15 July 2017

How to Deter Russian Cyber Attacks

George Beebe

Washington’s political class may not agree on much these days, but nearly everyone agrees that Russia should be punished for meddling in the US presidential election. The only question is how severe that punishment should be. Many worry that if the consequences are too lenient, Moscow will interfere in future elections, perhaps on an even grander scale than in 2016. As a result, a consensus appears to be forming around some combination of clear warnings, strengthened sanctions, and retaliatory cyber operations all meant to demonstrate that Russia will pay a severe price for interference in US politics, thus deterring future meddling.

One element of this package, a new and toughened sanctions regime, was passed in the Senate in June 2017 by a vote of 98-2 and includes an automatic renewal provision absent specific Congressional action to lift sanctions. The Washington Post reported that the second element, retaliatory cyber operations, was authorized by the Obama administration before it left office and requires no further action by the Trump White House for the bureaucracy to act. Former Assistant Attorney General for National Security John Carlin advanced a novel suggestion for the warning element in a recent article in Atlantic Monthly, calling for creation of a “dead-hand switch” that would automatically trigger retaliation if the Intelligence Community determines a country has interfered in our elections.

Such steps have undeniable cathartic appeal, and they would certainly enable both the White House and Congress to show they have done something significant in response to what the Washington Post has dubbed “the crime of the century.” But what makes sense politically does not always produce effective policy. Deterring cyberattacks by Russia -- and by others -- is a vital U.S. interest, but unless we think carefully about how we do it, we could end up incentivizing the very behaviors we hope to discourage. The U.S. has a long history of success in nuclear deterrence, rooted in a robust literature on deterrence theory. Adapting the principles that proved so effective in dealing with the Soviet nuclear threat is our best formula for deterring Russian cyberattacks today.

Principle One: Examine Their Motives

If war is politics by other means, as Clausewitz famously characterized it, deterrence can be thought of as political persuasion by other means. The objective is to convince an adversary that his desired goal would be too difficult or costly to achieve. Doing this necessarily requires an accurate assessment of what the adversary hopes to accomplish, how important those objectives are to him, and what outcomes he fears. Misperceptions of his hopes and fears can lead to underestimations of how much pain he is willing to endure in pursuit of his goals or failure to anticipate his countermoves.

When it comes to evaluating Russia’s hopes and fears as they relate to cyber operations, it is tempting but misleading to reason from effect to cause, survey the societal divisions in the United States that have grown during and after the 2016 presidential campaign, and assume that Russia’s influence activities are aimed broadly at destabilizing our country. That reasoning appears to underpin the judgments about Russian goals offered by key intelligence officials. “They’re in to do us in,” former Director of National Intelligence James Clapper has asserted, adding that the Russians “have to be celebrating” their success in sowing dissension. The much-cited Intelligence Community Assessment (ICA) on Russia’s role in the 2016 US presidential election sings from this same music sheet, asserting that Russia’s goals are nothing less than “to undermine faith in the US democratic process” and “to undermine the US-led liberal democratic order.” The policy implications of this assessment are clear: unless we meet Russia’s aggression with a resolute response, we will invite even more aggression.

In fact, contrary to Clapper’s expectations, Russia’s diplomats and foreign policy experts are lamenting the instability and unpredictability flowing from what they regard as a U.S. domestic political crisis. According to Fyodor Lukyanov, one of Russia’s most respected foreign policy analysts and editor-in-chief of the journal Russia in Global Affairs, Russians “are very confused and even a bit terrified by what we see unfolding in Washington.” That American disarray is causing worry rather than celebration in Moscow is a sign that we need to take a deeper, evidence-based look at Russian goals before settling on a policy response to their influence activities. 

Not all threatening behavior flows from aggressive intent. If what we view as aggression is actually fear and insecurity, rooted in Moscow’s perceptions of aggressive U.S. designs, too forceful a response could exacerbate Russian fears and trigger a dangerous escalatory spiral of hostility. The recent report that Russian intelligence hackers have penetrated the systems of some U.S. nuclear power plants and other power generation companies, perhaps to put retaliatory options in place in the event of U.S. cyberattacks on Russia, is an ominous sign in this regard. By contrast, a better understanding of these fears might facilitate negotiation of a mutual pledge of non-interference in each other’s domestic politics, including a provision that attacks on voting systems and other critical infrastructure will be treated as acts of war.

Principle Two: Make Both Punishments and Rewards Credible

It is a long-accepted axiom of deterrence theory that an adversary must not only believe that his opponent will follow through with any threatened consequences, but also that he will refrain from punishment if the adversary complies with the desired behavior. If the adversary believes the threat is illusory, he has little incentive to comply with his opponent’s demands. And if he believes he will be punished regardless of whether he complies, he might as well defy his opponent.

There are three big implications that flow from this principle. First, it places a premium on effective communication with Russia and others that we hope to deter. As Thomas Schelling highlights in his work on deterrence, Arms and Influence, without clear communication, deterrent policies are prone to misunderstanding or misinterpretation, increasing the chances of escalation. Abjuring talks in the vain hope of punishing Russia through isolation has been counterproductive to our deterrent goals. We need to be talking with Moscow at both the presidential and working levels about our approach to cyber deterrence, making clear what we regard as unacceptable and what the consequences for bad behavior will be. In so doing, we need to be clear in our own minds about what we can reasonably expect to deter and what we cannot. Propaganda is hard to define and almost impossible to restrict without compromising cherished American free media principles, while cyber espionage will inevitably be a fact of international life regardless of our preferences. Deterring cyberattacks on voting systems and other critical infrastructure, on the other hand, is both possible and highly desirable. 

Second, it makes sound intelligence analysis doubly important, because it must not only serve our nation’s decision-makers in guiding their understanding of cyber threats and who is behind them, but Russia and other cyber actors must have some degree of confidence that the U.S. can identify false-flag operations when they occur. Absent such a perception, Russia and others are likely to suspect that the United States will be quick to attribute any election-related cyberattack to Moscow and carry out punishment regardless of whether Russia is to blame. That discourages Russian compliance with our demands and incentivizes other state and non-state actors to employ readily available cyber technology to spoof Russian cyberattacks in the hope of stoking US-Russian hostility.

This danger places a premium not only on getting our intelligence calls right, but also on procedural approaches that encourage others to believe that our intelligence agencies are methodologically rigorous, independent of partisanship, and substantively expert in their analysis of Russia. The Washington Post report that the ex-CIA Director John Brennan secretly hand-selected a couple dozen people to produce a rapid assessment of Russian influence activities to meet a White House-imposed political deadline, hiding their work from the rest of the IC, does not contribute to such confidence. Neither does it help to base conclusions about Putin’s personal authorization of the election hacking on a single report, nor to rely on technical intelligence produced by another country’s intelligence service, as the Post also reported. The failure of the Intelligence Community Assessment to discuss any alternative explanations for the evidence its authors examined further detracts from an impression of methodological rigor.

The third implication is that we need to build rewards for good behavior into our deterrence approach, as distressing as this prospect may be for Americans in the aftermath of the electoral interference. The sanctions package passed by the Senate does the opposite; its provisions make lifting the sanctions practically impossible, regardless of good Russian behavior. The authors of the bill appear to believe that the built-in difficulty of lifting them enhances their deterrent value by emphasizing U.S. resolve. But in this instance, we would be wise to recall the history of the Jackson-Vanik amendment sanctions, enacted in 1974 to pressure the Soviet Union to allow increased Jewish emigration. Moscow reacted to the pressure by restricting rather than easing that emigration. Even after the Soviet Union dissolved and Russia had no restrictions on Jews leaving the country, the sanctions remained in place until 2012. Our failure to lift those sanctions in the wake of significant Russian intelligence and logistical support for U.S. counter-terrorist operations after September 11, 2001, served as a substantial irritant in our bilateral relations while doing little to encourage continued good behavior from Moscow.

Principle Three: Get Resilient

Deterrence by denial focuses on defensive measures aimed at convincing potential attackers that their effort will not succeed or that they will be denied the benefits they seek. If they perceive formidable obstacles to their success, such that attaining their goals will be either too difficult or too costly, they are less likely to undertake the action. This approach has particular application to the cyber world, where more than ninety percent of successful breaches, including those against the Democratic National Committee, employ rudimentary hacking techniques that could be easily prevented.

There are several important steps we can take to reduce our vulnerability to cyberattacks on our voting systems and other critical infrastructure. Within the cyber realm itself, we can make a concerted effort to patch vulnerabilities, update software, and employ malware detection systems. This would go far toward making cyberattacks more difficult, even if it would not preclude intrusions by sophisticated operators. Increasing the difficulty of success can have important deterrent value, not only because it makes the operations more costly and less certain, but also because it narrows the field of potential intruders to those with advanced – usually government-supported – capabilities, allowing analysts to better focus their attribution efforts.

Because no cyber defense can preclude all attacks, we should consider supplementing our defensive efforts with the construction of separate back-up analog control systems for our critical infrastructure that would operate off-line in the event that our digital control systems were compromised. Returning to the use of paper balloting would be fairly easy to do with voting systems. It would be a lengthy and costly undertaking to build back-up controls for power generation and water supply systems, but it would greatly reduce incentives to attack our critical infrastructure and substantially increase our national confidence in our ability to withstand attacks.

Finally, our efforts to build our resilience to foreign influence campaigns should not be limited to the digital world. Moscow has engaged in propaganda campaigns since the Czarist era, and the Soviet Union perpetually targeted the U.S. with aggressive disinformation campaigns throughout the Cold War. At the time, we regarded them as irritations to be countered with diplomatic demarches and corrective press releases, not as existential threats to our national security. Today, a hidden cost of the emotionally satisfying exercise of vilifying Russia is that it distracts us from addressing the domestic roots of our growing societal divisions and putting our own house in order. There is perhaps nothing that will do more to encourage our adversaries to believe in the effectiveness of influence campaigns than the hysteria over Russian activities that has gripped Washington since last fall. Restoring our national confidence that our republic cannot be toppled by propaganda is perhaps the most effective deterrent in our toolbox.

No comments: