The Trump administration’s top cyber officials have emphasized the urgent need to take aggressive action to deter increasingly brazen foreign cyberattacks. Trump himself, however, has repeatedly brushed aside the notion that foreign cyber activity is anything even really noteworthy.
When Trump’s team talks about foreign hacking, be it China’s alleged massive cyberespionage campaign against telecommunications companies or its efforts to take root in U.S. critical infrastructure, they insist the actions can’t be tolerated and must be deterred.
“We need to find some way to communicate that this is not acceptable,” Alexei Bulezel, senior director for cybersecurity at the National Security Council, said in May when asked about the groups thought to be behind those campaigns, Salt Typhoon and Volt Typhoon.
More recently, last month, National Cyber Director Sean Cairncross cast a wider net about foreign adversaries who want to “do us harm,” saying, “To date I don’t think the United States has done a tremendous job of sending the signal, in particular to China, that their behavior in this space is unacceptable.”
Trump, by contrast, has framed all that differently, to the point of dismissiveness.
Asked in June about Chinese hacking of U.S. telecoms, theft of intellectual property and more, Trump answered, “You don’t think we do that to them? We do. We do a lot of things. … That’s the way the world works. It’s a nasty world.”
Asked in August about whether he would discuss alleged Russian hacking of U.S. courts with Vladimir Putin, Trump replied, “I guess I could, are you surprised? … They hack in, that’s what they do. They’re good at it, we’re good at it, we’re actually better at it.”
The gulf between what Trump says about cyber compared to what his top deputies say provokes a variety of reactions from cyber experts and former officials. It sends mixed signals to adversaries, some say, while others say it might just reflect facts of life about today’s cyber environment or a president who doesn’t behave or think conventionally.
At the same time, Trump’s casual messaging about cyber may reflect a broader trend of nations increasingly treating cyber operations as a routine instrument of power.
A need for consistency?
A lack of consistency between the president and his personnel muddles a clear message to adversaries, and downplaying cyberattacks is unwise, said Christopher Painter, who served as the top State Department cyber official under President Obama.
“Either cyber and cyberattacks are a priority or they’re not, and it’s [a] problem if you communicate they’re not serious by saying, ‘Oh, we don’t care now,” said Painter, now a nonresident senior adviser at the Center for Strategic and International Studies. Cyberattacks are serious, he said, and “We need to say it, and we need to be consistent about it, and we need to make sure we take it seriously. So I am concerned that it undermines the narrative that I think we need.”
Trump downplayed foreign cyber activity during his first term, too, both publicly and privately, in the latter case shunting away an adviser while the president tried to watch a golf tournament by saying “You and your cyber … are going to get me in a war — with all your cyber s—t.” According to Painter, Trump often links the issue to Russian interference in the 2016 presidential election, a subject he resents because he believes it undermines the legitimacy of his presidency.
But Painter also noted Trump wasn’t the first to downplay any kind of foreign cyber activity, with former Director of National Intelligence James Clapper remarking about the 2015 Office of Personnel Management hack, “You have to kind of salute the Chinese for what they did. If we had the opportunity to do that, I don’t think we’d hesitate for a minute.”
Clapper also drew a line between the OPM breach, which he said was “passive intelligence collection activity” and a full-fledged cyberattack. There’s a long-lasting debate over whether cyberespionage constitutes a cyberattack.
Trump officials, too, have emphasized they’re more worried about the activity of Volt Typhoon, with its potential for disruption, than that of Salt Typhoon, which is more espionage-focused.
Some analysts acknowledge that Trump has a point when he dismisses cyberespionage as a fact of modern life rather than something that requires retaliation. “My own experience says that it’s extremely difficult, if not impossible, to deter espionage,” said Michael Daniel, who held the White House’s top cyber position under Obama and is now president of the Cyber Threat Alliance.
Any threat in an attempt to deter cyberespionage has to be credible to be effective, said Erica Lonergan, an assistant professor at Columbia University’s School of International and Public Affairs. And there are a few things working against the United States making credible threats.
“We do it, because we all do it, and everyone knows we do it,” she said. Next, the potential consequence has to be more harmful than the value of cyberespionage, which is extremely useful to have. “We’re not going to go to war over cyberespionage. No matter how many times a member of Congress calls it an act of war or not, we didn’t go to war over the spy balloon.”
Yet other analysts read Trump’s comments on foreign cyber activity differently. He might have an aggressive reaction to a more clearly damaging attack than the incidents he’s downplayed, said James Siebens, a fellow with Stimson Center’s Strategic Foresight Hub.
“If we were talking about a genuinely destructive cyberattack that cost people’s lives, I would imagine that there would be a fairly forceful response,” said Siebens, who recently co-authored a study on cyber deterrence. “My view is that President Trump was doing something that he often does, which is to state plainly things that make people uncomfortable, but are nonetheless observable and rooted in an important truth.”
Richard Harknett, director of the Center for Cyber Strategy and Policy at the University of Cincinnati, took Trump’s recent remarks as a comment more on the potency of U.S. capabilities compared to its adversaries.
“It wasn’t sort of a complacency, it was more confidence,” said Harknett, who served as the first scholar-in-residence at United States Cyber Command and National Security Agency beginning in 2016. Of course, he said, “The president tends to speak in confident terms regardless.”
Daniel said that some contradictions between Trump and his cyber team are to be expected. Different officials are bound to have differences of opinion, including in the Trump administration, which has hardly been a “paragon of consistency” in its messaging to the world, he said. Daniel added that deterrence is a challenge for every administration; throughout history, the United States has often threatened not to tolerate certain actions, but then failed to respond when those actions occurred.
Several experts said they were willing to give the administration time to iron out any potential contradictions. Harknett said it’s hard to read too much into public comments alone right now. More important, Harknett and others said, will be what the administration says in a forthcoming cyber strategy.
A global trend?
Trump is not the only world leader in recent months to speak about his nation’s cyber activity in a more casual manner. At the beginning of this month, Chinese President Xi Jinping and South Korean President Lee Jae Myung joked about the security of a cell phone gift that Xi gave his counterpart, which ended in Xi quipping, “You can check if there’s a backdoor.”
It was “weird for Xi, especially because the Chinese are loath to ever admit they do anything,” Painter said, even if he was joking.
The openness about cyber doesn’t end there, extending to a number of cases where nations that historically haven’t pointed the finger at other countries over alleged cyberattacks are more willing to do so by releasing technical analyses.
“We’re starting to see more non-Western countries, and notably China, making attributions back now,” said Allison Pytlak, director of the Cyber Program at the Stimson Center think tank and the co-author of the deterrence report with Siebens. Singapore recently made its first cyber attribution as well.
Trump officials have been touting offensive operations, which used to be a topic of very little public discussion. And other nations have been growing more open about cyber operations, from Japan’s recent active cyber defense legislation to Australia establishing its own Cyber Command last year.
‘There is more openness about cyber in general, the strategic level, in terms of leaders being willing to talk about cyberespionage, cyber offense,” Lonergan said. “No one talked about cyber offense in the U.S. government for years.”
That openness could turn out to be a good thing, Pytlak said. It could “spark debate” in the public about the very nature of cyber, about the differences between the harm espionage causes and the kind of national security threat other kinds of activity poses.