It’s hard to assess President Obama’s response to Russia’s hacking of our election, and part of the difficulty stems from a passage at the end of his official statement on the matter. After detailing his sanctions against Russian intelligence agencies, companies, and individuals; his shuttering of two Russian facilities outside of Washington and New York; and his expulsion of 35 undercover spies, the statement reads as follows:
These actions are not the sum total of our response to Russia’s aggressive activities. We will continue to take a variety of actions at a time and place of our choosing, some of which will not be publicized.
I’m just guessing, but some of these covert actions are likely to involve our own set of cyberattacks, launched by the National Security Agency or U.S. Cyber Command and aimed at targets or assets that are important not merely to the Russian Federation but to President Vladimir Putin himself.
When the director of national intelligence and the secretary of homeland security released their Oct. 7 statement on the hacks and leaks of emails related to Hillary Clinton’s presidential campaign, they said—reflecting the unanimous view of the U.S. intelligence community—that the operation could only have been directed by the Russian government’s “senior-most officials.” At his pre-Christmas press conference, Obama clarified this phrase to include Putin.
Ever since the initial revelation of Russia’s involvement, Obama and other U.S. officials have said that this subversion of our democracy must have “consequences.” Since Putin has been identified as the main culprit, should these consequences be deemed inadequate if they don’t fall, at least to some extent, on him personally? Some former senior intelligence officials, who are now writing the first Pentagon report on “cyber deterrence,” say that, under these circumstances, Putin’s interests should be targeted—as part of a “proportionate response” to his attack and as a way to deter him from launching such attacks in the future.
But what are these personal interests, and how should the United States go about damaging them? Some commentators have urged Obama to go after Putin’s money. Putin is believed to have more than $10 billion stashed in various banks, and U.S. intelligence agencies likely know where. But it would be an unprecedented—and, many think, unwise—move for those agencies to hack into those accounts.
In the late 1990s, President Bill Clinton contemplated doing just that to the bank accounts of Serbian President Slobodan Milosevic. (The war against Milosevic, which was most visible as a series of airstrikes, also involved a highly classified campaign of “information warfare.”) A joint British-American special ops team did threaten the assets of Milosevic’s cronies, many of whom backed away from his regime as a result. But Clinton’s economic advisers urged him not to tamper with another president’s money, warning of blowback against his own funds and of chaos in global financial markets, as people everywhere begin to wonder about the security of their money. Obama has probably heard similar advice about Putin. As for going after cronies, Milosevic depended on his, so their departure left him isolated. Putin’s cronies, on the other hand, depend on him; ravaging their assets wouldn’t hurt him much at all.
Another possible tactic might be to puncture Putin’s domestic image of invincibility. But, again, it’s hard for us on the outside to gauge whether this is possible. Has the NSA unearthed embarrassing missives or photos in his email files? Would Russians believe in their authenticity if they were leaked? And who would disseminate them? WikiLeaks doesn’t seem to be in the business of tarnishing the Kremlin’s reputation, and almost all Russian media are state-owned and thus resistant to news that doesn’t serve Moscow’s interests.
It may be that Obama and his aides have decided not to go after Putin personally—in part because of the risks and the difficulty, in part because these sorts of attacks take time to execute, and Obama’s successor could be expected to call them off. (If Hillary Clinton had won the election, instead of Donald Trump, the calculation might have been different.)
If that’s the case, the main goals of a U.S. response should be the following: to punish the culprits below Putin’s level; to put a dent in Russian intelligence activities that Putin values; to show state-sponsored hackers—whether Russian, Chinese, or some other nationality—that they will pay a price for continuing their adventures; and to make it harder for them to succeed if they try.
It’s notable that Obama responded to the Russian meddling at all—and, no less so, that he responded in public. The only other time that he (or, for that matter, any president) has called out a foreign power for hacking, and pledged to retaliate, was in December 2014, after North Korea hacked Sony Pictures over its release of The Interview, which ridiculed (and depicted the explosive killing of) Kim Jong-un. Cyberattacks—by Russia; China; Iran; Israel; France; Syria; and, yes, very much so, the United States—have been going on for decades. Yet because these attacks and the agencies that launched them have been smothered in secrecy, there has been little public discussion about the fact of the attacks, much less what the government should do in response and what individuals and companies can do to block them. In other words, there has been little public discussion of cyberespionage or cyberwarfare—the latest, fastest-growing, and most dominant form of international crime and conflict today.
In this sense, the most remarkable document, among the seven that the White House released on Thursday, was the FBI and DHS “Joint Analysis Report” on “Russian Malicious Cyber Activity.” This 13-page paper lists all the Russian military and intelligence agencies engaged in cyberattacks, summarizes their recent campaigns, cites the coded signatures that indicate an attack, and recommends several steps to block an intrusion and mitigate its damage. For several years, the U.S. government has been sharing this sort of information with corporations involved in “critical infrastructure” (energy grids, transportation, banking and finance, communications, defense industries, etc.), usually on a classified, need-to-know basis. This is the first time it has released this sort of material, in such detail, to the general public—first, to let the Russians (and other hackers) know that we know what they’re doing; second, to let all potential objects of hacking know ways to counter it.
A new executive order, signed by Obama, expands the government’s authority to deal with cyberattacks. Before, the authority covered only attacks on computer networks and critical infrastructure; now it also allows sanctions on nations that “tamper with, alter, or cause a misappropriation of information with the purpose or effect of interfering with or undermining election processes or institutions.” That would cover a repeat of what Putin’s Russia did with the 2016 U.S. election.
Which raises a question: Could Obama have done something to prevent the interference of 2016 from taking place? Maybe. Obama has said that signs of Russian hacking were first clear in the summer and that he warned Putin not to go further when the two leaders met at the G-20 in September. But at the time, the Obama administration’s fear was that Russia would sabotage voting machines and remove names from voter registration rolls. (These rolls, in several states, had been hacked.) Maybe Putin was planning to do those things, and maybe Obama’s warning deterred him from doing them; we may never know. But Obama and his aides failed to realize that the real damage had already been done, with the hacking of campaign emails.
That the interference was so one-sided (lots of embarrassing emails from Clinton’s camp, none from Trump’s) is likely what led to the punctilious wording in the new executive order, which authorizes sanctions not only on nations that “tamper with” or “alter” election processes but also on those that “cause a misappropriation of information with the purpose or effect of interfering” with those processes.
Returning to Obama’s punishments: Are they proportionate to Putin’s offense? To the extent that Russia’s “misappropriation of information” contributed to Trump winning the election, probably not, though it’s hard to imagine what mountain of sanctions would square so severe a twisting of our democracy.
By lesser measures, the actions are fairly substantial. Obama ordered sanctions against the FSB and the GRU, the two main Russian intelligence agencies involved in the hacking; four specific GRU officers; three companies that provided technical assistance with the hack; and two more Russian individuals involved in cybertheft. He also expelled 35 Russian officials from the Washington and San Francisco areas, saying they were undercover intelligence agents. And he closed down two Russian country homes, on the Maryland and Long Island coasts, that were said to be intelligence-gathering facilities.
It’s a bit unclear what it means to sanction foreign intelligence agencies, unless it involves seizing the assets of—and barring financial transactions with—undercover companies that are actually owned in part by those agencies. (That may in fact be what it means; a spokesman for the Treasury Department wouldn’t comment.) The sanctioning of those companies and individuals is a very real impediment to Russian officials and entrepreneurs who like to travel and move their assets around. Expelling a few dozen Russian spies is a time-honored tradition, though only twice in recent years have presidents got rid of so many. (Ronald Reagan and George W. Bush declared about 50 “persona non grata” in the wake of intelligence scandals.) And of course we don’t know what those other actions Obama reserved the right to take—the ones that may not be publicized—will or won’t amount to.
(Putin’s response, meanwhile, has been quite clever. He put out news reports that his foreign ministry officials urged him to expel 35 U.S. diplomats in retaliation—but, no, Putin has decided to do nothing and instead to wait for warmer relations with the incoming President Trump. The man does have a way with jiujitsu.)
Will any of this have an effect in the longer run? It’s hard to say. Some shrugged in 2014 when the U.S. Justice Department indicted five Chinese army officers for hacking American corporations. I was among those who wondered what that could possibly accomplish. Yet, according to Robert Knake, a former White House cyber official who is now a senior fellow at the Council on Foreign Relations, “There has been a massive drop off in Chinese hacking.” He also notes that “no evidence has come out that China targeted the [Clinton or Trump] campaigns”—which would be the first time since 2000 that China hasn’t hacked either or both candidates. (The difference between China and Russia is that China hacked campaign files strictly for espionage, while Russia weaponized the intelligence by trickling strategic bits of it back into the American polity.)
Freelance criminal hackers may also be getting nervous. In October, a Russian hacker wanted by the FBI for stealing from American corporations was arrested while vacationing with his girlfriend in Prague. Many countries, including Russia, recruit hackers to do cyberespionage or cyberattacks, and in exchange the authorities ignore or even abet their criminal enterprises. Will this collusion continue if, suddenly, the risks seem high? Until very recently, the risks seemed nonexistent.
It may be that simply talking about cyberwar—acknowledging its existence, trying to set norms, exposing those who violate them—will gradually have consequences. Obama is famously keen on international norms. In this sense, with these new orders and sanctions, he’s making the first substantive moves in a long game. The problem is he doesn’t have much longer on the playing field.