US President Barack Obama has vowed that America will respond to Russian hacking undertaken during the country’s presidential campaign. Yet the public may never hear about it.
During his presidency, Obama favoured a policy of deterrence when it came to responding to cyberattacks, in what US officials call “naming and shaming”. He’s indicted Iranian and Chinese hackers and signed an executive order allowing the treasury department to impose financial sanctions on hackers. He could take similar steps against Russia, which has repeatedly denied accusations of hacking.
Another possible route, though, is an offensive cyber operation. Obama said on 16 December that he would respond in a “thoughtful, methodical way”, and some of it “we do publicly. Some of it, we will do in a way that they know but not everybody will.”
Several former military and intelligence officials explained how an offensive response might play out.
Intelligence agencies vs Pentagon response
One key step would be deciding which part of the vast US national security apparatus the administration taps for the job. The administration could turn to the Pentagon or the intelligence community to draft “proportional” responses to a breach, said Ted Johnson, a retired US Navy commander and cyber fellow at the New America Foundation. That would ensure the US plays by the norms of international conflict and reduces the risk of escalation.
“Your response to someone’s action against you should be proportional. So, if you get punched in the mouth you don’t blow up their home, because that’s not proportional,” Johnson said.
In making that decision, the president could choose a covert action by intelligence agencies, under a law called Title 50, or a military response, under the law known as Title 10.
Spy agency options
If a covert action by the Central Intelligence Agency or National Security Agency is sought, it would come after gathering as much data as possible on the specific “entities and individuals” involved in the US attack, according to Terry Roberts, founder and president of cybersecurity firm WhiteHawk and former deputy director of US Naval Intelligence.
That could involve wiping out hard drives connected to Russia’s intelligence community, exposing Russian hacking tools on the Web or revealing where the hackers operate in the so-called dark Web. Or if the specific hackers involved use bitcoin currency, the US could delete their online financial cache, Roberts said. This could be done without attribution, so it’s not obvious the US was behind the action.
“If I want to just quietly take out their capability and send a very sneaky message and not an overt message, I would probably do a covert action,” said Bob Stasio, a fellow at the Truman National Security Project and former chief of operations at the NSA’s Cyber Operations Center.
Another possibility, according to another former NSA official, includes “deny, disrupt, degrade” attacks, where agency hackers could take down websites or networks, or break into non-government institutions and leak information. That could also include hacking into companies that have ties to Russian President Vladimir Putin or leaders supporting him, or leaking information about Russia’s role in another country, deflecting the focus from the US.
If the president chooses an offensive military option, that would fall to US Cyber Command, a relatively new agency headed by Admiral Michael Rogers, who also leads the NSA. This path requires the object of the action be a military target. Possible options here could include a cyber-strike against the systems of the FSB or GRU, Russian intelligence agencies, or launching a ransomware attack against them or manipulating their data.
Using the military could send a strong message and eventually the operation could be made public. Rogers, for instance, has said he expects to declassify some of the offensive tactics being used against Islamic State. But it also raises the idea of overt warfare.
If the US response is a military action, there could be questions around who oversees the operation. “Right now, the Russian geography falls within the European Command area of responsibility,” so the defence secretary or the president will have to determine who heads it up, Johnson, the former Navy commander said. “That is not a question that will be easily resolved.”
Is there precedent for making an offensive cyberattack public?
“The only publicly declared offensive cyber operation that the US is conducting is against” Islamic State, though few details of that are known, according to Michael Sulmeyer, director of the Cyber Security Project at Harvard’s Belfer Center and a former senior cyber policy adviser at the defence department. “I suspect that’s why the administration, if they’re going to choose to go with an offensive cyber response, they’re probably going to be fairly quiet about it,” Sulmeyer said.
Case in point: North Korea. The isolated regime’s Internet was disrupted for about 10 hours on 21 and 22 December 2014, days after the Obama administration accused Kim Jong Un’s government of hacking Sony’s computer systems. Although the US didn’t claim responsibility, the administration had vowed to retaliate against North Korea.
The argument for going public
While policy makers face a challenge deciding whether to make a response public, not disclosing the attack raises the spectre that the US isn’t actually responding, according to Susan Hennessey, a national security fellow at the Brookings Institution and a former NSA lawyer.
“The idea of telling Russia, ‘we know it’s you and we might do something about it’, the idea that that is sufficient in this case, I just don’t think that’s the case,” Hennessey said. “I think the White House has indicated that they recognise this is an area in which at least a partially visible and really quite consequential response is required.”
Former officials and analysts say the process for cyber offensive operations isn’t streamlined and can get bogged down by policy discussions. That could be hindering the US from carrying out such campaigns.
For instance, if Cyber Command presents an option to the president, the National Security Council and a joint task force made up of the intelligence community, including the state department, “have to determine the collateral effects,” according to Stasio. They consider the impact of the action, such as relations with the other country and civilian casualties. It’s a similar approval process as for a tactical strike.
“There’s generally not a whole lot of agreement in these meetings,” Stasio said.
Despite all this, Obama could have already ordered an offensive operation. Or he may choose to pursue a non-cyber response, or decide to do nothing beyond the public statements he’s made. It all depends on what message the US wants to send. Regardless, US allies and adversaries will closely watch the response.
“We’re in new territory in the digital age, we’re seeing things that we haven’t dealt with before,” Roberts, the former naval intelligence officer said. “Our policies and statutes are woefully behind in keeping up with these new dynamics.” — (c) 2016 Bloomberg LP