19 October 2016

Is U.S. Cyber Deterrence Strategy More Than (Russian) Roulette?

By Susan Hennessey 
October 12, 2016

Following the joint statement from DHS and ODNI accusing Russia of a recent spate of hacks aimed at influencing the US election, the obvious question is what exactly the US government plans to do about it. Over the weekend, the New York Times’ David Sanger and Nicole Perlroth offered a rundown of response options and Jack lamented that the Times report suggests that the US government still does not know how it should respond to Russian interference. He notes that, in the past, the US response to malicious cyber operations has been “dithering” at best.

Yesterday’s news that the White House plans to issue a “proportional” but possibly secret response does not actually indicate whether any decision has been reached regarding what sort of response we can expect and when. If anything, the statement indicates a continuation of the same policies. The Administration usednearly identical language when vowing to respond to North Korea’s attack on Sony (where the ultimate visible response was sanctions) and similar terms in pledging to retaliate against the Chinese for the OPM breach (where there was ultimately no visible US response, though China did arrest individuals it claimed were responsible).

It’s easy to be skeptical. Adversary nations continue to engage in significant malicious cyber activity against the United States. The only visible response from the US is a Name and Shame strategy of sanctions and indictments, which is applied sporadically and with mixed results. Name and Shame is purportedly augmented by “proportional” retaliatory cyber operations, but the secrecy and vagueness surrounding those prevent any meaningful assessment, raise questions as to whether adversaries even receive the intended message, and cannot deter outside groups who might be watching.

The unpleasant truth is that each of these episodes raises the spectre that the US still does not know when or how it will respond. Since the fundamental questions of deterrence policy appear to be unanswered, one wonders whether the US has any meaningful strategy at all. Or rather, if we have any strategy beyond playing it by ear.

Still, it isn’t entirely fair to characterize US cyber deterrence strategy, whatever it might be, as a failure.

Notwithstanding valid critiques, thus far US policy has (at least, apparently) been successful at some forms of deterrence. The United States has never been the victim of a cyber attack that genuinely threatened lives. And while the broad statutory definitions of “critical infrastructure” now threaten to encompass almost everything, there has never been a destructive attack against core US infrastructure. Given the fact that a number of US adversaries unquestionably possess the capacity to engage in such an attack, deterrence-by-denial (also known as strong cybersecurity) cannot explain the total lack of serious attacks because we know there is activity that we can’t prevent. With respect to highly capable adversaries, the absence of these kind of attacks can only be fully explained by fear of the United States’ capacity and willingness to respond. So, at least for now, we’re successfully deterring some of the most serious activity.

The present conflict again highlights the initial question where to draw the line: when is an attack serious enough to merit a response? There is a great deal of activity that occurs in this realm on a daily basis that does not even warrant the investment of time and resources to figure out who is responsible. The fundamental issue is determining where a given action, or course of conduct, fits on the scale. The timing of the official attribution in this case-more than four months after initial reports of Russian involvement-and the Administration’s own stated policy may offer some hints as to where on that spectrum it places the DNC hacks and electoral system intrusions.

In response to vocal calls from Congress, most notably from Senator John McCain, the Administration quietly released its policy on cyber deterrence late last year. In a section entitled “What the United States Will Seek to Deter,” the policy states that the White House “is most concerned about threats that could cause wide-scale disruption, destruction, loss of life, and significant economic consequences for the United States and its interests.” This category includes but is not limited to:

Cyber attacks or other malicious cyber activity intended to cause casualties. 

Cyber attacks or other malicious cyber activity intended to cause significant disruption to the normal functioning of U.S. society or government, including attacks against critical infrastructure that could damage systems used to provide key services to the public or the government. 

Cyber attacks or other malicious cyber activity that threatens the command and control of U.S. military forces, the freedom of maneuver of U.S. military forces, or the infrastructure on which the U.S. military relies to defend U.S. interests and commitments. 

Malicious cyber activity that undermines national economic security through cyber-enabled economic espionage or sabotage. Such activity undermines the fairness and transparency of global commerce as U.S. competitors steal developing technologies, win contracts unfairly, or steal information to manipulate markets and benefit their companies directly. 

Broadly speaking, attempts to interfere with the election qualify as “cyber activity intended to cause significant disruption to the normal functioning of U.S. society or government.” As early as July, intelligence officials had “high confidence” that the Russian government was involved in intrusions into the DNC and other political organizations, which resulted in the leaks of large quantities of internal emails. But the administration elected not to publicly respond or confirm attribution at that time, despite calls from commentators and Congress to provide more specific information.

At the end of August, however, reports emerged that a number of states had detected intrusions into election-related systems-first two and then over a dozen. These revelations have generated significant public anxiety over the security of election systems and, when paired with dangerous campaign rhetoric regarding “rigged” outcomes, have stoked genuine concern that people might not trust the integrity of election outcomes. Election-related systems certainly qualify as part of “key services” to the public and the ability to call an election quickly and decisively is incredibly important to functional democratic transitions.

This new information appears to be the impetus for the Administration’s public statement this week. After all, for at least several months the White House has known, with high confidence, that the Russian Government was behind the DNC hack and leaks. The decision to not publicly respond was not based on a need for additional certainty, and there is no indication additional evidence has emerged. The apparent explanation for the change in position is intrusions into state election systems. That activity, either separately or combined with the prior intrusions, crossed the threshold for a response.

With that in mind, the DHS and ODNI joint statement can be read in two distinct ways; it is both a message to Russia and a distinct reassurance to the American people. For Russia, the US government statement is a clear warning. The US government says it knows the Russian Government “directed” the computer intrusions of US political organizations and is not afraid to say so on the record. This limits Russia’s plausible deniability, and adds the U.S. case to the body of international evidence regarding Russian interference around the world, including intrusions into the German parliament and others. And the US government goes further, specifically indicating the leaks are consistent with Russian “methods and motivations” which are to “interfere with the US election process.” The US is typically hesitant to speculate regarding motivations, which can be difficult to discern and are often mixed. Doing so here offers a subtle warning: we know why you’re doing it (Hint: we can hear you, even where you think we can’t.) And naming “senior-most officials” as the responsible actors lays the groundwork to impose sanctions, pursuant to the recent Executive Order for sanctions against “persons engaging in significant malicious cyber-enabled activities.”

Here, the message to the American people is the more important one. By offering a candid assessment of what it knows and does not know, the US government seeks to reassure citizens of the integrity of our elections. The statement carefully notes that “scanning and probing” of election-related systems has been observed, which is less concerning than active manipulations. The government knows the intrusions “originated from servers operated by a Russian company” but expressly declines to attribute the activity to the Russian Government itself. This candor does tip the intelligence community’s hand-by confirming where it lacks specific intelligence-but it also bolsters the credibility of the accusations the US does levy against the Russian government.

And importantly, the statement reassures the public that there is no reason to fear that actual ballot counts could be altered. The government is going beyond a simple “trust us, everything is fine” and offers the specific case regarding what it knows. A sense of candor is critical to reinforcing public trust. And the specific information offered regarding the activity in question-probing and scanning-provides a reference point for experts seeking to publicly explain practical risks and tamps down on speculations regarding worst case scenarios, which feed public anxiety.

Public attribution is itself a significant government response and elucidates some of the administration’s sensibilities regarding line-drawing. But it also raises a difficult question about how we should think about what we are responding to. It appears that the trigger for the Obama administration was the targeting of election infrastructure and the threat to actual or perceived electoral integrity. But it is unclear that the type of election system intrusion thus far at issue-probing and scanning but not disrupting-would have been enough to warrant a response by itself. By linking the two activities together and to an overarching motivation-to interfere with the electoral process-the Administration is signaling that its response is to a course of conduct, not a single event.

Taking a broad view is sensible where Russia undertakes hybrid actions-intrusion into computer systems (malicious cyber activity) combined with the strategic release of documents (information warfare)-as well as larger efforts to undertake many distinct activities to achieve an overall goal-to sow distrust in the US electoral system. But the broad view here-where individual “below established threshold activities” combine to cross the threshold-also requires knowing what to group together.

We simultaneously engage Russia in cyberspace in a great many contexts, just as we do in diplomacy. And not everything is related. As Jack noted in a recent panel at Yale Law School, when we step back, it’s hard to know where the DNC and related leaks fall in the deterrence cycle. Are the leaks Russian retaliation for US action, such as imposing sanctions for Crimea? Or are the leaks intended by Russia to be a deterrent response to US cyber espionage? Or is this, as the White House statement would indicate, just a general attempt by Russia to see if it can sway the US election in its favor? Intelligence collection can answer some of those questions. But persistent uncertainty is a feature of cyber conflicts that is unlikely to ever resolve entirely.

In short, our current posture seems to be effectively preventing very serious activity, at least for now. Below that threshold, however, domestic pressures-like the anxiety over election results-figure into the calculations as to whether the US government responds. The result is that those responses are reactive and unpredictable, which undercuts the deterrent effect.

US deterrence policy currently has the feeling of roulette. Maybe the house still wins overall, but it is clear that actors like Russia are happy to keep spinning the wheel while they’re ahead.

No comments: