By John Yoo &Ivana Stradner
Monday, December 21, 2020
The recent
hack into sensitive U.S. government networks compromised sensitive
information from government agencies with considerable national-security roles.
The covert operation targeted the Departments of State, Homeland Security,
Treasury, and Commerce. It was exceptionally sophisticated,
and long went undetected due to the hackers’ expertise and use of cyber tools
that had never been seen before.
In order to counter the cyberattack, we need to hold
someone responsible for it. That process is now underway, as Secretary of State
Mike Pompeo on Friday evening became the first administration official to
explicitly label Russia as the culprit, saying that it was “pretty clearly”
behind the SolarWinds operation. The next day, President Trump complicated the
matter by downplaying the severity of the attack and accusing China instead in
a series of tweets.
The attribution of cyberattacks is never an easy task,
though in this case the evidence seems to overwhelmingly weigh in favor of the
secretary. And, while the Russian government has unsurprisingly denied
involvement — claiming that such allegations are “unfounded attempts of the
U.S. media to blame Russia” — a growing chorus of lawmakers has joined in
condemning the act. Washington now faces the challenge of how to respond.
Neither international law nor multilateral institutions
have managed so far to hold Russia, China, et al. legally or politically
accountable for such aggression. The U.S. will have to take matters into its
own hands, as it did when facing nuclear weapons during the Cold War, and begin
to rely on retaliation. Indeed, it must impose consequences for irresponsible
behavior that harms the United States, in order to deter competitors from
attacking its cyber networks.
Absent any prospects of legal or political
accountability, America’s adversaries have turned to cyberwarfare with abandon.
China has allegedly stolen the designs of advanced U.S. weapons systems as well
as the government database of all federal personnel. Since 2016, U.S. elections
have been consistently
threatened by foreign states such as Russia. NBC News even reported
that U.S. intelligence had substantial evidence that Russia successfully
targeted the voter-registration systems of 21 states even prior to the 2016
election. The FBI and U.S. Cybersecurity and Infrastructure Security Agency issued
warnings
about the potential spread of disinformation by foreign actors before the 2020
election, and the U.S. intelligence community pointed
to Russia, China, and Iran as the primary aggressors.
Russia uses the cyber arena to challenge the U.S. in ways
it would never consider in other areas. It has developed advanced cyber
capabilities and a willingness to use them aggressively. For Moscow, cyber
operations fall within a broader framework of information warfare, a concept
that includes psychological, political, and propaganda operations. While the
U.S. has a fundamentally different understanding of such warfare, it can
correct it and deter Russian cyberattacks by matching the Kremlin’s moves with
corresponding measures of political competition, economic cost, and espionage.
Part of Russia’s strategy has been to prevent
international legal institutions from punishing its bad behavior. One of Moscow’s
deceptive — and effective — tactics has been to present itself as a cooperative
power in support of the international institutions that regulate cyberspace. In
2017, Trump tweeted
that he and Russian president Vladimir Putin had discussed forming “an
impenetrable Cyber Security unit so that election hacking & many other
negative things, will be guarded . . . and safe.” In 2020, the U.N. passed a
Russian-led resolution
on cybercrime, despite Moscow’s track record as one of the world’s largest
sponsors and purveyors of it. Russia has even suggested
the creation of a new U.N. cybercrime treaty.
The United States should develop an agile strategy based
on deterrence instead of turning to international law and institutions that
have been coopted. Like nuclear weapons, cyber weapons are cheap to deploy but
difficult to stop. Preempting cyberattacks is more effective when offensive
attacks are easy and defense expensive.
Evidence suggests that the Kremlin stops short when
Washington pushes back. Take, for example, the U.S.’s successful covert
cyberattacks against Russia’s Internet Research Agency during the 2018 U.S.
midterm elections. It is quite possible that similar operations prevented
Russian interference in the 2020 elections. Rather than building expensive —
but ultimately vulnerable — security systems, the U.S. should launch a series
of escalatory responses, ranging from offensive cyberattacks to economic
sanctions to covert operations. The goal is to raise the costs for Moscow until
it stops its cyberwarfare. U.S. Cyber Command should not only put Russian
hackers on notice that they will face U.S. criminal charges and economic and
travel sanctions, but also target them with U.S.-backed hacking. More
important, the U.S. should target
Putin’s wealth, and that of senior government officials and oligarchs to boot.
If the Russians break into sensitive U.S. government networks, the NSA should
respond, in turn, by stealing personnel files of Russian military and political
leaders. If Moscow seeks to disrupt U.S. elections, the CIA should drain the
overseas hidden bank accounts of Russian leaders.
International law is unclear on matters of cyberwarfare.
For its part, the U.S. is attempting to develop a customary norm of “no first
use,” just as it did with WMD in the Cold War. The most appropriate way to
accomplish this is to retaliate, and to use these actions as policy foundations
so that state practice eventually becomes international law.
With an effective deterrence strategy, the U.S. can stop
Russia’s subversion of international law and multilateral institutions and
eventually take away most of its options. If Moscow comes to believe that
offensive cyberattacks are actually illegal, it could always go to the
International Court of Justice and claim that the U.S. has illegally interfered
in Russian internal affairs. Putin claiming Russian victimhood from cyber
meddling would be a sight to see.
No comments:
Post a Comment