How to Deter Russian Cyber Attacks

July 12, 2017 | Topic: Security | Blog Brand: The Buzz | Tags: Russia, Putin, Trump, Cyber, 2016 Election

If war is politics by other means, as Clausewitz famously characterized it, deterrence can be thought of as political persuasion by other means.

Washington’s political class may not agree on much these days, but nearly everyone agrees that Russia should be punished for meddling in the US presidential election. The only question is how severe that punishment should be.  Many worry that if the consequences are too lenient, Moscow will interfere in future elections, perhaps on an even grander scale than in 2016. As a result, a consensus appears to be forming around some combination of clear warnings, strengthened sanctions, and retaliatory cyber operations all meant to demonstrate that Russia will pay a severe price for interference in US politics, thus deterring future meddling.

One element of this package, a new and toughened sanctions regime, was passed in the Senate in June 2017 by a vote of 98-2 and includes an automatic renewal provision absent specific Congressional action to lift sanctions.  The Washington Post reported that the second element, retaliatory cyber operations, was authorized by the Obama administration before it left office and requires no further action by the Trump White House for the bureaucracy to act.  Former Assistant Attorney General for National Security John Carlin advanced a novel suggestion for the warning element in a recent article in Atlantic Monthly, calling for creation of a “dead-hand switch” that would automatically trigger retaliation if the Intelligence Community determines a country has interfered in our elections.

Such steps have undeniable cathartic appeal, and they would certainly enable both the White House and Congress to show they have done something significant in response to what the Washington Post has dubbed “the crime of the century.”  But what makes sense politically does not always produce effective policy.  Deterring cyberattacks by Russia -- and by others -- is a vital U.S. interest, but unless we think carefully about how we do it, we could end up incentivizing the very behaviors we hope to discourage. The U.S. has a long history of success in nuclear deterrence, rooted in a robust literature on deterrence theory. Adapting the principles that proved so effective in dealing with the Soviet nuclear threat is our best formula for deterring Russian cyberattacks today.

Principle One:  Examine Their Motives

If war is politics by other means, as Clausewitz famously characterized it, deterrence can be thought of as political persuasion by other means. The objective is to convince an adversary that his desired goal would be too difficult or costly to achieve. Doing this necessarily requires an accurate assessment of what the adversary hopes to accomplish, how important those objectives are to him, and what outcomes he fears. Misperceptions of his hopes and fears can lead to underestimations of how much pain he is willing to endure in pursuit of his goals or failure to anticipate his countermoves.

When it comes to evaluating Russia’s hopes and fears as they relate to cyber operations, it is tempting but misleading to reason from effect to cause, survey the societal divisions in the United States that have grown during and after the 2016 presidential campaign, and assume that Russia’s influence activities are aimed broadly at destabilizing our country. That reasoning appears to underpin the judgments about Russian goals offered by key intelligence officials. “They’re in to do us in,” former Director of National Intelligence James Clapper has asserted, adding that the Russians “have to be celebrating” their success in sowing dissension. The much-cited Intelligence Community Assessment (ICA) on Russia’s role in the 2016 US presidential election sings from this same music sheet, asserting that Russia’s goals are nothing less than “to undermine faith in the US democratic process” and “to undermine the US-led liberal democratic order.”  The policy implications of this assessment are clear: unless we meet Russia’s aggression with a resolute response, we will invite even more aggression.

In fact, contrary to Clapper’s expectations, Russia’s diplomats and foreign policy experts are lamenting the instability and unpredictability flowing from what they regard as a U.S. domestic political crisis.  According to Fyodor Lukyanov, one of Russia’s most respected foreign policy analysts and editor-in-chief of the journal Russia in Global Affairs, Russians “are very confused and even a bit terrified by what we see unfolding in Washington.” That American disarray is causing worry rather than celebration in Moscow is a sign that we need to take a deeper, evidence-based look at Russian goals before settling on a policy response to their influence activities.  

Not all threatening behavior flows from aggressive intent. If what we view as aggression is actually fear and insecurity, rooted in Moscow’s perceptions of aggressive U.S. designs, too forceful a response could exacerbate Russian fears and trigger a dangerous escalatory spiral of hostility. The recent report that Russian intelligence hackers have penetrated the systems of some U.S. nuclear power plants and other power generation companies, perhaps to put retaliatory options in place in the event of U.S. cyberattacks on Russia, is an ominous sign in this regard. By contrast, a better understanding of these fears might facilitate negotiation of a mutual pledge of non-interference in each other’s domestic politics, including a provision that attacks on voting systems and other critical infrastructure will be treated as acts of war.

Principle Two: Make Both Punishments and Rewards Credible

It is a long-accepted axiom of deterrence theory that an adversary must not only believe that his opponent will follow through with any threatened consequences, but also that he will refrain from punishment if the adversary complies with the desired behavior. If the adversary believes the threat is illusory, he has little incentive to comply with his opponent’s demands. And if he believes he will be punished regardless of whether he complies, he might as well defy his opponent.

There are three big implications that flow from this principle. First, it places a premium on effective communication with Russia and others that we hope to deter. As Thomas Schelling highlights in his work on deterrence, Arms and Influence, without clear communication, deterrent policies are prone to misunderstanding or misinterpretation, increasing the chances of escalation. Abjuring talks in the vain hope of punishing Russia through isolation has been counterproductive to our deterrent goals. We need to be talking with Moscow at both the presidential and working levels about our approach to cyber deterrence, making clear what we regard as unacceptable and what the consequences for bad behavior will be. In so doing, we need to be clear in our own minds about what we can reasonably expect to deter and what we cannot.  Propaganda is hard to define and almost impossible to restrict without compromising cherished American free media principles, while cyber espionage will inevitably be a fact of international life regardless of our preferences.  Deterring cyberattacks on voting systems and other critical infrastructure, on the other hand, is both possible and highly desirable.  

Second, it makes sound intelligence analysis doubly important: it must not only guide our nation’s decision-makers in understanding cyber threats and who is behind them, but also give Russia and other cyber actors some degree of confidence that the U.S. can identify false-flag operations when they occur. Absent such a perception, Russia and others are likely to suspect that the United States will be quick to attribute any election-related cyberattack to Moscow and carry out punishment regardless of whether Russia is to blame. That discourages Russian compliance with our demands and incentivizes other state and non-state actors to employ readily available cyber technology to spoof Russian cyberattacks in the hope of stoking US-Russian hostility.

This danger places a premium not only on getting our intelligence calls right, but also on procedural approaches that encourage others to believe that our intelligence agencies are methodologically rigorous, independent of partisanship, and substantively expert in their analysis of Russia. The Washington Post report that the ex-CIA Director John Brennan secretly hand-selected a couple dozen people to produce a rapid assessment of Russian influence activities to meet a White House-imposed political deadline, hiding their work from the rest of the IC, does not contribute to such confidence. Neither does it help to base conclusions about Putin’s personal authorization of the election hacking on a single report, nor to rely on technical intelligence produced by another country’s intelligence service, as the Post also reported. The failure of the Intelligence Community Assessment to discuss any alternative explanations for the evidence its authors examined further detracts from an impression of methodological rigor.

The third implication is that we need to build rewards for good behavior into our deterrence approach, as distressing as this prospect may be for Americans in the aftermath of the electoral interference. The sanctions package passed by the Senate does the opposite; its provisions make lifting the sanctions practically impossible, regardless of good Russian behavior. The authors of the bill appear to believe that the built-in difficulty of lifting them enhances their deterrent value by emphasizing U.S. resolve.  But in this instance, we would be wise to recall the history of the Jackson-Vanik amendment sanctions, enacted in 1974 to pressure the Soviet Union to allow increased Jewish emigration.  Moscow reacted to the pressure by restricting rather than easing that emigration. Even after the Soviet Union dissolved and Russia had no restrictions on Jews leaving the country, the sanctions remained in place until 2012. Our failure to lift those sanctions in the wake of significant Russian intelligence and logistical support for U.S. counter-terrorist operations after September 11, 2001, served as a substantial irritant in our bilateral relations while doing little to encourage continued good behavior from Moscow.