Most political leaders understand that governments that fail to respond to public provocations by foreign states do so at their own risk. In recent years, the U.S. and some of its allies (such as Australia, Estonia, Germany, Lithuania, and the U.K.) have been subjected to repeated, sophisticated, and costly cyber-attacks, emanating from Russia, China, Iran, and North Korea. These waves of attacks have become the “new normal.”
It is difficult, if not impossible, to determine reliably the lines separating the actions of a state, its proxies, organized criminal groups, and its business sector. Cyber-attackers can, to some degree, engage in aggressive cyber-behavior while remaining anonymous. For example, Russian President Vladimir Putin and his coterie may engage multiple intermediaries so that the numerous degrees of separation between the Kremlin and the direct attackers cannot be traced.
Earlier this month, the Obama Administration announced that it was confident that the Russian government directed the recent theft of emails from the Democratic National Committee, which were later published on anti-secrecy website WikiLeaks.
President Barack Obama is now considering a range of retaliatory diplomatic, informational, military, and economic options. The White House has indicated that the U.S. response would be proportional and may not be announced publicly. Unfortunately, the U.S. Government will not always be able to attribute particular cyber-attacks to specific states or criminal groups.
This problem of attribution allows states to act through proxies so that they can have ‘plausible’ deniability and thus avoid significant retaliation. A further complicating factor is that covert actions and intelligence do not qualify as the “unlawful” use of force under international law. Furthermore, limited “counterattacks” against Russia’s cyber-forces would neither reduce the threat of its further offensive operations against the U.S., nor is likely to have a deterrent effect.
Massive cyber-retaliation could lead to further escalation, including even the use of nuclear weapons and thus represents an unjustifiable risk. This situation seemingly encourages aggressors, especially those who are not overly concerned about domestic and international political opinion or the cost in human life of thermonuclear war.
The existence of cyber conflict short of war has not nullified the Cold War’s doctrine of Mutually Assured Destruction. MAD was the basis for genuine nuclear deterrence, since the horrific alternative was well-understood to be unacceptable in both the Kremlin and the White House. Had either superpower been tempted to unleash a nuclear strike on the other, there could be no doubt as to the identity of the aggressor.
By design, both countries nuclear weapons command and control systems have centralized launch authority in the hands of their political leadership. In contrast, offensive cyber-capabilities are highly diffuse. Today, cyber-attacks can be undertaken by rogue “individuals” working within a state structure, or even by third-parties who are not subordinate in any respect to governmental authority.
Those states responsible for a nuclear attack would be held “accountable,” since it is inconceivable that one state could detonate nuclear weapons on an adversary’s territory without being detected. Each sides’ confidence in its ability to determine who attacked them represented MAD’s informational foundation. The equivalent is not the case in the cyber sphere. Cyber-attacks can be unleashed from anywhere, including from within one’s own borders.
International law does not explicitly authorize the use of force against states that permit their territory to be used against other states. This norm does not seem appropriate given the characteristics of cyber-aggression and crime. A new international legal framework is needed where states are required to endeavor to prevent cyber-attacks from emanating against other states from within their borders, and cooperate fully with others states or international organizations in the investigation and prosecution of transnational financial crimes having a nexus to their territory or their nationals.
During the Cold War, MAD’s existence did not eliminate all forms of competition between the two superpowers. Rather, they adopted both formal and informal rules of conduct concerning the forms that such activity took, and the location in which it occurred. Russia, along with China, purports to have an interest in the adoption of certain constraints on offensive cyber activities. In fact, at the United Nations, they have even proposed having a voluntary, cyber “Code of Conduct.”
The U.S. and its principal allies are parties to the Council of Europe’s Convention against Cybercrime (the Budapest Convention). The Convention requires its signatories to harmonize their national legislation on cybercrime, more vigorously investigate alleged cybercrimes, and increase their cooperation in the prosecution and enforcement of the relevant laws. The U.S. should encourage Russia, China, and Iran to adhere to the Convention or face carefully-designed retaliatory measures if they do not.
A state’s non-compliance with the Convention’s requirements may be regarded as a sign that it is involved in the conduct of cybercrime or found to have provided legal sanctuary to criminals. In either case, they could be subjected to new economic sanctions and other measures. That is, the U.S. should offer foreign states and their leaders a mechanism under which they could exonerate themselves formally of wrongdoing, or accept the situation where their non-cooperation would be deemed evidence that they were accessories after the fact for transnational cybercrimes. Of course, there would be the risk of retaliation, but the most probable form is unlikely to vary significantly from the attacks already occurring.
It is improbable that Russia will acknowledge that it provides sanctuary to certain criminals, or that it is using them as proxies to conduct cyber operations, and will therefore not be eager to help foreign law enforcement authorities combat transnational crime. If this is the case, the Kremlin cannot rightfully expect or complain when other states act in a similar fashion. During the Cold War, the U.S. and its allies used international broadcasting in an effort to undermine hostile regimes by seeking to influence elite public opinion in the Soviet Union and other countries. This approach should be pursued again with a contemporary twist.
So long as Russia and other countries engage in or facilitate cybercrime, we could develop appropriate programs for operating open and clandestine blogs, emails (both targeted and spam), social networking tools (Facebook, Twitter, YouTube), and various websites in support of our policy goals. The U.S. might even take a chapter from Russia’s playbook by crowdsourcing Americans to release an unprecedented volley of targeted emails to Russia’s governmental and “private sector” decision-makers.
These emails would need to be in sufficient volume to ensure their recipients spend a significant amount of time sorting through their inbox; their “payload” could contain information on their officials’ financial crimes and corruption. If done properly, these messages should be able to penetrate in sufficient number these regimes’ information and communications filters and jeopardize their efforts to monopolize information available to the people living within their borders.
Under the best of circumstances, the result of this scenario might make Russia more sensitive to being a good global cyber citizen.