Can the United States Deter Election Meddling?
Americans still have a year before they head to the polls, but law enforcement officials are already sounding the alarm about foreign interference in the coming election. In 2016, Russia used a combination of espionage, leaks, and propaganda in an attempt to undermine Hillary Clinton’s campaign and sow doubt among American voters about the integrity of their institutions. To many observers, Moscow is preparing to launch a similar effort next year. “The Russians are coming,” warns the USA Today editorial board. “Again.”
The unique characteristics of cyberspace exacerbate these fears. Foreign efforts to meddle in elections are hardly new, but cyberspace makes them more likely to succeed. The barriers to entry are low for those who seek to flood the zone with noise, spreading misinformation and messages designed to exploit existing social divisions. Social media platforms encourage political tribalism, as partisans gravitate to mutually reinforcing ideological communities. Key figures are vulnerable to having their emails stolen and leaked in ways that are potentially embarrassing, whether or not they are newsworthy. And voting technologies are potentially open to manipulation. Cyberspace is an avenue for foreign influence in campaign debates and foreign interference on election day.
Bitter memories of 2016 have inspired a burst of proposals for safeguarding 2020. These include stronger efforts to deter election meddling. Critics of the Obama administration blamed it for making weak threats before the last election. Perhaps this time a stronger deterrent signal will cause Russian leaders to think twice. A Stanford University study called for “timely, tailored, consistent and credible costs on Russia for aggression that both adequately penalize past conduct and serve as a deterrent for future interference.” Writing in The Atlantic, Thomas Wright called on leading Democratic candidates to warn Russia about what it can expect from a Democratic administration if it has interfered in the elections. According to Wright, this might include “releasing information the United States possesses about the corruption of autocratic elites, for example, or having the United States intervene in the adversary’s elections or internal politics, through factual information campaigns or equivalent measures.” In the meantime, the Senate Intelligence Committee recommended that the White House “develop a deterrence framework to inform U.S. Government responses to foreign influence efforts using social media.”
Unfortunately, these efforts will probably fail. Two roadblocks stand in the way of cyberspace deterrence. One is the nature of the domain, and the other is the balance of Russian interests.
A Skeptics’ Guide to Deterrence in Cyberspace
The United States has recently become outspoken about using cyberspace operations to impose costs on its adversaries. U.S. Cyber Command argues that persistent engagement can have a cumulative effect on great power rivals, which up to now have been able to operate freely without many consequences. More assertive efforts may disabuse adversaries of the notion that they can act with impunity. A forward defense may raise the long-term cost of cyberspace operations against the United States, reducing adversaries’ belief that they can erode U.S. power by working through the digital domain. Stability may emerge over time as rival powers settle on tacit norms about what kinds of cyberspace operations are tolerable.
None of this is relevant for stopping Russian mischief in the next election, however. The goal is not long-term stability, but immediate deterrence. The United States is facing a specific threat with a clear deadline. If U.S. officials are right that Russia is ramping up its effort in advance of the election, then they will likely conclude that economic sanctions and military posturing are not enough. Observers may turn to more aggressive cyberspace operations in the hopes that reciprocal attacks on Russian networks may force it to reconsider its approach. Imagine a barrage of debilitating cyber operations, employing sophisticated tools to inject friction into Russian government agencies. Imagine Russian officials worrying about the kind of ransomware attacks that hit Baltimore and Atlanta. Now imagine U.S. officials making specific warnings along these lines. Would they work?
Probably not. For a host of reasons, such threats are unlikely to deter Moscow. Economic threats and military posturing have had little effect so far, and the addition of cyberspace operations to the mix adds little in terms of coercive leverage. While there has been enduring interest in the notion of cyber deterrence, a growing body of research finds that the concept has limited value. It may be possible to deter particularly destructive attacks requiring extensive organizational resources – think here of something like an attack designed to cripple a civilian power grid. And recent work on cross-domain deterrence explores the possibility of using non-cyber tools to inspire caution among states considering offensive cyberspace operations. But in most other cases, deterrence is dubious. This is especially true when the actions we seek to deter are not destructive.
The basic problem is that cyberspace is a lousy domain for coercion. Individuals, firms, and states are relatively tolerant of cyber operations, and willing to engage online even in the wake of high-profile cybersecurity breakdowns. Retaliatory threats lack teeth because key actors in cyberspace are not remarkably fearful or vengeful. Experimental studies find that the public is also cautious about escalation in the wake of hypothetical cyberattacks. This tendency not only creates an escalation firebreak but also undermines the credibility of deterrent signals, which require a willingness to accept risk.
Other domestic factors work against deterrence. Sending clear signals in cyberspace is tricky, for example, because states do not control the infrastructure of the domain. Public-private coordination is necessary both to make threats and execute them, but such coordination is difficult and sometimes contentious.
International and technological factors also make deterrence difficult. As Erik Gartzke and Jon Lindsay point out, coercion in cyberspace is difficult because the domain is built on voluntary connections. This reduces the credibility of threats to conduct truly damaging attacks, because such threats give the target a reason to disconnect. Other research has reinforced the conclusion that cyberspace operations have limited coercive value, both in peacetime and war. The theoretical requirements of effective coercion do not map easily onto cyber operations, and empirical studies suggest that they are only useful when they support other policy instruments.
All this suggests that cyberspace coercion is difficult even against vulnerable states that are particularly sensitive to foreign pressure. Putin’s Russia is not one of those states. It has been willing to absorb substantial costs rather than back down from its strategic choices, however dubious. And the cost-benefit equation continues to favor Russian activism: the ability to affect the United States through election meddling is probably irresistible for a country that faces overwhelming military, economic, and diplomatic disadvantages. Meddling is cheap. As Sen. Mark Warner puts it, “if you add up all Russia spent in the Brexit vote, the French presidential elections, and the 2016 American elections, it’s less than the cost of one new F-35 airplane.”
Russia has also taken steps to insulate itself from offensive cyberspace operations. It recently unveiled a new “sovereign internet” law that would, in theory, allow it to organize a tightly controlled national intranet even if disconnected from cyberspace beyond its own borders. Such a move may have more to do with domestic surveillance than protection against foreign attacks, but the result is the same. Investments in a more segregated network indicated that Russia is willing to go to great lengths to shield itself from foreign intrusion – even if it proves to be strategically counterproductive.
Recognition of these problems may encourage the United States to consider stronger signals. If Russia hasn’t been moved by low-level threats, perhaps more ominous threats will suffice. Reports of more aggressive intrusions into Russia’s electrical grid, for instance, convey a willingness to escalate in response to serious cyberspace operations. As then-National Security Advisor John Bolton said in June, more expansive U.S. actions “say to Russia, or anybody else that’s engaged in cyberoperations against us, ‘You will pay a price.’” Bolton’s statement may not represent broader U.S. policy views, however, given his unceremonious exit from the White House. And if the Trump administration made good on such threats, it would torpedo U.S. efforts to establish international norms against infrastructure attacks. A longshot effort to ward off election mischief could lead to lasting harm.
If Not Deterrence, What?
Recognizing the limits of cyberspace deterrence does not mean the United States should remain passive in the face of cyberspace meddling. On the contrary, there are important steps it can take to protect democratic institutions from foreign manipulation while restoring public faith in the integrity of the vote.
U.S. officials can start by distinguishing influence from interference when they speak about foreign activities. Influence campaigns include propaganda and misinformation designed to erode support for specific candidates or depress voter turnout. This is inherently difficult to stop, given that freely available information is a core democratic value. Nor is it the case that the government should play an active role in policing the media to guard against disinformation, even if doing so is tempting. Americans might reject the notion that they need protection from foreign memes.
Interference describes outside efforts to affect the electoral process itself: espionage against political candidates, corruption of voter rolls, attacks on voting machines, and so on. Protecting against such attacks is clearly in the government’s purview, given that states are responsible for ensuring the integrity of elections. The problem is also more tractable. Engineers can fix or replace vulnerable equipment, and policy specialists can reform and monitor voting procedures. Ongoing projects include research into more reliable voting machines, and better training for candidates and campaign staff. Efforts to defend against interference – as opposed to influence – are less controversial and more manageable.
The United States can also maneuver in cyberspace to improve the quality of intelligence and provide early warning of possible attacks on election systems. A forward intelligence posture may also reveal granular details of adversaries’ tools and techniques. The goal of an active presence is not shaping foreign adversaries’ behavior but discovering their capabilities and intentions. Much of what occurs in cyberspace is an intelligence contest, and competing hard gives the United States the opportunity to learn what it needs to do to shore up the electoral process.
Finally, U.S. leaders should not exaggerate the threat. Doing so inadvertently undermines public trust in government, which was in decline long before the 2016 election. Fretting about foreign mischief is self-defeating if the goal is restoring public confidence in the strength and durability of one’s own institutions. This is similar to the danger of overreacting to terrorism. If the purpose of violence is to create fear, then the targets should not terrorize themselves by inflating the threat. Foreign states have a long history of trying to interfere in American democracy, but they don’t have a lot to show for their efforts. Cyberspace creates new opportunities for meddling, to be sure, but defenders have responded with vigor, and there is little indication that critical election systems have been compromised. The 2020 campaign season promises to be a raucous affair. A dose of calm would help.
Joshua Rovner is an associate professor in the School of International Service at American University. He served as scholar-in-residence at the National Security Agency and U.S. Cyber Command in 2018 and 2019. The views here are his alone.