WASHINGTON (AP) – All fingers point to Russia as the source of the worst hack ever by US government agencies. But President Donald Trump, long wary of blaming Moscow for cyber-attacks, has been silent so far.
The lack of a statement attempting to hold Russia accountable casts doubt on the likelihood of a prompt response and suggests that retaliation – be it sanctions, criminal prosecution or cyber-action – will remain in the hands of the new government of the United States. new president Joe Biden.
“I imagine the incoming government wants a menu of what the options are and then goes to choose,” said Sarah Mendelson, Carnegie Mellon University professor of public policy and former US ambassador to the UN Economic and Social Council. Is there a phased assault? Is there a total attack? How much do you want to do outside the gate? “
Certainly, it is not uncommon for governments to forgo public allegations of blame for hacks until they have gathered sufficient evidence. Here, US officials say they have only recently become aware of devastating breaches at multiple government agencies in which foreign intelligence agents have been lying around unnoticed for as many as nine months. But Trump’s response, or lack thereof, is being watched closely for his preoccupation with an unsuccessful attempt to reverse last month’s election results and for his refusal to publicly acknowledge that Russian hackers are in benefited from the 2016 presidential election.
Exactly what action Biden would take is unclear, or how his response could be shaped by criticism that the Obama administration did not act aggressively enough in 2016 to thwart interference. He gave directions in a statement on Thursday, saying his government would be proactive in preventing cyber-attacks and imposing charges on any opponents behind them.
Russia is not mentioned so far in statements by the US government. When Secretary of State Mike Pompeo was asked about Russian involvement in a radio interview on Monday, he acknowledged that Russia consistently tries to penetrate American servers, but quickly targeted threats from China and North Korea.
The democratic sens. Dick Durbin and Richard Blumenthal, who were briefed on the hacking campaign in a secret session of the Armed Services Committee on Tuesday, unequivocally blamed Russia.
There are other signs within the administration of a clear recognition of the severity of the attack, which occurred after elite cyber spies injected malicious code into the software of a company that provides network services. The civilian cybersecurity agency warned in an advisory on Thursday that the hack posed a “serious risk” to government and private networks.
A response could begin with a public statement that Russia is seen as responsible, an already widely shared assessment in the US government and cybersecurity community. Such statements are often not immediate. It took weeks after the incidents were made public for the Obama administration to finger North Korea in the 2014 Sony Pictures Entertainment hack and for then-national intelligence director James Clapper to confirm China as the ‘lead suspect’ in Office of Personnel hacks Management. .
Public naming-and-shaming is always part of the playbook. Trump’s former homeland security adviser Thomas Bossert wrote in an op-ed in the New York Times this week that “the United States, and ideally its allies, should publicly and formally attribute responsibility for these hacks.” Republican Senator Mitt Romney said in a SiriusXM radio interview that it was “extraordinary” that the White House has not spoken out.
Another possibility is a federal charge, assuming investigators can gather enough evidence to implicate individual hackers. Such cases are labor-intensive and often take years, and while the chances of prosecution in court are small, the Justice Department considers them to be powerful deterrent effects.
Sanctions, a time-honored punishment, can take even more bite and will almost certainly be weighed by Biden. President Barack Obama has expelled Russian diplomats over the interference in the 2016 election, and the Trump administration and Western allies have taken similar action against Moscow over the alleged poisoning of a former intelligence officer in Britain.
Exposing corruption in the Kremlin, including the way Russian President Vladimir Putin amasses and hides his wealth, could amount to an even more formidable retaliation.
“This isn’t just another tit-for-tat or hacking back into their systems,” said Mendelson, the former ambassador. “It’s, ‘We’re going for what you really care about, and what you really care about is the money that’s been put away and revealing the greater network and how it’s connected to the Kremlin.”
The US can also retaliate in cyberspace, a path made easier by an authorization from the Trump administration that has already led to some operations.
Former National Security Adviser John Bolton told reporters at a 2018 briefing that cyber-offensive operations against foreign rivals would now be part of the US arsenal and that the US response would no longer be primarily defensive.
“We can completely melt down their home networks,” said Jason Healey, a cyber conflict scientist at Columbia University. “And every time we see their operators show up, they know we’ll go after them wherever they are.”
The US Cyber Command has also taken more proactive action, participating in what officials describe as “hunt forward” operations that enable them to detect cyber threats in other countries before reaching their intended goal. For example, in the weeks before the US presidential election, military cyber fighters teamed up with Estonia in a joint operation aimed at identifying and defending against threats from Russia.
While the US is also prolific in gathering offensive cyber intelligence – for example, tapping phones from allied foreign leaders and putting spyware into commercial routers – such efforts have been compared to the infection of 18,000 government and private organizations in the SolarWinds hack. , Healey said.
The better response – since espionage itself is not a crime – is to triple defensive cybersecurity, Healey said.
David Simon, a cybersecurity expert and former special adviser to the Department of Defense, said there must be consequences for those responsible for attacks – and the Trump administration “has been far from holding the Kremlin to account.”
“Until it is clear that the US will impose meaningful charges on opponents,” he said in an email, “a significant change in Kremlin behavior is unlikely to be seen.”