Influencers: US should hit Russia harder for political hacks
The US should retaliate more strongly against Russia for its digital attacks on American political organizations, more than three-quarters of Passcode鈥檚 Influencers said.
Earlier this month, the US intelligence community released a report that聽blamed President Vladimir Putin聽for ordering a campaign of cyberattacks, propaganda, and fake news to undermine public confidence in the democratic process and discredit Hillary Clinton鈥檚 campaign.
In light of this, Passcode鈥檚 group of digital security and privacy experts said President Trump should roundly condemn the hacks 鈥 and impose serious consequences.
鈥淚f the Russians had physically sent agents into the offices of the Democratic National Committee to steal files or into polling stations to stuff ballot boxes, they would have done so certain of consequences if those agents were caught: they鈥檇 be imprisoned and probably tried,鈥 said Nate Fick, chief executive officer of Endgame, a cybersecurity company. 鈥淯ntil the US government makes explicitly clear that the full weight of American power is available to respond to hostile cyber adventurism, we can expect the assaults on our institutions to continue.鈥
The Obama administration鈥檚 response included economic sanctions, the expulsion of 35 diplomats, the聽, and strong hints of covert retaliation. Yet some members of Congress聽criticized Mr. Obama鈥檚 response聽to the hacks 鈥 coming six months after suspected Russian breaches into the Democratic National Committee were detected 鈥 as too slow.
It鈥檚 not yet clear how Mr. Trump plans to deal with the issue.
The new commander-in-chief has said he agrees with the intelligence community鈥檚 united assessment that Moscow was behind the suspected digital attacks and leaking of confidential emails to the antisecrecy site WikiLeaks, but has so far declined to publicly condemn Russia for its actions. Some Trump advisers have suggested the post-hack sanctions聽聽鈥 though some of Trump鈥檚 cabinet choices, such as CIA Director Mike Pompeo and Defense Secretary James Mattis,聽have taken a harder line.
Some Influencers are worried that Trump might not act 鈥 and are calling on Congress to step in. 鈥淐ongress should pass bipartisan sanctions against Russia to inflict additional costs and prevent those costs from being easily reversed by the Trump administration,鈥 said Chris Finan, chief executive officer of Manifold Technology.
Peter Singer, a senior fellow at New America think tank, sees the next phase as a test for the Republican-controlled government. 鈥淭he Obama administration鈥檚 recent moves to sanction Russia for targeting US democracy were a good start, albeit too little and too late 鈥 criticism that the Republican congressional leadership was quick, and right, to make,鈥 Mr. Singer says. 鈥淎 test of its sincerity will be whether Congress backs its words with action, by turning the sanctions into law and strengthening them further.鈥
For his part, Congressional Cybersecurity Caucus cochair Rep. Jim Langevin (D) of Rhode Island says he supported the Obama administration鈥檚 actions 鈥 but will advocate in the legislative branch for more action. 鈥淚 do believe that the actions made public to date are not commensurate with the enormity of the attack on the fundamental underpinnings of our democracy,鈥 Mr. Langevin said. 鈥淚 will continue to support efforts by the Congress and the new Administration to ensure that Russia does not again threaten our electoral systems.鈥
The US has a variety of tools besides sanctions at its disposal. One Influencer is calling for a 鈥渢it-for-tat鈥 response.聽鈥淭here should be a price for their actions, and it should involve doxing powerful Russians connected to the Kremlin so they get the point,鈥澛爏aid the expert, calling for a kind of cyberattack ultimately aimed at exposing sensitive information. (Passcode鈥檚 Influencers can choose to keep their responses anonymous to preserve their candor.)
A lack of a strong public response will only encourage 鈥渂older behavior鈥 from Russia, added Eric Burger, a computer science professor and director of the Center for Secure Communications at Georgetown University. The US arsenal ranges 鈥渇rom hacking back and exposing Botox use all the way through kinetic warfare, with things like sanctions, public shaming, and the like in between,鈥 he adds.
The probe into suspected Russian digital interference into US elections isn鈥檛 over yet: The House and Senate Intelligence committees聽are investigating聽the hack.
Even so, Passcode鈥檚 experts largely believe that by taking a strong stand now, the US can play an important role in creating聽rules of the road for cyberspace聽鈥 or internationally accepted norms of behavior. That process has moved slowly in international bodies such as the United Nations, but experts say a public response to the high-profile hacks could spur some momentum.
鈥淟et鈥檚 call it what it is: a digital attack on one a foundational element of societal confidence,鈥 said Steve Weber, a professor at the School of Information at the University of California at Berkeley of this summer鈥檚 cyberattacks against the DNC and other Democratic political organizations.
鈥淣ow is the time to set some norms about how states use the internet to create corrosion in the social contract of other states. We shouldn鈥檛 wait for norms to 鈥榚volve鈥 鈥 we should state clearly what we consider out-of-bounds behaviors, not engage in them ourselves, and punish those who do with serious costs and pain.鈥
However, some experts insist it鈥檚 too early to begin talking about further penalties for the suspected Russian digital attacks. A small but vocal 24 percent minority of Influencers said it wasn鈥檛 the right time to respond, given a lack of what they said was compelling evidence.
鈥淯ntil we actually see the evidence of Russian political hacking, this entire episode remains unverified.鈥 says Sascha Meinrath, who heads up X-Lab,聽a Washington-based venture focused on technology policy and innovation. 鈥淎nyone promoting retaliation is doing so in ignorance.鈥 While the intelligence community鈥檚 declassified report on Russian hacks featured some technical indicators, such as internet protocol addresses, the public evidence聽did little to satisfy聽some security researchers.
Some of Passcode鈥檚 experts think that by retaliating more strongly 鈥 or mounting a digital counterattack against Russia 鈥 the US could make itself vulnerable by exposing its own digital espionage operations to potential criticism.聽
鈥淥ffensive operations are a critical part of nation-state intelligence,鈥 says Nick Selby, from US cybersecurity firm Secure Ideas. 鈥淔eigning outrage at operations results in embarrassing propaganda campaigns in which we must 鈥榙emonstrate鈥 how awful it all is.鈥
The US intelligence community in its report聽聽Russian digital interference in global politics could be the 鈥渘ew normal.鈥 With suspected Russian cyberattack campaigns potentially targeting elections in Germany, France, and the Netherlands this year, some Influencers say it鈥檚 time to buckle in for the long haul 鈥 and focus on defense.
鈥淚t was inevitable that traditional espionage would evolve to utilize the Internet,鈥 says Scott Montgomery, vice president and chief technical strategist at Intel Security. 鈥淭he energy spent on 鈥榬etaliation鈥 would be better served improving defensive posture and training personnel.鈥
What do you think?聽聽of the Passcode Influencers Poll.
Who are the Passcode Influencers? For a full list, check out our聽
Comments:
YES
鈥淲hile not endorsing direct retaliation, the US should and could do more to protect our networks. Constructive policies include creating legal frameworks that protect the important work done by legitimate security researchers and policies that strengthen and facilitate the use of encryption in the public and private sectors. So let鈥檚 talk about how we 鈥榩rotect鈥 against political hacking so we don鈥檛 have to 鈥榬etaliate鈥 against it.鈥澛鈥 Abigail Slater,聽Internet Association
鈥淏ut only if it is part of a cohesive approach to all nation states. The Russian hacks are important, but should not divert us from the bigger picture. For example, China has waged a largely unanswered cyber offensive against our country that has caused significant economic harm and damaged our national security. In terms of cyber damage, China makes Russia look like amateurs. We need a comprehensive approach, and we needed it yesterday.鈥澛鈥 Jenny Durkan,聽Quinn Emanuel
鈥淎nd we should not confine our response to the digital domain.鈥聽鈥 Influencer
鈥淚 caution the US against CyberSaberRattling. Things can escalate very quickly in cyberconflict and spill into physical domains. The US often forgets we are the most connected nation and therefore stand the most to lose. We have too much indefensible [information technology] which can affect free and democratic elections 鈥 and even public safety and critical infrastructure. We need to either be 鈥榣ess dependent鈥 and/or 鈥榤ore defensible.鈥欌澛鈥 Joshua Corman, Atlantic Council
鈥淭hose who trafficked in US election tampering must be held accountable and dissuaded from considering a repeat offense.鈥澛鈥 JJ Thompson, Rook Security
鈥淚t needs to be part of a larger coherent strategy that addresses Russia鈥檚 broad non-kinetic campaign that includes attacks on the Ukraine and others. They are incrementally executing a high level strategy that is integrated and patient.鈥聽鈥 Influencer
鈥淐ongress should pass bipartisan sanctions against Russia to inflict additional costs and prevent those costs from being easily reversed by the Trump administration.鈥澛鈥 Chris Finan, Manifold Technology
鈥淸The] Obama administration response to the foreign interference in our election can only be characterized as 鈥榯oo little, too late.鈥 The response did nothing to get the Russians to stop the leaks during the election and will do even less in deterring future activities. The President and his team abrogated their responsibility to protect the integrity of the election process.鈥澛鈥 Influencer
鈥淟ast month鈥檚 Russia sanctions and related activities were an important first step, but were only a first step - we鈥檙e going to need to do more if we want to deter further Russian interference. In addition to deterrence, this experience should be a catalyst to drive an expanded focus on security solutions not just for large organizations, but also for smaller organizations (like the DNC) that today often cannot afford the type of security that they need.鈥澛鈥 Nathaniel Gleicher, Illumio
鈥淔irst of all, no response encourages further, bolder behavior. Second, remember the U.S. has a full arsenal of options to respond, ranging from hacking back and exposing Botox use all the way through kinetic warfare, with things like sanctions, public shaming, and the like in between.鈥澛鈥 Eric Burger, Georgetown University
鈥淲e first need better clarity around attribution to the Russian government. There could certainly be classified information from [human intelligence] or other sources that the US government can鈥檛 expose, but based on public information, there just isn鈥檛 enough to definitively draw a conclusion. If the US government is certain based on other evidence, we need to take a tougher stance. At a minimum, we need to be proactive about locking down our political apparatus to avoid a similar breach, regardless of the actor, in the future.鈥澛鈥撀燡ay Kaplan, Synack
鈥淢aterially strengthening existing economic sanctions is in order. Under no circumstances should existing sanctions be lifted.鈥澛鈥撀营苍蹿濒耻别苍肠别谤
鈥淏ut it should have come when the initial sanctions were announced, which came too late after the attribution.鈥澛鈥 Adam Segal, Council on Foreign Relations
鈥淎nd the Intelligence Community should keep it鈥檚 [darn] mouth shut about what exactly it is we are doing.鈥澛鈥 Influencer
鈥淭he Chinese found our sanctions somewhat underwhelming, indicating they don鈥檛 have a deterrent effect.鈥澛鈥 Dave Aitel, Immunity
鈥淭he United States should also have responded earlier in 2016, rather than at the tail end of the Obama Administration.鈥澛鈥 Influencer
鈥淥ur current lack of deterrence effectively condones the exploitation of computer systems in government and critical private sector enterprises.鈥澛鈥 Amit Yoran, Tenable Network Security聽
鈥淭he US should act based on the facts provided from the intelligence.鈥澛鈥 Influencer
鈥淭he full scope of actions are still unknown, but meddling in our democratic process should not be taken lightly.鈥澛鈥撀燡oel de la Garza, Box
鈥淭it for tat. There should be a price for their actions, and it should involve doxing powerful Russian鈥檚 connected to the Kremlin so they get the point. MAD.鈥澛鈥撀营苍蹿濒耻别苍肠别谤
鈥淥ur response to Russia鈥檚 political hacking has an audience far beyond the walls of the Kremlin. It鈥檚 important to signal to other cyber aggressors on the international level that we hold sacred the integrity of our domestic elections at all levels of government.鈥澛鈥撀燚ave Weinstein, State of New Jersey
鈥淯S has not, at least publicly, shown enough power and ability in cyberspace operations to act as a deterrent.鈥澛鈥撀营苍蹿濒耻别苍肠别谤
鈥淚 strongly supported the Obama administration鈥檚 response to the information warfare operations targeting faith in the US elections. In particular, the announced actions span a range of domains including diplomatic, economic, and cybersecurity effects. Using a comprehensive approach to counter these unprecedented attacks is a vital step in norm building and puts the world on notice that when they attack US interests in cyberspace, we will respond. That said, I do believe that the actions made public to date are not commensurate with the enormity of the attack on the fundamental underpinnings of our democracy. I will continue to support efforts by the Congress and the new administration to ensure that Russia does not again threaten our electoral systems.鈥澛鈥撀燫ep. Jim Langevin (D) of Rhode Island
鈥淏eginning with voting machines, a thorough audit needs to be conducted, and a time machine needs to be invented to travel back and set up a paper audit trail to verify the results. The US intelligence community has a rare general consensus that Russian hacking of the US election occurred. We need to start by believing them and preparing to create public-facing evidence for the future.鈥澛鈥撀营苍蹿濒耻别苍肠别谤
鈥淚 am in favor of return fire for any and all. If there is any implication in the question that somehow this episode was the worst, then I reject the question and change my answer.聽 What we are seeing is the weaponization of the data dump and nothing more since, after all, there was nothing fabricated in the DNC e-mails if you want to get down to that level. All in all, the episode means exactly two things: (1) do not put so [darned] much data online and (2) never let data dumps go unpunished even if there is collateral damage in the process or if the perpetrator wraps him or herself in a greater good.鈥澛鈥 Dan Geer, In-Q-Tel
鈥淏ullies only back down when they get punched in the nose.鈥澛鈥撀营苍蹿濒耻别苍肠别谤
NO
鈥淚t was inevitable that traditional espionage would evolve to utilize the internet. The energy spent on 鈥榬etaliation鈥 would be better served improving defensive posture and training personnel.鈥澛鈥撀燬cott Montgomery,聽Intel Security
鈥淏ased upon the lack of verifiable evidence that can differentiate between state and non-state actors, the US [government] should refrain from any action that could be seen as an escalation.鈥澛鈥撀燡effrey Carr, Taia Global
鈥淗ow can you retaliate against an entity consisting of unwilling victims who unknowingly shuffle attack traffic, launched by a mob of patriotic actors, and directed by a nebulous Russian entity?鈥澛鈥撀燝眉nter Ollmann, Ablative Security LLC
鈥淩etaliation isn鈥檛 a constructive approach, but deterrence is an important capability in any consideration of ways to minimize this sort of activity. We should remember that there were reports of a different foreign nation-state fostering hacks into U.S. political organizations in the 2008-2010 timeframe. We鈥檙e not hearing as much noise about those for one reason - the actor didn鈥檛 seem to leak their findings. I鈥檓 actually less comfortable with that than a case where the actor chooses to at least let us know in a material way some of what they have obtained illicitly. Whether one chooses to view this as an actual new domain for conflict or not, it is not an area in which to operate precipitously or lightly. We have reached a point where proliferation of capabilities is a real concern, and setting an example for measured investigation, attribution, and response is a worthwhile idea.鈥澛犫 Robert聽Stratton, security entrepreneur, investor, and consultant
鈥淭his isn鈥檛 as simple as a yes/no question. Should they do more? Perhaps. Are we doing more? Quite likely. Will we or should we know about it? Not necessarily.鈥澛鈥 Influencer
鈥淎t the end of the day, hacks are going to continue to happen. Organizations will continue to be infiltrated, no matter what the retaliation strategy. Organizations need to arm themselves with the best tools of defense - which secure the network from the inside out, can genuinely self-learn what鈥檚 鈥榥ormal鈥 for a network, and spot anomalies at their nascent stages. While there is no silver bullet to security, it is the only chance we have to stay on top of an ever-evolving threat landscape that is growing in sophistication.鈥澛鈥 Influencer
