U.S. and European officials are likely to fall back on the conventional tools of sanctions and prosecutions to punish Russia for the recently discovered cyberattack while continuing to investigate the full ramifications of the hack.
“We still don’t know the extent of the damage,” said Foundation for Defense of Democracies senior fellow Mark Montgomery, a retired admiral who chaired the congressionally mandated Cyberspace Solarium Commission. “It’s hard to describe the seriousness of the attack, of the incident, and discuss what’s the appropriate response without knowing what happened.”
The hack went undetected for months after thousands of federal government agencies and private companies downloaded compromised software from an IT management company. That breach affected not only the United States but also “governments across the world,” according to Secretary of State Mike Pompeo, who identified Russia as the likely culprit. The width of the net, paired with the European Union’s newfound willingness to impose sanctions for cyberattacks, raises the likelihood of a transatlantic effort to punish Moscow.
“These kind of response measures have, hopefully, some deterrent effect,” said a European diplomat who works on cybersecurity issues. “We can sanction also the malicious cyberactors … We are now in the beginning as democratic governments in sorting out what kind of response we can do.”
Those sanctions could dovetail with Justice Department efforts to levy criminal charges against the cyberattackers, a tactic that special counsel Robert Mueller adopted during his investigation of the 2016 election interference. That investigation produced indictments of 12 Russian intelligence officers.
“The idea that you can never come to the U.S. because … if you turn up, you’ll be arrested — that can be a powerful deterrent because everybody wants to visit Disneyland,” the American Enterprise Institute visiting fellow Elisabeth Braw said. “But as we can tell from the continuation of the attacks, that’s not enough, either.”
European leaders sometimes struggle to agree to punish Russian aggression due to economic ties to Moscow or other disputes between the democracies, but the extent of the operation, perhaps most notably the reported hack of the Energy Department’s National Nuclear Security Administration, could overcome any hesitation.
“Russia is a close neighbor of some, so politics gets in the way, but I think the fact that the Russians seem willing to penetrate [the nuclear agency] will be a reason why they think that this is at least different from other attacks,” said the German Marshall Fund’s Ian Wallace, a cybersecurity expert who previously worked at the United Kingdom’s defense ministry and at the British Embassy in Washington. “I’d be fairly optimistic that the U.S. could get some support for joint action, at least in the diplomatic lane.”
A joint response recalls the coordinated expulsion of Russian diplomats and intelligence officers that U.S. and European allies unveiled after Russian operatives used a chemical weapon on British soil in the attempted assassination of a treasonous former Russian military intelligence officer, a model of the kind of unity that cyberexperts hope to see in their domain.
Yet that “collective” response was spurred by then-British Prime Minister Theresa May’s explicit condemnation of the Russian operation, whereas President Trump cast doubt on Russia’s involvement one day after Pompeo’s statement that Moscow was “pretty clearly” behind the incident. President-elect Joe Biden’s administration is more likely to speak with a single voice about the hack, particularly as the analysis benefits from additional details over the coming weeks.
“I would think, at the bare minimum, imposing sanctions against the SVR would be something that the U.S. government should consider,” the Atlantic Council’s Edward Fishman, who helped craft sanctions policy at the State Department during Barack Obama’s presidency, toldReuters in reference to the Russian intelligence agency suspected of responsibility for the hack.
Yet Biden’s team will still have to confront the fact that coordinated action thus far seems to have failed to alter Vladimir Putin’s behavior; the outcry over the Skripal poisoning didn’t stop Russian officials from violating the chemical weapons ban with another assassination attempt this year, this time targeting a prominent Russian opposition leader, the likewise sanctions and public condemnation have failed to stop cyberattacks.
“One of the big questions [is] what does the incoming administration believe are the pain points that will likely catch the attention of the Russian leadership?” Wallace said. “The easy things don’t appear to have had much impact in the past.”
Montgomery favors an expansive range of responses — not only the now-familiar mix of sanctions and indictments targeting the individuals who implement Putin’s aggressive policies, but also an offensive cyberattack against the SVR, the Russian spy agency regarded as responsible for the attack.
“I do think we should consider whether we conduct offensive cyberoperations against the infrastructure used to conduct this hack,” the retired rear admiral said. “We can limit and/or mitigate their ability to do these kinds of things again soon.”
But “soon” is the keyword. “This is purely punitive,” Montgomery said, acknowledging that neither sanctions nor retaliatory cyberattacks will “convince them they shouldn’t do it again.”