Cybersecurity and Deterrence

Thoughts on White House Pledge to Respond to DNC Hack

By Jack Goldsmith
Wednesday, October 12, 2016, 8:27 AM

Yesterday Josh Earnest pledged that the United States would “will ensure that our response is proportional” to Russia’s hack of DNC emails, which the United States has concluded was “intended to interfere with the US election process.” Earnest said the President would “consider a response that is proportional." He added that "[i]t is unlikely that our response would be announced in advance," and said it was “possible that the president can choose response options that we never announce.”

Several questions and reactions:

1. What is a proportional response to Russia’s effort to interfere with the U.S. election process? That’s a tricky one.

2. I can imagine reasons for a secret proportional response. Perhaps proving attribution publicly is hard or impossible, and perhaps the United States has more options (and more flexibility) to inflict more pain on Russia in secret. As Admiral Rogers said last week in connection with the Russia DNC hack, “don't just assume that because you haven't seen anything broadly, that it doesn't mean that there isn't activity ongoing.” Fair enough. One hopes that the absence of public responses to the many very serious cyber-intrusions in recent years did not imply the absence of private responses.

But wait, what about the much-vaunted name and shame strategy? John Carlin recently defended the sanctions + indictment approach on the ground that taking responses to harmful cyberoperations “out of the intelligence channels and be[ing] public about it” is the “only way to change the behavior of the people who are launching these attacks, but also the other countries who are watching them get away with it.” I’m a skeptic that this approach will impose enough pain to have much of an impact on determined state actors who reap enormous benefits from cyber-operations. And it would be embarrassing if the U.S. government responded to electoral interference with unenforceable indictments. But I agree with two corollaries to Carlin’s point. (1) A secret response against the perpetrators of the DNC hack may hurt the perpetrators but it cannot shame them. And (2), a secret response cannot deter third parties, who can't know if the United States did in fact respond, or whether the response was in fact proportionate. (Rogers seemed to acknowledge something like these points in his interview last week.) Perhaps (as @MapleLeafLawyer suggested) Earnest was speaking loosely. Perhaps by secret he meant covert, in which case the effects might be public and attributed to the United States even if the United States maintains nominal deniability. (Cf. drone strikes.) But again, what kind of response, public or private, would be proportional?

3. Note the awesome power of the presidency implicit in Earnest’s response. It is the President of the United States alone who will determine what the proportional response to Russia is, and whether it will be secret, and what form it will take. Perhaps Obama will sanction Russia pursuant to authorities delegated to him by Congress. Would further sanctions on Russia be a proportional response to an attempt to influence a presidential election? I doubt that would suffice. But if Obama responds with cyber or kinetic force, and especially if his response is secret or covert, he will likely do little more than inform Congress, or perhaps “consult” it (or its leadership) to take its temperature. One certainly cannot imagine Obama seeking congressional authorization for what he will do. And so once again, the nation’s fate on a very high-stakes foreign policy confrontation with a nuclear power turns on the judgment and discretion of our president alone.

4 Just because the White House says it will respond to Russia does not mean that it will respond. Last summer David Sanger reported that the United States had decided that it “must retaliate against China for the theft of the personal information of more than 20 million Americans from the databases of the Office of Personnel Management.” Sanger’s story reported on Executive branch equivocations not unlike what Earnest said yesterday. The response may not “happen anytime soon — or be obvious when it does,” Sanger reported. And the White House was still debating its options, he added. In the end, as Sanger (and Nicole Perlroth) noted over the weekend, the United States decided not to sanction China for the OPM hack despite the pledge to do so, apparently as part of the agreement with China over IP theft.* In other words, the United States did not retaliate against China for the OPM hack even though a “senior administration official” told the lead national security reporter for the Times that it had decided to retaliate. Might that happen again?

* This is the first I have seen reported that the United States decided not to sanction China for the OPM hack, and also the first I have seen reported that the non-retaliation for the hack was part of the agreement with China on IP theft. If the latter is true, it puts the IP agreement in a rather different light, for it appears that the United States gave up not only planned sanctions for IP theft, but also planned sanctions for the OPM theft.