is it in our interest to publicly indict and use our criminal justice process as we did with the Chinese case?" Monaco said earlier this month at an event hosted by The Washington Post.
Not all hacks are the same, however. The administration has on countless occasions said it will apply its broad framework on a case-by-case basis depending on the circumstances. For instance, the administration has not publicly attributed the hack of the Office of Personnel Management, which involved the theft of millions of personal data from federal background checks and is largely believed to have been committed by China. For many, the difference between this case and the public attribution of Russia’s involvement in the DNC hacks are that OPM was traditional espionage.
There’s a real difference between the DNC hack and intelligence gathering, which is considered a gentleman agreement in which each side tries to stop each other, according to
, vice president for the National Security Program at the think tank Third Way.
It’s different when you see Russians, in addition to stealing information for their own national security purposes, using stolen data to manipulate U.S. public opinion and the election process, Eoyang told C4ISRNET.
With OPM, the information lifted was not released to the public to embarrass government employees, she said, adding that with the Russian hacks aren’t only meant for data collection but also for publicly releasing and potentially manipulating the data.
The type of activity associated with the OPM hack, while unacceptable, is within the realm of traditional state-backed espionage, Denise Zheng, who is the deputy director and a senior fellow of the Strategic Technologies Program at the Center for Strategic and International Studies, told C4ISRNET.
The Russian hack includes the additional step by overtly trying to influence a political and electoral system, Zheng said.
Eoyang noted that taking information from adversaries to develop dossiers is something every intelligence agency wants to do, adding that Director of National Intelligence James Clapper said he would have done the same thing.
Experts did agree with Monaco’s sentiment of calling out behavior when it is "unacceptable and cross[es] a threshold."
There are several reasons why the administration might have decided to make this public attribution now as opposed to keeping it secret or disclosing it at a later date.
One could be that if the U.S is to craft a response, ultimately there has to be a public attribution, Zheng said, noting that different standards of attribution — anonymous intelligence officials talking to news outlets versus an official announcement — depend on the types of actions the government could take. The more formal the attribution, the better postured the government is to take a formal response, she said.
Richard Ledgett, deputy director of the National Security Agency, hit on a similar point. "Attribution … is something that’s a necessary precursor to any other action that the government decides to take," he said at an AFCEA-hosted Cybersecurity Summit on Oct. 11. "If you think about responses to any international event … you need to have a foundation of things to occur … then you have building blocks for things that become increasingly more severe consequences.
"They might be in cyberspace, they might be in diplomatic or economic or some other space, but you have to have that foundation, and the foundation starts with attribution."
Department of Homeland Security Secretary Jeh Johnson had said in an Oct. 7 statement: "The recent disclosures of alleged hacked emails on sites like DCLeaks.com and WikiLeaks and by the Guccifer 2.0 online persona are consistent with the methods and motivations of Russian-directed efforts."
Zheng noted that threats from WikiLeaks that the organization was to release more damaging emails could have played a factor in the attribution style. Following the release, which turned out to be less damaging than advertised, the government had a better sense of what the emails entailed and may have felt better about taking the next step, she said.
Zheng said while it is possible that this attribution announcement is related the recent diplomatic breakdowns between the U.S. and Russia as it applies to the Syrian conflict, she, like others, declined to speculate further. When asked if last week's announcement could be used as leverage to get the Russian administration to play ball with the U.S. in crafting a constructive end to the Syrian conflict, for which Russia has taken several provocative steps recently, Eoyang expressed skepticism, noting: "I don’t know if there’s anything to make Russia play ball on Syria."
She did offer that given Russia’s permanent seat on the United Nations Security Council, which affords it veto power on any and all resolutions, means the U.S. decision concerning Russia must be taken seriously.
It's unclear what further responses the U.S. can take given the asymmetric nature of what Russia was trying to achieve — interference in the democratic process — and the number of policy options, public and private, the U.S. has on the table.
Mark Hagerott, a retired Navy captain who held posts in strategy at the Pentagon, said in a typical arms race competition or even the Cold War, tit for tat actions were the norm. Russia would build an intercontinental ballistic missile, the U.S. would build one; Russia would build a submarine, the U.S. would build one, he told C4ISRNET.
Hagerott, who is now a cybersecurity fellow at the New America Foundation, said there is no reciprocal retaliation given Russia’s authoritarian government and less participatory electoral process.
Perhaps shaming the Russians in public could be an effective measure, he said, as it might send a signal to other democracies around the world — such as Turkey, for which relations with Russia are thawingas evidenced most recently by an oil deal — that might feel threatened by these meddling tactics.
Public shaming, he added, could spur rapid, high-level negotiations that could take hacking elections and interfering with democracy via cyberspace off the table, similar to the agreement the U.S. inked with China last year that sought to limit the cybertheft of intellectual property to benefit companies.
Monaco hit on this as well, noting that when "you’re calling out that activity, you’re identifying it, you’re naming it, you’re showing that you can attribute that," it ultimately strengthens diplomacy, citing the Sino-U.S. deal.
Given Russia’s provocative actions toward the West, it's difficult to assess whether or not the diplomatic naming-and-shaming track is worthwhile. The Russian embassy in the United States recently tweeted, "Unbiased investigation of
DNChack would be a proportional (and logical) response to it. Threats or attacks against other countries are not."
It's hard to say if lack of evidence for the U.S. attribution will help bring Russia to the negotiating table. Sean Kanuck, who most recently served as national intelligence officer for cyber issues in the Office of the Director of National Intelligence, told C4ISRNET at the 2016 Intelligence and National Security Summit that in the Sony case, while confident attribution was given, there was no supporting evidence.
"I’ve actually been in an international meeting where a Russian government official challenged Christopher Painter from the U.S State Department saying that North Korea was not responsible for that and said no sufficient evidence has been provided," he said.
However, Eoyang believes that these actions by Russia are signs of weakness, not strength, adding that Moscow likely will reevaluate its relationship with the U.S. after the presidential election in November.
According to Eoyang, Russia knows it cannot compete with the U.S. on a military or economic scale, and knows that, if Hillary Clinton becomes president, the U.S. is not going to rush to be Moscow's best friend on the world stage.
Despite taking the significant step of officially blaming Russia for the hacks, the U.S. does not have many options to retaliate," according to an Oct. 11 brief from the Soufan Group, an
intelligence security firm.
"When it comes to cyberattacks, historical methods of deterring and punishing espionage are obsolete or ineffective. While the U.S. may conduct cyberattacks of its own against Russia, the unknown risks of an escalating cyberwar suggest economic and political measures may be preferred."
Experts have also noted that any response must have some importance to Russia and its leaders. However, some Russian oligarchs close to Russian President Vladimir Putin are already under sanctions for Russia’s role in the Ukrainian conflict. U.S. President Barack Obama has offered a glimpse into potential responses, with Reuters quotingWhite House Press Secretary Josh Ernest: "There are a range of responses that are available to the president and he will consider a response that is proportional. … It is certainly possible that the president can choose response options that we never announce."
Some of the unpublicized responses could include private messaging or intelligence operations, Monaco said, though she stopped short when asked about covert operations such as hacking into systems.
Clapper, at the Aspen Security Forum this summer, said Putin is paranoid and wary about the U.S. and West meddling in his affairs, especially considering his authoritarian nature.
"If I look at things from their vantage, I think, [the Russians are] paranoid … about color revolutions and the potential for a color revolution to occur in Russia," he said. "They see a U.S. conspiracy behind every bush and ascribe far more impact than we’re actually guilty of, but that’s their mindset. And so I think it’s their approach is they believe that we’re trying to influence political developments in Russia, we’re trying to affect change and so their natural response is to retaliate and do unto us as they think we’ve done unto them."