The government's attitude toward attribution moved closer to Alperovitch's in September 2015, in the run-up to a state visit by Chinese president Xi Jinping. A year earlier, five members of the Chinese People's Liberation Army had been indicted by a grand jury in Pennsylvania for stealing economic secrets from the computers of U. S. firms in the nuclear, solar, and metals industries. Carlin told me that the indictments were meant as "a giant No Trespass sign: Get off our lawn." But the indictment didn't stop the hackers. Alperovitch went on television to call for a stronger response. In April 2015, after President Obama signed an executive order threatening sanctions against the Chinese, Alperovitch received a call from the White House. "You should be happy," he was told. "You're the one who's been pushing for this."
Six months later, just before the state visit, The Washington Post reported that the U. S. was considering making good on the executive order. A senior State Department official told me that Xi did not want to be embarrassed by an awkward visit. The Chinese sent over a negotiating team, and diplomats from both countries stayed up all night working out an agreement. During the state visit, Obama and Xi announced that "neither country's government will conduct or knowingly support cyber-enabled theft of intellectual property" for the purpose of economic espionage. Since then, the Chinese burglaries have slowed dramatically.
This past March, Alperovitch hosted a cyber war game at the Moscone Center in San Francisco. Four teams of ten people—representing the government, the private sector, European and Australian allies, and the hackers—met for two hours to play the game. Shawn Henry; John Carlin; Chris Painter, coordinator for cyber issues at the State Department; and Chris Inglis, the former deputy director of the NSA, were all part of the government team. Executives from JPMorgan Chase and Microsoft represented the private sector. A former member of GCHQ, the British intelligence organization, was on the international team. Frank Cilluffo played a hacker. Ash Carter, the defense secretary, arrived halfway through and asked to play, but the game was already under way, so he was politely turned down.
The game's premise was that ISIS had hacked the databases of several state DMVs and their European counterparts. After a twenty-minute brainstorm, the government team said it was organizing a crisis-response group, speaking to the private sector, and sharing information with the Department of Homeland Security and the FBI. The private team said it was trying to get information from the government. The international team, meanwhile, complained that no one had briefed it—a mistake, Alperovitch said.
The adversary team then stood up and announced, "While the government team is deliberating and talking to the private sector, we're going to kill some people." It was a chilling moment that had real-life echoes for many people in the room. In June 2015, a Kosovar named Ardit Ferizi hacked an online retailer and passed the personal details of more than a thousand U. S. government and military officials to a member of ISIS, who in turn posted them on Twitter. (The ISIS member was later killed by a U. S. drone strike in Syria, and the Kosovar hacker was sentenced to twenty-five years in prison.)
The government's reluctance to name the Russians as the authors of the DNC and DCCC hacks made Alperovitch feel that the lessons of the war game—call out your enemy and respond swiftly—had been wasted. He continued to be told by his friends in government that it was politically impossible for the United States to issue an official response to Russia. Some, especially in the State Department, argued that the United States needed Russia's help in Syria and could not afford to ratchet up hostilities. Others said an attribution without a concrete response would be meaningless. Still others insisted that classified security concerns demanded consideration.
Alperovitch was deeply frustrated: He thought the government should tell the world what it knew. There is, of course, an element of the personal in his battle cry. "A lot of people who are born here don't appreciate the freedoms we have, the opportunities we have, because they've never had it any other way," he told me. "I have."
"A lot of people who are born here don't appreciate the freedoms we have."
The government's hesitation was soon overtaken by events. During the first week of October, while Alperovitch was on a rare vacation, in Italy, Russia pulled out of an arms-reduction pact after being accused by the U. S. of bombing indiscriminately in Syria. The same day, the U. S. halted talks with Russia about a Syrian ceasefire. On October 7, two days before the second presidential debate, Alperovitch got a phone call from a senior government official alerting him that a statement identifying Russia as the sponsor of the DNC attack would soon be released. (The statement, from the office of the director of national intelligence and the Department of Homeland Security, appeared later that day.) Once again, Alperovitch was thanked for pushing the government along.
He got the news just after leaving the Sistine Chapel. "It kind of put things in perspective," he told me. Though pleased, he wished the statement had warned that more leaks were likely. "It's nice that you have the DHS and DNI jointly putting the statement out on a Friday night, but the president coming out and saying, 'Mr. Putin, we know you're doing this, we find it unacceptable, and you have to stop' would be beneficial."
Less than a week later, after WikiLeaks released another cache of hacked emails—this time from John Podesta, Hillary Clinton's campaign chair—the White House announced that the president was considering a "proportional" response against Russia. Administration officials asked Alperovitch to attend a meeting to consider what to do. He was the only native Russian in the room. "You have to let them save face," he told the group. "Escalation will not end well."