As Thomas Rid explains in this terrific piece in Esquire, the Russian government has developed a remarkable capacity for blending the fruits of espionage with information operations designed to manipulate public opinion abroad. It has deployed this capacity in the past in various contexts without generating much discussion in U.S. circles, but recent activities apparently designed to impact the U.S. presidential election (in favor of Donald Trump) have sparked a sudden surge of attention. Many are asking what the U.S. government should do in response to this particular provocation. Unfortunately, the resulting discussions all too often seem to get bogged down in ambiguous talk of “cyber war” and the like.
I certainly do not claim to know precisely what response would be best. Ultimately, only U.S. government officials with access to all the relevant intelligence—not to mention an understanding of the full suite of issues in the many-faceted U.S.-Russia relationship—are in a position to make that decision. But I do have a view on how to think through the question in a careful way, in hopes of spurring a more-focused public discussion.
1. Distinguish Espionage from Information Operations, and Be Precise About Our Concerns
While much of the public discussion has treated the Russian intervention as a single activity, I think it is more useful to divide it into its component parts: espionage, and information operations.
The Russian program in the first instance involves espionage (i.e., using the resources of the state to acquire protected information via theft, fraud, inducement, or other means) targeting both Democrats and Republicans. As NBC’s Josh Meyer put the point here, the Russians appear to have invested a great deal of effort into hacking a wide array of key political figures “whose work is considered strategically important to the Putin regime”. To be sure, we can and should be doing everything reasonably possible to defeat such efforts. But it would make no sense to describe the existence of this sort of intelligence collection (again, just talking about collection at this stage, not what came next) as somehow beyond the pale, for we surely do much the same thing ourselves in many contexts; access to the private communications of significant political figures who are either in power or may come to power can have significant intelligence value, of course, including by providing insight into real intentions and motivations. That said, it does not follow that we must meet espionage solely with passive defense. Where espionage rises to this level of significance, we should do our best to impose serious costs on the responsible government regardless of the fact that it was within the rules of the game for them to make the attempt. This is a point that Stewart Baker, among others, has made in relation to the OPM hack; imposition of real costs, from this perspective, is an important aspect of defense, quite apart from whether a norm was violated. We should aggressively deter significant espionage simply because it is harmful to us, regardless of whether it is wrongful in some vague sense.
All that said, the story of Russian hacking would not be in the headlines if the Russians were using the fruits exclusively for analytic purposes (and to develop approaches to prospective assets). It might seem like a minor variant of the OPM hack, in fact. But of course the Russians are not just using the fruits of their hacking for analytic purposes. As the Rid story so well explains, they are using it as grist for the mill of a remarkable information operation—i.e., an effort to influence public opinion through the carefully-crafted dissemination of information (both genuine information, and information falsified for effect).
At a high level of generality, this too is familiar territory. This is a species of covert action, and there is little doubt that we have on occasion engaged in covert actions intended to influence foreign elections via information operations. In the current case, however, the Russian operation feels different in that (i) it involves hacking and doxing (thus touching on a host of issues generally associated with public anxieties about cybersecurity, including oft-repeated fears that we do not have clear rules or sufficient capacities in that area) and (ii) it targets not some third country’s political process, but our own (thus violating a holdover Cold War norm (or at least something the public perceives to be a norm) in which America and Russia would not do to one another some things that both might due to the other’s allies and proxies).
Again, it should go without saying that we can and should do all we reasonably can to defeat such information operations. And again, the significance of this particular operation is such that we should be aggressively imposing costs on the Russians quite apart from whether any red line has been violated. But it is still interesting to ask: has a red line been violated here, and if so precisely what is that line?
On one hand, I doubt the U.S. government could or should attempt to show that hacking-and-doxing, standing alone, contravenes some norm we would be willing to accept with respect to covert action. On the other hand, it is of course very tempting to say that a red line was crossed here because the doxing is an attempt to manipulate our election. Indeed, that point seems rather obvious, but for the qualification that we have at times employed arguably similar interventions in the past and might have occasion to do so again in the future. Hypocritical or not, however, this to me is the primary cause for the intense concern that the Russian intervention has generated, and our response should be crafted with that in mind.
2. Distinguish Among the Relevant Audiences for Our Response
There are many relevant audiences to bear in mind as we develop our response to the Russian intervention.
Most obviously, there is the Putin regime. Here I want to emphasize two points. First, our response must include elements that are reliably-visible to the Russian leadership if we intend for them to perceive that their cost-benefit calculus was mistaken. Second, notwithstanding the emphasis in the media on the possibility that our response will take place in cyberspace, we have other options and might be wise to focus on them instead. The United States and Russia interface in many, many contexts—military activities in Syria and the ongoing tug-of-war over sanctions are just the tip of the iceberg—and just about any of them could be the venue for a meaningful response. The academic way to put the point is that we do not have to confine our response to the same domain as the provocation, but can instead cross domains. And we should do so if some other domain or combination of domains offers us better leverage over the Russians in terms of our relative capacities and vulnerabilities. From this perspective, it is very tempting to conclude that an expansion of economic sanctions might be an especially attractive response or component of a broader panoply of responses.
Next, consider the perspective of other potentially-hostile states that might have the capacity to engage in electronic espionage or information operations of a comparable significance (i.e., China, Iran, and perhaps North Korea). They are observing what the Russians have done, and they are observing as best they can how we may be responding. This matters because there may be some responses that are effective in terms of imposing costs on the Russians in a manner that they will understand are related to this issue, yet are either not at all visible to these third parties or at least will not be so clearly understood by the third parties to be tied directly to the Russian interference in our election. The point being: some attention needs to be paid to ensuring that the response is seen by others to be quite costly.
Last, consider the perspective of the United States itself. There are at least two distinct interests that need to be addressed under this heading. First, it is important to counteract any impression that the U.S. government is not (or, worse, cannot) minding the store sufficiently in terms of defending not just our networks but the electoral process itself. This is another reason why the U.S. response ought to include high-visibility elements where the tie to the provocation can readily be seen. Second, it is important, too, that the U.S. government take steps to counteract the actual impact of the Russian information operation. This is a delicate affair, given that the manipulation (in contrast to the first-stage espionage) takes the form of a partisan intervention. The U.S. government obviously cannot and should not attempt to counteract the manipulation in any manner that could fairly be construed as trying to rebalance the partisan playing field. Instead, the government on this point should focus simply on loud exposure of the Russian role as such, while otherwise leaving the consequences of the Russian activities to play out as they will in the political marketplace.