After a possible Russian attempt to influence U.S. elections by hacking the Democratic National Committee, the FBI has announced that it will investigate the origins of the hack. International interference in the democratic process has a long and storied past, but inhibiting self-determination is generally considered unacceptable and warrants a response.
But what should that response be? Below are six different paths the United States could take to answer the data breach. The choice will depend on many factors—the evidence supporting Russian involvement, the state of U.S.–Russian relations, the challenge of avoiding the appearance of using the tools of government to assist the Democratic candidate. Whatever the United States does or does not do will set an important precedent worldwide.
1) Public denouncement
Because of the difficulty of attribution in network-based attacks, officially denouncing the perpetrator of an attack is a surprisingly rare move for a government. The Obama administration set a precedent by publicly naming North Korea after the December 2014 hack on Sony, which caused the company to pull The Interview from theaters a day before its premiere. After the FBI blamed North Korea, citing issues of sovereignty and freedom of speech, experts argued about whether the government had the capacity to unequivocally attribute the attack. But later disclosures suggest the U.S. had penetrated North Korean networks thoroughly enough to have clear proof.
The DNC case will prove different; despite mounting evidence, there is not irrefutable proof of Russian involvement in the hack, and there is not likely to be. Russia’s networks are almost certainly harder to penetrate and monitor than North Korea’s, and if the NSA did have that kind of access, it would be reluctant to share evidence that would reveal active sources and methods. Nonetheless, the stakes involved may warrant denouncing the Russians on the basis of something less than absolutely definitive proof.
After the December 2014 hack on Sony, the Obama administration enacted sanctions against 10 North Korean officials. These sanctions were later expanded by executive order into a more general framework for sanctions as a response to hacks. However, the framework has never actually been used, which may reinforce a “negative norm” of inaction—that is, a precedent that hacking won’t result in consequences. Sanctioning the Russians may reverse that pattern but would likely be symbolic, since the U.S. Office of Foreign Assets Control would need to be unusually creative to find new and meaningful targets, given the many sanctions already in effect in Russia.
Conversely, the administration very publicly discussed sanctions prior to Chinese President Xi’s state visit in September 2015, during which the two leaders penned an agreement prohibiting cyber-enabled intellectual property theft. The agreement was a greater Chinese concession than many experts expected, which some attributed to the threat of sanctions. Nonetheless, the overall efficacy of sanctions, particularly against Russia, is hard to predict.
Where diplomatic and economic efforts are ineffective, law enforcement options can still convey a strong message. Issuing an indictment against an individual hacker indicates publicly that the United States is so confident in its attribution that it can identify the offending individual by name. As a practical bonus, it also inhibits that individual’s ability to travel overseas due to the threat of arrest. After presenting the Chinese government with strong evidence of culpability, the U.S. Department of Justice issued indictments for five Chinese People’s Liberation Army members on charges of hacking; in conjunction with the September 2015 bilateral agreement, administration officials have tied this policy to subsequent decreases in attacks. If the local government is cooperative, we might see extradition or domestic legal action. (The indictments of the PLA members did not lead to extradition or domestic arrest, but in a later incident China did end up arresting hackers involved in the infamous OPM breach, perhaps as tacit acknowledgement of a move towards legal enforcement.) But such cooperation from the Russian government seems unlikely, leaving the U.S. government with the largely symbolic, albeit targeted, option of legal action.
4) “In-domain” retaliation
The first three options have been, to varying degrees, signaling mechanisms intended to convey a message in the international community. But the U.S. government should also consider offensive action against the Russians either to degrade their capabilities or, more likely, to deter future attacks by raising the perceived cost of actions like the DNC hack. While rarely discussed openly, the United States has developed offensive cyber weapons. Odds are good that the U.S. government has plenty of practice using these capabilities. However, there are strong arguments against using offensive cyber capabilities, not the least of which is the possibility of escalating the conflict into a true cyber, or even kinetic, conflict.
Certainly, it would be inadvisable for the U.S. government to engage in retaliation without internally confirming attribution with extremely high confidence. But in the likely case that the FBI turns up damning evidence that cannot be revealed without blowing U.S. sources and methods for obtaining that information, covert cyber retaliation may be a good option.
Beyond the oft-discussed mainstream responses to a cyber attack, the U.S. government has other ways to make it clear that foreign interference in the election process is not appreciated. On a more formal level, expelling diplomats always conveys moral outrage nicely, but it’s not an especially unique message in the current environment of frosty diplomatic relations. If the FBI does not find sufficient proof to warrant more official action, there are other ways that the United States could unofficially make its displeasure clear to U.S.–based Russian diplomats. For months, the Russians have been waging an unofficial campaign of harassment against U.S. diplomats in Moscow; American officials might consider taking a page from that playbook. (Although, for the safety of foreign service officers everywhere, USG should take the risk of escalating harassment seriously.)
Influential Russians both inside and outside of government may also be vulnerable to a certain level of discomfort. For example, the Kremlin clearly felt compelled to respond to suggestions of corruption disclosed in the Panama Papers leak. If the U.S. intelligence community is sitting on top of any other embarrassing stories, now might be a good time to leak a few.
6) Take it on the chin
The U.S. government can also choose to take no action in the short term. In similar circumstances, Obama stated that a response will come in the “place and time and manner that we choose.” Particularly with the difficult attribution problem and a high-stakes situation, there may be a reason to take no action now and respond later.
However, choosing no action in the short term is different from defaulting to inaction through indecision, which would set a very damaging precedent. As cybersecurity expert Thomas Rid argued compellingly on Motherboard, “American inaction now risks establishing a de facto norm that all election campaigns in the future, everywhere, are fair game for sabotage.” Historically, cases of inaction or handwringing erode American credibility in the efforts to deem certain cyber activities unacceptable, and they incentivize future transgressions. Regardless of the FBI’s ultimate findings, any choice the U.S. government makes will incur costs. However, the worst possible decision is no decision.
Kayla Cross and Ethan Walker contributed research to this article.
This article is part of Future Tense, a collaboration among Arizona State University, New America, and Slate. Future Tense explores the ways emerging technologies affect society, policy, and culture.