The headquarters of the Democratic National Committee is seen in Washington, D.C., June 14, 2016

commentary

(FedScoop)

September 29, 2016

The DNC Hack: Are New Norms Needed?

The headquarters of the Democratic National Committee is seen in Washington, D.C., June 14, 2016

Photo by Gary Cameron/Reuters

by Martin C. Libicki

In the wake of the Russian transfer of files from the Democratic National Committee to WikiLeaks, many voices across the political spectrum have urged a U.S. response to discourage further hacks from Russia. Otherwise, Russians might be tempted to manipulate electronic voting systems, throwing the integrity U.S. elections into doubt.

A response could be a very powerful message. But how would it be read?

Perhaps others would hear: you have angered us, and in our anger we have retaliated. The lesson is not to anger us and we leave it up to you to understand what might do so. Whether or not the United States has a right to be angry would be beside the point. Our anger would be the point.

Or others could hear: Your actions have clearly violated what all responsible countries would consider acceptable state behavior. Here's the line. Your action fell on the far side of the line (while none of our actions do). So, the punishment you have received reflects not our anger but your transgression. We punish in order to foster a respect for international norms of responsible state behavior.

Both arguments are functional, but the second is far more consistent with how the United States sees its role in the world — and it sets a better precedent as a unipolar moment fades and a multipolar world emerges. To wit, the world is a better place if everyone plays by the rules. The key to global peace and stability is to develop, maintain — and enforce — such rules. U.S. power is necessary as a backstop to ensure rules are followed, but the United States (in theory) neither exempts itself from the application of such rules nor blatantly rigs these rules to favor narrow U.S. interests.

So, what rule would Russia have violated to deserve punishment? That is unclear. Espionage, itself, is not forbidden; it's what countries do. Even if individual spies are prosecuted if caught, spying is considered an acceptable activity for states. Cyberespionage is regarded likewise: understandable for states and not forbidden to those who work for states (as long as they do not leave their own country).

Or, was it influencing elections that deserved punishment? If influencing election is crossing a line, it is one that the United States has often done openly. President Obama spoke against Brexit, for instance. Furthermore, any rule framed in terms of elections may be deemed unfair by countries whose political processes do not include them (China lacks elections; Russia does have elections, albeit not necessarily free and fair).

Thus, to make the norm relevant to all countries would require stating it in terms of, say, political decision-making. Such a norm would enjoin one country's tampering with another country's political processes in general. Would the United States be comfortable agreeing to that? Perhaps not; there are many countries whose political processes produce outcomes that are awful from the U.S. perspective.

Hence, if one would write a norm that would hold the Russian DNC hack to be unacceptable, it cannot rest on a general prohibition against cyber-espionage or political interference. It would have to combine both prohibitions at once. Many countries would tend to agree to such rules. It may even win concurrence from China, which has an active cyber-espionage capability, but is recognizing limits on what it can do with what it takes (in September, China agreed not to use the results of cyber-espionage to boost the competitiveness of its industrial firms).

Russia — whose recent behavior is what spurs such consideration — will be the major hurdle (unless its leadership signs up in the blithe belief that it can still do what it wants as long as it can pretend otherwise). And while their concurrence is not necessary for such a norm to be recognized by others, it makes it a lot easier to hold them to account.

So, how does the United States show Russia that it is serious about red-lining such behavior? It could increase sanctions on Russia for the DNC hack by way of demonstration, but sanctions have their limits. The more they are used to express displeasure for one act, the less they can be used for another.

Or, the United States can leverage the fact that Russia has more to fear from others using cyber-espionage for political interference than it has to gain by doing it to others. Russia, after all, is a country in which corruption is rife and censorship increasingly relied upon to block reporting of corruption. Cyberespionage can reveal the former, and other cyber tricks can be used to pierce the censorship. Once challenged, the Russian leadership's legitimacy is at risk.

So if the United States would promulgate such a norm, its line could be quite simple: if you want your rules to prevail, understand what your world would look like if we followed them.

But that all assumes that the United States has gone to the trouble of stating which rules it wants to see.


Martin Libicki, author of Cybersecurity in Peace and War (Naval Institute Press, available Oct. 15) is the Maryellen and Richard Keyser Distinguished Visiting Professor in Cyber Security Studies at the U.S. Naval Academy and adjunct senior management scientist at the RAND Corporation.

This commentary originally appeared on FedScoop on September 12, 2016. Commentary gives RAND researchers a platform to convey insights based on their professional expertise and often on their peer-reviewed research and analysis.