How to Really Punish Russia for Hacking
We must respond to Russia’s hacking—but any response risks escalation.
After much hand-wringing, the Obama administration admitted that the Russian government interfered with the presidential election. (It was not a 400-pound hacker, unless that hacker lives in Moscow.) It’s true that people often question attribution, but the critics were wrong on Sony and they are wrong now. It was the Russians.
What the U.S. worries about when it comes to responding to cyberattacks, once attribution has been determined, is the risk of escalating conflict or damaging other important equities.
One reason for Obama’s delay in addressing the hacking was a desire not to appear to be interfering in the election—which seemed like a safe calculation back when the White House thought Clinton was certain to win. There was also the pious hope—don’t laugh—for a peace deal with Moscow on Syria.
The Obama administration’s response options were ready in August. So why only act now? The most likely reason is domestic politics (and maybe a final realization of the futility of negotiating over Syria). The goal is to hem in the new administration on Russia. If President Obama imposes sanctions, President Trump will have to take action to lift them, complicating his relations with the Hill and the nominating process. This muddles what should be a straightforward story, since one essential lesson for cybersecurity is that unpunished acts are seen as a green light by an attacker.
The Russians calculated that they could manipulate the U.S. without punishment. So far, they have been right. They have succeeded beyond their greatest hopes. There is no reason for them to stop of their own accord and the likelihood of further Russian action is high if the U.S. does not take action in response.
The administration is considering an “all tools of government” approach. The agencies involved are CIA, NSA, Cyber Command, Treasury, and the Department of Justice. The most likely public action will be to use the cybersecurity sanctions announced in April 2015, accompanied by some kind of covert response involving either interference with Russian attack servers or, perhaps, leaks of documents detailing Russian corruption.
Any response raises important issues. First, the U.S. and Russia agreed several years ago to create a hotline for cybercrises and to consult before acting. Russian sources imply the U.S. has used neither. Any call would be pro-forma, as the Russians will deny everything, but it sets a bad precedent if we create a crisis management structure and then do not use it in the first test.
Second, the U.S. has struggled for a decade with how to respond to cyberattacks. If an attack produces an effect equivalent to a kinetic weapon, destroying physical infrastructure or harming American citizens, the nature of the response is clear. But when the attacks do not involve force (or its cyberequivalent) as is the case with espionage or the kind of information warfare the Russians are using now, how to respond is unclear.
There are several reasons for this. In discussing how to respond to Russia, people ask when we will unleash Cyber Command without noting that using Cyber Command for offensive action would likely be disproportional and counterproductive. We are not going to go to war with Russia over their blatant intrusions. The Russians know this and it gives them a kind of freedom. The only thing that has changed is that now, the Russians will want to avoid damaging their relationship with the incoming administration. That gives Obama room to be a little more aggressive, if he wants.
Third, international law and the Laws of Armed Conflict, which the U.S. tries to follow, define when force can be used in self-defense and require that it be proportional to the attack. International law and state practice do not define espionage, crime, or disinformation as actions that justify the use of force in response.
For example, some years ago a U.S. general threated that a cyberattack might provoke a cruise missile in response. This threat had no effect because it was not believable. A cruise missile is not proportional to most cyberattacks. Sending a cruise missile in response to a cyberattack risks the opponent sending a missile back. The threat was aimed at China, which ignored it and kept on spying. Faced with widespread PLA hacking, it took the U.S. a decade to define a realistic and proportional response, settling on indictment and the threat of sanctions.
Finally, the U.S. is constrained by its Constitution. The Russians clearly committed a crime when they stole private emails, and we may not like WikiLeaks publishing those emails, but the publication raises difficult First Amendment issues about freedom of speech and the right to publish, rights that protect WikiLeaks as well as The New York Times. The Russians know this complicates our decision-making and take advantage of it.
One question about a response to Russian hacking is how we will control the risk of escalation without being ineffective. Unplugging a few servers will not end Russian action, but unplugging many servers may lead to broader conflict. When facing an opponent who is nimbler in decision-making, less bound by law, and more willing to take risks, the chance of escalation is greater.
So retaliation probably means a lawful response not involving force and that does not unduly risk escalating the conflict. This response cannot be that old favorite of amateur cyberstrategists, name-and-shame. Vladimir Putin cannot be shamed. He believes his actions are justified against an aggressive U.S. that is implacably hostile to Russia. While some kind of counterattack by Cyber Command is tempting, any retaliation must have political effect, and in Russia, that means going after relationships and money.
It is important to lay down a marker with the Russians. They have gone too far and need to be checked. The U.S. needs to navigate a narrow and difficult path between inaction and escalation. We can start by recognizing that this is cyberconflict, not the kind of cyberconflict we planned for—no cyber Pearl Harbor or cyber 9/11—but a conflict nonetheless. Anything we do should reinforce (or at least not undercut) the long-term goal to create a framework of agreements for stability in cyberspace. The U.S. needs a new strategy for dealing with Russia and its new style of conflict that uses hybrid warfare, including a mix of cyberaction, threats, disinformation, and corruption. It is too late for this administration to define that new Russia strategy, but it can lay the groundwork for it with the actions it takes now. This sounds like a long list of requirements, but none of these are impossible or preclude action.