Poking the Bear: Obama Says US Will Respond to Russian Hacking
Former officials say the U.S. should move the fight out of cyberspace.
— -- President Barack Obama today promised the U.S. would "take action" in response to Russia's pre-election hacking, in comments that come more than two months after the U.S. intelligence community publicly implicated the Russian government in a plot to interfere with the U.S. election.
"I think there is no doubt that when any foreign government tries to impact the integrity of our elections ... that we need to take action and we will. At a time and a place of our own choosing. Some of it may be explicit and publicized; some of it may not be," Obama told NPR.
Obama said Russian President Vladimir Putin "is well aware of my feelings about this, because I spoke to him directly about it."
Obama made the remarks after intelligence officials said that Putin was personally linked to the hacking campaign. The White House is under increasing pressure to mount a strong response.
"I think it's extraordinarily serious that we send the message, not just to Russia in this case but to all of the countries out there that are trying to figure out what can [they] get away with in cyberspace? Where are the red lines? What's tolerable behavior?" former Justice Department Assistant Attorney General John Carlin told ABC News' chief investigative correspondent Brian Ross. "And it's very important that we send the message that if you try to undermine our electoral system, in our democratic system, that that will demand a response."
Russia has repeatedly denied the hacking allegations.
Obama declined to say how the U.S. planned to respond, but White House press secretary Josh Earnest said Wednesday that Obama believes in a "proportional response."
When discussing proportional responses to cyber attacks, perhaps the most obvious course of action is to respond with another cyber attack. But former senior U.S. officials and experts told ABC News today that's among the least likely and most ill-advised options at this point.
"You don't win in the retaliation game. You feel better. You scratch a political itch. But you have to think really hard about what you're doing," said former CIA European Division chief Rolf Mowatt-Larssen. "I'm not saying they get off. I'm saying you really have to think of the ramifications and ... it has to be part of a broader solution."
If Obama plans to order any action himself, he has just over a month to do so before President-elect Donald Trump is inaugurated on Jan. 20. Here are some possibilities:
The Cyber Option And Its Shortcomings
Richard Clarke, a former White House cyber security adviser, said Monday it appeared Obama declined to respond to the Russians in kind before the election in November, fearing it would set off a "cycle of tit-for-tat cyber attacks."
"Instead of that, before the election, he threatened Russia through a variety of channels and told them at the very senior level, 'Knock it off.' And they apparently did," said Clarke, now an ABC News consultant. Today Obama told NPR he personally had a "candid, blunt, businesslike" discussion with Putin about cyber security on the sidelines of the G-20 summit in early September.
"Now the question arises, after the election, will he [Obama] engage in any kind of retaliation. If he does, it doesn't have to be a cyber attack. In fact, it probably won't be," Clarke said.
Not that the U.S. was not in a position to do so. Back in July, after Russian hackers had been publicly blamed for the hack of the Democratic National Committee, three former senior U.S. officials told ABC News that the National Security Agency was almost certainly "hacking back" those Kremlin-backed cyber security squads, infiltrating their systems to learn as much as possible about what they did and how they operate.
But generally those kinds of missions, as explained at the time by the head of NSA's elite hacking unit Tailored Access Operations (TAO), were for intelligence gathering -- not active retaliation.
A former member of the NSA's TAO told ABC News today the U.S. could launch a number of cyber attacks should Obama order them -- everything from a broad swipe that could take down portions of Russia's internet to targeting individual computers and systems for virtual destruction.
Former NATO Supreme Allied Commander James Stavridis suggested in The Huffington Post on Tuesday that in addition to some real-world actions, the U.S. can use "clandestine cybercapabilities" to damage the financial accounts of Russian leadership, reveal Russian corruption or attack Russia's technical capability to suppress dissent internally.
One problem with some of those cyber approaches is technical. The former NSA hacker said if American hackers don't already have it, the U.S. would have to gain access to particular systems for any targeted attacks, and that could take months, depending on the target.
The other problem, according to Mowatt-Larssen and RAND cyber security expert Martin Libicki, is that cyberspace is still relatively new to the international community, where real-world norms don't necessarily apply and the possibility for miscommunication or escalation is significant.
"Retaliation, a response is an act of communication," Libicki said. "But you have to understand what's in the other guy's head" in order to communicate effectively, he added.
"We have to think about devising the rules of the game," said Mowatt-Larssen, who explained that the current cyber landscape lacks the long-standing unwritten rules generally followed in other types of espionage. "You have to be careful if you do retaliate against the Russians. They have to know what you're doing."
Part of devising that language on America's side, Mowatt-Larssen said, is having a long-term deterrent strategy, as opposed to "ad hoc" deterrent responses to individual incidents.
Mowatt-Larssen also said the idea of embarrassing Russian leaders may not have the impact America expects, considering the leadership's tighter grip on the Russian population and the substantial domestic support for Putin.
The former NSA hacker, who requested anonymity, and former DIA cyber chief Tyler Cohen Wood, said before the U.S. encourages any escalation in cyberspace, officials need to look hard at America's own significant cyber vulnerabilities -- from the ubiquity of everyday Internet of Things objects to critical infrastructure nationwide.
"They [the Russians] are connected too," Wood said. "[But] it's absolutely ridiculous how insecure our infrastructure is... Every single thing we use is cyber-connected... The more code you have, the more vulnerabilities you're going to have."
Real-World Options: Charges, Sanctions, Covert Action
For U.S. decision makers, there is also a range of real-world solutions to the cyber problem that the U.S. has used before and that are more readily recognized internationally.
"It's not limited to any one tool," said Carlin, the former DOJ official. "In some cases, you may never be able to bring a criminal case. But that doesn't mean there shouldn't be a response. That response could be through the use of Treasury Department sanctions, it could be covert action, it could be forms of public diplomacy."
In the past, the U.S. has publicly outed individual hackers believed to be involved in state-sanctioned attacks -- like the five members of the Chinese military identified by the U.S. Department of Justice in 2014.
The most commonly suggested real-world tactic is to introduce new sanctions against Russia, either directly by the U.S. Treasury -- as the U.S. considered using against China for its cyber operations, as ABC News reported in April 2015 -- or by making its case publicly and appealing to the international community at the United Nations.
The U.S. is also engaged with Russia in a number of different areas internationally -- from Ukraine to Syria -- each of which provide the U.S. an alternative venue for a public response.
Then there's covert action, in which whatever action taken against Russia would be designed to hide America's hand.
Libicki said the U.S. could pursue that path, but Obama would have to decide whether or not he wants to send a message to the general public, and to other nations, or just to Russia.
Former CIA Acting Director Michael Morrell told The Cipher Brief on Sunday that whatever the response, it has to be public for it to do any good internationally.
"It needs to be seen. A covert response would significantly limit the deterrence effect. If you can’t see it, it's not going to deter the Chinese and North Koreans and Iranians and others, so it’s got to be seen," he said.
Morrell had another condition: Putin should "feel some pain."
"[This] has got to be significant from Putin's perspective," he said. "He has to feel some pain, he has to pay a price here or again, there will be no deterrence, and it has to be seen by the rest of the world as being significant to Mr. Putin so that it can be a deterrent."
Mowatt-Larssen said whatever the U.S. does, it should do it soberly and purposefully.
"If we act emotionally, there's no benefit to that," he said. "When we do it, we plan. We think. ...Whatever actions we take should be part of a broader strategy, a longer-term, very deliberate strategy."