Americans became acutely aware of Russian information warfare after the 2016 presidential election, but Russia's actions are anything but new. For more than a century, Russia has relied on disinformation, propaganda and other similar measures to achieve its objectives. For the last three decades, it has exploited its growing capabilities in cyberspace to spy on, influence and punish others.
In June, Russian President Vladimir Putin practically boasted that his country's “patriots” may have led the efforts that upset the U.S. political process, and last week President Donald Trump and Putin spoke of establishing a joint cybersecurity unit — an idea the U.S. president quickly backed away from.
As Russian aggression in the cyberworld expands, the West will continue to struggle to hold Moscow accountable, in part because international law falls far short of fully defining the rules or resolving conflicts. There is much that Western nations can do to address the challenge of modern information warfare, but there is little question that Russia, by virtue of its long engagement in this arena, currently has the advantage.
Early Russian information warfare focused on traditional espionage — stealing information from adversaries. One of the first documented cases of Russian government hacking of U.S. sites to collect intelligence occurred in 1998. Putin, who took office the next year, prioritized broader information operations and institutionalized those operations within Russian policy, government organizational structure and doctrine. For instance, he approved a national security policy that explicitly described “information warfare” and the potential disruptive threat to information, telecommunications and data-storage systems.
The Russian information operations system, combined with the Russian form of centralized government control, allows it to launch cyber-operations with greater speed, agility and brazenness than most analysts believe is possible in the West. The unprecedented 2007 cyberattacks on Estonia illustrate the growing sophistication of Russia's unrelenting focus on cyber-operations. In an attempt to prevent Estonia's removal of a Soviet-era war memorial in the capital of Tallinn, Russia unleashed a digital firestorm that crippled essential computer networks across the tiny Baltic nation.
Now the United States finds itself in Russia's crosshairs and needs to develop a strategy to respond — and a universal cyberwarfare lexicon.
Develop a Mutual Understanding of the Problem
Without clear consensus on what constitutes a cyber violation, Russia will likely continue to maneuver unfettered in the vast gray area of international law.
As NATO's Cooperative Cyber Defense Center of Excellence, formally established in Tallinn in 2008, noted: “There are no common definitions for cyber terms — they are understood to mean different things by different nations/organizations, despite prevalence in mainstream media and in national and international organizational statements.” For example, there are almost 20 different definitions of “cyberattack,” with the meaning varying from country to country. Within the United States and internationally, the lack of clarity has impeded progress on the creation of national policies and international standards that deal with cyber warfare. In fact, the international community spent nearly 20 years debating if existing international law even applies to cyberspace. Without clear consensus on what constitutes a cyber violation, Russia will likely continue to maneuver unfettered in the vast gray area of international law.
In February, the NATO research center took a step toward clarity when it published the “Tallinn Manual 2.0 (PDF),” a second-edition guide to international laws that apply to cyber operations. Although a useful resource, it is mainly an expression of the views of 19 international law experts, mostly from NATO countries, and does not represent the position of NATO or any other entity. Another shortcoming: The authors were not able to agree on how international law applies in specific situations, such as to the hack of the 2016 Democratic National Committee and the subsequent release of the stolen information.
The United States is capable of advancing the debate on state behavior in cyberspace by more clearly establishing its own national definitions and interpretations for information and cyber warfare. Agreeing on uniform definitions and standards would help the West take the next necessary step: deciding how existing international law applies.
Define How Existing Law Applies to Cyberspace
The United Nations Group of Governmental Experts declared in 2013 that existing international law applies to cyberspace. Two years later it followed up with a consensus report on norms, rules or principles of the responsible behavior of states in the cyberspace that includes a commitment to “non-intervention in the internal affairs of other States.” These agreements ended a nearly two-decade debate by deciding that existing obligations under international law are applicable to state use of cyberspace. There is still a need to define how existing international law applies to cyberspace — how should Russian interference in the 2016 U.S. election be legally dealt with? After that, the international community should work to make binding the recently agreed-upon norms.
Only when norms and laws are binding will there be legal and tangible consequences for cyber actions against others. Tangible costs, such as sanctions, are important because without them history has shown that malicious actors will continue or intensify their behaviors in pursuit of their objectives. The editor of the “Tallinn Manual 2.0” may have said it best: “The Russians are masters at playing the 'gray area' in the law, as they know that this will make it difficult to claim they are violating international law and justifying responses such as countermeasures.”
While the international community continues to make progress on binding standards and norms, countries can, and should, choose to do the right thing by demonstrating responsible behavior in cyberspace.
Bruce McClintock is an adjunct policy analyst at the nonprofit, nonpartisan RAND Corporation and a former U.S. Defense Attaché in Moscow.
This commentary originally appeared on U.S. News & World Report on July 17, 2017. Commentary gives RAND researchers a platform to convey insights based on their professional expertise and often on their peer-reviewed research and analysis.