The Trump administration’s refusal to publicly accuse Russia and others in a wave of politically motivated hacking attacks is creating a policy vacuum that security experts fear will encourage more cyberwarfare.
In the past three months, hackers broke into official websites in Qatar, helping to create a regional crisis; suspected North Korean-backed hackers closed down British hospitals with ransomware; and a cyber-attack that researchers attribute to Russia deleted data on thousands of computers in the Ukraine.
Yet neither the United States nor the 29-member NATO military alliance have publicly blamed national governments for those attacks. President Donald Trump has also refused to accept conclusions of US intelligence agencies that Russia interfered in the 2016 US elections using cyberwarfare methods to help the New York businessman win.
“The White House is currently embroiled in a cybercrisis of existential proportion, and for the moment probably just wants ‘cyber’ to go away, at least as it relates to politics,” said Kenneth Geers, a security researcher who until recently lived in Ukraine and works at NATO’s think tank on cyberdefense. “This will have unfortunate side effects for international cybersecurity.”
Without calling out known perpetrators, more hacking attacks are inevitable, former officials said.
“I see no dynamics of deterrence,” said ex-White House cybersecurity officer Jason Healey, now at Columbia University.
The government retreat is underscored by the departure at the end of July of Chris Painter, the official responsible for coordinating US diplomacy on cybersecurity. No replacement has been named and the future of the position in the State Department is in flux.
Some of Trump’s cyber-officials have publicly highlighted a strategy to focus less on building global norms and more on bilateral agreements. Trump and the Kremlin have said Russia and the United States are in discussions on creating a cybersecurity group.
But at the big Black Hat and Def Con security conferences this week in Las Vegas the US government will have an unusually light footprint. Past government speakers have included a head of the National Security Agency and senior Homeland Security officials.
A session featuring US law enforcement officials discussing the purported theft by Russia of hundreds of millions of Yahoo account credentials was pulled at the last minute. A spokeswoman for the Federal Bureau of Investigation said the presentation was canceled because the Yahoo expert slated to talk, Eric Sporre, a deputy assistant director, had been reassigned to run the Tampa FBI office.
The policy vacuum left by the United States is also affecting private security firms, which say they have grown more cautious in publicly attributing cyber-attacks to nation-states lest they draw fire from the Trump administration.
Trump suggested in an April interview that the security firm CrowdStrike, which worked on investigating the election hack of the Democratic National Committee, might not be trustworthy because he was told it was controlled by a Ukrainian. It is not.
Cyberpolicy veterans are particularly alarmed about the lack of US and NATO response to the destructive attack, dubbed NotPetya, in June that struck computers worldwide but was especially harmful for Ukraine, which is in armed conflict with Russia in the east of the country.
Cybersecurity experts, such as Jim Lewis of the Center for Strategic and International Studies, a government veteran who advised former President Barack Obama, believe Russia carried out the attack. The Russian defense ministry did not immediately respond to requests for comment.
Lewis and others predicted that Trump will not publicly accuse Russia, and NATO has only said it appears to be the work of a government agency somewhere.
“If you are not ringing alarm bells in an eloquent way, then I think you’re dropping the ball,” retired CIA officer Daniel Hoffman said, who worked on Russian issues. “When we fail to do enough, that just emboldens them.”