Trump gets echo of Obama’s Russia crisis with lame-duck hacking

Nick Wadhams
Bloomberg

A massive hack on the federal government presents President Donald Trump with the same choice Barack Obama faced in the waning days of his tenure: whether to impose sanctions on Russia, and how severe to make them. So far, Trump has shown little willingness to impose costs.

Confronted with evidence that Vladimir Putin’s government orchestrated cyberattacks aimed at interfering with the 2016 election, Obama levied sanctions against Russia’s intelligence services and expelled 35 diplomats.

Russian President Vladimir Putin speaks via video call during a news conference in Moscow, Russia, Thursday, Dec. 17, 2020.

Now, it’s Trump’s turn to decide whether to call out and punish the Kremlin, as Obama did, or go easy on the Russian president and leave it to President-elect Joe Biden to formulate a response to a hack so serious it prompted National Security Advisor Robert O’Brien to cut short an overseas trip and return to oversee daily crisis meetings at the White House.

Government agencies and hundreds of Fortune 500 companies are still assessing the damage done by the cyberattack, which involved code embedded in updates for a widely used network-management software made by SolarWinds Corp.

Among the targets hit were the U.S. nuclear weapons agency and at least three states, according to people with knowledge of the matter. Other potential victims include the Pentagon, which confirmed it has contracts with SolarWinds, and Microsoft Corp., which found code related to the cyber-attack “in our environment, which we isolated and removed,” spokesman Frank Shaw said in a statement Thursday.

A poster showing six wanted Russian military intelligence officers is displayed before a news conference at the Department of Justice, Monday, Oct. 19, 2020, in Washington.

Unlike in 2016, the latest attack didn’t involve election interference, but there’s little doubt it was a serious strike. The U.S. Cybersecurity and Infrastructure Security Agency on Thursday called it a “grave risk” to federal, state and local governments, as well as critical infrastructure and the private sector. SolarWinds said 18,000 customers downloaded the tampered software update.

More: 6 Russian officers charged in ‘destructive’ hacking campaign

Security experts familiar with the hack said that even if evidence is still being gathered, it’s important to come out with a swift condemnation and set about taking measures to establish some sort of deterrence.

“The one thing you can say is the Trump administration has basically given the Russians a green light by not calling them out,” said James Lewis, director of the Strategic Technologies Program at the Center for Strategic and International Studies. “That’s what you want to watch for: Does the Trump administration take any action even if it’s just symbolic? And so far the answer is no.”

Although Obama has been criticized for reacting too slowly to the Russian election meddling, the sanctions he eventually imposed sparked one of the most notorious episodes of the Trump era: the decision by Trump’s incoming national security adviser, Michael Flynn, to privately urge Russia not to respond to Obama’s sanctions. Trump last month pardoned Flynn after he was convicted of lying about the conversations he had with Russia’s ambassador on the matter.

Trump and many of his top aides have repeatedly tried to shift the spotlight to China as America’s biggest national security threat, sometimes downplaying Russian actions in comparison. Ending his presidency by going after Russia would contradict that strategy.

According to one person familiar with the president’s thinking, who asked not to be identified discussing private deliberations, Trump has never let go of the belief that he could leverage personal ties with President Putin to improve relations with Russia. That would make it much harder for his staff to discuss punishment for fear that Trump would reject it out of hand.

Fraught Issue

Issues of cybersecurity seem to be particularly fraught for Trump’s aides. In his 2017 book “Fear,” Bob Woodward recounts an episode when Trump’s homeland security adviser at the time, Tom Bossert, tried to approach the president.

President Donald Trump listens during a meeting in the Cabinet Room of the White House, Thursday, July 9, 2020, in Washington.

“I want to watch the Masters,” Woodward says Trump told Bossert, referring to the annual golf tournament. “You and your cyber…are going to get me in a war with all your cyber sh_t.”

In an opinion piece in the New York Times on Thursday, Bossert suggested an idea that’s likely to find a better reception from the Biden team than Trump’s. He said the U.S. must call out Russia but also work with allied nations to pressure Russia.

Although Trump has yet to say anything about the hack, Biden echoed Bossert’s argument in a statement Thursday, vowing to united with allies and impose “substantial costs on those responsible for such malicious attacks.” He promised to make cybersecurity a “top priority at every level of government.”

There are many ways for Trump’s administration to respond – new sanctions on Russia’s intelligence services, for example. Yet one challenge officials face is that such actions, as the current episode proves, clearly have failed to deter Russia in the past.

Another issue that Trump – and later Biden – will have to confront is that no one knows the true extent of the hack and what the hackers will do with the information they gleaned. Snooping on an adversary’s networks is something countries routinely do to each other and, as brazen as the hack may be, might provoke only a moderate response, in keeping with what past administrations have done.

But if the hackers use the breach for more nefarious ends – shutting down electrical grids, for example, or wiping out people’s bank accounts or exposing sensitive information publicly – that could provoke a more serious response.

“Sanctions are probably the most politically expedient option,” said Lauren Zabierek, executive director of the Cyber Project at Harvard University’s Belfer Center for Science and International Affairs. “That’s probably the minimum that we can expect out of this from this administration, but I honestly don’t know what they’re going to do especially given their response to previous Russian actions.”

Indeed, top advisers including Secretary of State Michael Pompeo have played down the hack. In a recent interview, Pompeo portrayed it as more of the same from Russia.

“The Russian efforts to use cyber capabilities against us here in the United States is something that’s been consistent certainly for goodness, I guess I was in Congress six years and now four years in the administration,” Pompeo said on the Ben Shapiro Show.

Given that Russia is unlikely to be deterred, experts argue that the best result will have to be a fundamental rethinking of cyber issues, something that will require new money and more time than the Trump team has left before Biden’s Jan. 20 inauguration.

“We’ve been talking about this for 25 years, and we’re not there,” said Christopher Painter, who was the State Department coordinator for cyber issues before Trump shut down his office in 2017.

“The way you do that is you make this whole area much more of a mainstream national security priority and not treat it as this little boutique-y tech issue, which I think in large part it has been relegated to,” Painter said.