One of the things that makes successful detective work in cyberspace a real challenge is that any hacker can imitate an attack by using the same tools and methodology of a known hacker. That means malicious actors can easily position their breach to be attributed to whomever they wish. This makes establishing attribution in the case of election meddling extremely difficult to do with complete accuracy. Russia may well have interfered in the 2016 U.S. presidential election, and may be in the process of doing the same in the 2018 midterms, but the Kremlin can easily point the finger at any other state, many of which maintain a digital library of attacks and techniques from a variety of hacker groups. In theory, any other government, hacker group, or individual could be the guilty party.
Nations have been in the business of interfering in other nations’ elections since the beginning of recorded history. Since cyber-meddling in other countries’ electoral processes is also now well established, and there appear to be a variety of means and incentives to engage in cyber-meddling, what, if anything, can be done to discourage it? Imposing sanctions on Russia has not proven to be particularly effective, illustrating the relative powerlessness countries have to keep other countries from engaging in cyber-election meddling. Doing so could be rendered somewhat less effective by seeking to reduce or counter its influence on electoral debates by swiftly exposing and/or ignoring them. That is largely what occurred during the 2017 French election.
Enhancing cyber network defenses with an “active” defense would also certainly help and that is a goal that President Donald Trump verbally committed to shortly after he became president. Demonstrating both a capability and a willingness to strike back and punish those states and actors engaged in cyber-meddling might also act as a deterrent, but any nation wishing to discourage cyber-meddling must adopt a stronger declaratory posture by robustly emphasizing (publicly and privately) the importance placed on the integrity of each democratic process. Using existing military-grade cyber tools would no doubt be seen as escalatory and would perhaps better reserved for wartime, but it cannot hurt to let America’s adversaries know that those tools exist and could be used if deemed necessary. President Trump did something similar this year in announcing to the world that a cyberattack on critical U.S. infrastructure would be deemed an act of war, and could be met by a nuclear response. Ultimately, however, effective cyber deterrence can only emerge out of a consistent set of actions, policies and declarations implemented consistently over time.
In the case of the alleged Russian hacking of the 2016 U.S. presidential electoral process, the Obama administration did not use anywhere close to all of the tools available in its tool kit. This example illustrates well how realpolitik and other considerations can impact—and ultimately severely weaken—the laws (or theories about how the laws should be applied in the real world) that exist to combat virtual terrorism. The Obama administration was well aware of what the Russians had already done and were continuing to do during the election campaign (based on apparently overwhelming intelligence-based evidence), but its concern that the Russians could have chosen to more directly interfere with the electoral process prompted Obama to opt to “send a message” to Vladimir Putin by repatriating thirty-five Russian diplomats and closing two Russian compounds. Obama also leveraged against Russia economic sanctions so narrowly targeted that even those who helped design them describe their impact as largely symbolic.
Less reported at the time, however, was that Obama also approved a covert measure that authorized planting cyber weapons in Russia’s infrastructure—the digital equivalent of bombs that could be detonated if the United States found itself in an escalating exchange with Moscow. The project, which Obama approved in a covert-action finding, was still in its planning stages when Obama left office. It was left up to President Trump to decide whether to use that capability, and few expect him to do so, given all of the allegations and controversy swirling around the Trump campaign and presidency regarding possible collusion with Russia during the campaign and into the Trump presidency.
It is ironic that Obama chose such a tepid response to the alleged Russian hacking, especially since in 2015 he proposed sweeping new cybersecurity legislation designed to establish alignment of some existing state data-breach laws. The legislation also aimed to close legal loopholes to enable the government to pursue cybercriminals who steal and sell the identities of Americans. Obama’s bill—the Personal Data Notification and Protection Act—was an honest attempt at making some real progress and holding organizations accountable for data breaches. However, as was the case with previous pieces of legislation whose purpose was to fortify U.S. cyber-response capabilities, the bill was introduced in 2015, sent to a congressional committee, and it never again saw the light of day.
So why is it that Congress has such a difficult time passing legislation that is sorely needed and should be such a priority for the security of the nation? A large part of the reason appears to be differences over how much liability protection to grant businesses in order to encourage them to share cyberthreat information. The argument against granting the private sector broad liability protection was that businesses could potentially exploit it to collude on other matters. Supporters of more targeted liability protection (mainly Democrats) contended it would provide sufficient protection to enable businesses to share cyberthreat information, but proponents of broad liability protection (mainly Republicans) have argued that businesses would not feel adequately protected if they were granted only limited liability because their lawyers would caution them that they could still be subject to legal action.
After four years of legal and legislative wrangling, in 2015, Congress finally passed the Cybersecurity Act of 2015 (formerly, the Cybersecurity Information Sharing Act) as part of the omnibus spending bill. The Act gave companies the ability to share cybersecurity information with federal agencies (including the National Security Agency), providing liability protection and antitrust exemption for those sharing the information.
Following its passage, security experts and civil-society groups wrote to Congress arguing that lawmakers strongly oppose it because of its weak privacy protections. They also opposed the way that Republican leadership had refused to hold a stand-alone vote, instead forcing the legislation into law as part of the must-pass omnibus spending bill. In the end, it was left up to the private sector to build an information infrastructure that promotes security while preserving trust.
Partisanship, special interests, liability concerns, and a failure of leadership are why the United States lacks consistent, effective, and all-encompassing policies for mounting a meaningful defense against cyberattacks on its election systems and infrastructure. America has only itself to blame for failing to tackle this serious issue in a manner consistent with its power and capabilities. America’s adversaries will never stop trying to attack it with cyber weapons. If we fail to properly defend ourselves, then we will continue to have only ourselves to blame.
Daniel Wagner is CEO of Country Risk Solutions and author of the book Virtual Terror.