WASHINGTON (AP) – All fingers are pointing to Russia as the source of the worst hacking of US government agencies. But President Donald Trump, long reluctant to blame Moscow for the cyberattacks, has so far remained silent.

The absence of any statement to hold Russia accountable casts doubt on the likelihood of a swift response and suggests that any retaliation – whether through sanctions, criminal accusations, or cyber actions – will be left in the hands of the new administration of President-elect Joe Biden.

“I imagine the incoming administration wants a menu of options and is then going to choose,” said Sarah Mendelson, professor of public policy at Carnegie Mellon University and former U.S. ambassador to the Economic and Social Council of UN. “Is there a graduated assault? Is there a total assault? What do you want to do outside the gate? “

To be sure, it’s not uncommon for administrations to refrain from laying public accusations of blame for hacks until they have accumulated enough evidence. Here, U.S. officials say they only recently learned of devastating breaches at several government agencies in which foreign intelligence agents went undetected for nine months. But Trump’s response, or lack thereof, is being closely watched due to his concern over an unsuccessful effort to overturn last month’s election results and his refusal to publicly acknowledge that Russian hackers intervened. in the 2016 presidential election in his favor.

It’s unclear exactly what action Biden might take, or how his response might be shaped by criticism that the Obama administration did not act aggressively enough to thwart the interference in 2016. He offered clues in a statement Thursday, saying his administration would be proactive in preventing cyber attacks and imposing costs on any adversary behind them.

The US government statements so far have not mentioned Russia. Asked Monday about Russia’s involvement in a radio interview, Secretary of State Mike Pompeo admitted that Russia is constantly trying to break into US servers, but quickly turned to threats from China and Korea. North.

Democratic Senators Dick Durbin and Richard Blumenthal, who were briefed on the hacking campaign in a classified session of the Armed Services Committee on Tuesday, were unequivocal in blaming Russia.

There are other signs within the administration of a lucid recognition of the severity of the attack, which came after elite cyber spies injected malicious code into the software of a company that provides network services. The civilian cybersecurity agency warned in a notice Thursday that the hack posed a “serious risk” to the government and private networks.

A response could begin with a public statement that Russia is held responsible, an assessment already widely shared within the US government and the cybersecurity community. Such statements are often not immediate. It took weeks after the incidents became public for the Obama administration to denounce North Korea in the Sony Pictures Entertainment hack in 2014 and for then-director of national intelligence James Clapper to confirm that China is the “prime suspect” of the Bureau of Personnel Management hacks.

Public naming and shame are still part of the playbook. Former Trump homeland security adviser Thomas Bossert wrote this week in a New York Times opinion piece that “the United States, and ideally their allies, must publicly and formally assign responsibility for these hacks ”. Republican Senator Mitt Romney said in an interview with SiriusXM radio that it was “extraordinary” that the White House did not speak out.

Another possibility is a federal indictment, assuming investigators can accumulate enough evidence to implicate individual hackers. Such cases are labor intensive and often take years, and although they carry a low chance of prosecution, the Department of Justice considers them to have strong deterrent effects.

Sanctions, an age-old punishment, can take even more bite and will almost certainly be weighed down by Biden. President Barack Obama expelled Russian diplomats following election meddling in 2016, and the Trump administration and its Western allies have taken similar action against Moscow for its alleged poisoning of a former intelligence officer in Britain.

Exposing the Kremlin’s corruption, including the way Russian President Vladimir Putin accumulates and hides his wealth, can constitute even more formidable retaliation.

“This is not just a tit-for-tat or a hack into their systems,” said Mendelson, the former ambassador. “We’re going to go with what you really care about, and what you really care about, are the funds that are hidden, and reveal the larger network and how it is connected to the Kremlin.” “

The United States can also strike back in cyberspace, a route facilitated by a clearance from the Trump administration that has already resulted in some operations.

Former national security adviser John Bolton told reporters in a 2018 briefing that offensive cyber operations against foreign rivals will now be part of the US arsenal and that the US response will no longer be primarily defensive.

“We can totally melt down their home networks,” said Jason Healey, cyberconflict researcher at Columbia University. “And every time we see their operators appear, they know we’re going to go after them, wherever they are.”

The US Cyber ​​Command has also taken more proactive steps, engaging in what officials describe as “forward hunting” operations that allow them to detect cyber threats in other countries before they can. do not hit their target. Military cyber fighters, for example, partnered with Estonia in the weeks leading up to the US presidential election in a joint operation to identify and defend against threats from Russia.

While the United States is also prolific in its offensive collection of cyber intelligence – exploiting the phones of allied foreign leaders and inserting spyware into commercial routers, for example – these efforts are measured against the infection of 18,000 government organizations. and private in SolarWinds hacking, Healey says.

The best answer – since espionage itself is not a crime – is to triple defensive cybersecurity, Healey said.

David Simon, cybersecurity expert and former Defense Ministry special advocate, said there must be consequences for those responsible for attacks – and the Trump administration “failed to hold the Kremlin accountable “.

“Until it is clear that the United States will impose significant costs on adversaries,” he said in an email, “a significant change in the behavior of the Kremlin is unlikely to be observed.”