The United States is improving its ability to crack down on Russian hacking but even aggressive deterrence measures are unlikely to influence Putin.
The 2018 Senate Intelligence Authorization Act signifies a government initiative to blame Russia more aggressively for cyber attacks against the United States.
The bill, which calls for the U.S. Government to improve its attribution abilities and impose significant deterrence on Russia, is largely focused on inter-agency coordination and streamlining resources, as well as more explicitly acknowledging government-wide that Moscow interfered in the 2016 presidential election.
However, although the bill might be the Senate’s response to criticisms that the U.S. has been too slow to place blame on Russia and respond accordingly, it is unlikely to seriously deter Russia from attacking our electoral systems in the future. It is more likely that the U.S. will more consistently (and more loudly) blame Russia for cyber attacks committed by the Government and non-state proxies, to send a message to constituents that the government is making its systems safer.
Senate Intelligence Authorization Act reshuffles resources
The Intelligence Act specifically calls for a “whole-of-government strategy” to ward off Russian efforts to interfere with democratic processes in the United States, and instructs federal agencies to provide support to the intelligence community.
Former U.S. intelligence officials say the Office of the Director of National Intelligence, or ODNI, would get new authority to coordinate other federal agencies in the task, and perhaps set the ultimate agenda. Senate Intelligence Committee Chairman Richard Burr, R-N.C., said in a public statement that the burden of protecting citizens from harm and identifying cyber threats early too often falls on the intelligence community, perhaps suggesting that the intelligence community either needs more resources or other departments need to share the burden.
It’s possible this reorganization intends to pardon the previous administration for responding too slowly to suspected Russian interference, by suggesting that the intelligence community didn’t have the requisite resources it would have needed to confidently blame Russia. It’s also possible that the Senate is insinuating other political forces kept the intelligence community from attributing more quickly, thus the shift in responsibility to the ODNI.
"Much of the work to attribute and identify the origins of events in cyberspace already takes place in the intelligence community," said Trey Herr, a postdoctoral fellow with the Belfer Center's Cyber Security Project at the Harvard Kennedy School. “It makes sense that they would be assigned responsibility in the bill, though little of the day-to-day work is likely to take place immediately within DNI."
Much of the operational legwork would be done by the Department of Homeland Security — currently operating without a nominated secretary.
Pushing for faster attribution
Experts say the bill, which seeks “improvements in the identification and attribution of Russian government or nongovernment cyber threat actors,” is an admission that the U.S. government must improve its ability to pin data breaches on their perpetrators.
“The current process is far too slow to help network defenders counter an influence campaign on social media or respond to a major [cyber]attack,” says Christopher Porter, chief intelligence strategist for FireEye, a private cybersecurity firm.
Russian foreign policy experts also worry about the accuracy of cyber attribution tools — specifically, whether they are reliable enough to help shape a significant policy decision like instilling economic sanctions.
"The delay in confirming attribution seems to have been the major reason why Obama did not act more strongly when news broke in spring and summer 2016 about Russian interference in the U.S. election process," said Kimberly Marten, a professor of U.S.-Russia Relations at Barnard College, Columbia University.
Marten and other experts say that the new bill appears to call out this lag in attribution, and specifically notes that future attribution must treat non-government entities indirectly connected to governments as a serious threat. It’s not uncommon for nations, and specifically Russia, to rely on contractors to bolster their government hacking operations. A recent case introduced by Justice Department showed, for example, that officials from Russia's Federal Security Service, or FSB, had hired a mercenary to breach email accounts.
The issues with deterrence
Even with certain levels of proof, publicly shaming a group or country for hacking isn’t always enough to deter future cyberattacks; in fact, it can do the opposite. Broadly speaking, cyber deterrence is a tricky business that today relies on a myriad of largely untested theories and predictive models.
Jason Healey, former White House Director for Cyber Infrastructure Protection and current senior research scholar at Columbia University, said that "deterrence works very differently when your adversary believes he's hitting back, not hitting first."
According to this interpretation, Putin targeted the U.S elections in response to what Russia considered to be U.S meddling in anti-Russian protests, and the release of the Panama Papers, which Putin publicly accused the United States of spearheading in 2016.
Although Healey has recommended that the U.S. continue to impose deterrence measures on Russia, including corralling international allies to call for a NATO Article 4 consultation, he ultimately believes that these measures are unlikely to make much difference.
“Putin will view any U.S. deterrence actions as the next steps in an ongoing covert war between the two countries,” he adds. “As such, it's hard to see how the U.S. can escalate enough to make him back down. For Putin, this is about the future of his regime, and he's shown that he's willing to take an awful lot of pain."
With that in mind, it seems unlikely that an organizational shift in responsibility will cause sufficient pain to impact Putin’s decision. The Senators probably know this, and introduced the bill to send a strong message of resolve to U.S. constituents, and perhaps indirectly Putin.
Nicole Softness is a graduate student at Columbia University’s School of International and Public Affairs in New York, studying International Security & Cyber Policy. Her research focuses on the intersection of counterterrorism, social media, and public-private security partnerships. She is currently the Research Assistant for Columbia’s Initiative on the Future of Cyber Risk.