The West Must Draw Line on Ballot Hacks

December 28, 2016

While the consensus on Russian authorship of cyber-attacks on the Democratic National Committee (DNC) and on state voter registration systems has largely solidified, few commentators have focused on the nature and volume of possible responses that the United States should adopt in retaliation.

A response, cyber and otherwise, is a necessity.

The synchronization of short- and long-term actions is key to achieving the desired outcome. That outcome should include progress toward a set of rules governing how states use cyberspace operations in their relations with their peers.

The potential for miscalculation and escalation in any response is high.

Equally of concern is the likelihood of such an attack establishing a precedent for inaction, which could mislead states into mistakes that themselves could increase the chance of conflict.

First Principles — Attribution Requires a Response

First, let's enumerate Russia’s problematic behaviour. By targeting a major US political organization — the Democratic Party and the DNC — for cyber penetration, Russia undertook a not very surprising intelligence operation against a foreign political system.

Nothing novel in that. States seek to influence their competitors and to understand governments with whom they have both friendly and conflictual ties.

The problem with Russian behaviour primarily derives from the purposeful leaking of information to US and foreign news and influence outlets in a manner calculated to injure one party in a closely fought election.

Added to this is a set of leaks and relationships with cyber actors that look designed to disrupt the stability of the US presidential election, while also placing in doubt the integrity of political processes across the political system.

The discovery of actors known to be personas used by Russia’s FSB (domestic intelligence agency) and GRU (military intelligence agency) further adds to the magnitude and precedent-setting nature of Russia’s behaviour. Rather than distant and irritating behaviour, Russian actions seem carefully targeted to sabotage an election — producing broad disruption in the result and an outcome favouring a specific candidate.

Finally, the use of WikiLeaks for propagating leaks connected advocates for government transparency in cyber surveillance with a one-sided influence operation that targeted western governments and democratic political systems.  

In contrast to FBI Director James Comey’s re-opening of the Clinton emails issue, the DNC hack was a structured and prolonged assault — manipulating public opinion and media reporting. This is the context in which Russia’s provocative cyber operations threaten to create a destabilizing precedent.

Second Principles — Damage Limitation, Not Escalation Control

Countering this precedent requires a powerful focusing idea. While many focus on avoiding escalation in US-Russian relations, it would be wise for the next set of policies to emphasize minimizing the damage to democratic political system legitimacy and process norms caused by failing to respond appropriately to Russian activity.

At present, US and Western political systems are under active cyber assault by Russian proxies.

Not only is this an unacceptable situation, but it is also one that threatens to worsen relations in Europe and between the US and Russia by failing to correct and clarify governments’ perceptions on acceptable cyber behaviour.

Clarifying state preferences in this area will diminish misperceptions on tolerable assaults on democratic systems, and enhance the integrity and transparency of political processes and discourse.  

For us, this requires that the Russians stop executing cyber campaigns of the kind they have just demonstrated.

It doesn’t require they abandon espionage, or cease any other behaviours that they deem their sovereign prerogative. Nor does it require that we stop calling them out, or that we refrain from defending ourselves.

Damage limitation requires that we choose cyber defence of democratic political system integrity as an operating goal. We have yet to make this choice an overt part of the cyber norms that we pursue in both bilateral and UN Group of Governmental Experts (GGE) contexts. It should become the guiding point for Western democratic countries’ collective action.

Short Term Counters

But what sort of prompt countermeasures should be launched to counter Russian actions?

The spectrum of actions available to the US and Western countries includes both traditional diplomatic tools and cyberspace operations designed to blunt the effectiveness of the attacking Russian proxies.

These potential actions include:

  • Sanctions against Russian principals deemed to be orchestrating cyber-attacks on the US;
  • Expulsion of Russian diplomats and intelligence personnel operating in the US, up to and including their Ambassador;
  • Targeting and possibly banning of the US operations of RT — a broadcast outlet used by Russia to disseminate propaganda against US and other Western governments;
  • Approaching ISPs to disrupt the C2 infrastructure of known Russian cyber operators related to the DNC hackers and/or Guccifer 2 persona;
  • Taking action against WikiLeaks’ continuing dissemination of sensitive information from Western governments;
  • If supportable, investigation and possible indictment of foreign or US persons involved in cyber-attacks on the DNC, state election databases, and other targets.

It is important to note that the foundation for these efforts, however, cannot be an unconstrained race to the bottom. Some redlines, even somewhat arbitrary ones, are necessary.

Longer-Term Process Points

US policy on the cyber-behavior of peer competitors needs to be grounded in an appreciation of the impact that even small increments in cyber activity may have on the integrity of key political processes in democratic government.

This means that damage limitation — or risk minimization — needs to ascend the priority agenda over concerns with a continued deterioration in relations with Russia or any other country.

Rather than defensive actions designed to gain generalized agreement to cyber norms, our goal should be proactive engagement in a process that targets the negative growth of state practices which threaten the closure of the cyber environment in response to heightened concerns with the weaponization of online speech.

Consensus norm development among like-minded states offers the best starting point to a more rule-governed framework for cyberspace that safeguards both open participation and democratic transparency.  

David Mussington is a Senior Fellow at the Center for International Governance Innovation and is also the Director, Center for Public Policy and Private Enterprise, University of Maryland. He is an expert on issues centered around cybersecurity, cyber-defense and cybercrime.

This article first appeared in The Hill.


About the Author

David Mussington is professor of the practice and director, Center for Public Policy and Private Enterprise, University of Maryland, College Park, and a former senior fellow at CIGI.