Time to Go on Offense against Russian Cyberattacks

By John Yoo &Ivana Stradner

Monday, December 21, 2020

 

The recent hack into sensitive U.S. government networks compromised sensitive information from government agencies with considerable national-security roles. The covert operation targeted the Departments of State, Homeland Security, Treasury, and Commerce. It was exceptionally sophisticated, and long went undetected due to the hackers’ expertise and use of cyber tools that had never been seen before.

 

In order to counter the cyberattack, we need to hold someone responsible for it. That process is now underway, as Secretary of State Mike Pompeo on Friday evening became the first administration official to explicitly label Russia as the culprit, saying that it was “pretty clearly” behind the SolarWinds operation. The next day, President Trump complicated the matter by downplaying the severity of the attack and accusing China instead in a series of tweets.

 

The attribution of cyberattacks is never an easy task, though in this case the evidence seems to overwhelmingly weigh in favor of the secretary. And, while the Russian government has unsurprisingly denied involvement — claiming that such allegations are “unfounded attempts of the U.S. media to blame Russia” — a growing chorus of lawmakers has joined in condemning the act. Washington now faces the challenge of how to respond.

 

Neither international law nor multilateral institutions have managed so far to hold Russia, China, et al. legally or politically accountable for such aggression. The U.S. will have to take matters into its own hands, as it did when facing nuclear weapons during the Cold War, and begin to rely on retaliation. Indeed, it must impose consequences for irresponsible behavior that harms the United States, in order to deter competitors from attacking its cyber networks.

 

Absent any prospects of legal or political accountability, America’s adversaries have turned to cyberwarfare with abandon. China has allegedly stolen the designs of advanced U.S. weapons systems as well as the government database of all federal personnel. Since 2016, U.S. elections have been consistently threatened by foreign states such as Russia. NBC News even reported that U.S. intelligence had substantial evidence that Russia successfully targeted the voter-registration systems of 21 states even prior to the 2016 election. The FBI and U.S. Cybersecurity and Infrastructure Security Agency issued warnings about the potential spread of disinformation by foreign actors before the 2020 election, and the U.S. intelligence community pointed to Russia, China, and Iran as the primary aggressors.

 

Russia uses the cyber arena to challenge the U.S. in ways it would never consider in other areas. It has developed advanced cyber capabilities and a willingness to use them aggressively. For Moscow, cyber operations fall within a broader framework of information warfare, a concept that includes psychological, political, and propaganda operations. While the U.S. has a fundamentally different understanding of such warfare, it can correct it and deter Russian cyberattacks by matching the Kremlin’s moves with corresponding measures of political competition, economic cost, and espionage.

 

Part of Russia’s strategy has been to prevent international legal institutions from punishing its bad behavior. One of Moscow’s deceptive — and effective — tactics has been to present itself as a cooperative power in support of the international institutions that regulate cyberspace. In 2017, Trump tweeted that he and Russian president Vladimir Putin had discussed forming “an impenetrable Cyber Security unit so that election hacking & many other negative things, will be guarded . . . and safe.” In 2020, the U.N. passed a Russian-led resolution on cybercrime, despite Moscow’s track record as one of the world’s largest sponsors and purveyors of it. Russia has even suggested the creation of a new U.N. cybercrime treaty.

 

The United States should develop an agile strategy based on deterrence instead of turning to international law and institutions that have been coopted. Like nuclear weapons, cyber weapons are cheap to deploy but difficult to stop. Preempting cyberattacks is more effective when offensive attacks are easy and defense expensive.

 

Evidence suggests that the Kremlin stops short when Washington pushes back. Take, for example, the U.S.’s successful covert cyberattacks against Russia’s Internet Research Agency during the 2018 U.S. midterm elections. It is quite possible that similar operations prevented Russian interference in the 2020 elections. Rather than building expensive — but ultimately vulnerable — security systems, the U.S. should launch a series of escalatory responses, ranging from offensive cyberattacks to economic sanctions to covert operations. The goal is to raise the costs for Moscow until it stops its cyberwarfare. U.S. Cyber Command should not only put Russian hackers on notice that they will face U.S. criminal charges and economic and travel sanctions, but also target them with U.S.-backed hacking. More important, the U.S. should target Putin’s wealth, and that of senior government officials and oligarchs to boot. If the Russians break into sensitive U.S. government networks, the NSA should respond, in turn, by stealing personnel files of Russian military and political leaders. If Moscow seeks to disrupt U.S. elections, the CIA should drain the overseas hidden bank accounts of Russian leaders.

 

International law is unclear on matters of cyberwarfare. For its part, the U.S. is attempting to develop a customary norm of “no first use,” just as it did with WMD in the Cold War. The most appropriate way to accomplish this is to retaliate, and to use these actions as policy foundations so that state practice eventually becomes international law.

 

With an effective deterrence strategy, the U.S. can stop Russia’s subversion of international law and multilateral institutions and eventually take away most of its options. If Moscow comes to believe that offensive cyberattacks are actually illegal, it could always go to the International Court of Justice and claim that the U.S. has illegally interfered in Russian internal affairs. Putin claiming Russian victimhood from cyber meddling would be a sight to see.