US mulls ‘proportional’ response to Democratic Party hacks in midst of an unprecedented presidential campaign clouded by cybersecurity concerns (among other things).
Whether the next President of the United States likes it or not, she or he will be faced with a whole new era of nation-state cyberattacks that now have crossed a fine line from accepted cyber espionage to a form of cyberattacks aimed at sabotaging the election season.
In the wake of a rare declaration by the Office of the Director of National Intelligence and US Department of Homeland Security last week that named Russia as the actor behind recent hacks of the Democratic National Committee (DNC) and personal emails of US political officials and organizations, the White House this week said the US will respond in a “proportional” manner to the breaches, which have gone glaringly public with online data dumps via WikiLeaks.
Russia may be the first nation to move from cyber espionage to cyber sabotage in an apparent quest to influence or wreak chaos on the US election, but it wasn’t the first nation the US has called out for damaging cyberattacks. First there were the US Department of Justice’s indictments of five Chinese military officials in 2014, followed by the Obama administration’s naming and shaming of North Korea for the epic and massive data breach, data-wiping and doxing of Sony Pictures Entertainment later that year. Earlier this year, the DOJ indicted an Iranian hacker working on behalf of the Iranian government for allegedly infiltrating a server at a dam in New York.
Even so, Russia’s propaganda-driven campaign in the breach and doxing of the DNC and other Democratic Party operatives, takes this destructive cyber espionage activity to a whole new level. While most experts say it’s unlikely Russia can or will be able to go as far as hack US voting systems to alter the vote-count, there are plenty of ways for the nation-state to sow seeds of distrust, doubt, and fear, in the election.
This threat won’t end after Nov. 8, either.
“We have never been here before. No one really knows what is socially acceptable and what is not when it comes to cyber. We have no ‘Geneva Convention’ for cyber,” says security expert Cris Thomas, aka Space Rogue, who says the administration needs to provide some evidence of Russia’s involvement in the breach.
Thomas says the US should be careful with attribution “and set the stage now as to what is and is not acceptable as we move into the future, when these sort of actions will become more and more commonplace,” he says.
Lisa Monaco, assistant to the President for Homeland Security and Counterterrorism, at a security conference hosted by The Washington Post last week, said the administration would consider tools including “economic, diplomatic, criminal law enforcement, military, and some of those responses may be public, some of them may not be.”
An Executive Order issued in April 2015 by President Barack Obama gives the president authorization to impose some sort of retribution or response to cyberattacks. The EO, which the administration has not used in any case as of yet, allows the Secretary of Treasury, in consultation with the Attorney General and Secretary of State, to institute sanctions against entities behind cybercrime, cyber espionage, and other damaging cyberattacks. That includes freezing the assets of attackers.
“Our primary focus will be on cyber threats from overseas. In many cases, diplomatic and law enforcement tools will still be our most effective response,” Obama said when announcing the Executive Order. “But targeted sanctions, used judiciously, will give us a new and powerful way to go after the worst of the worst.”
In response to the US allegations of Russia’s election-hacking activities, Russian President Vladamir Putin this week said the attacks “have nothing to do with Russia’s interests.”
“They started this hysteria, saying that this (hacking) is in Russia’s interests. But this has nothing to do with Russia’s interests,” Putin said at a Moscow business forum, according to Reuters.
Putin appeared to shift the discussion to the contents of the information breached and dumped publicly via WikiLeaks. “Everyone is talking about ‘who did it’ [the hacking],” said Putin. “But is it that important? The most important thing is what is inside this information.”
45th President In The Hacker Hot Seat
While the Obama administration wrestles with how to implement its retribution policy for the first time, Russia’s alleged hacking activity isn’t likely to subside after the new President is elected, nor is the problem of nation-state hacking at this new level. So either new President Hillary Clinton or new President Donald Trump will be forced to tackle this new chapter in nation-state cyber espionage.
John Bambenek, threat systems manager at Fidelis Cybersecurity, says the next President of the US will have some big challenges here. “Ultimately, nations have to behave like economic actors,” he says.
Retribution, like attribution, to a cyberattack, can be a slippery slope.
Unlike the diplomatic agreement between Obama and China’s Xi Jinping, where both nations promised not to conduct cyber espionage for economic gain in the wake of China’s infamous intellectual property theft-related hacks, a deal with Russia would be much trickier and less likely. “You’re going to have to do it adversarily with Russia,” Bambenek says. There’s definitely danger of escalation and “tit-for-tat” responses, he says.
“History tends to favor sanctions in these matters,” he says. Take the US’s economic sanctions against Russia in response to Putin’s aggression in Crimea, he says. “That remains a pain point for Russia.”
But Russian doctrine supports escalation as a way to de-escalate tensions or conflict, notes Christopher Porter, manager of the Horizons team at FireEye. “If the US administration puts in place a proportional response, Moscow could do something even worse to stop a future response … I think that is very dangerous.”
Even if the US were to out the tools or infrastructure used by the Russian attack groups, it likely wouldn’t pressure Russia to dial back the hacks. Porter points to a previous year-long study by FireEye of Russian threat groups that concluded that even after being outed more than 20 times in one year, the groups continued their operations.
“It had no demonstrative effect on their ability to compromise” their targets, he says. “They are well-resourced” and FireEye has seen them just shift their operations with infrastructure from outside Russia or with other resources, he says.
FireEye’s Porter says there are two things the next US administration could do differently to handle these attackers. “They need to have better delegation for decision-making on the US side,” he says. “Don’t wait until a lot of incidents pile up before formulating a response. The White House has to weigh in on every decision now.”
Second, don’t treat state-sponsored hacks like a legal case. “We still talk about state-sponsored attacks as though they are a case for a lawyer, and we treat them like we have to prove them beyond a reasonable doubt … with forensic evidence,” he says.
That approach doesn’t work because savvy nation-states can easily sow reasonable doubt in their attacks, he says.
New Normal Norms Needed
Ultimately, without any global cyber-norms from which to operate, the US is limited in its response.
“I would love to see the next president somehow reach consensus with other nations as to what is and what is not acceptable in the world of cyber and what responses are acceptable to nations who violate those norms,” Thomas, aka Space Rogue, says.
That would entail defining just what cybersecurity violations would entail when it comes to nation-states. “We should have very defined sanctions regarding hacking and cyberwarfare,” says Miller Newton, president and CEO of data encryption company PKWARE.
But neither Presidential candidate has been eager to embrace the cybersecurity policy issues, despite both of their campaigns directly being drawn into the Russian hacks: Clinton via the DNC email breach as well as that of her campaign manager John Podesta, and Trump, who went so far as to say in the most recent debate that “maybe there is no hacking” in reference to the US government calling out Russia over the alleged data breaches.
Newton says the candidates aren’t emphasizing cybersecurity because it’s just not a hot topic for voters. “It’s not a vote-getting issue,” he says. “They [the candidates] don’t want to hit the privacy versus national security issue head-on [either]. It’s a quagmire: there is no easy solution, but it needs to be front and center.”
But apparently, millennials do care about cybersecurity policy: more than half of US adults ages 18-26 surveyed by Raytheon and the National Cyber Security Alliance (NCSA) say that a candidate’s position on cybersecurity weighs into their decision to support that candidate. Half don’t think cybersecurity has been sufficiently discussed in this election season.
Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise … View Full Bio