US Response to Russia Hacks Should Be Part of Broader Cyber Strategy, Experts Say
The federal government's response to the Russia-backed hacking of IT systems associated with Democratic Party entities aimed at influencing the outcome of the 2016 presidential election should be part of a more holistic strategy for changing the U.S.' approach to cybersecurity, policy experts said Monday during the State of the Net conference. President Donald Trump said earlier this month that he now believes U.S. intelligence agencies' finding that Russia sponsored the hacking of servers associated with the Democratic National Committee and the campaign of former Democratic presidential nominee Hillary Clinton (see 1701130039).
Sign up for a free preview to unlock the rest of this article
Timely, relevant coverage of court proceedings and agency rulings involving tariffs, classification, valuation, origin and antidumping and countervailing duties. Each day, Trade Law Daily subscribers receive a daily headline email, in-depth PDF edition and access to all relevant documents via our trade law source document library and website.
Trump's acknowledgment of Russia's involvement in the election-related hacks now puts the focus on formulating an appropriate response, said Center for Strategic and International Studies Director-Strategic Technologies Program Jim Lewis. The Russia-led hacks is the real “face of cyber war,” rather than the oft-feared cyber Pearl Harbor, he said. The U.S.' response to the hacks is important given that Russia is attempting to use similar tactics to influence the outcome of upcoming elections in France, Germany, the Netherlands and the U.K., Lewis said.
Response to the Russia-backed hacks will be complicated by a lack of “real rules of the road” for dealing with international cyber war, said Austin Carson, legislative director for House Homeland Security Committee Chairman Michael McCaul, R-Texas. International cyber norms are already “tenuous,” so without stronger rules for responding to foreign-sponsored cyber incidents, “we're never going to be able to effectively combat these types of actions,” Carson said. He cautioned more broadly against federal officials or Congress seeking “knee-jerk” responses to events like the Russia-hacked hacks at the expense of responding to more complex incidents that are also important but aren't considered a cyber Pearl Harbor.
Other experts said there has been too much focus on the Russia-backed hacks. The hacks were important in forcing the U.S. to again focus on cybersecurity protections, but “the Russians didn't write” the emails obtained through the hacks that WikiLeaks later obtained and published, said Internet Education Foundation Vice Chairwoman Shane Tews. Russia's actions are “definitely bad,” but use of multifactor authentication “would have probably stopped” the emails from being stolen, said Technology CEO Council Executive Director Bruce Mehlman.
The October distributed denial-of-service attacks against Dyn may be a more important cyber event from a policy perspective, Mehlman said. Lobbyists have seen the Dyn attacks as a potential catalyst for a broader exploration of IoT cybersecurity this year (see 1610260067). FTC Commissioner Maureen Ohlhausen, who may become the next chair at least on an interim basis (see 1701230054), similarly identified IoT cybersecurity as a policy issue with “huge implications.” The FTC should continue to play a role in developing IoT policy, though self-regulation in the IoT space “has continued to move along well,” Ohlhausen said. She also noted the Broadband Internet Technical Advisory Group's November report on IoT cybersecurity. Ohlhausen spoke Monday about the broader priorities of a GOP-majority FTC (see 1701230043).