On April 15, the Biden administration imposed a suite of sanctions and punitive measures directed at Russian entities with the goal of “imposing costs for harmful foreign activities by the Russian government.” The executive order, in particular, called out Russia’s efforts to undermine the free and fair elections of the United States in 2020, one Christopher Krebs, the former director of the Cybersecurity and Infrastructure Security Agency (CISA), had declared the most secure in U.S. history. The Russians, Krebs pointed out, did not pursue the widespread hacking campaign they did in 2016. The administration also came down with punitive measures directed at entities involved in the Sunburst/SolarWinds campaign by Russia’s foreign intelligence service's leveraging of software supply chain vulnerabilities to infiltrate dozens of government agencies and private firms in one of the most significant known cyber espionage campaigns to date.
Yet, the U.S. national security community must recognize that conflict and contestation in cyberspace is as much about combating disinformation as it is protecting 1s and 0s transmitted across networks. To give the disinformation threat the credence it deserves, the government must create a public strategy on combating disinformation, with deterrence as a main component. Such a strategy should emphasize deterrence by punishment, where the government should take an active role, as well as deterrence by denial, where the government should take a backseat to the private sector.
A core tenet of information security is protecting data’s confidentiality, integrity, and availability—the CIA triad. But for the future of cyber conflict, protecting these three elements is not enough. It is information’s perceptibility that can be equally as damaging; that is, if something is true yet perceived to be untrue, or vice versa—something Stephen Colbert might call truthiness. This leads to a critical lesson on the future of cyber conflict and American democracy: the security of the democratic process effectively does not matter if media, citizens, adversaries, and even public officials peddle enough mis- and disinformation so as to completely undermine public trust altogether.
This was manifestly clear two months after Krebs’ assertion, when armed insurrectionists stormed the seat of American democracy in a terroristic furor, galvanized by a lie that the election results were fraudulent. The vulnerability of the United States’ democratic institutions had not been so evident since the American Civil War, and it had nothing to do with the hacking of computer networks.
Propaganda has long been a tool used by governments both democratic and authoritarian, in wartime and in influence campaigns; the United States is no exception. Yet the scale, scope, and reach provided by the internet enables unprecedented levels of mass-messaging and micro-targeting. As Peter W. Singer and Emerson Brooking write in LikeWar, “There’s no historical analogue to the speed and totality with which social media platforms have conquered the planet.” And in this modern information domain, the United States has been far behind adversaries in appreciating the potential for online information campaigns to undermine its own democracy.
Authoritarian governments, particularly those in China and Russia, are pouring millions or even billions of dollars into disinformation campaigns. While they may have occasionally divergent objectives and tactics, both are intent upon undermining democratic institutions. This is now widely known, especially after Kremlin disinformation campaigns against U.S. and European elections and Chinese government disinformation about the coronavirus pandemic. But information threats are melded with cyber operations, too.
Russian hack-and-leak operations against the United States are a prime example of how adversaries can fuse information manipulation with cyber operations. In 2016, Russia’s military intelligence agency hacked into the Democratic National Committee and leaked internal communications online. Media outlets subsequently covered the hacked materials and made the stolen information into national news. This cyber activity, for the Russians, was the “simulation of scandal”: stealing and spreading information to “direct public moral judgment against their target.” Washington has not been the only target, with a hack-and-leak operation against the 2017 French presidential election also seemingly coming from Russia, for instance. These hacks, mostly reported on without hesitation, combined overlooked information threats with better-understood cyber threats to exploit political discourse.
But information threats—those which threaten American prosperity, security, and democracy—also come from the homeland. Perhaps the most influential and damaging information campaigns are those stemming from certain U.S. government officials and metastasized across traditional media and internet platforms. Look no further than the “big lie” propagated by former President Trump and his supporters, asserting falsehoods such as that rigged Dominion Voting System machines manipulated 2020 vote tallies. Trump spent months spreading disinformation about election “fraud,” and insurrectionist supporters spent weeks plotting and organizing on social media, all of which culminated in a coup attempt. A post-election voter confidence survey reported that a whopping 39 percent of voters lacked confidence that their votes in the national election were accurately counted. Despite all the attention to disinformation, the United States still lacks a comprehensive strategy for deterring it.
Deterrence by Punishment
The prime spot for the U.S. government to act is in deterring adversary information operations by punishment, contingent upon the specified imposition of meaningful costs upon an adversary. Washington is best positioned to execute this first strategic component because of the range of diplomatic, economic, information, financial, intelligence, and law enforcement means at its disposal. The U.S. government has imposed economic sanctions—the Biden administration’s recent executive order and Executive Order 13694, as a couple of examples—on foreign entities and persons who have engaged in “interference” in a U.S. election, but such costs have been limited, lacking the permanence and forcefulness necessary to effectively deter further interference. Statements from diplomats and cyber officials, subsequently undermined by the former president, likewise did not constitute effective punishments. Foreign adversaries, frankly, are indifferent if not emboldened by the perceived low punitive costs of engaging in disinformation campaigns against the United States. Disinformation campaigns are inherently antidemocratic, and for adversaries, there is no greater bang for their buck than degrading American democracy.
The U.S. government’s deterrence strategy must therefore inflict punishment so great as to change adversaries’ calculus on disinformation campaigns. In so doing, Washington must make its intentions not just known but felt, and beyond the information domain. The U.S. intelligence community should thus continue publicizing foreign information campaigns. The White House should continue condemning these campaigns on the global stage. Congress should expand the U.S. government’s power to sanction foreign entities engaged in election interference. And the United States must reinvigorate its alliances and partnerships abroad to build international coalitions and capacity to counter foreign malicious information operations.
Deterrence by Denial
Due to the nature of global digital communications, domestic and foreign threat actors feed off and amplify each other in the information space. Because the private sector majority owns the social and digital infrastructure exploited by disinformation campaigns, from television networks to social media platforms, the U.S. government should take a backseat in the second component of a disinformation deterrence strategy: denial.
Media outlets should develop more comprehensive policies on when they cover or cut away from disinformation, and how they report on hacked-and-leaked materials. Limiting the spread of falsehoods comes back to denying malicious actors airtime and column inches. Similarly, private internet companies should build better policies and best-practices for taking down violence-inciting content and other dangerous disinformation. Leaving it up until reported or letting social media firms’ profit models undermine public discourse, public health, and American democracy, is not an option.
Mainstream media have generally made a marked improvement in best-practices following their lamentable coverage of the 2016 presidential election cycle, which was wrought with amplification of falsehoods. Fox News, of all outlets, cut away from a November 9 live feed of former White House Press Secretary Kayleigh McEnany baselessly claiming that there had been widespread voter fraud. Even though media often still reported on dishonest allegations peddled by public officials, outlets have made a concerted attempt to qualify claims as “unfounded” or “disputed,” and it is clear that market and social pressures, combined with looming regulation, have pushed some internet companies to at least act slightly more assertively in taking down lies and violence-inciting content. Private-sector actors should look to the last five years of challenges and failures to draw lessons and develop playbooks for deterring disinformation through denial. To change threat actors’ cost-benefit calculus in this conflict, the United States must show that disinformation efforts will at best have limited success.
As the information contest reshapes the future of cyber conflict, there is still space for the U.S. government to take part in deterrence by denial. Chris Krebs and his team at CISA were instrumental in fact-checking election claims and working with state and local governments to promote reliable public information. The U.S. intelligence community has likewise played a pivotal role in tracking disinformation campaigns from foreign adversaries and in bringing those findings to light through unclassified reports and congressional briefings. Focusing on transparency, and even publicly attributing perpetrators, will be a key part of successfully bolstering American democracy in the face of disinformation threats.