Now that the Obama administration has publicly attributed the hacking of the Democratic National Committee and other political entities to “Russia’s senior-most officials,” the question remains, how will the U.S. respond to Russia’s meddling in the coming elections? After all, as James Lewis, Senior Vice President and Director of the Strategic Technologies Program at the Center for Strategic and International Studies, argues, “one essential lesson for cybersecurity is that unpunished acts are seen as a green light by an attacker.”
The Obama administration has indicated it will pursue a “proportional” response, but Russian action in the cyber sphere cannot be disconnected from the physical realm. The Cipher Brief’s Matt Olsen, former Director of the National Counterterrorism Center, suggests “the Russian interference with our election is part of the broader context of Russian actions around the world, both in cyberspace and on the ground.”
For the past few years, Russia has fanned the flames of right-wing populism in Europe as a tactic for undermining unified support for NATO—viewed as the bulwark against a resurgent Russia. The country has become internationally emboldened, as shown by their invasion of Georgia in 2008, annexation of Crimea in 2014, and the ongoing bombing campaign in Syria in defense of the Assad regime. The formal accusation of Russia by the U.S. coincides with the souring of relations between the two countries over crumbling peace negotiations in Syria.
Yet, cyber remains an integral aspect of Russia’s foreign projection of power. In 2007, Russia engaged in a series of distributed denial of service (DDoS) attacks that crippled Estonian infrastructure. It often impersonates hacktivists to conduct sabotage that facilitates its campaign of information warfare.
This is also not the first instance where the U.S. government formally attributed cyber attacks to nation-state actors. In 2014, the Department of Justice indicted five Chinese nationals on charges of economic espionage. Earlier this year, the U.S. charged seven Iranians for hacking a small dam in New York and bombarding various U.S. banking servers with artificial web traffic. In December 2014, the Obama administration rolled out a series of economic sanctions against North Korea after it wiped the servers of Sony Pictures. But what is unprecedented is that in this case, the U.S. attributed responsibility for the hacks to the highest levels of the Russian Government.
The U.S. could initiate President Obama’s 2015 Executive Order, allowing the institution of targeted sanctions against those behind cyber attacks. Ultimately, it will be important to focus efforts on the Russian government as a whole rather than merely the individuals directly involved in the breach; focusing on individuals allows governments a scapegoat and to insinuate they were operating without official approval.
To address this problem, Ethan Burger, an international lawyer specializing in cybersecurity, and Donald Jensen, a Senior Fellow at the Center for Transatlantic Relations, argue “a new international legal framework is needed,” such as the so-called “Budapest Convention,” where countries “harmonize their national legislation on cybercrime” and “increase their cooperation in the prosecution and enforcements of the relevant laws.” Burger and Jensen go on that “a state’s non-compliance with the Convention’s requirements may be regarded as a sign that it is involved in the conduct of cybercrime, or found to have provided legal sanctuary to criminals,” allowing guilt to be placed on the state itself, as opposed to individuals.
It is also important to note that hacking into the servers of foreign political parties and exfiltrating data is simply what intelligence agencies do. Former U.S. intelligence chief and Cipher Brief expert Michael Hayden has described the tactic as “honorable state espionage,” used to gather information. But, he points out, by leaking the emails to WikiLeaks in an attempt to influence the U.S. elections, Russia “weaponized” the data. This echoes information operations during the Cold War. But while these tactics are nothing new, it certainly hits closer to home, even if the U.S. itself has a long history of interfering in the elections of foreign governments.
The accusation of the Russian state—rather than Russian individuals—indicates the severity of the issue and could deter future incidents. On top of naming and shaming, signaling is an option. There have been reports of a CIA-led “cyber covert action against Russia” that could include the release of documents intended to “expose the financial dealings of Putin and his associates,” an operation which was later alluded to by Vice President Biden. But such an approach could be dangerous, as it endorses the tactic of hacking and leaking information, setting a dangerous norm.
Regardless, targeting Russian control of information is worth exploring. Burger and Jensen assert, “so long as Russia and other countries engage in or facilitate cybercrime, we could develop appropriate programs for operating open and clandestine blogs, emails (both targeted and spam), social networking tools (e.g. Facebook, Twitter, YouTube, etc.) and various websites in support of our policy goals.”
What should be avoided is any major form of retaliation targeting Russian infrastructure, as it could unpredictably risk escalation and ignores international law of proportional responses in self-defense. The U.S. and Russia put in place a direct hotline to consult each other prior to a cyber crisis for the very purpose of avoiding escalation. James Lewis suggests that while a likely response could include “interference with Russian attack servers,” it “sets a bad precedent if we create a crisis management structure and then do not use it in the first test.” Ultimately, Lewis maintains “the U.S. needs to navigate a narrow and difficult path between inaction and escalation.”
The cyber conflict between the U.S. and Russia will likely have less to do with turning off the lights and more to do with the control of information. Important considerations for any response are whether the retaliation could lead to escalation and whether it is consistent with norms the U.S. is seeking to establish surrounding the use of cyber tools.
Levi Maxey is a cyber and technology producer at The Cipher Brief.