Since 2014, President Barack Obama's administration has punished three of the four states considered the top cyber threats to U.S. computer networks: China, Iran and North Korea. The curious exception is Russia, the country experts and Hillary Clinton's campaign say was behind the hack of the
Democratic National Committee.
While senior U.S. officials have called out Russia in broad terms for its increasingly aggressive behavior in U.S. cyberspace, the U.S. has only once tied Russia to a specific attack. That was in 2015 when Secretary of Defense Ash Carter accused Moscow of probing a Pentagon system.
Compare that to recent actions the administration has taken against other states for cyberattacks. In 2014, the Justice Department charged five members of China's People's Liberation Army for stealing trade secrets from U.S. industries in cyberspace. This year, the Justice Department charged seven Iranian hackers it said were linked to the country's Revolutionary Guard Corps with hacking into U.S. banks and a Rye, New York, dam between 2011 and 2013. At the beginning of 2015, Obama sanctioned North Korea for the 2014 Sony hack.
Russia has yet to face any consequences like that. But with the growing consensus among experts inside and outside the U.S. government that Russia was behind at least the hack of the Democratic National Committee (if not the public disclosure of the stolen documents through WikiLeaks) there is mounting pressure on the White House to try to deter Russia's cyber aggression.
Speaking this week at the Aspen Security Forum, John Carlin, the U.S. assistant attorney general for national security, issued a warning. "You haven't seen yet a public action against Russia," he said. "But it would be a mistake for them to assume that we are not going to apply this deterrence model when it comes to their action if they continue to intrude."
Earlier this week at a speech at Fordham University in New York, FBI Director James Comey sounded a similar note. He said cyberattacks from states and non-state actors "needs to be called out, it needs to be sanctioned, it needs to whenever possible be prosecuted."
All of this raises the question why Russia has gotten off the hook when other countries haven’t. After all, this isn't the first time the Russians have done this kind of thing. U.S. officials have alleged that Russia was also responsible for hacking the State Department's unclassified email system in 2015 and other unclassified White House computer networks. In 2014, the Russians were widely viewed as having intercepted and leaked a phone conversation between Assistant Secretary of State Victoria Nuland and the U.S. ambassador to Ukraine, Geoffrey Pyatt.
There are a few explanations. To start, U.S. intelligence agencies traditionally have seen cyberattacks by other nations as a window to collect intelligence on the attackers’ own sources and methods. In this sense, the less said about an intrusion the better. The National Security Agency often chooses to respond to foreign government hacking with hacking of its own.
There are also diplomatic considerations. While the U.S. has sanctioned sectors of Russia's economy for the annexation of Ukrainian territory, Secretary of State John Kerry has also tried unsuccessfully now for a year to entice Russia to use its leverage with the Syrian regime to end the civil war there. A public response to Russian cyber-aggression could invite a diplomatic response from Russia in Syria.
A senior administration official told me Saturday that there was no "across-the-board policy regarding Russia when it comes to prosecution or attribution." Lisa Monaco, the president's adviser on homeland security on Saturday told an audience at Aspen that the administration approaches each cyberattack on a "case by case basis," depending on the quality and preponderance of evidence linking the hack to a state actor.
But one explanation for the lack of punishment is that, until recently, most of Russia's cyberattacks were aimed at probing networks and not destroying them or leaking the pilfered data onto the internet. Jason Healy, a senior researcher at Columbia University, told me Saturday, "Up until the annexation of Crimea, their aggression was largely espionage. So it doesn't surprise me we have not done indictments on Russian actors to date. Now that Russian actions are becoming much more disruptive, not just in the U.S., but in Ukraine and Western Europe, I expect the administration will feel the need to be more vocal and more aggressive in their response options."
So far, the Obama administration has not publicly pinned the DNC hack on the Russians, despite the growing consensus among experts that Russia was responsible. In public talks at Aspen, CIA director John Brennan, Director of National Intelligence James Clapper and Monaco all declined to say Russia was behind the hacks when asked.
U.S. officials say this is because the FBI is just beginning its formal investigation into the matter. These investigations can take time. Nonetheless, the president's own party wants Obama to go public. Senator Dianne Feinstein and Representative Adam Schiff, the ranking Democrats on the Senate and House intelligence committees, asked the White House in a public letter this week to release and declassify any intelligence assessments of the DNC hack. "Given the grave nature of this breach and the fact that it may ultimately be found to be a state-sponsored attempt to manipulate our presidential election, we believe a heightened measure of transparency is warranted," they wrote.
It presents a dilemma for Obama. Accusing a powerful foe like Russia of such an attack without all the evidence can of course backfire. But there is also a consequence for keeping quiet. It might give Russian hackers the impression that the U.S. is uninterested in deterring them. Indeed, it appears they are under that impression already.