Ever since the 2016 elections, U.S. government officials have gotten steadily bolder about divulging specific information about Russia’s attempted interference. Their hope, presumably, is to raise awareness about what was going on but also to deter any future such activity by naming and shaming the individuals and organizations involved. It’s an almost unprecedented effort to publicly reveal the machinations of a foreign government’s cyber operations—far more detailed and more extensive than, for instance, the indictments that have been filed against Chinese intelligence officers. But as a new report released by Microsoft this week about Russia’s latest hacking efforts makes very clear, this approach isn’t working at all.
Microsoft’s findings show Russian intelligence officers shifting their focus to encompass conservative American think tanks that have advocated for sanctions against Russia or stronger human rights protections overseas. Russian military officers apparently created phishing sites that mimicked the actual websites for groups such as the Hudson Institute and the International Republican Institute and could be used to capture credentials. What the perpetrators did with those stolen credentials remains unclear, but probably they hoped to infiltrate the internal communications and files of the people who worked for (or with) those institutions and find some way to use that information to their advantage—whether by leaking it to the public, using it for blackmail, or leveraging it to shape international negotiation strategies.
Going after think tanks is far from the scariest or most ambitious thing Russian intelligence has done in recent years. Much of the Microsoft report is pretty ho-hum, in fact. But this story is important because it demonstrates that Russian intelligence, far from being deterred by the attempts the United States has made to reveal its online operations, is instead continuing on in much the same vein as before.
That might seem like an obvious and unsurprising outcome given the U.S. government’s fairly tepid response to Russia’s involvement in the 2016 elections, but it’s actually some of the first concrete evidence we have that public naming and shaming of foreign officials is not an effective deterrence strategy when it comes to cyber-espionage.
The public naming and shaming efforts began with implicating broad groups, such as the Russian government and its intelligence arm. First, there was a very vague declassified intelligence report released in January 2017. Next came a series of congressional hearings and a much more detailed indictment filed in February 2018 detailing how Russians had tried to influence public opinion during the elections. That indictment named 13 Russian individuals and three Russian companies that allegedly purchased political advertisements on social media sites, helped organize political rallies, and promoted election-related hashtags in the months leading up to the 2016 U.S. elections. And then, in July, came an even more damning indictment describing how 12 Russian intelligence officers had hacked into Hillary Clinton’s campaign, as well as the Democratic Congressional Campaign Committee and the Democratic National Committee.
Those charges are, of course, largely symbolic—no one is likely to end up in prison or even standing trial because of them—but they seemed to represent an alternative deterrence strategy to stronger sanctions or kinetic attacks. That deterrence strategy was built on the assumption that the Russian government, or at least individuals working for it, would not want to continue their activities if they knew it would lead to a very public unmasking and criminal charges. In a world where we still don’t know very much about what does and does not work when it comes to negotiating international cyber conflicts, it was perhaps worth a try. But as this week’s news makes clear, months after those indictments were trumpeted by every major publication in the United States, Russia is pursuing its online espionage efforts more boldly and broadly than ever.
From an educational and awareness standpoint, these indictments (like the recently released Microsoft report) are still useful and informative documents that reveal a lot about how Russia’s online operations work and who is behind them. As a tool to deter similar behavior in the future, however, it’s not clear they have helped at all.
Just because naming and shaming isn’t a sufficient deterrent doesn’t mean it’s not worth doing—but it does mean we also need to explore other options for responding to this type of activity. Congressional proposals to implement stronger sanctions against Russia’s energy sector would be one possible way forward. Another might be responding in kind with cyber-espionage or sabotage efforts directed at Russian targets that might lessen Putin’s enthusiasm for making everyday use of these tactics. That might mean releasing embarrassing information about the Russian government, but it could also involve going after their computer infrastructure—targeting their servers and networks in ways that might have a more lasting impact than just taking down their (easily replaceable) phishing websites one by one. In fairness, it’s not clear how effective these tactics would be either, long term. There’s still a lot we don’t know about the best ways to respond to Russia’s online activity and it’s right to be cautious moving forward and to assess the outcomes carefully—but it’s very clear that what we’re doing now is not working, and it’s time to try something new.