Deterring Moscow’s Cyber Threat
Let’s agree on one thing, when it comes to Russia’s recent interference with the U.S. presidential election, no one yet has found a way to deter President Vladimir Putin from doing it again – here in this country or elsewhere.
At Thursday’s Senate Armed Services Committee hearing on foreign cyber threats, each intelligence community witness emphasized this extraordinary point in his own way.
Director of National Intelligence James Clapper said, “We currently cannot put a lot of stock, at least in my mind, in cyber deterrence. Unlike nuclear weapons, cyber capabilities are difficult to see and evaluate and are ephemeral. It is accordingly very hard to create the substance and psychology of deterrence, in my view.”
Clapper added, “In most cases to date, non-cyber tools have been more effective at changing our adversary's cyber behavior. When we do choose to act, we need to model the rules we want others to follow since our actions set precedents. We also need to be prepared for adversary retaliation, which may not be as surgical, either due to the adversary's skill or their inherent difficulty in calibrating effect and impact of cyber tools. That's why using cyber to counter cyber attacks risks unintended consequences.”
Admiral Michael Rogers, director of the National Security Agency, pointed out, “There's no one silver bullet” that would deter Russia or any other nation or group from using cyber and other information warfare against the U.S. “If we're looking for the perfect solution, there isn't one,” Rogers added, “This will be a variety of incremental solutions and efforts that are going to play out over time. There is no one single approach here.”
For Rogers, as for the others, the question was, “How do we convince nations and other actors out there that there's a price to pay for this behavior?”
Defense Undersecretary for Intelligence Marcel Lettre placed it in bureaucratic terms saying, “We need to continue to develop and refine our national cyber policy framework, which includes the evolution of all dimensions of our deterrence posture, the ability to deny the adversary its objectives, to impose costs and to ensure we have a resilient infrastructure to execute a multi-domain mission.”
Armed Services Chairman Sen. John McCain (R-AZ) put the situation in plain English, “Unless we demonstrate that the cost of attacking the United States outweighs the perceived benefits, these cyber attacks will only grow…be it by cyber, or other means.”
Then McCain asked the right questions: “What is our theory of cyber deterrence, and what is our strategy to implement it? Is our government organized appropriately to handle this threat? Or are we so stove piped that we cannot deal with it effectively? Who is accountable for this problem? And do they have sufficient authorities to deliver results? Are we in the Congress, just as stove piped on cyber as the executive branch, such that our oversight actually reinforces problems rather than helping to resolve them?”
Clapper used the Chinese 2015 hacking of the database of the Office of Personnel Management (OPM) that exposed the records of more than 22 million current and former federal employees to illustrate two examples of responses. The OPM breach took place at the same time there was concern about Chinese hacking of private companies, with it being unclear what role the Beijing government was playing in either.
Some U.S. officials saw cyber espionage by the Chinese Ministry of State Security in the OPM operation, while others saw private hackers involved in both.
In private negotiations that preceded the September 2015 Washington summit between President Barack Obama and Chinese President Xi Jinping, the U.S. apparently made threats of economic sanctions against Chinese companies as a response to the hacking. At the summit, Xi pledged that China would not conduct economic espionage in cyberspace. Shortly thereafter, the Chinese disclosed that a group of Chinese hackers had been arrested, although it remains unclear for what activities.
At last week’s hearing, Clapper said, “The intelligence community and security experts…have observed some reduction in cyber activity from China against U.S. companies since the bilateral September 2015 commitment to refrain from espionage for commercial gain.” In short, diplomatic negotiations did some good.
But Clapper also made clear he believed the OPM attack itself was the Chinese government doing cyber espionage, which they continue to do. And for Clapper, when it comes to using cyber for espionage, “you know, people that live in glass houses shouldn't throw publicly too many rocks…and, you know, we and other nations conduct similar acts of espionage. So if we're going to punish each other for acts of espionage, that's a – that's a different policy issue.”
In short, American intelligence agencies have active cyber espionage programs underway and they are not going to be halted or traded away to get others to halt any types of cyber attacks against the U.S.
But Clapper said the Russian effort to influence the election went beyond “passive [espionage collection and…was much more activist.” He pointed out that “in addition to stealing information from the Democratic National Committee and the Clinton campaign and cherry-picking what information it leaked to the media, the Russian government also created and spread fake news and conspiracies across the vast social media.”
What’s more, Clapper added, “These and other cyber tools remain highly active and engaged in misinforming our political dialog, even today.”
Rogers took the latter statement a step further, saying, “What concerns me beyond all that is, what happens if we start to move in an environment in which, not only is information being… weaponized, what happens when we see people suddenly manipulating our network, so we can't believe that data that we're looking at. That would be a real fundamental game changer to me and to me it's only a question of the when, not if this is going to happen.”
So, what’s to be done to deter all this from happening?
President-elect Donald Trump is obviously concerned that whatever is publicly disclosed by a Russian hacking inquiry could impact the legitimacy of his election victory. He has said he wants to “move on” to other matters and perhaps halt, or at least keep behind closed doors, any congressional investigation into the Russian election activities.
After his intelligence briefing on the matter Friday, Trump put out a statement saying he plans to “appoint a team to give me a plan within 90 days of taking office” that will “aggressively combat and stop cyber attacks.”
It’s a Washington fact that creating a new group to study a problem is a way of putting off dealing with that problem.
McCain and Sen. Lindsey Graham (R-SC), who has been announced as chairman of an Armed Services subcommittee that will investigate the Russian cyber activity, have a more active agenda.
On Sunday’s Meet the Press, Graham said, “We’re going to introduce [economic] sanctions that are bipartisan, that go beyond the sanctions we have today against Russia, that will hit them in the financial sector and the energy sector where they’re the weakest. And we’re going to give President Trump an opportunity to make Russia pay a price for interfering in our election so it will deter others in the future. I hope he will take advantage of it.”
There is no doubt Democrats will join in as will some Republicans. That will set up a legislative showdown with the Trump White House if the president-elect does not change course after taking office.
Even Defense Secretary Ash Carter believes that the Obama administration’s steps taken so far against the Russians “probably represent a beginning and not the end” of what should be done. On that same Meet the Press on Sunday, Carter said, “I believe there will be more [steps taken], there probably should be more.”
As I've written before, this year is going to be a test as to whether Congress will or will not play its Constitutional role as an equal branch of the U.S. government.