Move over Comment Panda and Putter Panda, make way for Fancy Bear and Cozy Bear. 2016 was the year Russian hackers pushed their Chinese counterparts out of the limelight, becoming a major focus of the presidential election and transition, and driving policy discussions about attribution, norms, deterrence, and countering information operations and fake news. How the United States responds to the hacking of the presidential election, or doesn’t, will have a far-ranging impact on domestic cybersecurity and state behavior in cyberspace.
Attention shifted from Beijing to Moscow in part because Chinese industrial espionage declined. More important, however, was a qualitative, and highly disruptive, change in the actions of Russian hackers. For years, the intelligence community has warned that the skills of Russian hackers exceeded those of the Chinese. Director of National Intelligence James Clapper, for example, told a conference at the University of Texas in 2014 “I worry a lot more about the Russians” than the Chinese. But while Chinese hackers targeted the government, private sector, and civil society, the Russians were relatively restrained, concentrating on espionage and mapping the battlefield. Russian hackers limited their actions to collecting information from political and military targets, and surveilling networks that might be attacked if the United States and Russia engaged in serious conflict.
This year, Russian behavior changed. In June, the Democratic National Committee announced that two groups of Russian hackers had penetrated its network: Fancy Bear (also known as APT 28), which works for the GRU, Russia’s military intelligence service; and Cozy Bear (APT 29), which is suspected of having ties to the Federal Security Service, the successor to the KGB. Russian hackers also successfully attacked the Democratic Congressional Campaign Committee, Hillary Clinton’s presidential campaign, and the campaigns of several Democratic candidates for Congress. They tried to gain access to computer networks at the Republican National Committee, but failed. That effort was reportedly less aggressive and much less persistent.
What probably started as an intelligence gathering operation became something different when the documents stolen from the DNC and Clinton campaign began showing up on websites such as Wikileaks and DCLeaks.com, and were then amplified on social networks, Russian news outlets, and U.S. media. This doxing was designed to undermine confidence in institutions and sow confusion and discord, and was a new adaptation of what Russians call kompromat, a mix of fabrication and truth.
Who was behind the attack and what they hoped to achieve has been highly politicized. CrowdStrike, the company the DNC hired to secure its networks, quickly attributed the attack to Russia, but an individual calling themselves Guccifer 2.0 soon took credit for the hack (the original Guccifer was arrested for hacking into the accounts of Colin Powell, John Negroponte, Richard Armitage, and others). Journalists, online researchers, and other cybersecurity firms, however, continued to turn up data that pointed to Moscow. In October, the Director of National Intelligence and Department of Homeland Security issued a joint statement declaring, “The U.S. Intelligence Community is confident that the Russian Government directed the recent compromises of e-mails from U.S. persons and institutions, including from U.S. political organizations.”
During the election, Donald Trump questioned the government’s ability to identify the hackers, claiming that "it could be Russia, but it could also be China. It could also be lots of other people. It also could be somebody sitting on their bed that weighs 400 pounds." That skepticism turned into criticism of the intelligence community when the Washington Post reported on December 9 that the CIA had assessed that Russia interfered in the election to tilt it to Trump, not just to undermine confidence in the electoral system. While CrowdStrike and other cybersecurity firms have provided public evidence linking Russian attackers to the DNC hack, verification of claims about motivation is highly unlikely, as it would most likely require revealing technical measures and perhaps even the existence of spies in Putin’s inner circle.
The United States is not the only democracy being targeted. German Chancellor Angela Merkel has warned of Russian influence on the 2017 German parliamentary election through cyberwarfare and disinformation. German authorities have claimed Russian hackers were responsible for previous attacks on the Bundestag, the lower house of parliament, and on the headquarters of the ruling Christian Democratic Union. The National Cybersecurity Agency of France has briefed presidential candidates on hacking threats to the election. Alex Younger, Chief of the British Secret Intelligence Service, has warned that "The connectivity that is at the heart of globalization can be exploited by States with hostile intent to further their aims deniably. They do this through means as varied as cyber-attacks, propaganda or subversion of democratic process."
In the wake of the leak of the CIA finding, President Obama ordered a “full review” of “hacking-related activity aimed at disrupting” elections, dating back to 2008, to be completed before he leaves office. There have been bipartisan calls for hearings and the creation of a select committee to investigate cyber attacks on the United States. Questioned in his year-end press conference about why the United States had not responded more forcefully and vocally, President Obama gave an answer that touched on domestic politics and cyber strategy. Reticence had been motivated by a fear of being seen as taking sides in a "hyper-partisan" environment. President Obama also claimed that by warning President Putin to "cut it out" during a one-on-one meeting at the G20 in China, he had deterred further attacks that could "hamper vote counting."
The President promised that the United States would respond "at a time and place of our choosing." "Some of it we do publicly," he said at his press conference. Some activities "we will do in a way that they know, but not everybody will." The difficulty for the United States is that it must design a response that penalizes Russia but does not risk escalation. It must deter future attacks on the United States and its allies, but at the same time not undermine efforts to develop rules of behavior for states in cyberspace. Numerous analysts have suggested sanctions and travel restrictions on Russian elites, combined with cyberattacks designed to weaken Putin, perhaps by releasing information about his finances or private life, or by damaging the technologies the government uses to control the Russian internet. In his final days, the most President Obama can hope to accomplish is bolstering the public attribution of the attacks through the selective release of intelligence. This might have some limited deterrent effect on future attacks. More important, it will pressure the incoming administration to take some action, despite Trump signaling his intention to reset the relationship with Moscow.
To say the future is uncertain seems a massive understatement. Much of the cybersecurity community is now struggling with how the United States should deter, contain, and control a conflict that is primarily a mix of espionage, disinformation, and disruption, but has the potential to escalate to destructive attacks. The new administration is apparently intent on arguing that those attacks never happened, and that the United States should move closer to the primary suspect behind the attacks. This tension will only be resolved by domestic politics, in particular if Republicans in Congress push the administration to take a harder line, and by the success or failure of Trump’s foreign policy. Cybersecurity policy has never been more important, or more in flux.