Will Obama Order American Hackers to Dox Putin?

President Obama’s threat was direct and unequivocal: The United States will retaliate against Russia for its election-related cyberattacks. “And we will, at a time and place of our own choosing,” the president told NPR’s Steve Inskeep in an interview that aired Friday. “Some of it may be explicit and publicized; some of it may not be.” But what he didn’t say is what the response will look like.

His national-security team has likely laid out a menu of options for him: He could ask intelligence agencies to train a cyberattack on Russian networks or infrastructure, to demonstrate the strength of their offensive capabilities. He could release damaging information about Vladimir Putin, the Russian president, just like Russian hackers published data stolen from top Democrats’ email accounts. Or he could choose a more traditional response, like imposing economic sanctions.

It’s most likely that Obama will pick a combination of these options—both overt and covert—that punishes Russia and damages Putin’s reputation, while sending a signal to would-be hackers that interfering in American democracy comes with a heavy price.

One public option is a direct, tit-for-tat response to the release of Democrats’ emails and research. “If they’re doxing you, you can dox back,” said Peter Singer, a senior fellow at New America, referring to the practice of releasing potentially damaging secret information. Releasing embarrassing information has gotten under Putin’s skin before, like when the Panama Papers revealed details about how members of his inner circle make, move, and hide their wealth. Exposing more about his money and his relationships with oligarchs would be a jab aimed straight at one of Putin’s pressure points, said James Lewis, the director of the technology program at the Center for Strategic and International Studies.

A visible reaction would indicate to other adversaries how the U.S. will respond to cyberattacks in the future. “We’ve got to demonstrate and be a little more transparent about some of our own attack capabilities,” said Frank Cilluffo, the director of George Washington University’s Center for Cyber and Homeland Security. “That is part of this delicate dance. We shouldn’t be treating this as black magic.”

A doxing campaign would have to aim high to be effective. Lewis says officials have considered leaking Putin’s botox-injection schedule, or photos of his girlfriend. That won’t embarrass him, he said. “That’s not just going to happen with this guy.”

Obama made it clear that deterrence is one of the main objectives of responding to cyberattacks. “Our goal continues to be to send a clear message to Russia and others not to do this to us—because we can do stuff to you,” he said at a press conference Friday.

But he said his answer to Russia’s election meddling might have a secret element to it, too, without making it clear what he has in mind. A quiet, targeted cyberattack—on Russian intelligence networks, for example, or on military infrastructure—would send a message about the American government’s offensive capabilities, and could make Putin think twice about using hackers to meddle so directly in U.S. politics in the future.

But the administration will need to tread carefully: Hacking back risks escalating the situation. “A cyberattack could be interpreted by the Russians as the use of force, justifying a military response,” said Lewis. Obama wants to leave a legacy of strength and leadership in cyberspace—not of provoking war. “We have been working hard to make sure that what we do is proportional, and that what we do is meaningful,” the president said on NPR.

There are always traditional, non-technological forms of retaliation to fall back on. As Russia made moves to annex a part of Ukraine in 2014, the U.S. and the European Union placed coordinated economic sanctions on individuals and businesses close to Putin. To the extent there’s anything left to sanction, further penalties could cause targeted harm on sectors of the Russian economy and people in power—and, unlike a hacking campaign, imposing sanctions is a familiar tactic that’s less likely to spiral out of control into a larger conflict. Another, softer option is to expel Russia’s ambassador, a classic public rebuke.

The cyberwar experts I spoke with were exasperated that the conversation has turned to retaliation only now, more than a month after the election and with just weeks left in Obama’s presidency. “It’s like, what clock are you using?” said Singer.

The DNC announced in June that its networks had been infiltrated by two separate Russian intelligence agencies, but according to a report in The New York Times, the FBI knew as early as September 2015 that Russian hackers were targeting the organization. But the administration didn’t retaliate before the election. Obama said Friday that he didn’t retaliate publicly at the time in order to avoid further politicizing an already “hyper-partisan atmosphere,” especially because Donald Trump had repeatedly questioned the integrity of the elections. “I wanted to make sure that everybody would know that we were playing this thing straight,” Obama said.

The administration may have also decided it may not have to to do anything too dramatic, expecting Hillary Clinton to win the election. What’s more, the State Department was in talks with Russian diplomats at the time to strike a peace deal in Syria, which may have made the administration hesitant to antagonize Putin in the moment. (The peace deal fell apart in October.)

“I talked to officials at three different agencies who would’ve been responsible for implementing this, and they were ready to do so” before the election, Lewis said. “If you’d called me up in August, I would’ve told you we were two weeks away from doing something.”

The reticence to respond before the election may have also been related to the intelligence community’s initial disagreement over whether Russia’s involvement was meant just to cause chaos in American politics, or if the Kremlin was specifically trying to get Donald Trump elected. On Friday, The Washington Post reported that the FBI, the CIA, and the Director of National Intelligence had reached a consensus that Russia was trying to help Trump win the presidency. Obama declined to elaborate on the intelligence community’s findings on Friday, but he strongly implied that Russia’s president had directed the hacking operations himself. “Not much happens in Russia without Vladimir Putin,” Obama said.

But Singer says the resolving question of intent shouldn’t have held up the administration’s response.

“If someone’s robbed a bank, we don’t stop to debate, ‘Did they rob the bank because they wanted the money themselves, or because they wanted to harm the bank owners?’” Singer said. “That’s a great debate to have. But that doesn’t make you go, ‘Oh, I should wait to figure that out before I go respond to the bank robbery.’ And it also doesn’t mean people debate if the bank was robbed or not, which is what half the community is doing.”

Singer was referring to Trump’s habit of questioning the fact that Russia was behind the cyberattacks that targeted political institutions.

With just five weeks to go before inauguration day, Obama’s actions may be aimed partly at hemming in Trump once he takes office in January. Putting Trump in the position of having to undo whatever political and economic retaliation the Obama administration decides to pursue could make it harder for him to make immediate overtures to Putin once he arrives at the White House.

And a strong response will throw echos beyond just the U.S.-Russia relationship. “The Germans, the French, and the British have the same kind of evidence we have that the Russians are attempting to interfere in their elections. We need to help our friends, now,” said Lewis. “We need to put the Russians on notice. Right now they have a green light. At least we can change it to yellow.”