Lawmakers pressed President Donald Trump’s pick to lead the National Security Agency over the government’s failure to deter Russian cyber aggression Thursday at the same time the Treasury Department imposed the broadest sanctions to date against Russian government hackers.
The timing underscored two points made frequently by government cyber officials and by their critics outside government. First, the best response to a cyber strike often isn’t a cyber counterstrike. Second, those non-cyber responses, though they keep piling up, still aren’t doing the trick.
Thursday’s sanctions target five Russian entities, including intelligence services and social troll creator, the Internet Research Agency, as well as 19 individuals, many of whom were previously indicted by Special Counsel Robert Mueller.
The sanctions respond both to Russian meddling in the 2016 election and to global cyber mischief such as the NotPetya ransomware attack, which locked computers around the world last year.
The Treasury Department notice also cited Russian efforts to burrow into government and critical industry computer systems, including in the energy, nuclear, aviation and manufacturing sectors. Those efforts were detailed in a separate joint technical alert from the Homeland Security Department and the FBI.
The sanctions follow months of complaints from congressional Democrats and some Republicans that Trump—who has wavered on whether Russia was responsible for data breaches connected to the 2016 election—has been far too slow to punish Russia for its cyber aggression.
During Thursday’s confirmation hearing, Trump’s NSA pick, Lt. Gen. Paul Nakasone, repeatedly stressed that, while he expects to prepare possible military responses to enemy cyber strikes, he expects political leaders will often prefer non-military responses, such as sanctions, indictments and diplomatic pressure.
“I think it’s important to state that it’s not only cyber or military options that may be the most effective, and, in fact, it may be less effective than other options,” he said.
Since 2014, the U.S. government has indicted government hackers from China, Iran and now Russia. It has also instituted cyber sanctions against Russia and North Korea.
By contrast, the only offensive cyber actions the Defense Department has acknowledged target recruiting and communications efforts by the Islamic State, though it’s highly possible there are other offensive cyber strikes that are not publicly known.
The preference for non-cyber responses stems partly from the fact the U.S. is much more reliant on technology than its adversaries and so is in danger of coming out behind in a tit-for-tat exchange.
Diplomatic pressure and the threat of sanctions is widely believed to have forced a 2015 U.S.-China agreement that caused a steep reduction in Chinese hacking of U.S. companies to steal intellectual property. In most other cases, however, sanctions and indictments have had little visible deterrent effect.
While lawmakers generally praised Thursday’s sanctions, many Democrats also complained that they were unlikely to force a significant change.
“Sanctioning individuals already under indictment thanks to Special Counsel Robert Mueller is not going to change Russia’s behavior,” said Rep. Jim Langevin, D-R.I., who called the sanctions “woefully inadequate.”
“I thought the Obama administration’s sanctions were just a first step,” he later tweeted. “That this administration is getting credit for re-sanctioning Russians 15 months later shows how askew our Russia policy is.”
Senate Intelligence ranking member Sen. Mark Warner, D-Va., criticized the sanctions for not going far enough.
“Nearly all of the entities and individuals who were sanctioned today were either previously under sanction during the Obama administration or had already been charged with federal crimes by the special counsel,” Warner said. “With the midterm elections fast approaching, the administration needs to step it up now if we have any hope of deterring Russian meddling in 2018.”
When asked Thursday if Russian cyber meddling is likely to decrease before the 2018 midterm elections, Nakasone cited a negative assessment by Director of National Intelligence Dan Coats, saying “unless the calculus changes, we should expect continued issues.”
During a daily press briefing, White House Press Secretary Sarah Huckabee Sanders said: “We’re going to be tough on Russia until they decide to change their behavior.”
Reviewing the Dual Hat
Nakasone repeated a pledge Thursday to review within 90 days the current “dual hat” leadership of NSA and U.S. Cyber Command. Nakasone said he has “no predisposition” on whether the agencies are ready for the split.
“My assessment is that what we should do at end of day is make a determination that is in the best interest of the nation,” he said.
Congress has set a series of conditions that CYBERCOM must meet before the Defense Department splits that leadership role. Critics say the dual leadership leads to confused priorities between the intelligence agency and the military command.
Yep, Encryption’s Tricky
Nakasone answered with a “conditional yes,” when Sen. Ron Wyden, D-Ore., asked him to confirm security experts’ conventional view that it’s impossible to provide a government backdoor into encrypted communications without also making it easier for criminal hackers to access those communications.
FBI and Justice Department officials have frequently warned that end-to-end encryption systems which shield communications even from the communications provider are allowing terrorists and criminals to “go dark” online.
Intelligence officials, however, have generally expressed far less concern about those systems.
Wyden called Nakasone’s comments “encouraging.”
Not Buying Huawei
Nakasone said he would not use products provided by Chinese telecom companies Huawei or ZTE and would not recommend that friends or family use them.
The comments were in response to a question from Sen. Tom Cotton, R-Ark., who has introduced legislation to ban those companies and their affiliates from government contracts. Lawmakers are concerned the companies could be used as conduits for information theft by Chinese spies.
A Senate Intel Committee First
Thursday’s hearing marked the first time an NSA director nominee has faced a confirmation hearing before the Senate Intelligence Committee. Director nominees were only required to appear before the Senate Armed Services Committee prior to a change in the 2014 Intelligence Authorization Act.