Cybersecurity and Deterrence

The DNC Hack and (the Lack of) Deterrence

By Jack Goldsmith
Sunday, October 9, 2016, 6:27 PM

What Options Does the U.S. Have After Accusing Russia of Hacks?, asks the headline in the NYT story yesterday by David Sanger and Nicole Perlroth. To ask this question is to reveal once again the ineffective or non-existent U.S. cyber-deterrence policy. Stories about Russian cyber-operations to disrupt the U.S. election have been published for months, and the government was surely aware of the operations much earlier. And yet one day after the government formally attributes the DNC hack to Russia, the Sanger/Perlroth story makes it seem that the USG hasn’t figured out how to respond.

We have seen a similar pattern of dithering before. For years the United States wrung its hands in the face of billions of dollars of China’s theft of U.S. intellectual property until the finally settling on a name-and-shame strategy combined with threatened economic sanctions. The USG also dithered in response to the Sony hack. And it dawdled in the face of the OPM hack and ultimately did nothing, unless you include DNI Clapper announcing that he “kind of salutes” China for its actions. And now there appears to be uncertainty about how the USG should respond to a cyber information operation directed at U.S. elections.

Such a pattern of vacillation in response to very damaging cyber-operations will not deter our adversaries; it will embolden them. It will especially embolden them since the responses the USG finally settles on are much less than proportionate to the damage caused.

Some U.S. officials have touted the success of the “shame + threatened sanctions” tactics against China. It remains unclear how much IP theft from China has dropped off, especially since the loophole-ridden cyber agreement bars China only from “knowingly support[ing] cyber-enabled theft of intellectual property” with the “intent of providing competitive advantages,” and thus allows IP theft that the Chinese government does not know about or support or does not intend to help its firms (even if it has that effect). But even if the” shame + threatened sanctions” strategy did get China to slow its IP theft, what lessons did the episode teach U.S. adversaries? The lesson they learned is not, as NSD John Carlin has said, that there is an intimidating “new ‘sheriff’ patrolling … cyberspace.” The lesson learned, I submit, is that a nation can do a great deal of damage to the United States via cyber for many years in the face of U.S. complaints and threats, and in the end will suffer at most an unenforceable indictment and threatened sanctions that Michael Morell correctly describes in the NYT as “a slap on the wrist.” The indictments and threatened sanctions were a slap on the wrist because the pain they caused China was a tiny fraction of the pain China caused U.S. firms and the U.S. economy from its gargantuan intellectual property theft over many years.

One hopes that the USG is doing much more in secret to deter our cyber-adversaries, though one doubts it based on news reports about internal uncertainty and disarray in responding to each new offensive cyber-operation. As far as the public record shows, the USG deterrence strategy appears to be: dithering followed by, at worst, a wrist slap. Is it any wonder that Russia—which is increasingly antagonistic to the United States around the globe, and reeling under U.S. sanctions—is emboldened to harm the United States via cyber? And will the hesitant response to the DNC hack do anything other than further embolden Russia and other adversaries? “No,” and “no,” I believe.

The Sanger and Perlroth piece reviews the unattractive options the United States has to respond to the DNC hack. The name and shame strategy has no chance of working with the Russians, and would be a laughable and self-defeating response to election-related intrusions. Something more aggressive—like a cyber or kinetic attack of some sort against Russia—runs the risk of serious escalation, including serious escalation by the Russians to further interfere in the U.S. election. Morell proposes instead “deep sanctions on the entire Russian economy” and an “aggressive Voice of America program in Russian to tell the Russian people that Putin is only interested in his own aggrandizement.” Can the United States coordinate effective deeper sanctions against Russia? Would the VOA strategy change the minds of the Russian people? I think these responses would not work in the first instance. But the important point is that the USG must, and does, think about the Russian response to any of these tactics. And if (as seems likely) Russia is willing to raise the stakes in cyber in response, the U.S. probably has much more to lose than win by ratcheting things up. And so the USG responds with uncertainty and weakness, thereby emboldening adversaries in a cycle that has been repeating itself, to our detriment, for years.

The tepid U.S. response to cyber intrusions may be surprising to some, since the USG possesses the greatest offensive cyber capabilities on the planet, which it often deploys for cyber-exploitation and cyber-attacks and, one can guess, for information operations of various kinds. Here we come to the crux of the matter. For two basic reasons, the USG is not willing to use these tools, or its redoubtable kinetic tools, to redress fully the very serious cyber-operations by adversaries inside U.S. networks. First, our adversaries have a wide array of sophisticated digital weapons that they are willing and able to use to harm or exploit porous and poorly defended U.S. networks. And second, the United States is by far more dependent on digital networks and the digital economy than any other nation in the world, and thus has the most to lose from any escalation related to cyber. As Sanger and Perlroth put these points: “Well-armed cyberpowers face few limits to their ability to escalate attacks. And it is unclear how the United States can establish what the generals call ‘escalation dominance’ — the assurance that America can ultimately control how a conflict ends.”

China IP theft, the Sony hack, the OPM hack, and now the DNC hack are but the beginning. Without robust defenses or effective deterrence, the United States can expect many more, and more harmful, cyber intrusions by adversaries who are asymmetrically empowered by the rise of digital networks. There is no end to the ways that they might spy in, steal from, or disrupt U.S. networks, public and private. That sounds bad, buts the implications are worse. Asymmetric offensive cyber operations by our adversaries can be an effective response to every element of U.S. foreign and military power. For all we know the Russian DNC hack is a response to sanctions for Ukraine and an attempt to win leverage in Syria. Imagine the United States wanted to do more—via sanctions, or through military operations, or in cyber—to slow Russian operations in Eastern Europe or Syria. The Russians could easily respond via cyber, where it appears to have an asymmetrical advantage. Indeed, the relatively tepid USG response to Russian aggression in Eastern Europe and Syria may be a result of USG worries about the implications of the DNC hack. In other words, the Russians may already be using cyber to deter the United States from seemingly unrelated foreign policy actions it might otherwise take. One gets very scared as one starts to think through such possibilities. It may be that the United States’ digital prowess is its Achilles heel.