One of the things that makes successful detective work in cyberspace a real challenge is that any hacker can imitate an attack by using the same tools and methodology of a known hacker. That means malicious actors can easily position their breach to be attributed to whomever they wish. This makes establishing attribution in the case of election meddling extremely difficult to do with complete accuracy. Russia may well have interfered in the 2016 U.S. presidential election, and may be in the process of doing the same in the 2018 midterms, but the Kremlin can easily point the finger at any other state, many of which maintain a digital library of attacks and techniques from a variety of hacker groups. In theory, any other government, hacker group, or individual could be the guilty party.
Nations have been in the business of interfering in other nations’ elections since the beginning of recorded history. Since cyber-meddling in other countries’ electoral processes is also now well established, and there appear to be a variety of means and incentives to engage in cyber-meddling, what, if anything, can be done to discourage it? Imposing sanctions on Russia has not proven to be particularly effective, illustrating the relative powerlessness countries have to keep other countries from engaging in cyber-election meddling. Doing so could be rendered somewhat less effective by seeking to reduce or counter its influence on electoral debates by swiftly exposing and/or ignoring them. That is largely what occurred during the 2017 French election.
Enhancing cyber network defenses with an “active” defense would also certainly help and that is a goal that President Donald Trump verbally committed to shortly after he became president. Demonstrating both a capability and a willingness to strike back and punish those states and actors engaged in cyber-meddling might also act as a deterrent, but any nation wishing to discourage cyber-meddling must adopt a stronger declaratory posture by robustly emphasizing (publicly and privately) the importance placed on the integrity of each democratic process. Using existing military-grade cyber tools would no doubt be seen as escalatory and would perhaps better reserved for wartime, but it cannot hurt to let America’s adversaries know that those tools exist and could be used if deemed necessary. President Trump did something similar this year in announcing to the world that a cyberattack on critical U.S. infrastructure would be deemed an act of war, and could be met by a nuclear response. Ultimately, however, effective cyber deterrence can only emerge out of a consistent set of actions, policies and declarations implemented consistently over time.
In the case of the alleged Russian hacking of the 2016 U.S. presidential electoral process, the Obama administration did not use anywhere close to all of the tools available in its tool kit. This example illustrates well how realpolitik and other considerations can impact—and ultimately severely weaken—the laws (or theories about how the laws should be applied in the real world) that exist to combat virtual terrorism. The Obama administration was well aware of what the Russians had already done and were continuing to do during the election campaign (based on apparently overwhelming intelligence-based evidence), but its concern that the Russians could have chosen to more directly interfere with the electoral process prompted Obama to opt to “send a message” to Vladimir Putin by repatriating thirty-five Russian diplomats and closing two Russian compounds. Obama also leveraged against Russia economic sanctions so narrowly targeted that even those who helped design them describe their impact as largely symbolic.
Less reported at the time, however, was that Obama also approved a covert measure that authorized planting cyber weapons in Russia’s infrastructure—the digital equivalent of bombs that could be detonated if the United States found itself in an escalating exchange with Moscow. The project, which Obama approved in a covert-action finding, was still in its planning stages when Obama left office. It was left up to President Trump to decide whether to use that capability, and few expect him to do so, given all of the allegations and controversy swirling around the Trump campaign and presidency regarding possible collusion with Russia during the campaign and into the Trump presidency.
It is ironic that Obama chose such a tepid response to the alleged Russian hacking, especially since in 2015 he proposed sweeping new cybersecurity legislation designed to establish alignment of some existing state data-breach laws. The legislation also aimed to close legal loopholes to enable the government to pursue cybercriminals who steal and sell the identities of Americans. Obama’s bill—the Personal Data Notification and Protection Act—was an honest attempt at making some real progress and holding organizations accountable for data breaches. However, as was the case with previous pieces of legislation whose purpose was to fortify U.S. cyber-response capabilities, the bill was introduced in 2015, sent to a congressional committee, and it never again saw the light of day.