Butch Cassidy graphically demonstrated that there ain’t no rules in a knife fight. Well, so far, there ain’t no rules in cyberspace or precious few at least. Establishing those rules and practices may take years, as it did for nuclear weapons or cold war spying. The U.S. response to the Russian hacking is the Obama administration’s third effort to lay down a new norm: you don’t steal information to play in the other side’s politics.
Why do you bring a gift to a dinner at a friend's house? Why do neighbors get mad when your dog does his business on their lawn? Is the guy who speeds down the empty lane beside you a jerk or a mathematician optimizing the merge function? Attitudes depend on norms of behavior. Norms come about when there is general agreement in societies, when the dominant group can assert their view or when everyone finds mutual benefit even without mutual interests. What you can and cannot do in cyberspace doesn’t meet these conditions yet. While there are many legal discussions, negotiations, and assertions, we’re really making it up as we go along. President Barack Obama has just tried to assert a new norm.
The hackers of the Democratic emails are well known. Fancy Bear and Cozy Bear go by other names and are usually classified as Advanced Persistent Threats 28 and 29. We’ve seen their penetrations over the years in Georgia, the United Kingdom, France, the U.S., including hacks on the Pentagon, U.S. companies, and academia. Indeed, in the days following the elections, their phishing attempts were actively targeting major U.S. think tanks. This time, the Administration went to some length to prove the difficult issue of attribution, releasing a technical report with signature code from the hackers. Fancy Bear comes from the G.R.U., Russia’s military intelligence service, and Cozy Bear from the FSB, the civilian intelligence agency that succeeded the cold war KGB.
First norm first: In May of 2014, the Administration tried to lay down its first cyber norm after the indictment of five Chinese military hackers for economic espionage. The five, from the infamous Chinese Army Unit 61398 near Shanghai, were accused of breaching defenses at Westinghouse, US Steel, Alcoa, the Service Workers Union, and other commercial entities in order to pass the information to Chinese companies. In September 2015, Obama negotiated with China’s President Xi Jinping; both agreed that governments won’t hack for commercial advantage. Generally, China seems to have followed this guideline, although Chinese non-governmental entities continue to exploit Internet holes for commercial advantage.
The second norm was a non-action, again with China. In June 2015, hackers believed to be Chinese entered a poorly guarded trove of personal information on 20 million U.S. government employees at the Office of Personnel Management. Admiring Chinese spycraft, our Director for National Intelligence, James Clapper, even said, “you have to salute the Chinese for what they did.” Nonetheless, we also expressed outrage, and the Chinese claim to have arrested the perpetrators. However, the bottom line U.S. response is clear: no retaliation. Norm two: spying for government purposes is fair game; woe to those without defenses.
The Russian hacking of the U.S. election continues a cold war tradition of stealing secrets on political candidates and leaking unfavorable “disinformation.” The scale and impact this time were way above any Cold War effort which, for both sides, usually focused on supporting favored candidates in third countries. Obama’s response did three things: contained the crisis in intelligence channels, gave the Russians a familiar path to limit the damage, and made a point about cybernorms.
By expelling the head of Russian military intelligence in Washington and his aides, Obama made clear he wasn’t going beyond the realm of spy-vs-spy which, from Cold War days, has unwritten rules: we act, you respond, it’s over. Putin got the message but took the high road in order to show Obama’s successor that he’s a good guy. The Obama Administration has promised other steps, quiet steps that don’t require a response, probably hacks inside the Kremlin with our fingerprints to show that we can penetrate them, too. Points made, both sides have an interest in standing down, particularly the Russians, as a new President arrives.
We’ll soon see whether this third norm of “don’t hack for political advantage” can stick. French and German elections in 2017 are prime targets for hacked disinformation. If we don’t see the bloom of Russian hacking again, perhaps Obama will have successfully laid down his third norm in cyberspace.
