An Eye for an Eye: Deterring Russian Cyber Intrusions
The U.S. intelligence community has confirmed what many suspected for months: Agents directly affiliated with the Russian government conducted malicious cyber operations intended to influence the 2016 U.S. presidential election. Russia’s primary motive — now accepted by the Director of National Intelligence, the Central Intelligence Agency, and, most recently, the Federal Bureau of Investigation — was not simply to undermine the legitimacy of American democracy, but to actually bolster Trump’s chances of defeating Clinton. Moreover, new reports suggest that Vladimir Putin himself may have actually given the orders.
Notwithstanding the president-elect’s persistent disbelief in the intelligence community’s assessment, many in Washington are calling for action. Several days ago, a bipartisan group of senators penned a letter urging further investigation into Russian hacking. President Obama went one step further:
I think there is no doubt that when any foreign government tries to impact the integrity of our elections … we need to take action. And we will – at a time and place of our choosing. Some of it may be explicit and publicized; some of it may not be.
Our goal here is to imagine what a proportionate response in cyberspace might look like and what the United States might plausibly seek to accomplish in the process. Drawing on our ongoing research, we argue that retaliatory cyber operations against targets of value to President Putin, coupled with a willingness by the United States to claim credit for the attack, might deter future meddling by the Russian Federation.
The Appeal of Deterrence by Denial
Deterrence in cyberspace has long been viewed as challenging for a host of different reasons. Early studies tended to focus on the fact that cyber warriors often hide behind a complex veil of anonymity, making it hard for victims to accede to coercive demands. In Erik Gartzke’s words, “How does one surrender to no one in particular?” More recent concerns turn on the prospect that any counterpunch intended to serve as a deterrent would result in unwanted escalation or perhaps fail entirely, sending a far worse message than inaction: impotence.
In light of these issues, many argue that the best anyone can hope for is to deny adversaries opportunities to attack. This is known as deterrence by denial and usually takes the form of increased monitoring and defenses. In a recent op-ed in The New York Times, Mark Galeotti prescribes exactly this: “The United States and its allies should pursue a strategy of deterrence by denial. Mr. Putin shouldn’t fear retaliation for his information warfare – he should fear that he will fail.”
As offensive cyber capabilities rapidly proliferate, America and its allies would be wise to follow Galeotti’s advice and continue to invest time and energy trying to deny would-be adversaries the opportunity to do harm. But is this the best we can hope for? Is traditional deterrence, as many have concluded, either entirely implausible or simply too risky?
Not Your Grandparents’ Deterrence
The answer is not necessarily. In a previous article, we distinguish between two qualitatively different types of deception – clandestine and covert action – and explore how these distinctions help us understand how coercion can operate in cyberspace. Let’s take each in turn.
To begin, the technical demands of cyber-attacks almost always require perpetrators to act clandestinely during planning and execution. As Jon Lindsay argues, “[s]oftware vulnerabilities consist of private information that an attacker cannot reveal to make specific and thus credible threats, lest the defender close them via patching, reconfiguration, or countermeasure.” In a narrow sense, then, deterrence of the following variety — “Don’t do X or I’ll do Y” — where Y refers to an attack on a very specific target that exploits a very specific vulnerability, may not be possible in cyberspace. Of course, it may still be possible to announce the kinds of targets you plan to attack, e.g. critical infrastructure. Depending on how specific one gets, however, even this may give away too much. At the very least, precisely detailing the exact pain you intend to inflict should the target fail to comply with stated demands is much easier in conventional domains than it is in cyberspace where there is an extremely high premium on clandestinity and surprise.
But there may be a way to generate the credibility necessary for no-kidding cyber deterrence: forgo plausible deniability (read: covert action) by voluntarily claiming credit for successful attacks. Because many observers assume, sometimes implicitly, that anonymity is a built-in feature of cyberspace, the very idea of actors willingly and openly owning their handiwork may strike some as odd. As we show elsewhere, this is not as far-fetched as it seems. The recent record is littered with cases of cyber warriors of all stripes forgoing anonymity of their own volition. This is particularly true of non-state actors. Moreover, U.S. Cyber Command’s apparent interest in developing “loud” offensive cyber weapons suggests that nation-states are also thinking hard about voluntary attribution.
By willingly claiming credit for attacks, challengers can send signals about their capabilities and their willingness to use them should the target perpetrate (additional) unwanted behavior. To be sure, the intended target will still not know the exact pain they will suffer should they fail to comply with stated demands owing to the constraints detailed above. But a history of successful attacks may generate enough credibility such that the victim believes there is a reasonably good chance that non-compliance will be met with some form of punishment. Put differently, challengers simply need to warn, “Don’t do X or else,” in a way that convinces the target that the “else” is credible and would be sufficiently painful.
Deterring Future Russian Meddling
The United States may be able to deter future instances of Russian electoral interference — a worthwhile goal — by voluntarily claiming credit for cyber operations carried out against the Russian Federation. Obama’s not-so-veiled threat to Putin from a few days ago — “Our goal continues to be to send a clear message to Russia or others not to do this to us, because we can do stuff to you” — is a step in the right direction. But without actually demonstrating these capabilities by attacking Russian targets and leaving a calling card, it will be difficult for Putin to update his beliefs about the pain he might suffer should he choose to continue meddling in U.S. politics — a core requirement for deterrence to function.
Even if we accept that a voluntarily attributed cyberattack could deter Russian meddling in the future, several decisions still must be made. First, whether to claim credit publicly or privately. Public credit-claiming would offer the most bang for the buck. By openly embracing sponsorship of a cyberattack, the United States could plausibly deter actors beyond those in Russia, demonstrating that interference in American domestic politics will not be tolerated. With publicity, however, comes certain risks. Most immediately, such brazen behavior would likely not sit well with Putin and the Russian public, who may feel compelled to respond in turn.
Private credit-claiming may thus be more desirable. By communicating with the Kremlin quietly but directly or by leaving identifiable signatures in their hacking operation, American agents can signal their complicity while reducing the chances of escalation, a key concern among U.S. officials. Limiting the public’s awareness creates the space necessary for the challenger and victim to issue and accede to coercive demands, respectively, without setting off an infinite spiral of escalation. To the extent that Russia feels an interest in avoiding escalation with the United States, Putin may tacitly collude by keeping these private signals private.
Second, it is necessary to decide what or even whom to target with a cyberattack. The key goal, of course, is to target assets of value to Putin. Just as economic sanctions have been levied against members of Putin’s inner circle, so too could cyberattacks be carried out against actors with close connections to the regime. Targeting the oligarchs whose support is vital to Putin’s grip on power, for example, could provide Russia with a potent disincentive to engage in future meddling.
Alternatively, the United States might target financial institutions or other sectors of the Russian economy with the goal of turning the tide of popular opinion against the regime. Assuming that Putin wishes to avoid or otherwise limit such internal challenges, credible threats to foment further unrest might cause him to think twice before meddling in American elections.
In closing, there are three important caveats and extensions. First, there is no absolute guarantee that the strategy outlined above would necessarily work. As noted, Washington would have to successfully target assets of sufficient value to Putin and convince him that there is more to come should Moscow fail to comply. Whether trying and failing is worse than not trying at all is something administration officials should consider. In fact, they almost certainly are. When it comes to these kinds of state-on-state operations and the likely responses of an autocratic leader, we are largely in uncharted waters.
Second, to the extent a strategy of this kind is successful, it may be possible for the United States to not only deter future meddling in its own elections but also those of its allies. Germany, who has a consequential election coming up next year and is already concerned about Russian interference, would be an obvious and worthwhile test case for this kind of extended cyber deterrence.
Finally, the strategy outlined above is only one of many potential responses the United States might pursue to punish or deter Russia. There is no theoretical reason why a U.S. response must be limited to cyberspace or that a cyber operation cannot be combined with other forms of retaliation. Imposing additional economic sanctions, for example, may also be a viable option. Our aim here is simply to outline what a viable cyber response might look like.
Evan Perkoski is a Postdoctoral Research Fellow in the Sié Chéou-Kang Center for International Security and Diplomacy at the University of Denver. Starting in fall 2017, he will be an Assistant Professor of International Relations at the University of Connecticut. Perkoski holds a Ph.D. in Political Science from the University of Pennsylvania. You can follow him on Twitter: @EPerkoski
Michael Poznansky is an Assistant Professor of International Affairs and Intelligence Studies in the Graduate School of Public and International Affairs at the University of Pittsburgh. Poznansky holds a Ph.D. in Political Science from the University of Virginia. You can follow him on Twitter: @m_poznansky