WASHINGTON (AP) – All fingers point to Russia as the source of the worst hacking of all time by US government agencies. But President Donald Trump, long cautious of blaming Moscow for cyber attacks, has been silent so far.
The lack of any statement to Russia questions the likelihood of a quick response and suggests any retaliation – whether through sanctions, criminal charges or cyber actions – will be left in the hands of the future administration of President-elect Joe Biden.
“I would imagine that the incoming administration wants a menu with options and then it will choose,” said Sarah Mendelson, a professor of public policy at Carnegie Mellon University and a former US ambassador to the UN Economic and Social Council. “Is there a gradual assault? Is there a total assault? How much do you want to make from the gate? “
It is certainly not uncommon for administrations to refrain from bringing public charges of hacking until they have accumulated enough evidence. Here, US officials say they have only recently become aware of devastating violations at several government agencies where foreign intelligence agents have been rooted undetected for up to nine months. But Trump’s response, or lack thereof, is being closely watched because of his concern about an unsuccessful effort to overturn last month’s election results and his refusal to publicly acknowledge that Russian hackers interfered in the 2016 presidential election. in his favor.
Exactly what action Biden could take is unclear or how his response could be shaped by criticism that the Obama administration did not act aggressively enough to prevent interference in 2016. He gave clues in a statement Thursday, saying his administration will be proactive in preventing cyber attacks. and impose costs on the opponents behind them.
The US government’s statements so far have not mentioned Russia. Asked on Monday about Russia’s involvement in a radio interview, Secretary of State Mike Pompeo acknowledged that Russia is constantly trying to break into US servers, but quickly pivoted on threats from China and North Korea.
Democratic Senators Dick Durbin and Richard Blumenthal, who were briefed Tuesday on the piracy campaign at a scheduled session of the Armed Services Committee, were unequivocally blaming Russia.
There are other signs in the administration of a clear recognition of the severity of the attack, which happened after the elite cyber spies injected malicious code into the software of a company that provides network services. The civil cybersecurity agency warned in an advisory Thursday that the hack posed a “serious risk” to government and private networks.
A response could begin with a public statement that Russia is held accountable, an assessment already widely shared by the US government and the cyber security community. Such statements are often not immediate. It took weeks after the incidents became public for the Obama administration to reach North Korea in the 2014 Sony Pictures Entertainment hack and for national intelligence director James Clapper to confirm China as the “main suspect” in Office hacking. of Personnel Management. .
The name and public shame are always part of the textbook. Trump’s former internal security adviser, Thomas Bossert, wrote this week in a New York Times opinion piece that “the United States and, ideally, its allies, must publicly and formally assume responsibility for these hacks ”. Republican Sen. Mitt Romney said in a SiriusXM radio interview that it was “extraordinary” that the White House had not ruled.
Another possibility is a federal indictment, assuming investigators can gather enough evidence to implicate individual hackers. Such cases require intense work and often last for years, and although they may have a low chance of being prosecuted, the Department of Justice considers them to have strong deterrent effects.
Sanctions, a time-honored punishment, can take even more bites and will almost certainly be weighed by Biden. President Barack Obama has expelled Russian diplomats over the 2016 election, and the Trump administration and Western allies have taken similar action against Moscow for allegedly poisoning a former British intelligence officer.
Exposing corruption in the Kremlin, including the way in which Russian President Vladimir Putin accumulates and hides his wealth, can mean even more formidable retaliation.
“It’s not just a tit-for-tat or a hacking back into their systems,” said Mendelson, the former ambassador. “It is,” We will go for what you really care about and what you really care about are the funds that are hidden and reveal the larger network and how it is connected to the Kremlin. ‘ “
The US can also retaliate in cyberspace, a path facilitated by an authorization from the Trump administration that has already led to some operations.
Former National Security Adviser John Bolton told reporters in a 2018 briefing that offensive cyber operations against foreign rivals will now be part of the US arsenal and that the US response will no longer be primarily defensive.
“We can completely melt their networks at home,” said Jason Healey, a cyber-conflict scholar at Columbia University. “And every time we see their operators appear, I know we’ll go after them, wherever they are.”
The US Cyber Command has also taken more proactive measures, engaging in what officials describe as “forward hunting” operations, which allow it to detect cyber threats in other countries before reaching the desired target. Military cyber fighters, for example, joined forces with Estonia in the weeks leading up to the US presidential election in a joint operation aimed at identifying and defending against Russian threats.
While the US is also prolific in its offensive collection of cyber information – touching the phones of Allied foreign leaders and introducing spyware into commercial routers, for example – such efforts are measured against the infection of 18,000 government organizations and from the private sector in the SolarWinds hack, Healey said.
The best answer – since espionage itself is not a crime – is to triple defensive cyber security, Healey said.
David Simon, a cybersecurity expert and former special adviser to the Department of Defense, said there must be consequences for those responsible for the attacks – and the Trump administration “failed to answer the Kremlin.”
“Until it is clear that the US will impose significant costs on opponents,” he said in an email, “it is unlikely that a significant change in the Kremlin’s behavior will be seen.”