Reluctant to point fingers, US treads water on cyber policy as destructive attacks mount
The Trump administration’s refusal to publicly accuse Russia and others in a wave of politically motivated hacking attacks is creating a policy vacuum that security experts fear will encourage more cyberwarfare.
In the past three months, hackers broke into official websites in Qatar, helping to create a regional crisis; suspected North Korean-backed hackers closed down British hospitals with ransomware; and a cyber attack that researchers attribute to Russia deleted data on thousands of computers in Ukraine.
Yet neither the US nor the 29-member Nato military alliance has publicly blamed national governments for those attacks. US President Donald Trump has also refused to accept conclusions of US intelligence agencies that Russia interfered in the 2016 US elections using cyberwarfare methods to help the New York businessman win.
“The White House is currently embroiled in a cyber crisis of existential proportion, and for the moment probably just wants ‘cyber’ to go away, at least as it relates to politics,” said Kenneth Geers, a security researcher who until recently lived in Ukraine and works at Nato’s think tank on cyberdefence. “This will have unfortunate side effects for international cybersecurity.”
Without calling out known perpetrators, more hacking attacks are inevitable, former officials said.
“I see no dynamics of deterrence,” said ex-White House cybersecurity officer Jason Healey, now at Columbia University.
The government retreat is underscored by the departure at the end of July of Chris Painter, the official responsible for coordinating US diplomacy on cybersecurity. No replacement has been named and the future of the position in the State Department is in flux.
Some of Trump’s cyber officials have publicly highlighted a strategy to focus less on building global norms and more on bilateral agreements. Trump and the Kremlin have said Russia and the US are in discussions on creating a cybersecurity group.
But at the big Black Hat and Def Con security conferences this week in Las Vegas the US government will have an unusually light footprint. Past government speakers have included a head of the National Security Agency and senior Homeland Security officials.
A session featuring US law enforcement officials discussing the purported theft by Russia of hundreds of millions of Yahoo account credentials was pulled at the last minute. A spokeswoman for the FBI said the presentation was cancelled because the Yahoo expert slated to talk, Deputy Assistant Director Eric Sporre, had been reassigned to run the Tampa FBI office.
The policy vacuum left by the US is also affecting private security firms, which say they have grown more cautious in publicly attributing cyberattacks to nation-states lest they draw fire from the Trump administration.
Trump suggested in an April interview that the security firm CrowdStrike, which worked on investigating the election hack of the Democratic National Committee, might not be trustworthy because he was told it was controlled by a Ukrainian. It is not.
Cyber policy veterans are particularly alarmed about the lack of US and Nato response to the destructive attack, dubbed NotPetya, in June that struck computers worldwide but was especially harmful for Ukraine, which is in armed conflict with Russia in the east of the country.
Cyber security experts, such as Jim Lewis of the Centre for Strategic and International Studies, a government veteran who advised former President Barack Obama, believe Russia carried out the attack. The Russian defence ministry did not immediately respond to requests for comment.
Lewis and others predicted that Trump will not publicly accuse Russia, and Nato has only said it appears to be the work of a government agency somewhere.
“If you are not ringing alarm bells in an eloquent way, then I think you’re dropping the ball,” said retired CIA officer Daniel Hoffman, who worked on Russian issues. “When we fail to do enough, that just emboldens them.”