Cybersecurity and Deterrence
Contrarian Thoughts on Russia and the Presidential Election
“We assess Moscow will apply lessons learned from its campaign aimed at the U.S. presidential election to future influence efforts in the United States,” says the U.S. intelligence community in the most important sentence in its dismayingly evidence-free report on Russian activities in the presidential election. But how is the United States going to check these future influence efforts?
Simplifying a great deal, when a nation is vulnerable to a foreign threat it has three courses of action to improve its situation: (1) It can raise its defenses; (2) it can credibly threaten greater consequences for the attacker, thereby deterring the attacker from action; or (3) it can cut a deal in which it pledges to forego certain actions in exchange for relief from the threat by the adversary. I think the U.S. government focuses too much on (1) and (2) and not enough on (3).
The United States is not close to raising its defenses adequately and likely will not in the foreseeable future. Offense has too great an advantage over defense. We have too many soft targets and are constantly surprised when new ones are attacked or exploited. (The government was stupefied by the OPM hack, and the Sony hack, and the DNC hack, among many others.) And we lack the consensus needed to take the controversial steps that would truly raise our cyber defenses.
As is evident in the Obama administration’s failure to respond to earlier Russian penetration of networks in the White House, Pentagon, and State Department, and in its relatively tepid response to the highly destabilizing DNC hack, deterrence is simply not going to work in this context. The United States has the most powerful military in the world, including the greatest capacities in offensive cyber. But it cannot use these tools to credibly commit to retaliate powerfully against harmful cyber operations, especially ones that fall below the “use of force” or “armed attack” thresholds. Attribution, especially credible attribution in public, is a very large challenge. And the United States’ significant digital dependencies mean that it loses in escalation in cyber because, as President Obama explained, “our economy is more digitalized and it is more vulnerable, partly because we are a wealthier nation and we are more wired than some of these other countries and we have a more opened society and we are engaged in less control or censorships of over what happens on the internet.” It’s also clear that the vaunted “name and shame” strategy simply doesn’t work in high-stakes contexts. “The idea that somehow public shaming is going to be effective, I think doesn’t read the thought process in Russia very well,” Obama noted. You don’t have to take my word that deterrence isn’t going to get the job done; as DNI James Clapper said last week: “We currently cannot put a lot of stock, at least in my mind, in cyber deterrence. … It is … very hard to create the substance and psychology of deterrence, in my view.”
That leaves (3), cutting a deal. I’m not talking about squishy cyber “norms.” There is a lot of happy talk about cyber norms, but this talk is almost always about how the United States can force adversaries to agree to the rules of the road that it likes best. I am talking about an agreement of mutual restraint: the United States agrees to restrain itself in its activities in foreign networks in exchange for restraint from our adversaries in our networks. As I wrote six years ago:
U.S. cybersecurity policymakers are in the habit of thinking too much about those who attack us and too little about our attacks on others. Creating norms to curb cyberattacks is difficult enough because the attackers’ identities are hard to ascertain. But another large hurdle is the federal government's refusal to acknowledge more fully its many offensive cyber activities, or to propose which such activities it might clamp down on in exchange for reciprocal concessions by our adversaries.
I have expressed skepticism about treaties as a solution to disorder in the cyber realm, and some of the basis for that skepticism, including attribution difficulties, applies to any form of agreement in this context. But I am increasingly of the view that the only way that the United States can get relief from damaging foreign cyberoperations is to significantly restrain its own cyberactivities abroad.
The first step to understanding here, I think, is to try to put oneself in the skin of the adversary, to understand how it sees the world and why it acts the way it does. The United States is angry because of the consequential Russian intervention in the election. But it is important to understand that the United States is widely perceived by Russia to intervene in Russian domestic affairs in ways that are just as offensive and threatening, at least to the leadership in Russia, and just as violative of Russian sovereignty.
For example: Putin attributes the embarrassing and destabilizing protests that began in Russia after the December 2011 legislative election to Secretary of State Hillary Clinton’s charges of voter fraud in the election and the “signal” her State Department sent to opposition leaders in Russia. He also claimed that the United States was responsible for the Panama Papers, which he described as an “attempt to destabilize the internal situation” in Russia. NATO’s enlargement to many former Soviet states, especially to the Baltic States in 2004, when Putin was President of Russia, was not an intervention in Russia’s domestic affairs per se, but it was an embarrassing and threatening intrusion into Russia’s sphere of influence. So too was the extension of missile defense systems to eastern Europe.
But perhaps nothing is as threatening as the pledges and activities associated with the U.S. “Internet Freedom” initiative, which (among other things) involves funding and technical support to empower citizens in authoritarian states to circumvent censorship and promote speech there. Russia views this initiative as “a U.S. strategy to intervene in [its] domestic politics through cyber means,” as David Fidler notes. To get a sense of the extent to which the Russian (and Chinese) governments are threatened by the core elements of the U.S. Internet Freedom initiative, and (relatedly) of the social media and related tools of the U.S. internet technology industries, consider four of the six “main threats in the field of international information security” listed in the 2015 Russia-PRC Cyber pact (a poor translation, but the gist comes through):
The Parties believe that the main threats to international information security are the use of information and communication technologies:
1) to carry out acts of aggression aimed at the violation of the sovereignty, security, territorial integrity of States and a threat to international peace, security and strategic stability;
2) for the application of economic and other damage, including through the provision of a destructive impact on the objects of the information infrastructure; …
5) to interfere in the internal affairs of States, violations of public order, incitement of ethnic, racial and religious hatred, propaganda of racist and xenophobic ideas and theories that give rise to hatred and discrimination, incitement to violence and instability, as well as to destabilize the internal political and socio-economic situation, violation of government;
6) for the dissemination of information harmful to the socio-political and socioeconomic systems, spiritual, moral and cultural environment of other States.
In short, China and Russia, among our most potent adversaries, see efforts to weaken their control over their networks as a direct threat to their core sovereign interests. They view it in the same way that we view the intervention in our election.
This latter point is surprising to many. A casual consumer of the news in the United States would think that the United States is the main victim in the confrontations going on in the cyber realm. It is indeed a victim. But the United States is also widely perceived around the world as the greatest threat in the cyber realm. It has, as President Obama bragged last Fall, greater offensive cyber capabilities than any other nation. And it is perceived abroad to use these capacities aggressively. Stuxnet, now widely attributed to the United States, is one example. The Snowden revelations were an even bigger deal. They provided clear, extensive, concrete evidence about the numerous impressive (and, to many, shocking) ways that the United States penetrates and collects information in foreign networks. And of course the United States isn’t taking all of the information stolen from foreign networks and putting it in a box. It uses the fruits of its espionage and theft to bolster every element of its foreign and defense policy, and its national and economic security.
It’s also worth noting, in this context, the many episodes in which the United States has intervened in foreign elections. I summarized some of the evidence in posts last summer. A study by Dov Levin found that during the Cold War, the United States intervened to influence foreign elections over twice as often (69% to 31%) as the Soviet Union. In many of these cases the United States “weaponized information” to sway the election. U.S. electoral intervention continued after the Cold War. A prominent example is its support of the populist Boris Yeltsin in the 1996 Russian presidential election. “[W]e’ve got to go all the way in helping in every other respect” besides a nominating speech, Bill Clinton told Russia advisor Strobe Talbott, who further explained in his memoir that Clinton visited Moscow in April 1996 “for no other purpose than to give Yeltsin a pre-election boost.” The Clinton administration gave Yeltsin other forms of political support, and ensured that the IMF gave Russia a $10 billion loan in what the New York Times described as a “major election-year boost for” Yeltsin. Other post-Cold War examples include the U.S. financing of “Syrian political opposition groups and related projects, including a satellite TV channel that beams anti-government programming into the country” (another example of “weaponizing information”); similar activities in the 2000 Yugoslav election, which Levin concludes was “decisive” in defeating Milosevic; and (according to David Ignatius) the aborted U.S. covert action in the Fall of 2004 to influence elections in Iraq.
In response to this history, I hear many people say some version of: “But the United States has never doxed another country covertly in the middle of a democratic election.” We don’t actually know that, but we do know this: The United States has covertly stolen information from foreign political parties, it has weaponized information, and it has influenced foreign elections. Perhaps the United States has not done these three things together, at least on the scale of the Russia operation. But the precise contours of U.S. action abroad do not define lawful or appropriate behavior, such that our adversaries feel compelled to do to us only what we do to them. The main point is that the United States is widely seen to engage in activities in other countries, including Russia, that are analogous to the DNC hack and that are viewed to threaten core sovereign interests abroad.
I should be clear, in a probably futile effort to deflect charges of Russophilia (or worse), that I am not making a normative judgment here. Obviously there are huge differences in substance between (i) intervening in a foreign nation to disrupt democratic processes and (ii) intervening in a foreign nation to promote democracy and free speech. My normative preferences, for what they are worth, are for the United States to exploit its offensive advantages in cyber to collect whatever information serves our national interests, to use this information in ways that serve our interests, and to promote those interests further by spreading the U.S. conception of freedom of speech and thought to other nations.
The question is whether these are realistic goals. I think they are not, given the clear costs that the United States is suffering and will continue to suffer in the cyber realm. I don’t think the United States can continue unabated with all of its aggressive cyber actions abroad—intelligence collection, cyber attacks, information operations, and especially operations that undermine control abroad—if it wants relief from the cyber operations that are proving to be so damaging to U.S. society. Rather, I think the only hope it has to gain relief from these devastating cyber actions—or, at a minimum, a hope worth exploring—is to give our adversaries relief from our cyber actions that they perceive to be devastating. I am not talking about a treaty. But I am talking about an explicit understanding with major cyber adversaries, akin to understandings about the rules of espionage during the Cold War, that the United States will not engage in certain specific disruptive actions in exchange for desirable restraint by adversaries in U.S. networks.
Cooperation in the cyber realm will not be easy, even on a bilateral basis. There are many hurdles, some of which I outline here in the context of treaties. Attribution will always be a problem. It might not be possible to agree on the precise elements of mutual restraint. And it is possible that a spiraling tit for tat is the only compelling logic here, and that the United States will lose overall due to its digital vulnerabilities. I don’t minimize the hurdles. I only want to suggest that the option of mutual restraint should be explored.
I don’t think that U.S. intelligence collection capabilities per se are at stake. What our authoritarian adversaries really care about—where they are vulnerable in ways analogous to U.S. vulnerabilities in the recent election—are U.S. efforts to use its cyber and related capabilities in ways that are deemed disruptive to their domestic orders, i.e. the very thing the United States is up in arms about now. The most plausible item the United States could offer up in exchange for reciprocal restraint would be the U.S. Internet freedom initiative writ large, including efforts by the United States and U.S. firms to promote certain forms of speech abroad, and to enable circumvention of foreign tools of digital control. It would be a huge cost to the United States to tamp down on those activities, which have been central to its foreign policy during the last two administrations, and which in some ways define traditional U.S. foreign policy. But the costs on the other side are very high as well, and the possibility of some forms of mutual restraint should at least be explored in a serious way.
One response to this argument that I hear in conversation is some version of: “The United States should be able to have its cake and eat it too.” On this view, the United States is the strongest nation in the world militarily and economically, and should not have to give up any of its cyber and related capabilities in exchange for relief from adversary cyber and related actions. We have to get tougher, act more aggressively, and the like. I am surprised by this reaction because in other contexts—most notably, nuclear weapons—the United States perceived a clear advantage from giving up offensive capabilities in exchange for the threat reduction of reciprocal concessions. But in any event, the “tough guy” line of thinking is belied by events of the last five years or so, which have made clear that problems of attribution, escalation, and digital vulnerability mean that no matter how powerful we are at the moment, we cannot in fact have our cake and eat it too in this context.
There are other hurdles to examining what the United States might give up in exchange for relief from the most damaging adversary cyberoperations. Congress and most of the press and the American people are focused primarily on the wounds the United States has suffered and what it should do offensively in response. Our soon-to-be new President possibly benefited from the Russian intervention and in any event appears to have no interest in examining its causes or effects. Worries about the new president and his commitments, and the politics that surround those worries, are further serious hurdles.
And yet I very much hope that the congressional or Executive branch or independent body that studies this problem will try to look deeply in the mirror to see how the United States’ own actions abroad have invited and perpetuate the pain we suffered in this election, and will at least consider how we might possibly adjust our foreign policy, in the ways outlined above, in order to get relief from the very serious threat the nation faces.