The Russian DNC Hack: An Opportunity for Cyber Deterrence
Recently, the United States launched retaliatory strikes against Houthi rebels in Yemen in response to multiple cruise missile attacks aimed at U.S. warships. The American reaction to these attacks was in every way just, rational, measured, and appropriate in accordance with international norms. That said, the United States recently experienced another, arguably more egregious, attack from Russia in the form of cyber meddling in the 2016 presidential election. Though the outrage is quite clear, the outcries for retaliation are more muffled than perhaps they would be in the face of a conventional attack. A response is desired, but what it should be is uncertain.
James Stavridis’ recent article in Foreign Policy advocates for a U.S. reply to this transgression, outlines initial steps, and suggests several possible actions. The Admiral’s stance that a U.S. response is required is quite correct, but there is potentially something bigger in play: the United States finally has a chance to respond. Unlike North Korea’s cyber assault on Sony or even Russia’s menacing attacks on Estonia and Georgia, this case presents a relatively clear-cut example of state-sponsored cyber aggression directed at the United States government. More importantly, Russia targeted the very bedrock of the American experiment: a fundamental democratic process that defines the Republic.
America has been handed a golden opportunity, fortunately in the form of a relatively ineffective strike, to set a precedent in the hazy realm of cyberspace while bolstering its cyber deterrence posture and messaging. Offensive and defensive weapons exist in cyberspace just as they do in conventional warfare. Yet, it is highly feasible that deterrence is even more important in the cyber world. The conventional attacks in Yemen are akin to a standard traffic accident: relatively easy to recognize, clean up, assign blame, and punish or sanction accordingly, all with little or no impact to those not involved. Cyberattacks, on the other hand, are the highway chemical spills of modern warfare. Who is responsible? How can they be held accountable and by what means? Who cleans up? How far will the collateral damage spider-web out into society? These questions are much murkier in cyberspace; therefore, an ounce of prevention is probably worth more than a pound of cure. For these reasons, the U.S. should seize the opportunity to retaliate against Russia in cyberspace, not just for reprisal’s sake, but in order to establish a precedent of cyber deterrence, taking into account that deterrence requires a credible and capable threat aimed at something the target values.
Deterrence in Cyberspace
This concept of deterrence sounds relatively easy to grasp, but there are many factors that go into making a deterrence strategy work. Simply wanting to deter an enemy is not enough; one must understand the essence of deterrence and how to employ it. To be effective, deterrence requires credible and capable measures that put something of value at tangible risk. With a little help from Clausewitz, Elbridge Colby defines deterrence as “a theory of defense that uses the threat of force to deter or prevent another party from doing something.” This “threat of force” is the essence of deterrence, but this threat must also be convincing, powerful, and aimed at something the enemy holds dear.[1] When an enemy does not believe that an ultimatum is backed up by impending action, deterrence loses its potency. Credibility is a must. However, the plausibility of military action is not enough; the threat needs some teeth. A sincere threat backed by weak forces deters no one. The threat must also be capable. Finally, a credible and capable threat aimed at superfluous or non-essential assets will also fail to deter. The enemy always values something. That something must be identified and put in peril in order for deterrence to succeed.
All that said, the nebulous nature of cyberspace makes the above formula even more difficult to implement. “Attacks,” “probes,” and “infiltrations” are not always easily detectable, distinguishable, or attributable in the cyber world. How does one respond even if they are? How much collateral damage is the U.S. willing to accept in cyberspace (i.e., are U.S. threats credible)? Even the word “enemy,” as used above, may not suffice. “Target” may provide a better construct. Additionally, with respect to deterrence, there is an alternative to the threat of punishment: improve defenses so the adversary is unable to attack at all. The general consensus is that offense has an overwhelming advantage over defense in cyberspace.[2] Therefore, bolstering deterrence through punishment or retaliation is prudent and likely more effective than simply hardening cyber defenses. Finally, does the U.S. response necessarily need to be in cyberspace? Defensive cyber capabilities, let alone offensive ones, quickly rise to the highest classification levels. Is America willing to let the cat out of the bag with respect to what it brings to the table militarily in cyberspace? Other instruments of power, specifically economic and information, may be better suited than a reciprocal cyberattack. However, a tempered cyber response in the Russian case will likely reap the most benefits with respect to future cyber deterrence while giving the U.S. a chance to showcase its cyber capabilities to further discourage potential adversaries. The results and message should be clear. With these factors in mind, a deterrent strategy and, in particular, a response to the Russian transgression can be formulated that is more appropriate in the cyber regime.
Credibility in Cyberspace Deterrence
Credibility is the most important aspect of any deterrence strategy. No one cares where or how hard they will be hit unless they have reason to believe that a greater danger in reserve is forthcoming. The Russian case provides a perfect opportunity for the U.S. to retaliate while demonstrating its tenacity. Missing the chance to set a clear precedent could prove very costly in the future. When facing a reliable retaliatory strike capability, the target of deterrence must decide if a first strike is worth the consequences.[3] While there is a fine line between being too threatening and not threatening enough, there can be no doubt the U.S. will retaliate if attacked. The U.S. must act in order to bolster its credibility in the future. Additionally, whatever action is taken must be clearly communicated and packaged to send the proper message. The situation does not call for clandestine operations, instead the U.S. must tie action to proportional reaction with consequences for potential adversaries. Unfortunately, due to the sensitive nature of retaliation in cyberspace, any U.S. response will be disconnected in time with the Russian interference. The U.S. message cannot be similarly disconnected. A properly executed, clearly defined and communicated retaliation will send a strong signal to any and all nefarious actors and make them think twice before assailing the U.S. government in the cyber arena.
Capability in Cyberspace Deterrence
Capability is probably the easiest leg of the cyber deterrence triad for the U.S. to manage. Demonstrating U.S. willingness to strike back and selecting a viable target while ensuring the desired effects and minimizing collateral damage are tricky propositions, but the world community has little doubt that the U.S. has vast capabilities in cyberspace. The difficult part will be selecting the proper capability to employ, especially as they are often viewed analogously to “one-shot rifles.” These cyber weapons represent some of the most closely guarded secrets in the U.S. inventory and, though they are definitely capable, there may be utility in not putting all the cards on the table and leaving to chance the question of escalation.[4] Protecting U.S. offensive, defensive, and detection competencies in cyberspace must be balanced with a strong enough punch to get the target’s attention and clearly message to other potential foes. Selection in the Russian case is particularly sensitive, given the rising tension between the two powers coupled with Russian cyber assets and Vladimir Putin’s willingness to use them. Brinksmanship is not an arena in which the U.S. wants to fight, but a strong enough blow is still required. Much like a surgeon carefully selects surgical instruments, U.S. cyber experts must make a well-thought-out choice on what cyber tool(s) to employ in this most important test case with Russia. Finally, one has to consider the intuition that many cyber capabilities are custom-developed to fit both the specific opportunity for a weapon to work against a specific object, making cyber capabilities often a one-shot rifle.
Object and Objective in Cyberspace Deterrence
Finally, the U.S. must select an appropriate target to compromise. While navigating the challenge of establishing U.S. resolve and selecting the proper cyber tools are not easy tasks, at least those decisions are internal. For target selection to be sound, a little help is needed from the mark. First, the U.S. must identify and understand what, in this case, Russia values. Second, the U.S. needs a sound comprehension of how targeting a particular node in cyberspace will affect the rest of the system and how Russia will respond. Third, the U.S. must apply the principles of Just War Theory, ensuring the response is in line with standard rules of self-defense and that it is both discriminant and proportional. The response must be limited in nature, understood to be related in some way to the original act of aggression, and avoid unnecessary collateral damage. To avoid such collateral damage a tailored and precise strike is especially important in cyberspace. The destruction of the coastal radar sites in Yemen serves as a prime example of meeting these criteria, albeit a discrete and conventional one. At the same time, it is important to strike back based on Russia’s intent, not necessarily the results they achieved, which in the grand scheme of things appear to be minimal. Given cyber capabilities might have a more diffuse result, unlike a single Tomahawk destroying a single Yemeni coastal radar site, a different calculus for consequences is appropriate. This suggests careful consideration of Russia’s intent and application of Professor Antonia Chayes’ standard of “reasonable expected consequences” to guide appropriate proportional responses.[5] Stavridis’ suggestions of exposing, undermining, and/or embarrassing the Russian government seem appropriate. It is up to the current or future administration to decide how hard it wants to push.
Conclusion
Bernard Brodie points out that Clausewitz remains as applicable today in the era of nuclear weapons as he was when he first put pen to paper.[6] Deterrence strategy, too, is essentially timeless, which inherently means it is applicable even to cyber warfare. While a legitimate threat of force lies at the heart of deterrence, different modes of warfare may be necessary to accomplish the true purpose of strategy as Clausewitz saw it: the accomplishment political goals. The U.S. political goal in this case is to prevent attacks and other wicked acts perpetrated against America in the cyber realm.
Deterrence strategy...is essentially timeless, which inherently means it is applicable even to cyber warfare.
Though the U.S. definitely has heavy hands in the cyber boxing arena, a better strategy is to avoid punches altogether, rather than slugging it out in the middle of the ring. By seizing this opportunity to set a precedent, countries like Russia, Iran, North Korea and China will take notice and think long and hard in the future about initiating unprovoked cyberattacks against the United States. With this unambiguous standard set, not only will the U.S. better avoid getting punched, it will undoubtedly have fewer punches to dodge.
Gregg Sanders is a U.S. Navy officer, the former Commanding Officer of VFA-147, and a Navy Federal Executive Fellow at The Fletcher School of Law & Diplomacy, Tufts University. The views expressed here are his own and do not reflect the official position of the Department of the Navy, Department of Defense, U.S. Government, or Tufts University.
Have a response or an idea for your own article? Follow the logo below, and you too can contribute to The Bridge:
Enjoy what you just read? Please help spread the word to new readers by sharing it on social media.
Header Image: A hand silhouetted in front of a computer screen. (Pawel Kopczynski/Reuters)
Notes:
[1] Elbridge Colby, “Restoring Deterrence,” Orbis, Vol. 51, No. 3 (Summer 2007): 414-415.
[2] William A. Owens, Kenneth W. Dam, and Herbert S. Lin, Technology, Policy, Law and the Use of Cyberattack Capabilities (Washington, D.C.: The National Academic Press, 2009), 295.
[3] Bernard Brodie, Strategy in the Missile Age (Princeton, NJ: Princeton University Press, 1959), 279 and 281.
[4] Thomas Schelling, The Strategy of Conflict (Cambridge, MA: Harvard University Press, 1980), 187. See also Schelling, Arms and Influence, (New Haven, CT: Yale University Press, 1966), 121n8.
[5] Antonia Chayes, Borderless Wars (New York, NY: Cambridge University Press, 2005), 136.
[6] Bernard Brodie, “The Continuing Relevance of On War,” in On War, ed. and trans. Michael Howard and Peter Paret (Princeton, NJ: Princeton University Press, 1976), 51.