Obama options on Russian hacks range from covert to military

WASHINGTON -- President Barack Obama has vowed that the U.S. will respond to Russian hacking undertaken during the U.S. presidential campaign. Yet the public may never hear about it.

U.S. President Barack Obama (L) meets with Russian President Vladimir Putin during the G8 Summit at Lough Erne in Enniskillen, Northern Ireland June 17, 2013. REUTERS/Kevin Lamarque

WASHINGTON - President Barack Obama has vowed that the U.S. will respond to Russian hacking undertaken during the U.S. presidential campaign. Yet the public may never hear about it.

During his presidency, Obama favored a policy of deterrence when it came to responding to cyberattacks, in what U.S. officials call "naming and shaming." He's indicted Iranian and Chinese hackers and signed an executive order allowing the Treasury Department to impose financial sanctions on hackers. He could take similar steps against Russia, which has repeatedly denied accusations of hacking.

Another possible route, though, is an offensive cyberoperation. Obama said Dec. 16 that he would respond in a "thoughtful, methodical way," and some of it "we do publicly. Some of it, we will do in a way that they know but not everybody will." Several former military and intelligence officials explained how an offensive response might play out.
Intelligence Agencies vs. Pentagon Response One key step would be deciding which part of the vast U.S. national security apparatus the administration taps for the job. The administration could turn to the Pentagon or the intelligence community to draft "proportional" responses to a breach, said Ted Johnson, a retired U.S. Navy commander and cyberfellow at the New America Foundation. That would ensure the U.S. plays by the norms of international conflict and reduces the risk of escalation.

"Your response to someone's action against you should be proportional. So, if you get punched in the mouth you don't blow up their home, because that's not proportional," Johnson said.

In making that decision, the president could choose a covert action by intelligence agencies, under a law called Title 50, or a military response, under the law known as Title 10.


Spy Agency options If a covert action by the Central Intelligence Agency or National Security Agency is sought, it would come after gathering as much data as possible on the specific "entities and individuals" involved in the U.S. attack, said Terry Roberts, founder and president of cybersecurity firm WhiteHawk Inc. and former deputy director of U.S. Naval Intelligence.

That could involve wiping out hard drives connected to Russia's intelligence community, exposing Russian hacking tools on the web or revealing where the hackers operate in the so-called dark web. Or if the specific hackers involved use bitcoin currency, the U.S. could delete their online financial cache, Roberts said. This could be done without attribution, so it's not obvious the U.S. was behind the action.

"If I want to just quietly take out their capability and send a very sneaky message and not an overt message, I would probably do a covert action," said Bob Stasio, a fellow at the Truman National Security Project and former chief of operations at the National Security Agency's Cyber Operations Center.

Another possibility, according to another former NSA official, includes "deny, disrupt, degrade" attacks, where agency hackers could take down websites or networks, or break into nongovernment institutions and leak information. That could also include hacking into companies that have ties to Russian President Vladimir Putin or leaders supporting him, or leaking information about Russia's role in another country, deflecting the focus from the U.S.

Military Response If the president chooses an offensive military option, that would fall to U.S. Cyber Command, a relatively new agency headed by Adm. Michael Rogers, who also leads the NSA. This path requires the object of the action be a military target. Possible options here could include a cyberstrike against the systems of the FSB or GRU, Russian intelligence agencies, or launching a ransomware attack against them or manipulating their data.

Using the military could send a strong message, and eventually the operation could be made public. Rogers, for instance, has said he expects to declassify some of the offensive tactics being used against the Islamic State group. But it also raises the idea of overt warfare.

If the U.S. response is a military action, there could be questions around who oversees the operation. "Right now, the Russian geography falls within the European Command area of responsibility," so the defense secretary or the president will have to determine who heads it up, said Johnson, the former Navy commander. "That is not a question that will be easily resolved."

Is there precedent for making an offensive cyberattack public?


"The only publicly declared offensive cyberoperation that the United States is conducting is against" the Islamic State, though few details of that are known, said Michael Sulmeyer, director of the Cyber Security Project at Harvard's Belfer Center and a former senior cyberpolicy adviser at the Defense Department. "I suspect that's why the administration, if they're going to choose to go with an offensive cyber response, they're probably going to be fairly quiet about it," Sulmeyer said.

Case in point: North Korea. The isolated regime's internet was disrupted for about 10 hours on Dec. 21-22, 2014, days after the Obama administration accused Kim Jong Un's government of hacking Sony's computer systems. Although the U.S. didn't claim responsibility, the administration had vowed to retaliate against North Korea.

The Argument For Going Public While policymakers face a challenge deciding whether to make a response public, not disclosing the attack raises the specter that the U.S. isn't actually responding, said Susan Hennessey, a national security fellow at the Brookings Institution and a former NSA lawyer.

"The idea of telling Russia, 'We know it's you, and we might do something about it,' the idea that that is sufficient in this case, I just don't think that's the case," Hennessey said. "I think the White House has indicated that they recognize this is an area in which at least a partially visible and really quite consequential response is required."

What's Next? Former officials and analysts say the process for cyberoffensive operations isn't streamlined and can get bogged down by policy discussions. That could be hindering the U.S. from carrying out such campaigns.

For instance, if Cyber Command presents an option to the president, the National Security Council and a joint task force made up of the intelligence community, including the State Department, "have to determine the collateral effects," Stasio said. They consider the impact of the action, such as relations with the other country and civilian casualties. It's a similar approval process as for a tactical strike.

"There's generally not a whole lot of agreement in these meetings," Stasio said.

Despite all this, Obama already could have ordered an offensive operation. Or he may choose to pursue a noncyber response, or decide to do nothing beyond the public statements he's made. It all depends on what message the U.S. wants to send. Regardless, U.S. allies and adversaries will closely watch the response.


"We're in new territory in the digital age, we're seeing things that we haven't dealt with before," Roberts, the former naval intelligence officer, said. "Our policies and statutes are woefully behind in keeping up with these new dynamics."

What To Read Next
Get Local