The Spokesman-Review Newspaper
Spokane, Washington  Est. May 19, 1883

Obama options on Russian hacks range from covert to military

In this Sept. 28 photo, a computer screen shows the results from an electronic voting machine as Brian Varner, a principal researcher at Symantec, demonstrates how to hack an electronic voting machine at a Symantec office in New York. (Mary Altaffer / Associated Press)
By Nafeesa Syeed, Bloomberg

WASHINGTON – President Barack Obama has vowed that the U.S. will respond to Russian hacking undertaken during the U.S. presidential campaign. Yet the public may never hear about it.

During his presidency, Obama favored a policy of deterrence when it came to responding to cyber attacks, in what U.S. officials call “naming and shaming.” He’s indicted Iranian and Chinese hackers and signed an executive order allowing the Treasury Department to impose financial sanctions on hackers. He could take similar steps against Russia, which has repeatedly denied accusations of hacking.

Another possible route, though, is an offensive cyber operation. Obama said Dec. 16 that he would respond in a “thoughtful, methodical way,” and some of it “we do publicly. Some of it, we will do in a way that they know but not everybody will.” Several former military and intelligence officials explained how an offensive response might play out.

Intelligence Agencies vs Pentagon Response

One key step would be deciding which part of the vast U.S. national security apparatus the administration taps for the job. The administration could turn to the Pentagon or the intelligence community to draft “proportional” responses to a breach, said Ted Johnson, a retired U.S. Navy commander and cyber fellow at the New America Foundation. That would ensure the U.S. plays by the norms of international conflict and reduces the risk of escalation.

“Your response to someone’s action against you should be proportional. So, if you get punched in the mouth you don’t blow up their home, because that’s not proportional,” Johnson said.

In making that decision, the president could choose a covert action by intelligence agencies, under a law called Title 50, or a military response, under the law known as Title 10.

Spy Agency Options

If a covert action by the Central Intelligence Agency or National Security Agency is sought, it would come after gathering as much data as possible on the specific “entities and individuals” involved in the attack on the U.S., according to Terry Roberts, founder and president of cybersecurity firm WhiteHawk Inc. and former deputy director of U.S. Naval Intelligence.

That could involve wiping out hard drives connected to Russia’s intelligence community, exposing Russian hacking tools on the web or revealing where the hackers operate in the so-called dark web. Or if the specific hackers involved use bitcoin currency, the U.S. could delete their online financial cache, Roberts said. This could be done without attribution, so it’s not obvious the U.S. was behind the action.

“If I want to just quietly take out their capability and send a very sneaky message and not an overt message, I would probably do a covert action,” said Bob Stasio, a fellow at the Truman National Security Project and former chief of operations at the National Security Agency’s Cyber Operations Center.

Another possibility, according to another former NSA official, includes “deny, disrupt, degrade” attacks, where agency hackers could take down websites or networks, or break into non-government institutions and leak information. That could also include hacking into companies that have ties to Russian President Vladimir Putin or leaders supporting him, or leaking information about Russia’s role in another country, deflecting the focus from the U.S.

Military Response

If the president chooses an offensive military option, that would fall to U.S. Cyber Command, a relatively new agency headed by Admiral Michael Rogers, who also leads the NSA. This path requires that the object of the action be a military target. Possible options here could include a cyber-strike against the systems of the FSB or GRU, Russian intelligence agencies, or launching a ransomware attack against them or manipulating their data.

Using the military could send a strong message and eventually the operation could be made public. Rogers, for instance, has said he expects to declassify some of the offensive tactics being used against Islamic State. But it also raises the idea of overt warfare.

If the U.S. response is a military action, there could be questions around who oversees the operation. “Right now, the Russian geography falls within the European Command area of responsibility,” so the defense secretary or the president will have to determine who heads it up, Johnson, the former Navy commander, said. “That is not a question that will be easily resolved.”

Is there precedent for making an offensive cyber attack public?

“The only publicly declared offensive cyber operation that the United States is conducting is against” Islamic State, though few details of that are known, according to Michael Sulmeyer, director of the Cyber Security Project at Harvard’s Belfer Center and a former senior cyber policy adviser at the Defense Department. “I suspect that’s why the administration, if they’re going to choose to go with an offensive cyber response, they’re probably going to be fairly quiet about it,” Sulmeyer said.

Case in point: North Korea. The isolated regime’s internet was disrupted for about 10 hours on Dec. 21 and 22, 2014, days after the Obama administration accused Kim Jong Un’s government of hacking Sony’s computer systems. Although the U.S. didn’t claim responsibility, the administration had vowed to retaliate against North Korea.

The Argument For Going Public

While policymakers face a challenge deciding whether to make a response public, not disclosing the attack raises the specter that the U.S. isn’t actually responding, according to Susan Hennessey, a national security fellow at the Brookings Institution and a former NSA lawyer.

“The idea of telling Russia, ‘we know it’s you and we might do something about it,’ the idea that that is sufficient in this case, I just don’t think that’s the case,” Hennessey said. “I think the White House has indicated that they recognize this is an area in which at least a partially visible and really quite consequential response is required.”

What’s Next?

Former officials and analysts say the process for cyber offensive operations isn’t streamlined and can get bogged down by policy discussions. That could be hindering the U.S. from carrying out such campaigns.

For instance, if Cyber Command presents an option to the president, the National Security Council and a joint task force made up of the intelligence community, including the State Department, “have to determine the collateral effects,” according to Stasio. They consider the impact of the action, such as relations with the other country and civilian casualties. The approval process is similar to that for a tactical strike.

“There’s generally not a whole lot of agreement in these meetings,” Stasio said.

Despite all this, Obama could have already ordered an offensive operation. Or he may choose to pursue a non-cyber response, or decide to do nothing beyond the public statements he’s made. It all depends on what message the U.S. wants to send. Regardless, U.S. allies and adversaries will closely watch the response.

“We’re in new territory in the digital age, we’re seeing things that we haven’t dealt with before,” Roberts, the former naval intelligence officer, said. “Our policies and statutes are woefully behind in keeping up with these new dynamics.”