How could Russia do this?: Deterrence and Cyberwar

Even if there was no collusion between the Trump presidential campaign and the Russian government, it has become clear that Russia as a nation-state was explicitly involved in sabotaging the Clinton campaign. At a recent event by New America, a leading think tank on these issues, Nate Fick, the CEO of Endpoint, explained one of the reasons why the problem of cyber attacks, and thus the Russia hack, is so tricky. He said that it was because unlike most national security issues, the victims were primarily private. The Russians did not attack a military base to steal our national secrets but rather attacked individuals and organizations not under the protection of the government.

Fick’s solution was to suggest that the United States needs to become better at deterrence. I have already written a little about deterrence in a few of these posts but thought it was appropriate to focus in on this one strategy specifically.

A Brief History of Deterrence

Deterrence is a concept that came out of Cold War nuclear strategy. Once the Soviet Union got nuclear weapons, it was of vital importance that America never threatened the territorial integrity of the Soviet Union because if the regime felt as though there was an existential threat, they would use all of their firepower to defend themselves. This is why North Korea wants nuclear weapons, why the India/Pakistan rivalry is so dangerous, and why trying to prevent Iran from getting the bomb is so vital. Because once you have the bomb, you basically become untouchable. Missile defense is really the only protection and that doesn’t even work.

So how do you prevent two antagonistic superpowers from starting the hot war to end all wars? By promising that small attacks would be countered by extreme payback. For example, if the Soviets start pushing into West Germany, we would carpet bomb East Germany and start pushing our tanks into Poland. By rapidly escalating responses to aggression, the US is basically attempting to scare the Soviets away from any action because of the threat of nuclear weapons.

This worked for a time. There were no outright hostilities between the two superpowers and the world remained in one piece. However, this idea caused a number of proxy wars (Korea, Vietnam, etc.) where the superpowers fought over influence but had no real skin in the game themselves.

After the Cold War ended, America was faced with a variety of enemies that began to upend the strategy of deterrence. One such enemy is terrorism. It is illogical to deter a suicide bomber with acts of increased violence and it makes even less sense to exact violence on the citizens of the country from which the terrorist comes. Russia has begun to push onto the doorstep of Europe by annexing Crimea, threatening the Baltic states, and weakening Georgia. Deterrence only works when the threat is carried out. When the West allowed Ukraine to be attacked, not only did it fail to live up to its duties in the Budapest Memorandum on Security Assurances but its deterrent capabilities lost credibility.

Why Deterrence is so Hard in Cyberspace

If Russia is not deterred from annexing part of a neighbor's sovereign territory, it is definitely not scared of a cyber attack on a non-state actor. Although I have laid out the case against deterrence before, it is well worth laying out again here for clarity.

Deterrence is difficult in cyberspace because identities are hard to pin down. Although we are getting better at this, there are still ways of spoofing. Spoofing is when a hacker makes it look as though she is a different person/entity. For example, a German hacker writing code in Russian and operating in a cybercafe in Tehran may be able to successfully mask their true identity. Additionally, even if a hacker or group is caught red-handed, the nation to which these hackers belong can sometimes claim that they had no involvement. These groups are often called patriotic hackers. Patriotic hackers are people or groups who loosely affiliate with the aims of their nation state but are distant enough for the nation state to avoid responsibility. Identity becomes particularly difficult when there is no attack over the internet at all and rather a jump drive or similar storage device is plugged in without proper security inspection (which was apparently the case in the Stuxnet attack).

So deterrence is difficult because it is hard to figure out who to make the threat against; it is also difficult to know what to threaten. When America has been attacked in the past, there have been three types of responses, typified by the North Korean, Russian, and Chinese examples.

When North Korea attacked Sony, America came out with a strong response. It not only publicly named North Korea as the culprit, but it followed up with sanctions and unspecified countermeasures. Although America does not claim responsibility for the shutdown of the North Korean internet in the months following the attack, this could have been one of those countermeasures. Recently, the New York Times put out an article describing additional actions which have been going on for a long time against the North Korean nuclear program.

With the Russian hacks, America has been divided to say the least. Although it is commonly accepted that Russia worked to get Trump elected (whether or not they colluded is another story), the Obama response seemed to be weak. America expelled a number of Russian diplomats and closed down a few Russian diplomatic outposts. An attack on the election of a President would seem to be more important than an attack on an entertainment company. However, based on the response, it would not appear that way. There are a few possible reasons for this: maybe the Obama administration was not as sure about the Russian hacks as the Sony attack but wanted to impose sanctions for political reasons, or maybe it was because provoking Russia with a larger response could cause a war. Either way, it appears as though only sanctions were doled out.

In the case of the Chinese, things get even more tricky. China is one of the largest players in this domain along with the US and Russia. America worked with China diplomatically to resolve their private sector hacking instead of imposing sanctions. In 2015 Obama and President Xi signed a treaty saying that neither country would attack each other’s private sector and the number of attacks dropped precipitously.

These three cases show the different levels of American response. The first level is publicly accusing a country of wrongdoing and threatening sanctions. The second level is actually imposing those sanctions and the final level is to hack back. None of these levels carries the threat of physical violence, which is essential to the old style of deterrence.

Where do we go from here?

Despite the two glaring issues with traditional deterrence, America must be able to deter foreign adversaries from future cyber attacks. The US cannot just build up our defenses because, as Nate Fick said in his remarks at New America, “A dollar of offense beats a dollar of defense”. Instead we have to go on offense diplomatically.

Sanctions are tricky because they typically only work on countries already linked heavily with the international system. This is why the North Korean sanctions have not worked and why the Chinese ones have. Targeting of sanctions is also difficult because the intended target, the government, often is impacted less than the innocent civilians of that country. This is why in the Russian case the US placed sanctions only on top-tier Russian government officials and business leaders when they annexed Crimea. Further complicating the matter, sanctions also tend to work best when they are imposed by multiple states at once.

To create a scheme where cyber attacks can be successfully deterred, America should work on three major areas. The first is that the US and its allies in Western Europe, along with any other countries willing to join, must come to agreement quickly on norms of cyber conflict. President Trump is not a fan of multilateral agreements or norms, but in order to make this work, America must work with our partners to develop rules which can be enforced. The second is holding states accountable for the actions of non-state actors operating within their territory. Peter Singer, a fellow at New America, has pushed this idea by referring to the way pirates were dealt with in the 17th and 18th centuries. By holding states accountable for actions done on their soil, states will be more likely to impose rules and best practices when it comes to cyber security. This is a potentially difficult area because this may also give rise to more authoritarian measures by states to limit the rights of their citizens online. The final area is the imposition of sanctions themselves. A good place to start when crafting these sanctions is the sanctions against state sponsors of terror. Sanctions would have to include future sales of high-end technology as potential dual-use (meaning civilian and military) items. Additionally, states could explore cutting off state sponsors of electronic terror from the cloud and technology services provided digitally.

Traditional deterrence does not work in cyberspace. Spoofing and the lack of a desire to turn cyber wars hot mean that America is in no position to dissuade nation states from attacking. In order to follow Nate Fick’s advice and make future attacks like that of the Russians less likely, the world must focus on creating norms, enforcing them against nation states and not just against the individual actors, and treating technology sales as dual-use and thus preventing them from being sold to state sponsors of electronic terror.