In testimony before the US Senate Armed Services Committee on Tuesday, National Security Agency Director and US Cyber Command Commander Admiral Michael Rogers told senators that measures taken thus far by the US government in response to the information operations, malware attacks, and network intrusions attributed to “Russian actors” had not done anything to deter further such attacks. And it’s not clear that USCYBERCOM (essentially the US military’s top command for network defense and offense), or the NSA for that matter, will be able to do anything soon to change that.

Russia’s alleged intrusions included attempts to gain access to voter data. Thus far there’s no evidence any data was modified, though some voter data was clearly accessed. The Department of Homeland Security isn't certain any of the systems were altered or compromised, but it has acknowledged that 21 states’ systems had been “targeted” in some way.

Department of Homeland Security Assistant Secretary for the Office of Cybersecurity and Communications Jeanette Manfra told NBC News in a February 8 interview that “an exceptionally small number of them were actually successfully penetrated.” And yesterday, NBC News reported that seven states’ voter data systems had been “compromised” in advance of the 2016 elections—compromises that have largely already been reported.



In response to a question from Senator Richard Blumenthal of Connecticut, Rogers agreed that what has been done so far “hasn’t changed the calculus, in my sense—it certainly hasn’t generated the change in behavior that I think we all know we need.”

Russian President Vladimir Putin, in other words, has little reason to put an end to the type of information operations and malware campaigns his intelligence agencies have sponsored, apparently at his direction. And so far those haven’t stopped, based on allegations that Russian intelligence was behind the attack on the networks of the PyeongChang Winter Olympics earlier this month.



Above his pay grade

Rogers was testifying before the committee in his capacity as USCYBERCOM chief, reporting on the challenges and threats faced in “the cyberspace environment.” Russia currently figures prominently in those challenges, Rogers noted in his prepared remarks.

Rogers cited the conclusion by the US Intelligence Community as a whole that Russia “employed influence operations to interfere with the US presidential election in 2016,” and he noted “an even wider pattern of Russian cyber meddling before the election,” based on the records of Facebook, Twitter, and Google. Rogers said that the activities on social media and the leaking of emails during the 2016 presidential race were part of an overall effort “to make Western electorates distrust all news outlets and ultimately one another... This threatens the foundations of democracy, making it difficult to discern Moscow’s intentions and to craft common measures for countering Russia’s aggressive actions in its near-abroad and its repression at home.”

While the intelligence community has been unanimous in its assessment of the Russian information operations activity, there’s little either the NSA or USCYBERCOM can do in response. That’s partially because, as Rogers told senators in response to a question from Senator Jack Reed of Rhode Island, he needs a presidential order to do so. “I am not going to tell the president what he should or should not do,” he added. “I’m an operational commander, not a policymaker.”

There’s a reason why there haven’t been orders from either President Trump or President Obama to take direct action against Russia’s information operations infrastructure: it’s not clear exactly what the options available would be or if they would have any effect other than escalating Russia’s cyber-animosity. And the other measures that US intelligence and military arms could take are limited by legal, practical, and political factors.

The Twitterer’s dilemma

On the information operations side of things, there’s not any direct action that the US government can currently take to affect Russian operations—they’ve used commercial services as a platform, after all. And in the case of intrusions into state election systems, the NSA and USCYBERCOM have no jurisdiction or legal authority to act. DHS and the FBI have limited abilities to act as well.

That’s not to say that NSA and USCYBERCOM are toothless when it comes to dealing with information operations by a social media-savvy adversary. In his report, Rogers laid out the basics of how USCYBERCOM has been playing a role in fighting the Islamic State (ISIS) and other groups in Africa and Asia:

USCYBERCOM is... employing cyberspace operations to protect Coalition forces, target terrorist leaders, and disrupt the operations of hostile forces. We are providing similar support to our forces battling other violent extremist groups in Africa and Asia. USCYBERCOM works with law enforcement, intelligence, and liaison partners to find and destroy the key nodes in ISIS online infrastructure and media operations (along with the analogous infrastructures of other violent extremists).

But liaising is about all that can be done in cases when the activity is on social media or on a US state’s systems because of the NSA’s charter and the restrictions placed upon the military under the Posse Comitatus Act. And while it’s possible that NSA and CYBERCOM could share intelligence with state agencies and social media companies as they do through law enforcement, the ability of those organizations to act on that information varies widely.

Many state government officials have complained about the lack of information sharing on the intrusions that have been reported in the press, but states also have resisted designation of their election systems as “critical infrastructure” because of the regulatory and budgetary implications of that designation. State and local electoral systems, and voter registration data systems in particular, have suffered widely from poor or incomplete security implementations. A recent assessment by the Center for American Progress found that only a quarter of states had implemented “good” minimum security for voter registration data; Florida, Arkansas, Kansas, Indiana, and Tennessee received overall failing grades for their voting security posture.

As far as the social media platforms go, while Twitter, Google and Facebook have all been apparently willing to cooperate in the investigation of Russian information operations, there are practical limits to how close a partnership they can have with the NSA, FBI, DHS, or USCYBERCOM. And considering the history of NSA and FBI interaction with Google and other companies under PRISM, more overt cooperation with US intelligence and military organizations could create greater concerns among customers, privacy advocates, and other governments.

In the end, dealing with Russia’s “cyber-meddling” is not a technical problem—it’s a foreign policy problem. And it’s an intractable one at that, only addressable in the broader context of Russia’s goals in the “near abroad” (Ukraine and the other former Soviet and Eastern Bloc states), Syria, and the wider global stage. With tensions between the US and Russia now teetering on the edge of kinetic action in Syria—including the recent attack on US-backed fighters by what appears to have been Russian mercenary-backed Syrian militias—even “cyber” actions could have much larger physical-world consequences.

The Obama administration reportedly considered several cyber-based responses to Russian cyber-meddling in late 2016, but eventually that administration opted for the well-worn tool of economic sanctions. The Trump administration has so far determined that no new sanctions need be applied despite a bipartisan act of Congress authorizing those sanctions.