Cybersecurity and Deterrence

Indicting Hackers Made China Behave, But Russia Will Be Harder

By Timothy Edgar
Sunday, February 18, 2018, 1:36 PM

On Friday, Special Counsel Robert Mueller released the indictment of the "Internet Research Agency LLC," also known as the Russian troll factory, and a number of other entities and individuals.  The indictment states that the Internet Research Agency and the other named defendants "knowingly and intentionally conspired with each other (and with persons known and unknown to the Grand Jury) to defraud the United States by impairing, obstructing, and defeating the lawful functions of government through fraud and deceit for the purpose of interfering with the U.S. political and electoral processes, including the presidential election of 2016."

There is already a lot of chatter about just who those "persons known and unknown to the Grand Jury" might be, and whether any of them include additional people associated with the Trump Campaign (or even Trump himself.)  We simply have no idea at this point.  As the old saying goes, those who know aren't talking, and those who are talking don't know.

Instead, I'd like to focus some attention for a moment on the international and cybersecurity implications of this indictment, rather than speculate on the domestic political implications of future charges.  The closest analogy for Mueller’s decision to charge the Russian trolls is probably the May 2014 indictment in United States v. Wang Dong, in which officers of a special unit of the Chinese People's Liberation Army were accused of hacking U.S. companies to steal intellectual property.  That indictment occurred at an awkward time for the Obama administration, in the midst of the aftermath of the Snowden revelations.

It is difficult to evaluate whether and when it is appropriate for the United States to use the tool of criminal prosecution against government officials who are engaged in malicious cyber activity in on behalf of another government. Criminal law is certainly one way of addressing cyber threats, but it may not always be the right one.  When arrests seem remote or unlikely, it makes sense to ask just what purpose is served by issuing indictments.

In the Chinese case, the U.S. government was setting forth its view of an important cyber norm: commercial espionage should not be tolerated. Governments need to protect a level playing field in commerce, the argument went, even if espionage is tacitly accepted in national security matters.  Thus, it was appropriate to for the United States to charge officers of another government with espionage even though the U.S. government engages in many aggressive operations to collect intelligence, including through hacking.

In the Russian case, the defendants are not actually government employees. But they were still acting for what appears to be a Russian government-sponsored entity carrying out Russian government policy—ordered, according a U.S. intelligence estimate published in January 2017, by President Putin himself.  As in the Chinese case, the U.S. government faces similar problems of jurisdiction and potential retaliation in the form of tit-for-tat indictments of U.S. intelligence officials. 

The Chinese ultimately decided to forgo issuing retaliatory indictments in favor of diplomacy.  No one went to jail, but the U.S. indictments worked: China and the United States eventually agreed that neither side would “conduct or knowingly support cyber-enabled theft of intellectual property.”

But there are two big differences that will make such a happy outcome much more difficult in the case of the Russian hackers.  First, the issue of interference in the U.S. presidential election of 2016 is more significant than theft of intellectual property by Chinese hackers.  Russia’s interference implicates both U.S. sovereignty and ideals that are at the core of American identity.  The fact that the Russian campaign was directed against such vital national security interests weighs in favor of a very tough response by the United States.  

Second—and more problematic, from the U.S. point of view—is that the United States is on weaker ground when it comes to international norms in this case than it was in the case of the Chinese hackers. In the latter instance, the Obama administration argued that the theft of intellectual property is distinct from the work of the NSA and other U.S. intelligence agencies.  Articulating this principle put the U.S. on a firm footing in discussions with the Chinese.  It helped that President Obama had issued Presidential Policy Directive 28 just months before the indictment of the Chinese hackers, which explicitly banned corporate espionage by the U.S. intelligence community.

The U.S. government stands on less firm ground when arguing against the Russian interference campaign.  The U.S. engages in cyber operations not only to collect intelligence information, but also to conduct covert action—defined under 50 U.S.C. § 3093(e) as an "activity or activities of the United States Government to influence political, economic, or military conditions abroad, where it is intended that the role of the United States Government will not be apparent or acknowledged publicly." The only requirement is that covert action must be authorized by the president and reported to Congress.

In other words, Russia can make the case that the activities of the Internet Research Agency are not so far from what the U.S. does itself. The U.S. might argue that there is a difference between influencing political conditions in authoritarian countries (often to support democratic elements in closed societies) and subverting the democratic process of a stable and free society—but while that is certainly true, it may not be of much use in articulating a broader principle of non-interference that would serve U.S. goals.  To begin with, there are several countries with which the United States has less-than-friendly relations that also conduct elections, such as Venezuela, Iran and even Russia. These elections are far from free and fair, but they certainly complicate the picture.

When the United States and China agreed not to steal corporate secrets, the United States wasn’t giving anything up.  When it comes to the Russians, the United States won’t get such a sweet deal.  Jack Goldsmith, for example, has proposed limiting U.S. “Internet Freedom” efforts aimed at promoting democracy in Russia in exchange for Russian noninterference in ongoing U.S. elections. This will be a harder pill to swallow, given bipartisan support for the “Internet Freedom” agenda.  A deal is not only politically infeasible, but also normatively undesirable, because it surrenders U.S. human rights leadership in cyberspace.

So the indictment of the Russian troll factory won’t put anyone in jail.  It is also unlikely to establish a cyber norm of noninterference that could be the basis for a deal between Russia and the United States. 

But the indictment does serve a useful purpose.  It sends a warning—not to Putin, but to Americans.  The U.S. government can’t control what Putin does by issuing indictments. But Americans can—and must—do a whole lot more to defend ourselves against foreign interference in our elections.  We can start by 1) encrypting our communications and data; 2) securing our election infrastructure; and 3) working with social media companies to combat “fake news” by exposing state-sponsored trolls. This threat is not going away any time soon.