Next week America’s intelligence community will release an unclassified report detailing as much as they publicly can why they believe the Russian government hacked and leaked private emails from the Democratic National Committee and engaged in a campaign of fake news intended to influence the outcome of the presidential election.
Because of the confluence of President-Elect Donald Trump’s reflexively defensive personality and the lack of trust good chunks of the public have of our intelligence leaders, it is easy to predict that the outcome of this report’s release will be more public squabbling. Was Russia truly responsible? Is Trump Vladimir Putin’s willing lackey? Or is he being used and doesn’t realize it?
At a Senate Armed Services Committee hearing today, though, the emphasis was on what to do about it, whether America has a strategy on cyberattacks, why America doesn’t have a strategy, what deterrence and retaliation looks like, and whether we should treat our intelligence community with much more credibility than Wikileaks’ Julian Assange. That last part was a little bit strange, given that one of the participants in the hearing was outgoing Director of National Intelligence James Clapper, who will forever be remembered for openly lying to a Senate committee about the National Security Agency (NSA) engaging in mass surveillance of American citizens. Sen. Joe Donnelly (D-Indiana) said he was “astounded” at the idea that people would grant Assange greater credibility than our intel folks.
As much of a critic I’ve been of Clapper, it’s worth noting that he emphasized a couple of very important facts to the committee. First, they need to grasp the difference between foreign surveillance and espionage and an actual cyberattack for the very obvious reason that America engages in surveillance and espionage of foreign nations (and cyberattacks as well, honestly). A policy of retaliating against other countries who engage in the same practices will result in some nasty blowback and unintended consequences. It’s something to keep in mind when discussing things like China’s hacking and collection of private information about federal government employees.
Second, he wanted the Senate committee to resist the idea of looking at responses to cyberattacks as a tit for tat game where America strikes back in the same fashion. It’s not an arms race with the non-word “cyber” inserted everywhere. “Noncyber tools have been more effective in changing our adversary’s behavior,” he said.
But after several hours of the hearing, one thing became abundantly clear: This was a debate on how aggressively America should react to these incidents. There was very little to no discussion of taking defensive actions or protective measures to keep Americans safe from hacking. The main of the discussion (when not about how our intelligence operatives deserve all of our respect) was about what sort of interventions or punishments America needs to implement to deter attacks.
Early on Sen. John McCain (R-Ariz.), chairman of the committee, set the tone by suggesting that while it’s clear that the Russian government didn’t directly interfere with voting, if the information released by the hackers and if the propaganda and fake news efforts Russia put forward actually influenced the election results, he considered that to possibly be an act of aggression. He later complained that handling incidences of cyberattacks against the United States on a case-by-case basis was not “a strategy.”
Other senators on in both parties were also very much caught up in the idea of how America will respond to attacks in the vein of “What do we do to these countries?” rather than from an interest in bolstering American cybersecurity. Sen. Bill Nelson (D-Fla.) asked what it would take to “impose enough of a cost to get them to stop.” Sen. Lindsey Graham (R-S.C.), still living in full fear that the world is out to destroy us all, wanted to know whether America would start “throwing rocks” back at countries who engage in cyberattacks.
We should be concerned at the use of cyberattacks as yet another excuse for more foreign intervention. It shouldn’t be a surprise at this point that McCain and Graham are beating the drums for more responses. It’s what they do. Geico could make an ad about their propensity for calling for military action and foreign intervention.
But it’s a response that, just like reckless military foreign military intervention, fails to focus on outcomes that actually make us safer from cyberattacks (the blowback that Clapper himself warned about at the hearing).
Don’t want Chinese or Russian or North Korean hackers snagging vast amount of data about Americans? Maybe have a discussion about data minimization, the idea of maybe not collecting mass amounts of information about people in one place unless it’s directly connected to a particular purpose. That might be an awkward prospect, though, given how our own intelligence community is so insistent in trying to collect as much as everybody’s data as possible.
The focus on intervention as a solution rather than better defenses is what keeps the encryption fight alive. There are lawmakers and government officials and law enforcement agencies who are insistent on wanting to bypass tech security as an interventionist system of fighting crime and terrorism. That encryption bypasses or “back doors” severely compromises the defenses and privacy protections of anybody using communication tools doesn’t factor in as much with these folks.
While the debate continues to be about who was really, really responsible for the DNC hacks (my prediction is that it’s probably Russia, but we’ll never be able to prove it in a way that actually ends the argument), we must not lose sight of the core debate of cybersecurity and how similar it is to foreign policy discussions. We must be wary of how politicians’ desire to use aggression as a solution to difficult relationships with other countries compromises our long-term safety and security. The end result could lead to really bad policy choices.