Late last week Obama administration officials used NBC News to send Moscow a cryptic threat: The U.S. government is “contemplating an unprecedented cyber covert action” against Russia for allegedly interfering in the upcoming U.S. elections. Anonymous sources cited in the NBC story offered no details about what the U.S. might do, but said the White House has asked the CIA to cook up a “clandestine” cyber strategy “designed to harass and embarrass” Russian leadership, including Pres. Vladimir Putin.
The threat refers to the Obama administration’s contention that Putin is likely behind the cyber attacks on Democratic National Committee computers and the leak of more than 19,000 pilfered DNC e-mails to WikiLeaks just before the party’s July national convention. Additional e-mails from presidential nominee Hillary Clinton and other Democrats have since surfaced on WikiLeaks’ site, fueling concerns that Russia is trying to skew the election in favor of Republican nominee Donald Trump.
The Obama administration’s very public threat to engage Russia in a cyber snowball fight is an unprecedented move with unclear consequences, given the unpredictability of online attacks. Even when China emerged as the most likely culprit in the U.S. Office of Personnel Management data theft last year, the White House stopped short of vowing cyber retaliation. Instead Washington promised economic sanctions against Chinese firms that benefited from the hacking of any U.S. entities.
Scientific American spoke with O. Sami Saydjari—a former senior U.S. Department of Defense cyber expert who now runs a consultancy called the Cyber Defense Agency—about why the government is suggesting cyber retaliation, what such a response might look like, and the dangers of online attacks escalating into cyber war or something much worse.
[An edited transcript of the interview follows.]
Why would the Obama administration publicly announce that it is contemplating a large-scale yet covert digital offensive against Russia?
It’s clearly public posturing for some effect, although it’s not yet clear what that effect will be. This is a cyber version of mutually assured destruction—or, maybe more accurately in this case, mutually assured damage. You damage our cyberspace, we’ll damage your cyberspace. But that’s a dangerous game. Cyberspace is a murky area: It’s not clear who your enemy is, and the outcome of your actions isn’t easy to control. Put another way, when you rattle your saber in cyberspace it’s not clear what you’re rattling, at what you’re rattling and whether you’ll be effective if you do rattle it.
What outcome is the U.S. looking for in making cyber threats against Russia?
If somebody was trying to manipulate the U.S. elections, for example, and they wanted to do it subtly, then the secrecy of what they’re doing is important. So for them to be called out is a countermeasure of sorts by the U.S. It’s telling your adversary, “I see you and I see what you’re doing.” If people see who’s behind a particular attack, the attacker’s ability to manipulate is diminished. Another possibility [for going public] is to draw the attention of the international community and possibly attract sanctions.
Which government agency or agencies would be responsible for the U.S. making good on its cyber threats?
Cyber action is the purview of the U.S. Cyber Command and not the intelligence community. The U.S. Cyber Command happens to be commanded by the same person who’s the head of the National Security Agency [Adm. Michael Rogers], but there are separate sets of laws governing those two entities. That’s not to say other agencies can’t support them, but a cyber attack would have to be led by Cyber Command.
What types of weapons are used to launch a cyber offensive?
Malware, network attacks and cyber sabotage are the three main categories in a cyber arsenal. The issue is more about where you place these attacks. Attackers have found that it’s very useful to pre-place attacks that they can trigger at a moment’s notice. It may take some time—even years—to set up such an attack, to put malicious code in a strategically important place against an adversary. The attackers are waiting for just the right time to use them because they’re use-once weapons.
What has been the biggest deterrent to state-sponsored cyberattacks?
To launch a cyber offensive you have to know who your target is, what effect you want and how to keep your attack on target. For example, in a real-world war when you bomb a radar site to prevent an adversary from detecting your airplanes coming in for an airstrike, that’s a very clear target. Of course in conventional attacks your mission could be affected by poor weather and you could hit a hospital or school instead of the radar site. Cyberspace is way muddier than that. Say you wanted to launch a virus at an adversary’s command-and-control system. There’s also the possibility that after it hits the command-and-control system, it could mistakenly get out of that network—and onto the Internet, where it can propagate worldwide, damaging banking systems and critical infrastructure. When one contemplates action in cyberspace one has to be careful, because it can escalate to impact the real world, too.
How can investigators distinguish between a cyber attack launched by a government entity and one launched by cyber criminals?
Anybody can get their hands on generic malware online and then modify it for their purposes, as opposed to inventing something new. This type of malware may not be very sophisticated but can still do millions or tens of millions of dollars in damage. A nation-state hacker from Russia or China, however, is different. These countries spend a lot of money to hire specialized programmers whose jobs are to develop customized code, to practice with it, to develop [simulated] target system models, attack those models and figure out how to get around any countermeasures and detectors to get what they want. It’s a matter of investment and developing new, more sophisticated, state-of-the-art malware that can attack zero-day vulnerabilities [software flaws that have not yet been found and patched by the company that wrote the software].
When sophisticated, well-planned cyber attacks are uncovered, is that a clear sign that a government as opposed to criminals launched them?
If a piece of code reaches a certain level of sophistication, it becomes more likely that the developer was backed by a nation-state. You can estimate the resources that an attacker would have had to have at their disposal to write a piece of malware. In some cases you can do “thumb printing,” so to speak, on a piece of code by examining telltale techniques—whether the program calls certain [files] or uses a particular sequence of instructions—that a programmer uses to create the malware. Programmers tend to use the techniques they develop over and over again, so you can tell malware that’s been developed by the same set of people.
It seems that people are being less careful about what they label a “cyber war.” Has that word become more appropriate as the number of high-profile cyber attacks attributed to other nations grows?
There’s cyber conflict and then there’s cyber war. Some people use these terms a little too loosely. We have definitely seen examples of cyber conflict between nation-states—it happens every day. Cyber war is another level, where there is an all-out attack and an intention to do strategic damage to another nation-state entity. We have not seen cyber war yet. Let’s say the Russians really did try to manipulate the U.S. elections. To declare that an act of war is a very dangerous idea. Lots of nation-states try to influence—either overtly or covertly—the elections of other nations. At this point in time there’s really no cyber war independent of conventional war.