All fingers are pointing to Russia as the source of the worst-ever hack of US government agencies. But President Donald Trump, long wary of blaming Moscow for cyberattacks, has been silent.
The lack of any statement seeking to hold Russia responsible casts doubt on the likelihood of a swift response and suggests any retaliation — whether through sanctions, criminal charges or cyber-actions — will be left in the hands of President-elect Joe Biden’s incoming administration.
“I would imagine that the incoming administration wants a menu of what the options are and then is going to choose,” said Sarah Mendelson, a Carnegie Mellon University public policy professor and former US ambassador to the UN’s Economic and Social Council. “Is there a graduated assault? Is there an all-out assault? How much out of the gate do you want to do?”
To be sure, it is not uncommon for administrations to refrain from levelling public accusations of blame for hacks until they have accumulated enough evidence. Here, US officials say they only recently became aware of devastating breaches at multiple government agencies in which foreign intelligence agents rooted around undetected for as much as nine months. But Trump’s response, or lack thereof, is being closely watched because of his preoccupation with a fruitless effort to overturn the results of last month’s elections and because of his refusal to publicly acknowledge that Russian hackers interfered in the 2016 presidential election in his favour.
Exactly what action Biden might take is unclear, or how his response might be shaped by criticism that the Obama administration did not act aggressively enough to thwart interference in 2016. He offered clues in a statement on Thursday, saying his administration would be proactive in preventing cyberattacks and impose costs on any adversaries behind them.
US government statements so far have not mentioned Russia. Asked about Russian involvement in a radio interview on Monday, Secretary of State Mike Pompeo acknowledged Russia consistently tries to penetrate American servers but quickly pivoted to threats from China and North Korea.
Democratic Senators Dick Durbin and Richard Blumenthal, who were briefed on Tuesday on the hacking campaign in a classified Armed Services Committee session, were unequivocal in blaming Russia.
Why hasn’t President Trump said a word about the Russian cyber-attack on the United States? He’s just as silent now as he was when news broke of Russian bounties on American soldiers and it is disgraceful. pic.twitter.com/FCeK6UOc72
— Senator Dick Durbin (@SenatorDurbin) December 18, 2020
There are other signs within the administration of a clear-eyed recognition of the severity of the attack, which happened after elite cyberspies injected malicious code into the software of a company that provides network services. The civilian cybersecurity agency warned in an advisory on Thursday that the hack posed a “grave risk” to government and private networks.
A response could start with a public declaration that Russia is believed responsible, already a widely shared assessment in the US government and cybersecurity community. Such statements often are not immediate. It took weeks after the incidents became public for the Obama administration to finger North Korea in the Sony Pictures Entertainment hack in 2014 and for the then-national intelligence director, James Clapper, to confirm China as the “leading suspect” in hacks of the Office of Personnel Management.
Public naming-and-shaming is always part of the playbook. Trump’s former homeland security adviser, Thomas Bossert, wrote this week in a New York Times opinion piece that “the United States, and ideally its allies, must publicly and formally attribute responsibility for these hacks”. Republican Senator Mitt Romney said in a SiriusXM radio interview that it was “extraordinary” the White House has not spoken out.
The US public is sick, our leaders distracted, and we are under cyberattack. This isn’t about SolarWinds anymore. It hasn’t been for months. The Russians are in our networks at a very fragile time. What are we going to do about it? My @nytimes OpEd https://t.co/MeeKNSzsNh
— Thomas P. Bossert (@TomBossert) December 17, 2020
Another possibility is a federal indictment, assuming investigators can accumulate enough evidence to implicate individual hackers. Such cases are labour-intensive and often take years, and though they may carry slim chances of court prosecution, the Justice Department regards them as having powerful deterrent effects.
Sanctions, a time-honoured punishment, can have even more bite and will almost certainly be weighed by Biden. President Barack Obama expelled Russian diplomats over the 2016 election interference, and the Trump administration and Western allies took similar action against Moscow for its alleged poisoning of an ex-intelligence officer in the United Kingdom.
Exposing Kremlin corruption, including how Russian President Vladimir Putin accrues and hides his wealth, may amount to even more formidable retaliation.
“This isn’t just a tit-for-tat or hacking back into their systems,” said Mendelson, the former ambassador. “It’s, ‘We’re going to go for what you really care about, and what you really care about is the funds that are stashed, and revealing the larger network and how it’s connected to the Kremlin’.”
The US can also retaliate in cyberspace, a path made easier by a Trump administration authorisation that has already resulted in some operations.
The former national security adviser, John Bolton, told reporters at a 2018 briefing that offensive cyberoperations against foreign rivals would now be part of the US arsenal and the US response would no longer be primarily defensive.
“We can totally melt down their home networks,” said Jason Healey, a Columbia University cyberconflict scholar. “And any time we see their operators popping up they know that we are going to go after them, wherever they are.”
US Cyber Command has also taken more proactive measures, engaging in what officials describe as “hunt forward” operations that let them detect cyberthreats in other countries before they reach their intended target. Military cyber-fighters, for instance, partnered with Estonia in the weeks before the US presidential election in a joint operation aimed at identifying and defending against threats from Russia.
While the US is also prolific in its offensive cyberintelligence-gathering — tapping allied foreign leaders’ phones and inserting spyware into commercial routers, for instance — such efforts are measured compared with the infection of 18,000 government and private-sector organisations in the SolarWinds hack, Healey said.
The better response — since espionage itself is not a crime — is to triple down on defensive cybersecurity, Healey said.
David Simon, a cybersecurity expert and former Defense Department special counsel, said there must be consequences for those who responsible for attacks — and the Trump administration “has fallen far short in holding the Kremlin accountable”.
“Until it’s clear the US will impose meaningful costs on adversaries,” he said in an email, “a material change in the Kremlin’s behavior is not likely to be seen.”