Hillary Clinton is vowing anew to respond to foreign hacking the same as any other attack against the United States. When she openly blamed Russia for recent U.S. cyber break-ins, Donald Trump wondered whether to blame overseas governments or overweight hackers working from home.
“She’s saying Russia, Russia, Russia, but I don’t — maybe it was. I mean, it could be Russia, but it could also be China,” Trump said during this week’s presidential debate. “It could also be lots of other people. It also could be somebody sitting on their bed that weighs 400 pounds, OK?”
These are the unanswered questions about how the U.S. government should defend itself after an attack in the internet age: Whether to fire back, how to fire back, and at whom? The Obama administration is still writing its rulebook.
A lingering challenge involves identifying whose hands were on the keyboard: Foreign hacker spies, cybercriminals, disgruntled insiders or bored teenagers? Skilled hackers can cover their tracks, use software tools traceable to others and feign their location across borders or continents.
On Wednesday, Rep. John Conyers, D-Mich., said during a congressional hearing that it was “now the clear consensus of the intelligence community that the Russian government was behind the hack of the Democratic National Committee and not, as some suggested, somebody sitting on their bed that weighs 400 pounds.”
The White House has not officially declared Russia responsible and it’s unclear whether or when it might, since blaming Russia — with whom the U.S. is locked in a bitter dispute over fighting in Syria — would probably require plans for a response.
Clinton has raised eyebrows among some cybersecurity experts with her hawkish language on the campaign trail about retaliating with political, economic or even military means. Her aggressive policy proposal is especially notable since the State Department, which she led during President Barack Obama’s first term, traditionally has a vested interest in avoiding overt conflict since it might complicate diplomatic efforts.
“We’re going to have to make it clear that we don’t want to use the kinds of tools that we have. We don’t want to engage in a different kind of warfare. But we will defend the citizens of this country,” Clinton said during the presidential debate, when asked how she would respond to cyberattacks.
For the first time, cybersecurity led the national security portion of the presidential debate, demonstrating its political stakes and the fact that the next president will shape 21st century cyberwarfare policies, setting rules about how the U.S. responds to foreign hackers.
Trump has not released an official position on cybersecurity. Clinton tackles the issue in one-and-a-half pages of her 288-page campaign book. At the debate Trump mentioned “the cyber” without detailing specifics.
“We should be better than anybody else, and perhaps we’re not,” Trump said. “The security aspect of cyber is very, very tough. And maybe it’s hardly doable.”
The high-profile discussion came amid a presidential race that has been punctuated by hacks that cybersecurity firms, Democrats and the Clinton campaign have pinned on Russia, as well as multiple security breaches and data leaks. The White House is grappling over how to respond to hacking that some lawmakers have said is attempting to undermine voter confidence in the election.
“We’re in the process now, really the very early stages of developing those norms by virtue of the types of attacks we’re seeing,” said Matt Olsen, a former general counsel for the National Security Agency.
Olsen said responding is a challenge: “How do you know who’s responsible for the attack (and) to what extent are the cyber actors even susceptible to the normal responses like economic or diplomatic pressure?”
Clinton’s cybersecurity stance tracks with work she started while at the State Department. Even back in 2010, she said countries or individuals who hack “should face consequences and international condemnation” and that “an attack on one nation’s networks can be an attack on all.” In the State Department, she created the Office of the Coordinator for Cyber Issues to deal with global diplomacy and cyber rules.
“There was no other office in the world like mine when it was created five years ago,” said Christopher Painter, who’s served as the office’s coordinator since its inception. “Now we have 25 counterparts around the world and more on the way. That really indicates something that was a huge priority in foreign policy.”
But Clinton is hardly a technology expert herself, once struggling with how to operate a fax machine or connect a new iPad to Wi-Fi. And her cybersecurity record at the State Department is spotty. The FBI said there was no evidence her private email server in her home’s basement was hacked, but agents concluded that it was possible that hackers broke into her personal email account. At the end of her term as secretary, Clinton left behind an agency with one of the lowest scores in government for its compliance with a federal information security law.
Many of the most noteworthy cyberattacks — and the administration’s policy for dealing with them — occurred after Clinton left the State Department. The Obama administration has in recent years adopted a “name and shame” policy for state-sponsored hackers. It criminally charged five Chinese military officials with stealing secrets from nuclear power and solar companies and Iranian hackers with attacks on financial institutions and a small New York dam. In 2014, the U.S. publicly accused North Korea of hacking Sony Pictures and placed sanctions on the already isolated nation.