The Obama administration last year rolled out to great fanfare a new economic sanctions power to punish and deter foreign hackers who harm the United States’ economic or national security.
The threat to use it last year helped wring a pledge out of China’s president that his country would cease hacking U.S. companies’ secrets to benefit Chinese firms.
But officials this fall concluded that it could not, as written, be used to punish the most significant cyber-provocation in recent memory against the United States – Russia’s hacking of Democratic organizations, targeting of state election systems and meddling in the presidential election.
With the clock ticking, White House officials are trying to figure out how they can adapt the authority to punish the Russians they have identified as being involved. President Barack Obama last week pledged there would be a response to Moscow’s interference in the U.S. elections.
One clear way to use the order against the Russian suspects would be to declare the electoral systems part of the “critical infrastructure” of the United States. Or it could be amended to clearly apply to the new threat – interfering in elections.
Administration officials would also like to make it difficult for President-elect Donald Trump to roll back any action they take.
“Part of the goal here is to make sure that we have as much of the record public or communicated to Congress in a form that would be difficult to simply walk back,” said one senior administration official, who like others spoke on the condition of anonymity to discuss internal deliberations.
Obama issued the executive order in April 2015, creating the sanctions tool as a way to hold accountable people who harm computer systems related to critical functions such as electricity generation or transportation or who gain a competitive advantage through cybertheft of commercial secrets.
The order allows the government to freeze the assets in the United States of people overseas who have engaged in cyber acts that have threatened U.S. national security or financial stability. The sanctions would also block commercial transactions with the designated individuals and bar their entry into the country.
But just a year later, a Russian military spy agency would hack into the Democratic National Committee and steal a trove of emails that were released a few months later on WikiLeaks, U.S. officials said. Other releases followed, including the hacked emails of Hillary Clinton’s campaign chairman, John Podesta.
“Fundamentally, it was a low-tech, high-impact event,” said Zachary Goldman, a sanctions and national security expert at New York University School of Law. And the 2015 executive order was not crafted to target hackers who steal emails and dump them on WikiLeaks or seek to disrupt an election. “It was an authority published at a particular time to address a particular set of problems,” he said.
So officials “need to engage in some legal acrobatics to fit the DNC hack into an existing authority, or they need to write a new authority,” Goldman said.
Administration officials would like Obama to use the power before leaving office to demonstrate its utility.
“When the president came into office, he didn’t have that many tools out there to use as a response” to malicious cyber acts, said Ari Schwartz, a former senior director for cybersecurity on the National Security Council. “Having the sanctions tool is really a big one. It can make a very strong statement in a way that is less drastic than bombing a country and more impactful than sending out a cable from the State Department.”
The National Security Council concluded that it would not be able to use the authority against Russian hackers because their malicious activity did not clearly fit under its terms, which require harm to critical infrastructure or the theft of commercial secrets.
“You would a) have to be able to say that the actual electoral infrastructure, such as state databases, was critical infrastructure, and b) that what the Russians did actually harmed it,” the administration official who spoke on the condition of anonymity said. “Those are two high bars.”
Though Russian government hackers are believed to have penetrated at least one state voter-registration database, they did not tamper with the data, officials said.
Some analysts believe that state election systems would fit under “government facilities,” which is one of the 16 critical infrastructure sectors designated by the Department of Homeland Security.
Another option is to use the executive order against other Russian targets – say, hackers who stole commercial secrets – and then, in either a public message or a private one, make clear that the United States considers its electoral systems to be critical infrastructure.
The idea is to not only punish but also deter.
“As much as I am concerned about what happened to us in the election, I am also concerned about what will happen to us in the future,” a second official said. “I am firmly convinced that the Russians and others will say, ‘That worked pretty well in 2016, so let’s keep going.’ We have elections every two years in this country.”
Even the threat of sanctions can have deterrent value. Officials and experts point to the agreement China’s President Xi Jinping reached with Obama last year that his country would stop commercial cyberspying. Xi came to the table following news reports last summer that the administration was preparing to sanction Chinese companies.
Complicating matters, the Trump transition team has not yet had extensive briefings with the White House on cyber issues, including the potential use of the cyber-sanctions order. The slow pace has caused consternation among officials, who fear that the administration’s accomplishments in cybersecurity could languish if the next administration fails to understand their value.
Sanctions are not a silver bullet. Obama noted that “we already have enormous numbers of sanctions against the Russians” for their activities in Ukraine. So it is questionable, some experts say, whether adding new ones would have a meaningful effect in changing the Kremlin’s behavior. But in combination with other measures, they could be effective.
Criminal indictments of Russians might become an option, officials said, but the FBI has so far not gathered enough evidence that could be introduced in a criminal case. At one point, federal prosecutors and FBI agents in San Francisco considered indicting Guccifer 2.0, a nickname for a person or people believed to be affiliated with the Russian influence operation and whose true identity was unknown.
Before the election, the administration used diplomatic channels to warn Russia. Obama spoke to Russian President Vladimir Putin at a Group of 20 summit in China in September. About a week before the election, the United States sent a “hotline”-style message to Moscow using a special channel for crisis communication created in 2013 as part of the State Department’s Nuclear Risk Reduction Center. As part of that message, the officials said, the administration asked Russia to stop targeting state voter registration and election systems. It was the first use of that system. The Russians, officials said, appeared to comply.
(c) 2016, The Washington Post · Ellen Nakashima