President-elect Donald Trump’s repeated attacks on the Intelligence Community and denials of Russian involvement in the hacking of the Democratic National Committee (DNC) risk emboldening U.S. adversaries. Attribution of cyber intrusions to particular perpetrators is a necessary precondition to every possible response, from criminal indictments to economic sanctions to countermeasures. By at times denying even the possibility of attribution, Trump is signaling that the United States might not respond to future cyber incidents and that hackers could act with impunity. That’s a dangerous message to send, and it’s one his national security nominees need to counter by acknowledging Russia’s actions.
Trump’s attribution denials began during the presidential campaign. In the first presidential debate, Trump said, “I don’t think anybody knows it was Russia that broke into the DNC. . . . I mean, it could be Russia, but it could also be China, but it could also be lots of other people, it also could be someone sitting on their bed that weighs 400 pounds, OK?”
His denials have continued in recent weeks. In a tweet in December, Trump said, “Unless you catch ‘hackers’ in the act, it is very hard to determine who was doing the hacking.” On New Year’s Eve, Trump told reporters, “I know a lot about hacking. And hacking is a very hard thing to prove. So it could be somebody else.”
Even after being briefed Friday on the intelligence community’s classified report on Russian hacking, Trump released a statement that did not clearly accept the attribution of the DNC hack to Russia. He focused instead on asserting that “there was absolutely no effect on the outcome of the election including the fact that there was no tampering whatsoever with voting machines” and that “the RNC had strong hacking defenses.”
Trump’s persistent denials are at odds with the determinations by the U.S. intelligence community and multiple cybersecurity companies that Russia was responsible for hacking the DNC. Top intelligence officials told the Senate Armed Service Committee again Thursday that they “assess that only Russia’s senior-most officials could have authorized the recent election-focused data thefts and disclosures.” Friday’s unclassified intelligence report went further, stating, “We assess Russian President Vladimir Putin ordered an influence campaign in 2016 aimed at the US presidential election.”
But maybe even more importantly Trump’s denials fly in the face of years of government and private sector efforts to improve attribution of cyberattacks.
Attribution is a key first step to deterring or responding to cyberattacks. Unless and until the attacker is identified, the victim state cannot use legal tools like sanctions, indictments, or countermeasures against the attacking state. Trump’s claims that the first step is impossible implicitly takes all other possible subsequent steps off the table. Whether any of these steps will deter cyberattacks remains unclear, but eliminating them as possibilities shreds the only existing U.S. deterrence strategy without providing a replacement. And it suggests to would-be attackers that there is a new open season on U.S. targets.
In addition to the risk of not responding, Trump’s cavalier approach to attribution creates a risk that Trump will order a response to a cyberattack, but a response against the wrong country. During the campaign, Trump stressed the need for the United States to be able to “launch crippling cyber counter-attacks.” A “cyber counterattack” launched based on incorrect attribution is not a counterattack at all; it’s just an attack. Such an attack would put the United States in violation of international law and potentially on the receiving end of lawful countermeasures by the attacked country.
Denying the attribution of the DNC hack to Russia also severely hobbles the credibility of a process that the Trump Administration may need to use in the future. Setting aside the DNC hack, at some point after Trump’s inauguration, there will be a major cybersecurity incident. The Trump Administration will then need domestic and foreign audiences to believe that the incident occurred, that a foreign government is responsible, and that a U.S. response is legally justified. Those will be very hard arguments to make for a president who has personally undermined the credibility of the U.S. governmental and non-governmental entities that engage in attribution.
Every tweet and public statement that President-elect Trump makes denying attribution digs a deeper hole for the day when President Trump will need the world to believe him.
President-elect Trump’s national security nominees can start to repair some of the damage if they acknowledge and accept the DNC hack attribution. Just Security has posted suggested questions for CIA Director nominee Rep. Mike Pompeo, whose confirmation hearing is scheduled for Thursday. They include a point blank question that needs to be asked and answered: “Do you believe that the Russian government was responsible for the recent hacking of the Democratic National Committee?”