by Susan Hennessey
The Cybersecurity Dilemma: Hacking, Trust, and Fear Between Nations. Ben Buchanan. Oxford University Press, 2017. 304pp.
Cyberspace in Peace and War. Martin C. Libicki. Naval Institute Press, 2016. 496pp.
In the two years before the 2016 U.S. presidential election, hackers targeted a number of prominent political organizations of both parties, including the Democratic National Committee (DNC), and managed to steal a trove of documents pertaining to the presidential campaign of Hillary Clinton. The hackers got ahold of private e-mails, including those belonging to Debbie Wasserman Schultz, the DNC chair, and John Podesta, Clinton’s campaign chair. Some of these exchanges discussed hot-button issues such as the Clinton Foundation’s fundraising or suggested that senior DNC figures had sought to aid Clinton in her primary campaign against Senator Bernie Sanders of Vermont.
As the presidential election drew near, a number of websites, including WikiLeaks, began publishing the stolen e-mails, fueling right-wing conspiracy theories about Clinton and generating anger among Sanders supporters. Donald Trump, the Republican presidential nominee, seized on the leaks to criticize his opponent; “I love WikiLeaks!” he declared at a rally in October. Meanwhile, Democrats seethed as reports emerged that the hackers were linked to Russian military and intelligence agencies.
Those rumors were officially confirmed in early October when the Office of the Director of National Intelligence and the Department of Homeland Security issued a joint statement asserting that the Russian government had been behind the hacking, which aimed to interfere with the election. In January, the ODNI released a declassified report stating even more definitively that the hacking had been part of a Russian attempt to “undermine the U.S.-led liberal democratic order” by sowing chaos and eroding faith in the democratic process. “There should be no fuzz on this whatsoever: the Russians interfered in our election,” James Comey, the former director of the FBI, said in testimony before Congress in June. Comey had previously issued a warning about the Russians: “They’ll be back in 2020. They may be back in 2018, and one of the lessons they may draw from this is that they were successful because they introduced chaos and division and discord.”
One reason Moscow succeeded is that Washington has failed to devise a strategy to deter cyberattacks or to respond strongly enough when such attacks have occurred. In the face of crafty and concerted assaults on U.S. interests, Washington’s retaliatory measures have amounted to little more than largely symbolic sanctions and diplomatic slaps on the wrist. This has remained true even in the wake of Russia’s unprecedented meddling in the 2016 presidential election. Put simply, the United States failed to deter Russia; instead, Russia has deterred the United States from meaningful retaliation.
Two recent books illuminate the immensely complex issues at play. In The Cybersecurity Dilemma, Ben Buchanan, a cybersecurity specialist at Harvard Kennedy School’s Belfer Center, outlines the structural challenges unique to interactions among states in cyberspace. In Cyberspace in Peace and War, the economist and security expert Martin Libicki authoritatively details states’ operational and strategic considerations in the cyber-realm. These two books add nuance to debates about digital conflicts while resisting the temptation to treat them as analogous to nuclear or conventional ones. And together, they help explain why the United States has failed to adequately protect itself from cyber threats.
Although these authors do not address the hacking that targeted the 2016 campaign, they offer clear-eyed reviews of U.S. responses to earlier state-sponsored hacks and provide analytic frameworks that could help policymakers think through the challenge of preventing future digital assaults. Moving forward, the United States must clearly delineate what constitutes unacceptable behavior in cyberspace and embrace a broader range of retaliatory measures so that it can deter attacks that are certain to come harder and faster than ever before.
TERMS OF ENGAGEMENT
Buchanan and Libicki agree that deterrence is primarily about messaging, or the ability to clearly communicate boundaries and consequences. Libicki renders the core message of deterrence as “if you do this then that will be done.” The ability to send that message requires four things: attribution (the state must be able to define the target of retaliation), thresholds (the state must be able to consistently distinguish between acts that merit retaliation and those that do not), credibility (the state’s will to retaliate must be believed), and capability (the state must be able to pull off a successful response).
Each of these components is exponentially more complex in cyberspace than in a conventional setting. First and foremost, cyberattacks are hard to detect. As Buchanan notes, hackers can easily intrude into a network without attracting attention. Even when an attack is discovered, it can be notoriously difficult to confidently attribute it to any one particular actor. A hacker might be a state agent or employee, or a member of a criminal organization, or even—as Trump once crudely put it—“somebody sitting on their bed that weighs 400 pounds.” And if authorities do identify the perpetrator, they still must determine whether the cyberattack crossed the retaliation threshold and merits a response. In conventional settings, physical troop movements, progress along a path to nuclearization, or military buildups have long guided these decisions. But states have yet to agree on the digital equivalents of such moves.
The state must also signal that it has the will and ability to respond without giving away too much information about just how it would do so, since that would allow would-be attackers to prepare. Cyber-capabilities depend on preserving information asymmetry. Secrecy and surprise are essential because cyberdefenses can block particular methods of intrusion completely, unlike conventional military defenses, which cannot necessarily prevent the actions of a more powerful state.
WHEN DETERRENCE FAILS
Washington has gained ample experience with these strategic dilemmas in the past decade, as it has faced escalating cyberthreats from a range of adversaries. The United States may well have deterred the worst; after all, it has yet to experience a cyberattack that directly threatened lives. As is often true in deterrence, success is invisible but failure is public. But two high-profile failures—the 2014 hacking of Sony Pictures, attributed to North Korea, and the 2015 cyberattack on the U.S. Office of Personnel Management (OPM), attributed to China—revealed important weaknesses in U.S. deterrence policy.
In 2009, President Barack Obama announced a new U.S. strategy to address the threat posed by increasingly aggressive actors in cyberspace. “It’s now clear this cyberthreat is one of the most serious economic and national security challenges we face as a nation,” he declared. “It’s also clear that we’re not as prepared as we should be.” The Obama administration took a number of steps to bolster cybersecurity, such as streamlining response channels and intelligence sharing, increasing the security of government networks, and outlining more explicit thresholds for retaliation. But repeated digital assaults tested the comprehensiveness of these new policies and revealed strategically significant shortcomings.
In November 2014, a group sponsored by North Korea and calling itself the Guardians of Peace infiltrated computer networks at Sony Pictures, extracting sensitive personnel information and stealing copies of unreleased films. The hackers attempted to blackmail Sony, demanding that the studio abandon its plans to release a comedy critical of North Korea’s supreme leader, Kim Jong Un. The disclosure of studio executives’ hacked e-mails proved embarrassing and expensive; one Sony executive estimated that it cost the company $35 million. The U.S. government, however, did not publicly attribute the attack to North Korea until the Guardians of Peace threatened physical attacks on U.S. movie theaters if the film were released. Sony initially capitulated, but following widespread public criticism, including from Obama, it reversed course and released the film on a limited basis. The Department of Homeland Security insisted there was no genuine threat to theaters, and the screenings proceeded without incident. In January 2015, the U.S. government announced new sanctions against North Korean government agencies and officials in response to the hacking, but this haphazard response demonstrated the difficulty Washington has had in defining thresholds for retaliation.
The Sony episode revealed three notable shortcomings in U.S. cyber-deterrence policy. First, there was persistent ambiguity about the government’s role in responding to attacks on privately owned information infrastructure. Second, the government and private industry were unable to coordinate a unified response to the threats. Finally, the press was eager and willing to report on the substance of the hacked e-mails, even if they were brought to light by an aggressive foreign actor, and focused far more on the often frivolous or salacious content of the e-mails than on the motives behind the hacking.
Because a movie studio fell outside the definition of critical infrastructure, Washington was slow to recognize the broader implications of the attack and the need for a government-led response. Drawing the line at intrusion of government networks failed to deter consequential attacks on private networks. In this case, it seemed that U.S. officials had not anticipated an attack on the country’s core values—here, freedom of speech and expression—as a potential trigger for retaliation. And the fact that government action came only after physical threats may have communicated to North Korea and other adversaries that Washington did not consider the cyberattack itself sufficient grounds for retaliation.
Attacks on government networks themselves have also failed to elicit a strong response, a further blow to U.S. credibility. In June 2015, the Obama administration revealed that hackers had stolen a trove of data from servers at the OPM, which houses massive amounts of sensitive personal information about government employees. James Clapper, the director of national intelligence, said that China was the “leading suspect” in the attack. But regardless of that attribution and despite the fact that the theft clearly crossed one of the lines established by the Obama administration, there was no visible U.S. response (although China did arrest several people it claimed were responsible). Clapper even expressed grudging admiration for the hackers: “You have to kind of salute the Chinese for what they did,” he said, acknowledging that unless U.S. adversaries were denied the opportunity through better security or a more substantive deterrence strategy, such attacks would only continue.
But the Obama administration’s updated cyber-deterrence policy, which was signed into law in December 2015, did little to address the weaknesses revealed by the Sony and OPM hacks. Even after such visible deterrence failures, the Obama administration continued to narrowly define thresholds for retaliation in cyberspace, focusing on threats to human life, critical infrastructure, economic security, and military command and control. And Russia was clearly paying attention.
FROM RUSSIA WITH LOVE
The Russians have long engaged in cyber-enabled information warfare campaigns—including targeting the elections of their strategically important neighbors. In 2014, for example, a Russian-backed group known as CyberBerkut interfered in Ukraine’s presidential election. The group temporarily rendered Ukrainian vote-counting systems inoperable, deployed malware designed to make government websites portray the ultranationalist candidate as winning, and launched a cyberattack that delayed the final vote count by hours. Ultimately, those efforts were detected in time and did not alter the election’s outcome.
Given that track record, Russian interference in the 2016 U.S. election should have come as no surprise. And yet Washington’s response was erratic and unclear. The Russians targeted nongovernment networks, just as the North Koreans had done earlier. The Kremlin seems to have noted that the leaked e-mails of Sony executives were deemed an embarrassment rather than a form of information warfare. And indeed, because the DNC and Democratic Congressional Campaign Committee networks that the Russians infiltrated were not government systems or election infrastructure, their penetration by a foreign power did not set off sufficient alarms within the U.S. government. Clapper indicated in May 2016 that the intelligence community was aware that hackers were targeting the presidential campaigns but implied that the activity was within the ordinary course of passive intelligence collection.
By the summer of 2016, there was strong evidence of Russia’s involvement in the hacking and release of the DNC’s e-mails, but the U.S. government did not publicly attribute the attacks to Russia until October. In the intervening period, the press treated the Russian link as speculative and as something of a footnote: as with the leaked Sony e-mails, media outlets focused primarily on the content of the messages, failing to highlight the fact that they had probably been stolen and released by a foreign adversary, in this case, in an effort to influence a U.S. election. If anything, the fact that the e-mails had been surreptitiously obtained created the impression that the Clinton campaign had something to hide; information that was otherwise unremarkable became headline news. Strong and specific U.S. government attribution from the outset could have substantially shifted the focus to Russia’s motives.
When the Obama administration finally did respond to the Russian hacking, the trigger was not the theft itself or the release of stolen e-mails. Instead, it was the targeting of election infrastructure—the threat of actual vote counts being compromised—which had been uncovered by state election administrators. And even after publicly attributing the attack to Russia, Washington stuck to its usual noncommittal lines, employing the same language it had used after the Sony and OPM hacks: the United States’ response would be proportional, perhaps not visible, and “at a time and place of [its] choosing.”
THE CYBERSECURITY DILEMMA
Although his book predates the 2016 election, Buchanan offers a compelling and prescient explanation of why the United States was so hesitant to respond more forcefully: a cyberspace version of what the political scientist John Herz first identified in the 1950s as “the security dilemma.” Herz posited that actions undertaken by states for defensive reasons—such as increased defense spending or amassing troops on a border—are frequently perceived as threats by other states. Those states respond by affirming their own security, which others in turn perceive as threatening. Activities meant to be defensive unintentionally create and fuel an escalatory cycle.
In conventional armed conflicts, Buchanan explains, states have partly dealt with this dilemma by trying to make sure that others don’t mistake their defense for offense. As a result, states have gotten better at making such judgments and have developed a set of standards about what constitutes “normal” defensive behavior. But those improvements have yet to reach the cyber-realm, where civilian and government networks are commingled and defensive and offensive tools are often indistinguishable. A lack of shared norms complicates matters, as does the nature of cyberdefense. As Buchanan highlights, states sometimes intrude into the networks of other states for genuinely defensive purposes, but evaluating intent in cyberspace is often more difficult than judging a conventional military move. And when a state cannot determine intent, it will generally assume aggression. Furthermore, Buchanan argues that even defensive intrusions in cyberspace can compromise the security of the targeted state by establishing footholds that might be later exploited for offensive purposes. Any such move is therefore inherently threatening.
An acute awareness of the risks of escalation has inhibited Washington’s response to cyberattacks. So has the fact that the United States is more reliant on information systems than its adversaries are, contributing to a cautiousness that borders on paralysis. But by failing to come up with an effective cyber-deterrence policy, the United States has increased its vulnerability to adversaries that are more willing to embrace risk.
FAILURE AND CONSEQUENCES
The Obama administration’s concerns about the risks of retaliation ultimately resulted in a feckless response to Russia’s election interference. According to a deeply reported postmortem in The Washington Post, the White House considered responses including cyberattacks on Russian infrastructure, damaging economic sanctions, and the release of information embarrassing to Russian President Vladimir Putin. Some officials even floated the idea of sending aircraft carriers to the Baltics. But the administration ultimately chose a modest response: imposing economic sanctions against a few individuals linked to Russian military intelligence, expelling 35 Russian diplomats from the United States, and seizing two Russian compounds in the United States that Washington believed Moscow used for espionage activity. According to the Post, the administration also approved a covert action to infiltrate Russian cyber-infrastructure in order to plant “cyber weapons” that could be used in the future. Trump, who, as president, has repeatedly cast doubt on the idea that the Russians interfered in the election, appears disinclined to use those tools.
Moreover, the U.S. government report on Russian interference overpromised and underdelivered, outlining the intelligence community’s top-line conclusions without offering much evidence to back them up. Although the protection of sources and methods is important, the document failed to persuade skeptics, and the report’s release backfired. A subsequent series of highly specific leaks of classified information has revealed far more detail, but they lack the persuasive strength of official confirmation.
Domestic political factors also contributed to this reticent response. The Obama administration was loath to be viewed as improperly influencing the election. According to The Washington Post, Senate Majority Leader Mitch McConnell, Republican from Kentucky, told the Obama administration that he would view any effort to publicly challenge the Russians over their interference in the election as politically motivated, thereby blocking any chance for a unified, bipartisan response. The delicacies of electoral politics, however, provide yet another compelling reason for establishing clearer rules of the road when it comes to cyberattacks. By setting neutral standards, future administrations can guard against claims of partisanship should they choose to respond forcefully to foreign attempts to interfere in U.S. politics or policymaking.
Unquestionably, stronger responses carry significant risks. As Libicki writes, “The do-nothing option is not entirely crazy.” Sometimes, an adversary desires a response, and so refusing to acknowledge an attack is one way to fight back. But Libicki also notes that whichever path a state chooses in responding to a cyberattack, it must “assure itself that it is defeating the attacker’s strategy as well as altering the attacker’s calculus.” By that measure, the U.S. cyber-deterrence strategy, both past and present, has failed.
That failure has already affected U.S. allies. In May, the French presidential candidate Emmanuel Macron was targeted with a similar hack and e-mail dump on the eve of a national election. (He won anyway.) Although the evidence is less definitive than in the U.S. case, Russia—which favored Macron’s opponent, the right-wing populist Marine Le Pen—is widely believed to be responsible.
To avoid a repeat of the 2016 fiasco, the United States must chart a new course shaped by a higher tolerance for strategic risk. For starters, Washington must articulate clearer lines. The Obama administration’s cyberstrategy presented ambiguity as a deterrent tactic, claiming that a lack of specificity would discourage states from simply tailoring their malicious activities to avoid crossing lines. But experience has demonstrated that aggressive adversaries considered that zone of ambiguity to be a zone of impunity. Although setting clearer lines does risk encouraging some additional below-the-threshold activity, containing behavior in that space is a better outcome than allowing more serious violations to go unchecked.
Likewise, the United States should be more consistent and proactive in publicly attributing attacks. When officials fail to point fingers for fear of revealing sources and methods, they offer U.S. adversaries plausible deniability. Strong attribution and statements that unambiguously link retaliation to corresponding offenses are important steps toward shaping and enforcing the norms necessary to govern state conduct in cyberspace.
Finally, the United States must cease to be inhibited by the fear of sparking escalatory cycles. Stronger responses to hacking, such as counterattacks and aggressive sanctions, do carry significant risks, but Washington can no longer rely on a do-nothing or do-little approach. Cyber-deterrence policy must reflect the reality that failing to respond in the face of an attack is itself a choice with consequences.
SUSAN HENNESSEY is Managing Editor of Lawfare and a Fellow in National Security Law at the Brookings Institution.
This article was originally published in Foreign Affairs.