Just days after Robert Gates became secretary of defense in December 2006, in the middle of George W. Bush’s second term, he found himself so stunned by the volume of attempted cyberattacks against the U.S. military’s computer networks—his daily briefings cited dozens, sometimes hundreds of intrusions—that he wrote a memo to the Pentagon’s general counsel. At what point, he asked, did a cyberattack constitute an act of war under international law?
Not until two years later, on the final day of 2008, did he receive a reply. Yes, the counsel wrote, a cyberattack might rise to a level that warranted a military response—it could be deemed an act of armed aggression under certain circumstances—but what those circumstances were, where the line should be drawn, even the criteria for drawing that line, were matters for policymakers, not lawyers, to decide. Gates took the reply as an evasion, not an answer.
Russia’s hacking of the Democratic National Committee’s email, and of Hillary Clinton’s campaign files, falls well short of an act of war, but it does demonstrate that Gates’ questions remain unanswered. The attack didn’t result in any casualties or physical destruction, after all. But what precisely were the hacks, and what action, if any, should they prompt?
In October 2014, the Pentagon’s Defense Science Board appointed a task force to write a top secret report on “cyber deterrence”—what the term means, what it takes to deter an adversary from launching a cyberattack, and what kinds of attacks should the government have an obligation to deter. One of the panelists tells me the report will be done by this fall—though, a year ago, the same person told me it would be finished this past spring.
A few scientists warned about the vulnerability of computers back in 1967, at the dawn of the ARPANET (the precursor to the internet). The first Russian cyberattack on U.S. military networks, code-named “Moonlight Maze,” took place in 1998. The first string of attacks by the Chinese, dubbed “Titan Rain,” followed in 2001. Russian intrusions into classified military networks were first detected, in an operation called “Buckshot Yankee,” in 2008. And, by the way, American, British, French, and Israeli intelligence agencies have hacked into other nations’ networks for longer still. (For details on the surprisingly long history of cyberwar, click here.)
And yet, when it comes to the most basic issues of strategy and policy, we’re all still wandering in the dark—not just the United States, but the 20-plus other nation-states with cyber units in their militaries.
In one sense Russia’s hack of DNC emails is nothing new. In the 2008 elections, China hacked into the campaign files of both presidential candidates, Barack Obama and John McCain. In this election Russia, China, and who knows who else have probably hacked into Donald Trump’s networks, too. The intrusions themselves are acts of espionage—a game that all nations, very much including our own, have played for centuries. In 2015, when China hacked into the Office of Personnel Management’s network and stole millions of employees’ records, Lt. Gen. James Clapper, the director of national intelligence, declined to call the deed a cyberattack. No, he said, this was an act of espionage, of the sort that we too carry out when we can.
Spies have long been tolerated. Even during the darkest days of the Cold War, the Russians and the Americans abided by an informal agreement not to kill each other’s spies. But when spies—say, diplomats working undercover—get caught in the act, the host government declares them persona non grata and expels them.
The question, which no one has answered and few have given much thought, is how to expel a cyberspy—not a person on the ground but a malicious code in a network. What constitutes a proportionate response (“retaliation in kind,” in the lingo of nuclear strategy), and how do you pull it off without prompting an endless spiral of escalation?
Of course, there’s another, more alarming aspect of the DNC hack. The stolen emails were cycled back to the American public, via WikiLeaks, in a way that seemed designed to harm the prospects of the Democratic presidential candidate. (Julian Assange, the head of WikiLeaks, publicly said that he released the files in order to reduce her chances of winning.) Did Assange get the files from the Russians, and if so, did the Russians have that same goal? U.S. officials, who have “high confidence” that Russia did the hack, say they are less certain on these matters. It seems likely (who else would have means and motive?), but history shows it can be dangerous to act rashly on the basis of what seems only likely.
Whatever the ultimate intelligence finding, some specialists have urged the Obama administration to declare the networks of national elections—candidates’ email, party websites, and (scariest scenario of all) computerized voting machines—as part of America’s “critical infrastructure.”
This was a phrase coined in the late 1990s, when cybersecurity first became a big issue. It referred to telecommunications, electrical power grids, gas and oil, banking and finance, transportation, water supplies, and emergency services—all of them crucial to the workings of a modern society, all of them dependent on computer networks.
The concept made sense, but little has been done since to protect those industries from a massive cyberattack. Most of them are owned by private companies that have resisted mandatory security requirements. The others, owned by public entities, prefer to spend their scarce dollars on day-to-day operations. During Bill Clinton’s presidency, a White House aide floated the idea of devising a parallel internet for critical infrastructures and wiring their networks to a government agency, which could take protective action in the event of an attack. The proposal was leaked and denounced as “Orwellian.” (Some companies, especially in banking and finance, have taken extensive, but still not foolproof, security measures on their own.)
White House officials have said that this basic question—how to respond to a cyberattack is considered on a “case-by-case basis.” This, of course, is how most leaders have to deal with crises. It’s one reason we have leaders and want them to be smart; there’s no cookie-cutter formula that fits all the world’s eruptions.
But it would be a good idea to go into a crisis with some basic principles, strategies, tactics, and techniques already worked out—a menu of capabilities and options, some projections of how various scenarios might play out. These things exist for most anticipated crises; Cabinet secretaries and their aides can bring folders, filled with these materials, to the Situation Room. The process of devising these folders has begun in the past six years, with the creation of U.S. Cyber Command and Obama’s signing of several executive orders and presidential directives. But the process is still at a very early stage.
Figuring out how to deal with Russia’s hack of the DNC offers an opportunity, finally, to deal with these questions. It’s been almost 50 years since the problem of network-vulnerability was recognized, almost 20 years since the first foreign hack of our military networks, and almost 10 years since a secretary of defense wrote a memo asking someone to define the problem systematically. It’s time to take the next step.