After much hand-wringing, the U.S. publicly admitted that the Russian government is interfering with the Presidential election. This was an open secret for weeks, but pious hopes for the bilateral relationship postponed any confirmation.
The Russians calculate that they can manipulate the U.S. and take advantage of its spectacularly messy election. So far, they have been right. They have succeeded beyond their greatest hopes. There is no reason for them to stop on their own accord, and the likelihood of further Russian action before election day is high if the U.S. does not take action in response. One essential lesson for cybersecurity is that unpunished acts are seen as a green light by an attacker.
The administration has decided to take action and is considering an “all tools of government” approach. The agencies involved are CIA, NSA, Cyber Command, Treasury, and the Justice Department. The most likely public action will be to use the cybersecurity sanctions announced in April 2015, accompanied perhaps by some kind of covert response, involving either interference with Russian attack servers or perhaps leaks of documents detailing Russian corruption.
Any response raises important issues. First, the U.S. and Russia agreed several years ago to create a hotline for cyber crises and to consult before acting. Russian sources imply the U.S. has used neither. Any call would be pro-forma, as the Russians will deny everything, but it sets a bad precedent if we create a crisis management structure and then do not use it in the first test.
Second, the U.S. has struggled for a decade with how to respond to cyberattacks. If an attack produces an effect equivalent to a kinetic weapon, destroying physical infrastructure or harming American citizens, the nature of the response is clear. But when the attacks do not involve force (or its cyber equivalent), as is the case with espionage or the kind of information warfare the Russians are using now, how to respond is unclear.
There are several reasons for this. First, the U.S. preference is for some kind of military action. In discussing how to respond to Russia, many point to Cyber Command’s capabilities for offensive action, without noting that using cyber command for offensive action would likely be disproportional and counterproductive. We are not going to go to war with Russia over their blatant intrusions. The Russians know this, and it gives them a kind of freedom.
Second, international law and the Laws of Armed Conflict, which the U.S. tries to follow, define when force can be used in self-defense and require that it be proportional to the attack. International law and State practice do not define espionage, crime, or disinformation as actions that justify the use of force in response.
For example, some years ago, a U.S. general threatened that a cyber attack might provoke a cruise missile in response. This threat had no effect because it was not believable. A cruise missile is not proportional to most cyber attacks. Sending a cruise missile in response to a cyber attack risks the opponent sending another missile. The opponent (in this case, China,) dismissed the threat. Faced with widespread PLA hacking, it took the U.S. a decade to define a realistic and proportional response, settling on indictment and the threat of sanctions.
Finally, the U.S. is constrained by its Constitution. The Russians clearly committed a crime when they stole private emails, and we may not like WikiLeaks publishing emails, but the publication raises difficult First Amendment issues. The Russians know this complicates our decision-making and take advantage of it.
One question American policymakers will ask about a response to Russian hacking is how we will control the risk of escalation without being ineffective. Unplugging a few servers will not end Russian action, but unplugging many servers may lead to broader conflict. When facing an opponent who is nimbler in decision-making, less bound by law, and more willing to take risks, the chance of escalation is greater.
So proportional means a lawful response not involving force that does not unduly risk escalating the conflict. This response cannot involve military force, which is not justified by international law. Nor can it be that old favorite of amateur cyber strategists, name-and-shame. Russian President Vladimir Putin cannot be shamed. He believes his actions are justified against an aggressive U.S. that is implacably hostile to Russia.
It is important to lay down a marker with the Russians. They have gone too far and need to be checked. The U.S. needs to navigate a narrow and difficult path between inaction and escalation. We can start by recognizing that this is cyber conflict, not the kind of cyber conflict we planned for but a conflict nonetheless. Anything we do should reinforce (or at least not undercut) the long-term goal to create a framework of agreements for stability in cyberspace. The U.S. also needs a larger strategy for dealing with Russia and its new style of conflict that uses hybrid warfare against some opponents and a mix of cyber actions, disinformation, and corruption against others. It is too late for this Administration to define that strategy, but it can lay the groundwork for it with the actions it takes now. This sounds like a long list of requirements that require a complex response, but none of these are impossible or preclude action.