with Tonya Riley


The United States has historically been wary of punching back in cyberspace, fearing that a digital conflict could rapidly escalate to rockets and bombs. But those concerns may be overblown.

A pair of recent studies has found it's extremely rare for nations to ratchet up a cyber conflict, let alone escalate it to a conventional military exchange, and that the U.S. public may put extra pressure on leaders not to let a cyber conflict get out of hand.

“The emerging consensus among researchers is that cyberattacks aren’t unusually escalatory. If anything, the opposite is true,” writes Jacquelyn Schneider, a researcher at Stanford University's Hoover Institution, who was a co-author on one of the studies and detailed both of them in a Post analysis. The other study came from the libertarian-leaning Cato Institute.

The findings could be a boon for the Trump administration, which has announced a muscular new hacking back strategy in an effort to cow digital adversaries, such as Russia and China. That has included digital strikes against Russia to prevent election interference and against an Iranian computer system used to plan attacks on oil tankers. The administration is reportedly considering another round of digital retaliation to punish Iran for a drone strike against Saudi oil facilities.

That’s a major shift from the Obama administration, which preferred responding to adversary cyberattacks with just sanctions, indictments and other tools that didn’t risk sparking a tit-for-tat digital conflict.

But there’s also some bad news for the Trump team: The Cato study didn’t find much evidence that hacking back does anything to make adversaries stop hacking you in the first place, which could undermine the administration's main goal for the program. 

“Attacks do not beget attacks, nor do they deter them,” the authors Brandon Valeriano and Benjamin Jensen wrote.

Schneider and her co-author, Cornell University professor Sarah Kreps, are more bullish on the Trump strategy — provided it’s focused on disabling adversaries’ infrastructure to prevent future attacks rather than scaring the adversary into not hacking us at all.

The Russia strike, for example, successfully disabled a notorious Russian troll farm, the Internet Research Agency,on Election Day 2018, but there’s no evidence it has dissuaded Moscow from launching cyberattacks since then.

They warn the public wouldn’t support a long and damaging cyberwar, though, often out of fears the United States, which is far more dependent on the Internet than its adversaries, would suffer more during a drawn-out conflict.

In many cases, the approximately 1,000 people they surveyed were unwilling to endorse digital retaliation even against a cyberattack that caused as much damage as a conventional attack, such as an airstrike.

“Deterrence hinges on public resolve for overwhelming uses of force and a willingness to escalate, which appears lacking in the cyber domain,” they write.

The Cybersecurity 202 will publish Oct. 3, 8, 9 and 10 while Congress in recess. We will return to our normal schedule Oct. 14.


PINGED: The Trump White House last year upgraded cybersecurity protections for a highly classified computer system, partly to protect against leaking transcripts of controversial phone calls between the president and foreign leaders, Politico’s Daniel Lippman and Natasha Bertrand report.

The upgrade has allowed officials to more closely monitor who accessed the transcripts now at the center of a whistleblower complaint that’s led to an impeachment investigation by House Democrats. At least one call transcript with the president of Ukraine seems to show Trump urging foreign leaders to help his 2020 electoral prospects.

“Prior to the upgrade, officials could see only who had uploaded or downloaded material to the system but usually not who accessed which documents,” Daniel and Natasha reported.

Former White House officials have said it was highly unusual for the president’s call transcripts to be stored in the code-word system in the first place and suggested the system was being misused to protect the president from embarrassment rather than safeguarding national security.

PATCHED: The FBI is investigating an attempted hack of a mobile app used by some West Virginia voters during the 2018 midterms, Kevin Collier at CNN reports. There is no evidence that hackers gained access to election systems or compromised results through the app, which was used by West Virginia voters in the military and those registered to vote overseas. But the ongoing investigation could increase scrutiny of mobile voting apps in 2020.

"No votes were changed and the integrity of the elections in West Virginia was absolutely secure. Our security systems worked completely as designed," West Virginia's top election official Mac Warner said in a statement.

Warner has previously defended the state's use of mobile voting against election security critics who say Internet-connected mobile phones are far more easily hacked than voting machines. 

The attempt was reported to authorities when employees at the app company, Voatz, noticed unusual activity. 

"Somebody downloaded, registered and then tried to tamper with it, do something. We caught unauthorized activity, and they immediately got stopped," Voatz co-founder and CEO Nimit Sawhney told Kevin. Sawhney dismissed the possibility that any nation-state-backed hackers were involved.

Federal authorities have not determined who is behind the attack or if any laws were broken. It's unclear if any other states intend to use the app for the 2020 elections.

PWNED: The Department of Homeland Security and the Food and Drug Administration are urging medical device manufacturers to take extra precautions against newly discovered digital vulnerabilities in millions of medical devices including an infusion pump and an anesthesia machine. The bugs could allow hackers to force the devices to stop working, steal their data, or change how they operate in certain cases.

The warnings follow a revelation by a cybersecurity researcher that a piece of decades-old software code containing the vulnerabilities is present “in far more platforms than originally believed,” Lily Hay Newman at Wired reports. DHS first warned about the initial set of vulnerabilities in July.

Both the FDA and DHS are urging device makers to fix the vulnerabilities as quickly as possible and to keep the devices offline until they’re fixed. It could take months or years for the bug to be completely fixed, though, because it's exceptionally widespread and some manufacturers may not even know they're vulnerable to it. 


A recent seven-month assault on Southeast Asian governments by Chinese hackers should have U.S. officials bracing for a similar attack, researchers at cybersecurity firm Check Point say. 

Researchers are calling the campaign the most “persistent attack on a government” to date and say that adapting to target the U.S. government would be easy. “The Chinese hackers wouldn't need to change much, except making their lure documents all in English, and includ[ing] themes that would trigger the interest of the victim,” the researchers note.

Over the seven-month campaign, hackers changed their tactics as often as eight times to avoid detection. Hackers posed as government employees and sent realistic-looking documents to gain the target's trust. After the targeted employee opened an email file, however, a malware would give hackers access to the computer and any government secrets on it.

— More cybersecurity news from the public sector:


A former Yahoo software engineer pleaded guilty to hacking into the accounts of about 6,000 users while searching for sexual photos and videos. Reyes Daniel Ruiz victimized women, including his co-workers and friends, by using software he had access to at work to hack their accounts, according to court records.

Ruiz destroyed the data shortly after Yahoo caught on to his behavior. Reyes also compromised his victims' iCloud, Facebook, Gmail, Dropbox and other accounts, according to court documents.

Ruiz, who faces up to five years in prison and up to $250,000 in fines, will be sentenced next year.

— More cybersecurity news from the private sector:


— Cybersecurity news from abroad:


— Today:

  • The Washington Post Live will host a Cybersecurity Summit featuring. The event starts at 9 a.m. You can watch here.
  • The Aspen Institute Cyber Summit will take place in New York City tomorrow.

— Coming Up:

  • The Department of Justice will host a Lawful Access Summit on warrant-proof encryption and its impact on child exploitation cases on Friday.