It seems that President Obama will retaliate against Russia for hacking into American voter rolls and the Democratic Party’s emails. The question is how he’s going to retaliate. The answer isn’t at all clear. Cyberespionage and cyberconflict have been going on for decades, but the most basic issues of cyberstrategy—how to align goals, means, and national interests— remain unaddressed.
In a statement last Friday, the director of national intelligence, Gen. James Clapper, and the secretary of Homeland Security, Jeh Johnson, said that “only Russia’s senior-most officials could have authorized these activities” and that their intent was “to interfere with the U.S. election process.”
This was a big deal. Not long before then, U.S. officials had told lawmakers that the hack was Russian without specifying whether it came from the Kremlin, rogue underlings, or criminals; nor did they speak definitively about motives. If the hacker’s identity was unclear and if the hacking might simply be espionage (something we do a lot as well), there would be no basis for retaliation. But the Clapper-Johnson statement—which had to have been approved (if not directed) by the White House—signaled there is no ambiguity: U.S. intelligence agencies have determined with “high confidence” that Vladimir Putin or someone close to him did the deed—and not just to gather intelligence,but to undermine our electoral system. Therefore, action is warranted, and I am told that Obama and his national-security team are weighing specific options.
They (and, therefore, we) are wandering in all-but-untrod territory. When a nation is attacked with more conventional weapons, its leaders either declare war or devise some proportional response—“retaliation in kind,” as it’s called. The Russian hack is hardly a cause for all-out war, but what would a proportional response be? Hacking Russian voter rolls? For what purpose? Leaking some of Putin’s emails? Possibly, depending on what they say, but an American president might not want Putin to know that the National Security Agency is hacking his email (if, in fact, it is), and therefore retaliation of that sort might do more harm to U.S. intelligence than to Putin.
The few times Obama or his aides have publicly discussed these issues, they have said that the United States reserves the right to answer a cyberattack with noncyber means. For instance, after North Korea hacked Sony Pictures, Obama retaliated by imposing new economic sanctions on Kim Jong-un’s regime. Did that have an effect? It’s unclear. North Korea hasn’t hacked into American targets since, not that we know of anyway. Then again, Kim might believe that we retaliated with cyber measures, too. A few days after Obama announced that he would respond to the Sony hack in a time and manner of our choosing, North Korea’s internet was shut down for 10 hours. This wasn’t hard to do: There are only about 1,000 internet protocals in the whole country, all of them hooked up to a single server in China; and such an attack could be seen as a “proportional” response.
In fact, the United States was not behind this shutdown. However, if Kim and his aides thought otherwise, and if North Korea had a more robust cyberoffensive arsenal, they might have ratcheted up the conflict, hacking yet another American target. Then what would have happened?
In dealing with Russian cyberattacks, it’s worth noting that Moscow does have robust cyberoffensive capabilities—not as robust or agile as America’s, but that’s less relevant than it might seem. Because the United States is so dependent on computer networks, it’s not a good idea to spur a game of escalation with a nation that’s skilled at exploiting those networks’ vulnerabilities. And Russia is quite skilled at that.
When a nation’s leaders respond to an attack (any sort of attack), they might have one of several goals in mind: to obliterate the aggressor (in extreme cases); to mete out simple punishment (an eye for an eye); or to strike back in a way that inflicts damage and sends a message—“If you don’t stop now, we will hit you much harder, or destroy something you value more, the next time.”
Russia’s hacking of voter-registration rolls and politicians’ emails doesn’t warrant obliteration; and it’s unclear what kind of cyber counterpunch would compel the Russians to back down. If the cyberconflict escalated, it would play into their strengths and our weaknesses. Again, our cyberoffensive powers are superior to theirs, as President Obama recently boasted; but our society is more vulnerable to even inferior cyberoffensives. We have bigger and better rocks to throw at other houses, but our house is made of glass that shatters more easily.
In other words, responding to a Russian cyberattack with a cyberattack of our own doesn’t seem to be a winning game. There might be a place for cyberskirmishing in whatever we do—intensifying and redirecting the cyberespionage that we too have long been conducting. But political and economic pressures—measures that play into our strengths and their weaknesses—are likely to have more impact.
Then again, there’s another way of reading the Clapper-Johnson statement. Richard Clarke, former White House counterterrorism chief and now a cybersecurity consultant, speculates that it might be an attempt to deter the Russians from interfering with our election any further. “Maybe Obama has decided not to do anything until after the election,” Clarke said in a phone conversation. Maybe, instead, he’s waiting to see whether the Russians actually try to alter the election’s results, for instance by removing Democrats’ names from the registration rolls they’ve hacked or by altering the transmission of vote counts. Meanwhile, Obama is telling the Russians that he knows what they’re doing, who’s doing it, and why. The Clapper-Johnson statement said that “senior-most Russian officials” were interfering with “the U.S. election process.” Maybe (and Clarke emphasized that he has no inside knowledge of what’s really going on inside the White House) the message to the Russians is: We’re watching. If there are signs on Election Day that they you’re interfering with the election results, then the hammer comes down.
It’s still not clear what form that hammer might take. In any case, responding now, in some half-hearted way that the Russians could match, might just provoke them to step up their hacking—might actually impel them to do something on Election Day. It could be that Obama is taking aim but holding fire as long as they don’t follow through on what they seem to be preparing to do.
Nobody knows much about “cyberdeterrence”—what it means, what it requires. At this moment, a panel of the Pentagon’s Defense Science Board is writing a report on cyberdeterrence, the first official report on the subject, even though cyberweapons have been in existence for decades. We might be witnessing an attempt at forming a cyberdeterrence policy in the midst of an actual international confrontation. Whether it succeeds (if that, in fact, is what it is) may be determined by what happens, or doesn’t happen, on Nov. 8.