War Stories

How the U.S. Could Respond to Russia’s Hacking

Each strategy has its problems, but the future of democracy is at stake.

Russian President Vladimir Putin attends a meeting to discuss the Ukrainian peace process at the German federal Chancellery on October 19, 2016 in Berlin, Germany.

Adam Berry/Getty Images

The headlines about the hacking of our election have only begun to blare. Monday morning, Senate Majority Leader Mitch McConnell joined the bipartisan chorus calling for an investigation, which will likely follow the U.S. intelligence community’s own “full review,” ordered by President Obama to be finished before Inauguration Day. At this point, everyone but the president-elect and some of his entourage accepts that the Russian government directed the hacking, either to undermine the election or—in the CIA’s latest estimate—to help Donald Trump win.

Before we plunge too deeply into this tale, straight out of a Cold War movie, it’s worth reviewing some context: How long has this sort of thing been going on? How is this hack different from all other hacks? How shocking is it? And what can President Obama (or, if he ever snaps out of his denial, soon-to-be-President Trump) do about it?

First, nations have been hacking into each other’s computer networks for a long time. Back in 1967, when the ARPAnet, the military’s precursor to the internet, was about to roll out, a few computer scientists warned that putting information on a network—where it can be accessed online from multiple, unsecured locations—creates inherent vulnerabilities; keeping secrets, they warned, will be very difficult from now on. In 1984, Ronald Reagan signed the first presidential directive on computer security, warning of electronic interference by foreign intelligence agencies, terrorist groups, and criminals. The staffers who wrote this document—most of them in the Pentagon and the NSA—knew about this danger because they knew the United States was already hacking into foreign networks, and they inferred that what we could do to them, they could someday do to us.

The Russians got into the game in 1997 (or at least they were first detected that year) when, in an operation called Moonlight Maze, the NSA and other intelligence agencies detected intruders hacking into several U.S. military sites and—through various means—traced them back to a server at the Russian Academy of Sciences. The French were seen hacking into Defense Department networks the same year. China took its plunge—targeting defense manufacturers, then businesses of all types, then government agencies and critical infrastructure worldwide—in 2001. Russia’s first known hack of a classified site took place in 2008, when, in an operation called Buckshot Yankee, the NSA detected a massive hacking of U.S. Central Command (caused, it was determined later, by someone purchasing a malware-infected thumb-drive from a bodega in Afghanistan and inserting it in a military computer). Today, more than 20 nations have cyber units (offensive and defensive) in their militaries, including Iran, Syria, and North Korea.

During the 2008 presidential election, China hacked into the websites of both parties’ candidates, Barack Obama and John McCain—troubling, but hey, it was espionage, no big deal. In 2015, after China hacked the personnel records of millions of federal employees, a member of the House Intelligence Committee asked James Clapper, director of national intelligence, what he was going to do about this cyberattack. Clapper replied that the Chinese hadn’t launched an attack, exactly. They’d engaged in “passive intelligence-collection activity”—cyberespionage—“just as we do.”

In the present case, there would have been no ruckus if the Russians had simply hacked emails from the DNC and the Clinton campaign; that’s what intelligence agencies do, if they can: collect intelligence on what the presidential candidates and their close aides are saying and doing, what kinds of policies they might pursue.

What’s different this time around is that the Russians leaked cherry-picked excerpts of these stolen files to WikiLeaks, which passed them on to the scoop-happy mass media. In short, the Russians didn’t merely engage in “passive intelligence collection”; they weaponized what they collected. They didn’t merely hack files to learn about U.S. politics; they then strategically planted damaging bits from those files in order to shape U.S. politics.

There is no evidence—nor is anyone claiming there’s evidence—that the Russians tampered with voting machines or registration rolls. What is alleged (and is incontestably true, regardless of Russia’s motives) is that the contents of those emails damaged Hillary Clinton’s reputation. Early on, the DNC emails revealed that the party’s leaders were conspiring with Clinton to weaken Bernie Sanders’ chances in the Democratic primaries. This wasn’t so surprising (Sanders wasn’t even a Democrat until he ran in those primaries), but it angered and disillusioned his supporters—to the point where many of them didn’t return to the party’s fold in the general election.

The later emails—in which top Clinton aides made intemperate remarks about her judgment, hollow beliefs, and conflicts of interest—played into Trump’s campaign rhetoric. He quoted them widely as proof of his charges about her. The Russians had hacked files from Trump’s campaign as well, and no doubt many of those emails would have damaged his reputation, had they been leaked. But that’s the thing: They weren’t leaked. This feature of the tale—the dog that didn’t bark, as Sherlock Holmes would put it—stiffened the CIA’s assessment that the Russians weren’t trying merely to disrupt the political process but to help Donald Trump, their preferred candidate, win.

During the Cold War, the Russians referred to this sort of spying as “active measures,” and the Americans engaged in it too. Both sides rigged elections in smaller countries around the world, either to protect governments serving their interests or to overthrow those that weren’t. This was done mainly by funneling money, spreading propaganda, assassination; the techniques were many.

The 2016 election marks the first time that the United States has been on the receiving end of such a campaign—and the first time that it’s been hurled forth in the cyber realm. Does that make us hypocritical? Maybe. Does that make our outrage less valid? Not at all.

Putin may well see the hacks as acts of revenge. A former KGB officer with a paranoid worldview who regards the implosion of the Soviet Union as the 20th century’s greatest geopolitical catastrophe, Putin blames the United States for plotting that implosion. He also blames the United States—and specifically Hillary Clinton, when she was Obama’s secretary of state—for prodding democratic activists in Ukraine to move away from Russia and toward the European Union. By contrast, Trump has expressed admiration for Putin, has never criticized Putin for anything, has raised doubts about whether he’d defend NATO allies from a Russian invasion—and some of Trump’s associates have business interests in Russia. If Putin had the power and desire to help tilt the election one way or another (as it now seems he did), it’s clear which way he’d help tilt it. Even if Putin’s premises and justifications were true, would that make the hack less objectionable? No. As almost everyone except Trump is acknowledging, it was an attack on our democracy, on our nation.

So, in the brief time he has left, what should President Obama do about it? One answer is, we don’t know whether he has done—or is in the process of doing—something already. And if he does do something, we may never know about it. (If Stuxnet hadn’t spiraled out of control, probably as the result of Israeli overreach, Iranian nuclear scientists might still be thinking that all those exploding centrifuges at the Natanz reactor were the result of damaged parts or incompetence.)

If Obama were retaliating in some way, what might that be—what could he do? This question has been asked several times over the years, in various forums (official and unofficial) on “cyberdeterrence,” and the answers are still vague. One problem is that so much of America’s economy, social structure, and military command-control systems are heavily dependent on computer networks. If Russia (or China or a number of other countries) launched a cyberattack against us and we responded with a cyberattack on them, they could strike back with another, possibly more damaging cyberattack on us. In other words, escalating a cyberwar doesn’t appear to be a winning game for us. We have better cyber rocks to throw at other nations’ houses, but our house is glassier than theirs.

The Obama administration has said, in the context of cybersecurity generally, that the United States might respond to a cyberattack with noncyber means (for instance, with sanctions or a conventional military attack). Even so, what kind of response, in whatever sphere, would have dissuaded the Russians from doing what they did in this election—or would punish them after the fact in a way that would have impact, that would, for instance, ensure they never do anything like it again?

Intelligence officials who have examined this issue say the key consideration is what sort of penalty we could impose not so much on “the Russians” but rather on Putin personally. One possibility is to go after his money. I’ve heard estimates of his private wealth ranging from $8 billion to $22 billion. Intelligence agencies know where he keeps a lot of it. Conceivably, the NSA could hack into those banks and pilfer his holdings. President Bill Clinton considered doing this to Slobodan Milosevic during the war against Serbia, and in fact there was a very active “information warfare” campaign threatening the financial assets of Milosevic’s cronies—a big reason why they deserted him. But several of Clinton’s advisers, including the secretary of the treasury, urged him not to go after a foreign leader’s money: The dangers of blowback were too severe. Another target might be Putin’s image at home or abroad—for instance, information that shows him to be weak or corrupt or in some other way the opposite of the image he projects. These ideas, as well as several others, have been discussed at high levels of the U.S. and other Western governments.

In this case, though, such steps might come too late. Obama’s initial concern, in the summer and early fall, was that the Russians might tamper with the actual election—removing names from voter-registration rolls (they had hacked into those rolls) or hacking into voting machines. When James Clapper released a public statement, on Oct. 7, declaring that the DNC and Clinton campaign emails had been hacked by the Russian government—indeed by its “senior-most officials”—for the purpose of influencing America’s election process, that was intended, in part, as a warning to Moscow not to go any further. In fact, that explicit message was sent through a channel ordinarily used for “hot line” communications about nuclear attacks, threats, or misunderstandings. To the extent the Russians had been planning hacks of that sort, the warning may have worked; no such hacks took place. But the damage was already done: The contents of those leaked emails cemented vague feelings about Hillary Clinton’s shortcomings; and there were no leaked emails from the RNC or the Trump campaign.

The Washington Post reported this past weekend that, after the CIA concluded the Russians had hacked those emails for the purpose of helping Trump win the election, some White House officials briefed congressional leaders and asked them to take a bipartisan stance against this blatant foreign interference. Two Republicans, including Sen. McConnell, refused. As a result, Obama decided not to confront the Russians directly—in part because it would look like he was trying to use intelligence information for partisan electoral purposes, in part because he didn’t want to get into a round of cyberescalation with Russia. (This reluctance was reinforced by the sense that Clinton was going to win, anyway.)

It was after the election, after Clinton lost and as more intelligence confirmed the assessment that the Kremlin directed the hack to help Trump win—in short, after it was clear that Russia’s active-measures campaign worked—that Obama and his advisers started seriously discussing a series of countermoves.

Will he do something, and if so, what? We may soon know; we may never know. Cyberspace is invisible, after all, and sometimes the aggressor and the aggrieved both want a cyberattack to stay secret. But one thing is clear: A threshold has been crossed. Stuxnet marked the first time that a nation-state destroyed physical objects—the critical infrastructure of another nation-state—through strictly cyber means. Russia’s hack against Hillary Clinton’s campaign appears to have marked the first time that a nation-state tried to tilt a presidential election—or at least an American presidential election—through strictly cyber means. The consequences—for future elections, for the prospects of democracy, and for Russian-American (or East-West) politics—depend, in part, on what we do about it.