Dark Reading is part of the Informa Tech Division of Informa PLC

Russia, Russia, Russia: What Clinton Or Trump Can Do About Nation-State Hacking Gone Wild

US mulls 'proportional' response to Democratic Party hacks in midst of an unprecedented presidential campaign clouded by cybersecurity concerns (among other things).

Whether the next President of the United States likes it or not, she or he will be faced with a whole new era of nation-state cyberattacks that have now crossed a fine line from accepted cyber espionage to a form of cyberattack aimed at sabotaging the election season.

In the wake of a rare declaration by the Office of the Director of National Intelligence and US Department of Homeland Security last week that named Russia as the actor behind recent hacks of the Democratic National Committee (DNC) and personal emails of US political officials and organizations, the White House this week said the US will respond in a "proportional" manner to the breaches, which have gone glaringly public with online data dumps via WikiLeaks.

Russia may be the first nation to move from cyber espionage to cyber sabotage in an apparent quest to influence or wreak chaos on the US election, but it wasn't the first nation the US has called out for damaging cyberattacks. First there were the US Department of Justice's indictments of five Chinese military officials in 2014, followed by the Obama administration's naming and shaming of North Korea for the epic and massive data breach, data-wiping and doxing of Sony Pictures Entertainment later that year. Earlier this year, the DOJ indicted an Iranian hacker working on behalf of the Iranian government for allegedly infiltrating a server at a dam in New York.

Even so, Russia's propaganda-driven campaign in the breach and doxing of the DNC and other Democratic Party operatives takes this destructive cyber espionage activity to a whole new level. While most experts say it's unlikely Russia can or will be able to go as far as hacking US voting systems to alter the vote count, there are plenty of ways for the nation-state to sow seeds of distrust, doubt, and fear in the election.

This threat won't end after Nov. 8, either.

"We have never been here before. No one really knows what is socially acceptable and what is not when it comes to cyber. We have no 'Geneva Convention' for cyber," says security expert Cris Thomas, aka Space Rogue, who says the administration needs to provide some evidence of Russia's involvement in the breach.

Thomas says the US should be careful with attribution "and set the stage now as to what is and is not acceptable as we move into the future, when these sort of actions will become more and more commonplace."

Lisa Monaco, assistant to the President for Homeland Security and Counterterrorism, at a security conference hosted by The Washington Post last week, said the administration would consider tools including "economic, diplomatic, criminal law enforcement, military, and some of those responses may be public, some of them may not be." 

An Executive Order issued in April 2015 by President Barack Obama gives the president authorization to impose some sort of retribution or response to cyberattacks. The EO, which the administration has not used in any case as of yet, allows the Secretary of Treasury, in consultation with the Attorney General and Secretary of State, to institute sanctions against entities behind cybercrime, cyber espionage, and other damaging cyberattacks. That includes freezing the assets of attackers.

"Our primary focus will be on cyber threats from overseas. In many cases, diplomatic and law enforcement tools will still be our most effective response," Obama said when announcing the Executive Order. "But targeted sanctions, used judiciously, will give us a new and powerful way to go after the worst of the worst."

In response to the US allegations of Russia's election-hacking activities, Russian President Vladimir Putin this week said the attacks "have nothing to do with Russia's interests."

"They started this hysteria, saying that this (hacking) is in Russia's interests. But this has nothing to do with Russia's interests," Putin said at a Moscow business forum, according to Reuters.

Putin appeared to shift the discussion to the contents of the information breached and dumped publicly via WikiLeaks. "Everyone is talking about 'who did it' [the hacking]," said Putin. "But is it that important? The most important thing is what is inside this information."

45th President In The Hacker Hot Seat

While the Obama administration wrestles with how to implement its retribution policy for the first time, Russia's alleged hacking activity isn't likely to subside after the new President is elected, nor is the problem of nation-state hacking at this new level. So either new President Hillary Clinton or new President Donald Trump will be forced to tackle this new chapter in nation-state cyber espionage.

John Bambenek, threat systems manager at Fidelis Cybersecurity, says the next President of the US will have some big challenges here. "Ultimately, nations have to behave like economic actors," he says.

Retribution for a cyberattack, like attribution, can be a slippery slope.

Unlike the diplomatic agreement between Obama and China's Xi Jinping, where both nations promised not to conduct cyber espionage for economic gain in the wake of China's infamous intellectual property theft-related hacks, a deal with Russia would be much trickier and less likely. "You're going to have to do it adversarially with Russia," Bambenek says. There's definitely danger of escalation and "tit-for-tat" responses, he says.

"History tends to favor sanctions in these matters," he says. Take the US's economic sanctions against Russia in response to Putin's aggression in Crimea, he says. "That remains a pain point for Russia."

But Russian doctrine supports escalation as a way to de-escalate tensions or conflict, notes Christopher Porter, manager of the Horizons team at FireEye. "If the US administration puts in place a proportional response, Moscow could do something even worse to stop a future response … I think that is very dangerous."

Even if the US were to out the tools or infrastructure used by the Russian attack groups, it likely wouldn't pressure Russia to dial back the hacks. Porter points to a previous year-long study by FireEye of Russian threat groups that concluded that even after being outed more than 20 times in one year, the groups continued their operations.

"It had no demonstrative effect on their ability to compromise" their targets, he says. "They are well-resourced" and FireEye has seen them just shift their operations with infrastructure from outside Russia or with other resources, he says.

FireEye's Porter says there are two things the next US administration could do differently to handle these attackers. "They need to have better delegation for decision-making on the US side," he says. "Don't wait until a lot of incidents pile up before formulating a response. The White House has to weigh in on every decision now."

Second, don't treat state-sponsored hacks like a legal case. "We still talk about state-sponsored attacks as though they are a case for a lawyer, and we treat them like we have to prove them beyond a reasonable doubt … with forensic evidence," he says.

That approach doesn't work because savvy nation-states can easily sow reasonable doubt in their attacks, he says.

New Normal Norms Needed

Ultimately, without any global cyber-norms from which to operate, the US is limited in its response.

"I would love to see the next president somehow reach consensus with other nations as to what is and what is not acceptable in the world of cyber and what responses are acceptable to nations who violate those norms," Thomas, aka Space Rogue, says.

That would require defining just what constitutes a cybersecurity violation when it comes to nation-states. "We should have very defined sanctions regarding hacking and cyberwarfare," says Miller Newton, president and CEO of data encryption company PKWARE.

But neither Presidential candidate has been eager to embrace the cybersecurity policy issues, despite both of their campaigns directly being drawn into the Russian hacks: Clinton via the DNC email breach as well as that of her campaign manager John Podesta, and Trump, who went so far as to say in the most recent debate that "maybe there is no hacking" in reference to the US government calling out Russia over the alleged data breaches.

Newton says the candidates aren't emphasizing cybersecurity because it's just not a hot topic for voters. "It's not a vote-getting issue," he says. "They [the candidates] don't want to hit the privacy versus national security issue head-on [either]. It's a quagmire: there is no easy solution, but it needs to be front and center."

But apparently, millennials do care about cybersecurity policy: more than half of US adults ages 18-26 surveyed by Raytheon and the National Cyber Security Alliance (NCSA) say that a candidate's position on cybersecurity weighs into their decision to support that candidate. Half don't think cybersecurity has been sufficiently discussed in this election season.


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Kelly Jackson Higgins,
User Rank: Strategist
10/17/2016 | 4:11:45 PM
Re: Leading survey?
I know some security-savvy millennials, but they have been well-coached by their mom. =)
Joe Stanganelli,
User Rank: Ninja
10/17/2016 | 4:04:21 PM
Re: Leading survey?
@Kelly: Judging by the Millennials I have come to know, I think it's more a matter of wanting to appear as if they fit in and are doing the right thing.

If Millennials as a whole truly cared -- genuinely cared -- about information security and data privacy to the level being discussed here, they sure as shootin' wouldn't use so many apps or live on their mobile devices.

Now get off my lawn.
Kelly Jackson Higgins,
User Rank: Strategist
10/17/2016 | 9:22:55 AM
Re: Leading survey?
Good point about "leading" questions in surveys. But I think it's also not surprising that millennials, who unlike their parents grew up with technology/Internet, are more concerned about cybersecurity. 
Joe Stanganelli,
User Rank: Ninja
10/16/2016 | 8:14:28 PM
Leading survey?
I question the survey results reported in that last graf.  It is an automatically leading question merely by virtue of asking it.  It makes people feel like they *should* be concerned about cybersecurity when it comes to politics, even if they're not -- or it triggers in people the feeling that they, as rational human beings, OF COURSE factor cybersecurity into their voting decision-making, even when they do not.

I seriously doubt that cybersecurity is a significant factor for the vast majority of US voters. 