Democrats are furious. Leaders of the U.S. intelligence community have no doubt that Russian trolls, bots and hackers are planning to meddle in the midterm elections this fall, and to date President Donald Trump has not instructed his cyber generals to hit back.
This was the upshot of Senate testimony from Admiral Mike Rogers, the director of the National Security Agency and chief of U.S. Cyber Command. He was repeating a warning voiced by intelligence community leaders earlier this month. Asked if he has been directed by the White House to counter the coming Russian offensive in cyberspace, Rogers responded that he has not.
In this hyper partisan moment, it's understandable that the remarks of the NSA director will be used as a cudgel. In Trump, the Russians got what they paid for, the argument goes. But like most matters of Russia policy, it's a bit more complicated.
Rogers was responding in part to a question about whether he had been told to try to stop Russian hackers at their "point of origin." That means offensive cyber operations designed to shut down, overwhelm or monitor the servers and networks Russia uses to hype fake news, hack Americans and sow chaos in U.S. politics. These would be some of the most sensitive operations conducted by the U.S. government. In such cyber warfare, the rules of escalation and engagement are still not clear.
In this sense Rogers was airing a debate that has raged inside the national security state since 2015. That year, as the Washington Post first reported in December, David Cohen, then deputy CIA director, circulated a menu of covert operations aimed at taking on Russian propaganda on the internet at the source. The options included setting up anti-Kremlin trolls and disabling the servers used by Russian trolls. A U.S. official familiar with the options says these options also included outing the online personas of Russian operatives posing as American activists. As the Post reported, the proposal divided the administration at the time and never reached the president for a decision.
After the 2016 election, some of those ideas were revisited when the Obama administration began drawing up a retaliation policy for Russian meddling that year against the Democratic nominee, Hillary Clinton. Some of the retaliation was public, such as the decision to shut down Russian facilities that doubled as spy hubs. The cyber component however was left for the Trump administration to implement.
A White House official told me on Tuesday that these measures are contentious within the wider government. Rogers and the NSA for example are looking for more authority to begin staging these kinds of attacks, asking for what the NSA in a recent strategy paper called greater "agility" to quickly approve operations as threats gather.
Meanwhile others inside the administration, like Secretary of State Rex Tillerson and Secretary of Defense James Mattis, are wary. There are risks to America's broader reputation if a cyber weapon causes broader damage to the digital infrastructure of allies or countries that were not the target of the attack. This is what happened in the case of a Russian virus, NotPetya, deployed initially against Ukraine's banking infrastructure that spread into the wider internet.
There are turf issues as well. As the Wasahington Post reported in December, one element that has slowed down the cyber retaliation against Russia has been confusion over whether this falls under National Security Adviser H.R. McMaster or Tom Bossert, the top White House official in charge of homeland security.
Finally, there is the very real prospect of escalation. Columbia University researcher and cyber expert Jason Healey made this point in a piece this week. He wrote that Putin saw his election interference in 2016 as a response to what he perceived was the U.S. government's role in releasing the Panama Papers, a trove of secret bank records that exposed offshore wealth hidden by a number of high government officials, including Putin.
Healey told me that the task for policy makers is to get the right balance for cyber actions against Russia related to the election this year. "Trying to get this calibration right - of something that is just disruptive enough that it throws off the Russian game, but not so severe that they feel they need to come back heavier - is what needs to happen," he said.
The problem is that Putin has won the contest of what military planners call "escalation dominance" for now. He proved he was willing to go further in 2016 than the established cyber contest between the U.S. and Russia. In some ways, Russia already showed it was willing to go beyond previously established understandings of cyber warfare when in 2014 hackers made public a recording of a phone call of former U.S. Assistant Secretary of State Victoria Nuland talking with the U.S. ambassador to Ukraine, Geoffrey Pyatt.
Healey says Putin can do worse. "We are seething, and I respect that," he told me. But he said it's worth thinking through how Putin can further escalate. "What if he decides to release the personal information of the people on the Cyber Mission Force?" he asked. It would not be hard for Russian spies to get hold of that. In 2015, Chinese hackers pilfered the personnel records of four million U.S. government workers from the Office of Personnel Management, the government agency that keeps records of U.S. security clearances, among other things.
None of this is an excuse for inaction. Russia's troll farms and hackers should be probed and disrupted. State voting systems should be hardened before the midterm elections. But cyber warfare is complicated. There are honest reasons the Trump administration would want to proceed carefully, so as not to escalate a cyber war with Russia.