Financial

Clapper: U.S. shelved ‘hack backs’ due to counterattack fears

Former Director of National Intelligence says there were numerous times the U.S. government wanted to go on the offensive after a cyberattack, only to decide against it at the last minute.

By Shaun Waterman

October 2, 2017

James Clapper at the LBJ Presidential Library in 2016.

When the Obama administration was weighing a response to distributed denial-of-service attacks against U.S. banks in 2012, officials vetoed any retaliation because they were worried that the country’s digital infrastructure wouldn’t be able to deal with counterattacks, according to former Director of National Intelligence James Clapper.

The DDoS attacks, which slammed dozens of U.S. banks with increasing force, were traced back to Iran by U.S. intelligence, Clapper recently told the ICF CyberSci Symposium in Fairfax, Virginia. The attacks, launched from networks of compromised servers around the world, struck 46 major banks and other financial institutions — including Bank of America, Capital One, JPMorgan Chase, PNC Bank, New York Stock Exchange and Nasdaq. Hundreds of thousands of customers were unable to access their bank accounts online and the victim companies spent tens of millions of dollars to mitigate the attacks.

“We’d all built up quite a head of steam, [thinking] ‘By God, we’re not going to let the Iranians get away with this! We’re going to do something!'” Clapper said, describing a 2012 National Security Council meeting where intelligence officials laid out options for retaliatory cyber measures against Iranian hackers believed responsible.

“We had teed up a bunch of options for cyberattack against the very same players who had participated in these denial of service attacks [against the banks],” he said. “The initial instinct was: Let’s attack back.”

According to Clapper, then-Secretary of the Treasury Tim Geithner ultimately put a stop to the attack after expressing concern over the banks’ ability to withstand a counter-retaliation. Additionally, the U.S. also chose not to formally raise the issue with Iran through diplomatic channels, but instead enlisted allies across the world to help dismantle the global infrastructure used to launch the attacks.

Clapper added that the conclusion he drew was that no matter how accurate your attribution, cyberattacks were always going to rely on robust online fortifications.

“The big take away for me, is that unless you are very confident in your cyberdefenses, it’s almost pointless to talk about cyberattacks. The very essence of offense is, you have to have a good defense,” he said. “And what complicates it further is, we in the U.S., we have an inclination to be very precise, very limited, very surgical, legalistic. You cannot be assured that the adversary is going to be similarly precise and surgical and legalistic. So if you attack them, you have a anticipate a probably much … greater retaliation as a result.”

Sam Visner, an ICF executive and former senior NSA official, told CyberScoop the questions the decision raised made sense to him.

From Visner’s perspective, the question is “Would Iran’s counteraction also be in proportion, or would it have sought to demonstrate the capacity to damage and/or destabilize the international monetary system? Would Iran have seen itself as a stakeholder in the stability of that system, or as an insurgent?”

It was the prospect of just such an all-out assault by Iranian hackers, rather than any doubt about the attribution, that stayed the hand of the U.S., Clapper said.

“We had the Iranians cold,” he added, “The forensics were quite precise, quite good and also quite fun.”

Clapper’s remarks are a reference to the detailed profiles that U.S. agencies were able to build of the alleged attackers, many elements of which were made public when the Justice Department indicted seven of them last year. One hacker, for instance, was allegedly given credit towards his compulsory military service obligations for his work on the huge botnet that launched the assault — at that time among the largest DDoS attacks ever seen.

Clapper did not elaborate on his comments any further after his speech when approached by reporters. The Department of the Treasury declined to comment through a spokesman. Representatives of Warburg Pincus, where Geithner now works, did not respond to a request for comment.

Clapper said the incident was one of two in Obama’s tenure where the administration weighed, but ultimately decided against online retaliation. The other incident was the North Korean attack on Sony Pictures Entertainment in 2014.

“Again, we had excellent attribution with the North Koreans,” he said, adding that there was a different “complicating issue” in this case. “Was it okay to go through some other country’s infrastructure when you’re doing essentially a cyber act of war against your adversary?” he asked.

North Korea, which has very limited connectivity to the outside world, relies on China for its internet access.

When intelligence officials raised this option, Clapper said, “The lawyers went nuts, so we didn’t do anything on the cyber front. We ended up sanctioning a bunch of North Korean generals.”

Clapper added he believed that, at least in the first term of the Obama administration, officials had made the mistake of separating cyber out from other instruments of national power; both for the U.S. and its adversaries.

“In the end,” he concluded, “cyber’s a tool, not an end in and of itself… [Our adversaries] do it to achieve an outcome, not because cyber’s cool.”