President-elect Donald Trump’s repeated attacks on the Intelligence Community and denials of Russian involvement in the hacking of the Democratic National Committee (DNC) risk emboldening U.S. adversaries. Attribution of cyber intrusions to particular perpetrators is a necessary precondition to every possible response, from criminal indictments to economic sanctions to countermeasures. By at times denying even the possibility of attribution, Trump is signaling that the United States might not respond to future cyber incidents and that hackers could act with impunity. That’s a dangerous message to send, and it’s one his national security nominees need to counter by acknowledging Russia’s actions.
Trump’s attribution denials began during the presidential campaign. In the first presidential debate, Trump said, “I don’t think anybody knows it was Russia that broke into the DNC. . . . I mean, it could be Russia, but it could also be China, but it could also be lots of other people, it also could be someone sitting on their bed that weighs 400 pounds, OK?”
His denials have continued in recent weeks. In a tweet in December, Trump said, “Unless you catch ‘hackers’ in the act, it is very hard to determine who was doing the hacking.” On New Year’s Eve, Trump told reporters, “I know a lot about hacking. And hacking is a very hard thing to prove. So it could be somebody else.”
Even after being briefed Friday on the intelligence community’s classified report on Russian hacking, Trump released a statement that did not clearly accept the attribution of the DNC hack to Russia. He focused instead on asserting that “there was absolutely no effect on the outcome of the election including the fact that there was no tampering whatsoever with voting machines” and that “the RNC had strong hacking defenses.”
Trump’s persistent denials are at odds with the determinations by the U.S. intelligence community and multiple cybersecurity companies that Russia was responsible for hacking the DNC. Top intelligence officials told the Senate Armed Services Committee again Thursday that they “assess that only Russia’s senior-most officials could have authorized the recent election-focused data thefts and disclosures.” Friday’s unclassified intelligence report went further, stating, “We assess Russian President Vladimir Putin ordered an influence campaign in 2016 aimed at the US presidential election.”
But perhaps even more importantly, Trump’s denials fly in the face of years of government and private sector efforts to improve attribution of cyberattacks.
Attribution is a key first step to deterring or responding to cyberattacks. Unless and until the attacker is identified, the victim state cannot use legal tools like sanctions, indictments, or countermeasures against the attacking state. Trump’s claims that the first step is impossible implicitly take all other possible subsequent steps off the table. Whether any of these steps will deter cyberattacks remains unclear, but eliminating them as possibilities shreds the only existing U.S. deterrence strategy without providing a replacement. And it suggests to would-be attackers that there is a new open season on U.S. targets.
Read the full post at Just Security.