News of apparent Russian interference into the 2016 election has dominated the media and political conversations as Capitol Hill readies itself for a new administration. Did Russia’s hacks flip the election?
Both Democrats and Republicans have decried the cyberattacks over the past year as an affront to the American democratic process, insisting on further probes into Russia’s activities — but there isn’t much public discussion of what should happen next. And with only days left in Obama’s presidency, the next moves are on the Trump administration.
Responding to high-profile cyberattacks on the U.S. political system puts the U.S. in unfamiliar territory where the rules of engagement aren’t quite clear.
“As far as rules of the road go, they are very underdeveloped at the moment and that’s part of the problem,” Stephen Biddle, senior fellow on defense policy for the Council on Foreign Relations in Washington, D.C. “It’s the sort of thing happens with trial and error and experience over time.”
“As far as rules of the road go, they are very underdeveloped at the moment and that’s part of the problem.”
Obama’s actions to date seem to have kept things from escalating. Kremlin spokesman Dmitry Peskov vowed retaliation to the sanctions, but Putin said he would hold off retaliating to Obama’s expelling of Russian diplomats, and would work to restore relations with the U.S. under Trump.
The Obama administration’s trepidation in pointing the finger at Russia and taking firmer action has garnered criticism from top congressional Republicans, who have insisted that the U.S. up its response to the attacks.
“The Obama administration has been reluctant to impose such pain because they’re worried it would lead to an escalatory spiral,” Biddle said. “It’s a reasonable hesitation, but at some point, if you’re not willing to impose pain…then the other side will eventually eat you for lunch.”
When considering more solutions to limit intrusive hacking behavior, the key is striking a balance and crafting a forceful response that sends a message but that doesn’t provoke another cyberattack, according to Biddle.
Nations meddling in each other’s political processes has been normalized since the Cold War, but that doesn’t mean there aren’t consequences. “A lot of this stuff amounts to snooping that you don’t make public, and making things public is what’s damaging,” Biddle said.
The U.S. has led its own attempts — often successfully — to disrupt or influence other countries’ governments, including by carrying out assassinations. A recent example is the USAID’s failed social media coup attempt in Cuba, where the organization attempted to spark an democratic uprising to overthrow Fidel Castro via an online platform.
“At lower levels of violence, the U.S. would do things like, when KGB activity was in excess, kick out Soviet diplomats that we believed were spies. Russia would do the same and then scale back,” Biddle said. “The point is to keep the pain so low that the other party won’t invade your country.”
As the United States’ leadership changes hands, preventing the next attack could be Trump’s first major action as president.
Until his first post-election conference Wednesday, the president-elect had questioned the veracity of intelligence reports that connected Russia to multiple cyberattacks on U.S. institutions. Trump still denies reports agreeing reports from multiple agencies that the hacks were tied to Russian support of him. The incoming president, however, did warn Russia to stop, adding that “Russia will have much greater respect for our country when I am leading it than when other people have led it.”
But how to stop future hacks is a separate matter.
Signing sanctions into law
In addition to diplomatic responses to the hacks, the U.S. will likely still need to show force, which will require a Republican-led effort.
“This is where the GOP congressional leadership will have to put action behind its rhetoric,” said Peter Singer, author of Cybersecurity and Cyberwar: What Everyone Needs to Know and a strategist and senior security fellow for New America in Washington, D.C..
House Speaker Paul Ryan (R-WI) and Senate Majority Leader Mitch McConnell (R-KY) have criticized President Obama for waiting to impose Russian sanctions, and pushed for a bigger response to the hacks.
“Sanctions against the Russian intelligence services are a good initial step, however late in coming,” McConnell said. “As the next Congress reviews Russian actions against networks associated with the U.S. election, we must also work to ensure that any attack against the United States is met with an overwhelming response.”
Ryan said the sanctions were “an appropriate way to end eight years of failed policy with Russia.”
Criticism of the Obama administration’s handling of the hacks goes but so far. Now, it’s on GOP lawmakers to decide what to do next.
“The only way they can show that’s not just rhetoric is to strengthen the sanctions and turn them into law, which makes them harder to be dealt away,” Singer said. Congress did this with its sanctions against Iran last year to ensure it would abide by its nuclear agreement and not resume its program. That would extend the sanctions’ longevity and make them less subject to changes in political control.
Prioritizing policies that strengthen U.S. systems
Cybersecurity has become an increasingly politicized issue, on both sides of the aisle, following the Sony hack in 2014. Congressional concerns were amplified after the Office of Personnel Management’s breach of personal data belonging to more than 20 million people in 2015.
As a result, there was a bipartisan push to strengthen the United States’ government systems.
“This is politically doable by the GOP Congress,” Singer said, mentioning that there were already bipartisan measures in place, including the U.S. House Oversight and Government Reform Committee, which released a scathing report following the OPM breach that called out the agency’s poor preparedness.
Congress could prioritize legislation that protects critical computer systems and reduces the United States’ vulnerability to cyberattacks. For example, the Department of Homeland Security recently labeled election systems as part of critical infrastructure in response to the Russian access to points in some state and election boards. Sectors, such as banking or energy, are labeled “critical” when their systems can cause significant damage to the U.S. if compromised.
That would make future hacks “less likely by making them less successful,” Singer said. Such policies encourage communication and information sharing, even across the political spectrum. If the DHS had done this sooner, he suggested, the DNC and RNC would’ve been able to better contain or even prevent their hacks by flagging suspicious activity, such as phishing emails.
Weakening Russia’s economic future
The international politics of retaliating to foreign attacks require more than intimidation — they also have to be advantageous. That’s one of the reasons why Erik Gartzke, a professor and researcher at the University of California, San Diego who focuses on the role that information plays in international disputes and war, argues that the U.S. won’t enter a cyberwar with Russia— at least, as far as the public will know.
“Cyber isn’t particularly suited for this,” Gartzke said. “It’s an information domain. Cyber works back when no one knows it happens.” Launching a counter cyberattack could “turn the psychology of the situation into tit-for-tat” that could escalate.
While Trump has promised to warm U.S. relations with Russia, the country’s connection with interfering with the democratic process means something will have to be done to prevent Russia and any other country from attempting similar feats in the future.
“One way to interpret the Obama administration’s response is that it will carve out covert attacks on Russian facilities,” Gartzke said. “The problem with sanctions, to the degree they have bite, the next time you do them they have less bite.”
Regardless of whether the Russian hacks changed the election results, “the point was to clearly disrupt the election by a foreign power and it’s got to be treated seriously on that level…We need to treat it as an intrusion on our sovereignty,” Gartzke said.
Target U.S. exports to Russia that restrict their cyber capabilities, he said, or hit Russia’s already faltering and heavily oil-dependent economy. The falling value in the ruble and volatile but still low oil prices have made the country vulnerable. Russia temporarily stalled plans to reinvigorate their military in early 2016 as a result, but continued following the hacks.
“Small changes in supply have a huge effect on price. [The president] coming out and saying that the U.S. wants to maintain lower oil prices would have an effect that says, ‘we’re not going to help you make money, if you’re going to hurt our political system,’” Gartzke explained. “And if the Russians make nice, the policy could be reversed.”
But the long term play could lay in immigration policy.
“More than half of Russia’s exports are petroleum. That’s not a particularly appealing place for knowledge workers to live. We just have to continue to be an appealing place for Russians to emigrate. That brain drain for Russia is as damaging or more damaging over time,” Gartzke said.
“Being a happy, prosperous place for intellectuals to live is more valuable than protecting ourselves from people who might steal from us” because it allows for faster innovation, he said.
The U.S. issued 3,694 immigrant visas to Russian nationals in 2016, according State Department visa statistics. That number is down slightly from the 4,197 issued in 2015, and significantly lower than the more than 7,000 visas awarded in 2000.
“We want to punish the institutions for their actions, not the technology or individuals involved,” he said.
This post has been updated.