The president-elect is caught between promises to be more aggressive in cyberspace, and U.S. demands for payback against a Russian hack apparently done for his benefit.
As a candidate, President-elect Donald Trump said he was eager to use “crippling, crippling” counterattacks to protect the United States from foreign cyberthreats. Once elected, he began surrounding himself with security advisors who have called for ramping up cyberwarfare.
But Trump’s tough talk about using digital weapons to strike back against America’s enemies appears to have its limits. He has resisted acknowledging — to the point of rejecting — Russia’s involvement in what the U.S. intelligence community calls an unprecedented campaign by Moscow to influence the very vote that elected Trump last month.
With Russia looming as the top cyberthreat to the United States, Trump must now decide whether he will unleash the aggressive cybertactics he once admired from afar or continue building the warmer relationship he is seeking with Moscow.
He may try to do both. Given the coterie of hawkish advisors that surrounds him and his saber-rattling rhetoric against Iran and China, Trump could easily execute cyberattacks against other foreign threats — whether state actors or not — with profound consequences for how war is waged in the future.
Trump, by his own admission, is ready to deploy cyberweapons against American adversaries and in October declared it necessary for the United States to possess “unquestioned capacity to launch crippling cyber-counterattacks. And I mean crippling, crippling.”
“This is the warfare of the future,” he said then.
The Trump transition team has made a comprehensive cyberstrategy one of its top military priorities, according to a confidential memo obtained by Foreign Policy.
But on the cusp of taking office, Trump refuses to acknowledge the voluminous evidence documenting the Kremlin’s campaign against the U.S. election. “It could be Russia. And it could be China. And it could be some guy in his home in New Jersey,” Trump told Time in an interview published this month. “I believe that it could have been Russia and it could have been any one of many other people.”
In a Dec. 12 tweet, Trump doubled down on his defense of winning the presidential election without any help from hackers. “Unless you catch ‘hackers’ in the act, it is very hard to determine who was doing the hacking,” he wrote.
The U.S. intelligence community, however, has no doubt about who was responsible. On Thursday, U.S. officials said Russian President Vladimir Putin appeared to be personally involved in directing a covert operation to influence the election, an effort that overwhelmingly favored Trump.
At least one of Trump’s top advisors, impatient with eight years of relative cyberpassivity, agrees Russia is to blame — a striking break with the president-elect. K.T. McFarland, the incoming deputy national security advisor, even wants to escalate attacks against Russia.
“They can push, push, push, and there’s no push back,” McFarland told Fox News in October. In response, she suggested the United States “muck around” with elections in Russia.
Other key advisors in the incoming administration hold similarly hawkish views on the use of American power in cyberspace, if not necessarily the desire to unleash those weapons against Russia.
Michael Flynn, the incoming national security advisor, pushed for more aggressive cybersecurity policies while heading the U.S. Defense Intelligence Agency from 2012 to 2014. Trump’s pick for defense secretary, retired Marine Gen. James Mattis, oversaw U.S. Central Command war games with Iran that incorporated the use of cyberweapons, according to a former defense official who worked with Mattis there.
The nominee for CIA director, Rep. Mike Pompeo (R-Kan.), has suggested treating Chinese hacking as a conventional attack that could muster a military response. And Adm. Michael Rogers, currently the embattled head of the National Security Agency and one of the leading candidates to become Trump’s director of national intelligence, reportedly urged a tough response this year to Russian hacks but was overruled by the White House.
In a Thursday interview with NPR, President Barack Obama pledged the United States would retaliate but remained cagey on how he would do so. “We need to take action,” he said. “And we will — at a time and place of our own choosing. Some of it may be explicit and publicized; some of it may not be.”
Obama has been roundly criticized for failing to strike back at Moscow for meddling in the American elections. Despite a growing body of evidence pointing toward Russian interference in the months leading up to the election, the White House stayed silent until Oct. 7, when American intelligence officials blamed Russia for breaking into the Democratic National Committee. The breach was uncovered more than a year earlier.
Even as he continues to deny Russian involvement, Trump on Thursday railed against the lack of action.
Hours later, defeated Democratic presidential nominee Hillary Clinton blamed Putin for “an attack against our country” that in part cost her the election, according to a Friday report by the New York Times.
A chorus of national security experts has called for a response to Moscow’s campaign against the election.
“We have to retaliate against Russia in order to deter not only Russia from ever trying to do this again, but to deter other countries who undoubtedly are watching all of this,” former acting CIA Director Michael Morell, who advised Clinton’s campaign, said this week. “In order for a U.S. response to actually result in deterrence, two things have to be true — one, it has got to be overt, it has got to be seen, and two, it has got to be painful to Putin.”
Dmitri Alperovitch, the chief technology officer at CrowdStrike, which investigated the DNC hack and identified the Russian groups responsible, called the lack of a response to what is “arguably the most consequential breach of our time” “outrageous and inexcusable.”
Congressional Republicans and Democrats have vowed to investigate the hack, and intelligence suggesting that Putin appeared to be personally involved will put even more pressure on Trump to respond.
If he chooses to do so — which seems unlikely against a Russia he sees as a potential partner — Trump will have a wealth of tools that he salivated over while on the campaign trail.
“Honestly, I wish I had that power,” Trump said in July while discussing the DNC hack. “I’d love to have that power.”
When he takes office Jan. 20, Trump will take control of the world’s biggest hacker army. The U.S. military and intelligence agencies now devote an increasing share of manpower and resources to cyberwarfare, which will soon have its own unified military command.
Trump enters office after an eight-year period during which the Obama administration pioneered the use of digital weapons. By attacking Iranian nuclear enrichment sites beginning in 2009 with the Stuxnet computer virus, the Obama administration steered Tehran to the nuclear negotiating table. Many scholars considered Stuxnet the opening salvo for a completely new kind of warfare.
More recently, Washington has stepped up offensive cyberattacks on the Islamic State’s networks in Iraq and Syria.
But the Obama administration has not always responded to cyberattacks with reciprocal action on the internet. Early in 2015, the United States slapped North Korea with economic sanctions after hermit kingdom hackers attacked Sony Pictures. Obama has long refused to define exactly how the United States will respond to a cyberattack, saying it will do so “in a place and time and manner that we choose” — talking points he repeated, almost word-for-word, in his NPR interview Thursday.
Before he was forced out of the DIA in 2014, Flynn pushed a more muscular strategy and grew frustrated with what he saw as the Obama administration’s lack of aggressiveness in cyberspace. A former intelligence official who worked with Flynn, and spoke on condition of anonymity to describe his thinking on the issue, said the retired three-star lieutenant general advocated a tit-for-tat approach in cyberspace. “If you saw the adversary attacking you, then you should attack back,” the official said of Flynn’s thinking.
Flynn also publicly called for a buildup of U.S. cyberweapons. Asked at the 2014 Aspen Security Forum whether the United States “should scale up our offensive capabilities in cyber,” Flynn offered an unequivocal, one-word answer: “Yes.”
But that brings risks, many of which remain unknown. “The rashness with which he thinks doesn’t take into account the second-order consequences,” the former intelligence official said of Flynn.
The United States does not enjoy overwhelming superiority in the cyberwarfare realm as it still does in many areas of conventional combat. Adversaries and rival nations including Russia, China, Iran, and North Korea are building and sometimes using powerful digital weapons. Offensive operations in cyberspace present particular challenges for leaders like Flynn and Mattis, who have been schooled mostly in aggressive conventional tactics based upon American technical superiority.
In cyberspace, many typical rules of military engagement do not apply. A weapon can often be used only once — and, once revealed, can boomerang on its user in dangerous and unpredictable ways. Identifying the enemy with certainty is still devilishly difficult. How escalation works in cyberspace — and its relation to real-world violence — is still highly unclear. Decades into the computer revolution, officials have fallen short of defining exactly when a cyberattack constitutes an act of war.
“It sounds good to use cyberweapons. But what does that really mean?” said Amy Zegart, the co-director of the Center for International Security and Cooperation at Stanford University. Cyberattacks dwell in a legal no-man’s land, and American hackers could open the United States up to punishing retaliation: “There are good reasons the Obama administration has been reluctant to venture down this path with cyberguns ablazing,” Zegart said.
Stuxnet was a notable and aggressive exception in Obama’s cyberwarfare policy, and Mattis was running Centcom when the virus escaped into the wild. Also on Mattis’s watch, Iran carried out cyberattacks on oil company Saudi Aramco and American banks.
Pushed into retirement for what the Obama administration considered his far too hawkish views on Iran, Mattis calls Tehran the “single most enduring threat” to Middle East stability. Flynn shares Mattis’s intense antipathy toward Iran, and as a candidate, Trump casually entertained the possibility of a military conflict with Iran.
But in the years since Mattis left the military, Iran has upped its ability to launch cyberstrikes, moving beyond low-scale disruptive activities that were not “quite as worrisome as they are now,” said the former defense official.
In a speech this year, Mattis likened Iran’s hacker army to “children juggling lightbulbs filled with nitroglycerin” that will one day attack a high-profile target and require an international response, possibly with military force. He proposed setting up a cybersecurity monitoring center focused on Tehran to catch its hackers red-handed.
Pompeo hasn’t sketched out detailed plans to leverage U.S. hackers offensively. But after China hacked into the Office of Personnel Management and stole sensitive data last year, Pompeo blasted the Obama administration for its “refusal to treat cyber-attacks in the same manner we would if our national sovereignty was violated through a conventional attack.” His office declined to give details or otherwise elaborate for this story.
Trump has flirted with appointing Rogers, the current NSA head, as director of intelligence; the two met at Trump Tower last month. Rogers’s bosses have urged Obama to fire him, partly because of a series of embarrassing data breaches at the agency. He has also come under fire as head of U.S. Cyber Command, which is responsible for going on the offensive against cyberthreats, for not being aggressive enough against the Islamic State.
Although his exact views on the use of offensive cybertools are difficult to pin down, Rogers has told Congress that the United States could exercise more aggressive cyberpower to deter states like Russia, China, or Iran from hacking into American computers. “A purely reactive, defensive strategy is not ultimately, I think, going to change the dynamic where we are now,” he told a House panel in 2015. “And the dynamic we find ourselves in now, I don’t think is acceptable to anyone.”
In response to Moscow’s campaign against the election, Rogers reportedly drew up a list of possible retaliations, including exposing Putin’s financial dealings and efforts to undermine internet restrictions on Russian dissidents. The White House rejected those suggestions, reportedly because it was fearful of starting a conflict it did not know how to end.
Experts warn of the risks of being trigger-happy on cyberwar — particularly given Trump’s own lack of experience in the nuances and likely enduring aftershocks on the electronic battleground. And despite the experience Trump’s advisors may bring to the fight, Republican leaders generally have not been on the front lines during cyberwarfare’s formative years.
“The Republicans have been out of power for eight years, which is the exact period of time when cyber-operations have matured,” said Michael Sulmeyer, who advised Clinton and is the director of the Cyber Security Project at Harvard University’s Belfer Center for Science and International Affairs. “It’s a lot harder than it looks and a lot less rewarding than it seems.”