The hacking of Democratic National Committee emails, allegedly by Russia, raises at least three significant cybersecurity policy issues that go beyond the ongoing friction between the Hillary Clinton and Bernie Sanders camps in the Democratic Party.
The FBI is investigating the breach of the DNC system and subsequent posting of embarrassing emails on the WikiLeaks site, but has not yet identified a suspect in the hacking. The Kremlin has denied any role in the affair.
The bureau on Monday released a statement saying: “The FBI is investigating a cyber intrusion involving the DNC and are working to determine the nature and scope of the matter. A compromise of this nature is something we take very seriously, and the FBI will continue to investigate and hold accountable those who pose a threat in cyberspace.”
The Senate Intelligence Committee and possibly other congressional panels are also looking into the breach, according to sources.
If Russia is ultimately identified as the culprit, the first and most prominent policy question is whether the Obama administration actually has a credible cyber deterrence policy.
Senate Armed Services Chairman John McCain, R-Ariz., has frequently lambasted the administration for lacking a policy to deter offensive cyberactions by Russia, China and others.
Even Sen. Tim Kaine, D-Va., Clinton’s vice presidential running mate, in May said that a cybersecurity deterrence doctrine was “sorely lacking” for defining a “proportional response” by the government, particularly in the case of an attack on the private sector.
Former Department of Homeland Security official Stewart Baker, now a partner at Steptoe & Johnson, suggested current deterrence policy is laughable.
“Five years ago, you’d have said that the Russians hacking presidential campaigns to help their favorite candidate win was dystopian fiction,” he said. “Now half the country is shrugging it off or in denial. And the other half is using the episode to score points off Donald Trump. Putin must be amazed to be getting away with this.”
However, an industry source noted that this kind of cyberattack might fall outside the realm of a deterrence policy.
“If it’s true that Russia is behind the hack then administration officials are considering their options,” the industry source suggested. “The hacking episode appears to be good-old-fashioned espionage under international law and norms. It’s not clear how the administration’s deterrence policy would apply here, but it’s a question worth asking.”
The source noted: “First, the United States engages similarly in espionage, and we should. Second, the deterrence policy is rooted in creating uncertainty in adversaries’ minds, not in triggering automatic responses. This would unwisely eliminate policymakers’ discretion.”
And, the source said, “Third, the [administration] policy statement focuses on deterring malicious behavior at a relatively high level, loosely akin to an act of war, including actions that threaten life and serious economic harm. The hacking of the DNC does not rise to this level. But the U.S. response, done publicly or otherwise, will likely set a tone for our adversaries.”
Was Russia behind the hack?
James Lewis of the Center for Strategic and International Studies told InsideCybersecurity.com that the hack would fit into a pattern of covert Russian activities in cyberspace.
“People seem to think it was them, and it’s consistent with their past practice,” Lewis said. “They use hacking for political effect and to shape opinion. So it fits their M.O.”
Lewis added, “If it really was the Russians, they are very hard to stop.”
That in turn raises the second policy question: Where does responsibility reside for protecting U.S. companies from attacks by sophisticated nation-states?
“It’s really a ‘gov’ responsibility,” Lewis said. “You could hire firms that could make it hard (but not impossible) for the Russians to get in (if it was them) but at the end of the day, it is” the government’s job.
Finally, the attack raises the question of what cybersecurity tools the DNC was employing — and whether the federal government’s efforts to get such tools into the hands of private-sector entities are effective.
Was the DNC using the framework of cybersecurity standards developed by the National Institute of Standards and Technology? That’s the premier tool kit the government has offered up to the private sector, and it has been embraced by major industry groups representing all of the critical infrastructure sectors.
But as the Sony Pictures hack revealed a couple of years ago, cyberattacks aren’t limited to “critical infrastructure” targets, and hits on soft targets like a movie studio or the offices of a political party can have major consequences.
The DNC has yet to respond to questions about its cybersecurity policies but has cited the difficulty in defending against nation-state attacks.
As CSIS’s Lewis noted, “It’s not the kind of cyberattack everyone worries about, but it’s maybe more effective. Once the data is out, that becomes the focus, not who-did-it. The damage is done.”
But among cyber policymakers, a few troubling questions will endure from this episode.
Charlie Mitchell is editor of InsideCybersecurity.com, an exclusive service covering cybersecurity policy from Inside Washington Publishers, and author of “Hacked: The Inside Story of America’s Struggle to Secure Cyberspace,” published by Rowman and Littlefield.