U.S. treads water on cyber policy as destructive attacks mount
By Joseph Menn
SAN FRANCISCO (Reuters) - The Trump administration's refusal to publicly accuse Russia and others in a wave of politically motivated hacking attacks is creating a policy vacuum that security experts fear will encourage more cyber warfare.
In the past three months, hackers broke into official websites in Qatar, helping to create a regional crisis; suspected North Korean-backed hackers closed down British hospitals with ransomware; and a cyber attack that researchers attribute to Russia deleted data on thousands of computers in the Ukraine.
Yet neither the United States nor the 29-member NATO military alliance have publicly blamed national governments for those attacks. President Donald Trump has also refused to accept conclusions of U.S. intelligence agencies that Russia interfered in the 2016 U.S. elections using cyber warfare methods to help the New York businessman win.
"The White House is currently embroiled in a cyber crisis of existential proportion, and for the moment probably just wants 'cyber' to go away, at least as it relates to politics," said Kenneth Geers, a security researcher who until recently lived in Ukraine and works at NATO's think tank on cyber defense. "This will have unfortunate side effects for international cyber security."
Without calling out known perpetrators, more hacking attacks are inevitable, former officials said.
"I see no dynamics of deterrence," said ex-White House cyber security officer Jason Healey, now at Columbia University.
The government retreat is underscored by the departure at the end of July of Chris Painter, the official responsible for coordinating U.S. diplomacy on cyber security. No replacement has been named and the future of the position in the State Department is in flux.
Some of Trump's cyber officials have publicly highlighted a strategy to focus less on building global norms and more on bilateral agreements. Trump and the Kremlin have said Russia and the United States are in discussions on creating a cyber security group.
But at the big Black Hat and Def Con security conferences this week in Las Vegas the U.S. government will have an unusually light footprint. Past government speakers have included a head of the National Security Agency and senior Homeland Security officials.
A session featuring U.S. law enforcement officials discussing the purported theft by Russia of hundreds of millions of Yahoo account credentials was pulled at the last minute. A spokeswoman for the Federal Bureau of Investigation said the presentation was canceled because the Yahoo expert slated to talk, Deputy Assistant Director Eric Sporre, had been reassigned to run the Tampa FBI office.
The policy vacuum left by the United States is also affecting private security firms, which say they have grown more cautious in publicly attributing cyber attacks to nation-states lest they draw fire from the Trump administration.
Trump suggested in an April interview that the security firm CrowdStrike, which worked on investigating the election hack of the Democratic National Committee, might not be trustworthy because he was told it was controlled by a Ukrainian. It is not.
Cyber policy veterans are particularly alarmed about the lack of U.S. and NATO response to the destructive attack, dubbed NotPetya, in June that struck computers worldwide but was especially harmful for Ukraine, which is in armed conflict with Russia in the east of the country.
Cyber security experts, such as Jim Lewis of the Center for Strategic and International Studies, a government veteran who advised former President Barack Obama, believe Russia carried out the attack. The Russian defense ministry did not immediately respond to requests for comment.
Lewis and others predicted that Trump will not publicly accuse Russia, and NATO has only said it appears to be the work of a government agency somewhere.
"If you are not ringing alarm bells in an eloquent way, then I think you're dropping the ball," said retired CIA officer Daniel Hoffman, who worked on Russian issues. "When we fail to do enough, that just emboldens them."
(Additional reporter by Dustin Volz in Washington and Jack Stubbs in Moscow; Editing by Jonathan Weber and Grant McCool)