On Wednesday night, the FBI alleged that Iranian intelligence was trying intimidate Florida voters. The agents noted that Russia was also working to influence the election. While the full details of these new allegations remain unclear, what is clear is that the collective evidence of foreign meddling continues to mount. But America's response continues to underwhelm.
On Monday, the Justice Department announced indictments of six Russian intelligence officers for what it described as their roles in persistent and pervasive cyberhacking around the globe. But instead of being a strong response to Russia's digital aggression, the indictments exemplify the Trump administration's failed strategy against the Russian threat.
The indictments exemplify the Trump administration’s failed strategy against the Russian threat.
According to the indictment, these military spies were modern-day marauders, hellbent on wreaking havoc on a wide spectrum of targets from presidents to power grids to the PyeongChang Winter Olympics. One of the attacks they are alleged to have unleashed, NotPetya, has been described as the most devastating in history. Some of the indicted officers were behind the 2016 U.S. election interference hacking, according to the Justice Department. These charges represent a laudable investigative and intelligence achievement. Unfortunately, they join similar actions from the Trump administration as part of a pretense, one that permits our president to pretend he's tough on Russia.
As widely reported last year, the U.S. government, as coordinated by U.S. Cyber Command, significantly stepped up its approach to the growing threat posed by Russia's coordinated incursions into our private- and public-sector systems. Using new legal authorities quietly authorized by Congress, the government has been carrying out "clandestine military activity" in cyberspace to "deter, safeguard, or defend against attacks or malicious cyber activities against the United States." These same reports disclose that such activity includes boring deep into Russia's utilities infrastructure for a two-fold purpose — letting it know we can enter its networks and planting "seeds" that might enable us to shut down power and other infrastructure if the need arises.
This kind of clandestine initiative sounds like strong and sensible strategy, particularly when paired with public-facing overt indictments like the ones this week. But our digital digging isn't a secret, and our indictments aren't a deterrent.
We'll never get our hands on the indicted Russian officers. They won't be foolish enough to travel to a country that would extradite them to the U.S. Neither this law enforcement action nor our covert sorties in Moscow's systems have prompted any soul-searching or remorse by Russian President Vladimir Putin. To the contrary, the Russian government denies any involvement in the alleged hacks and dismisses all of this as just more anti-Russia sentiment
In fact, when the FBI's deputy director announced this week's indictments, he all but conceded that nothing has changed:
Time and again, Russia has made it clear they will not abide by accepted norms, and instead, they intend to continue their destructive and destabilizing cyber behavior. Of course, this threat is not new. We’ve been fighting the cyber threat for years now, addressing hack after hack, as our adversaries continue to escalate their crimes and use their capabilities not just to gather intelligence, but also to disrupt, degrade, and destroy.
In case we need any further proof that the Trump approach to Russian cyberattacks isn't helpful, the Justice Department's announcement of the indictments tells us that at least one defendant, Anatoliy Sergeyevich Kovalev, was also among the 12 Russian intelligence officers previously indicted by special counsel Robert Mueller two years ago.
America's approach to the growing Russian cyberthreat isn't effective — but that can change. First, any strategy to effectively curtail cyberattacks must bring pain to the enemy or those who associate with it. Indictments that have little chance of leading to arrests serve only to provide clues to how we might have attributed specific attacks to specific people.
Second, the kind of easily detected incursions into Russian systems that is embodied in our current approach exposes to the Russians what our malware looks like, allowing them to isolate and filter it out in the future. The fact that this strategy has been corroborated by multiple U.S. government sources means that signaling our capability is actually part of our strategy. The intended threat implied by such an unstealthy approach — that we might someday activate our digitally embedded silent soldiers and take down a power grid or other infrastructure component — rings hollow, though, when this administration has never demonstrated any interest in bringing pain to Putin.
Under the law, these recently authorized operations can be approved by the secretary of defense without presidential approval. Maybe that's a good thing, since Trump seems not to want to hear anything negative about Russia. Although Trump claims that "no one's been tougher than me on Russia," it's simply not true. One of Trump's first acts upon becoming president was to try to undo President Barack Obama's sanctions against Russia. When Congress finally approved veto-proof sanctions, Trump made sure there would be lax enforcement. Even more recently approved sanctions against Russian individuals seem designed to have little or no impact on their lives or finances.
In a well-known military concern, Trump has repeatedly discounted his own intelligence agencies' reporting that Russia may have placed bounties on the heads of U.S. troops in Afghanistan, and he admits that he hasn't even asked Putin about such reports. More recently, reports are emerging from the CIA that Director Gina Haspel has suppressed the flow of Russia-related intelligence to the White House for fear that the president simply won't like it. We also now hear claims from CIA employees that Haspel may have bought into the Trump mindset by refusing to acknowledge evidence that Russia is responsible for debilitating sonic attacks that have injured numerous CIA employees posted abroad. An adversary is emboldened when it knows you have zero intention of following through on your implied capabilities.
All bark and no bite is not an effective strategy to counter cyberattacks. We must demonstrate not just capacity but also intention. The only way to be taken seriously is to actually do something. Making it painful to be a friend of Putin's would be a start. His oligarch buddies should be so financially penalized in the global marketplace that they wish they had never met him. Meaningful sanctions not only against individuals but also against Russia itself need to be implemented and enforced.
Bringing pain to Putin also means being more assertive in exposing and punishing him for what he is — a corrupt, stone-cold killer. We have the kind of intelligence reporting that could personally devastate Putin and prompt his own people to question his legitimacy. We should be publicly shaming him and pushing back against his misdeeds. He needs to understand that we can and will use what we know.
Last, we can't just taunt with our cyber skills. The next time Russia (or Iran) launches a digital attack against American or allied interests, we must consider an in-kind commensurate response. This kind of impactful strategy won't happen under our current president. Yet his opponent seems to understand that the current plan isn't working. At the very least, former Vice President Joe Biden has said he would exact a high price for interference in this year's election. In a July statement, Biden said he was "putting the Kremlin and other foreign governments on notice." If elected, he added, he would retaliate against any election meddling through "sanctions, asset freezes, cyber responses, and the exposure of corruption." That's exactly the kind of action we need if we're ever going to get Moscow to realize that we aren't the soft target it thinks we are.