The Western world turned a corner in February when the United States indicted 13 Russians for attempting to interfere in the 2016 election. And along with Great Britain, the United States exposed Russia as the culprit behind NotPetya, a costly cyberattack on the Ukraine that was deliberately disguised as ransomware. The Russian modus operandi of hiding state-sponsored maliciousness behind a veneer of plausible deniability did not dissuade either Special Counsel Robert Mueller or the British government from naming and shaming key individuals.
A strategy for addressing current and future vulnerabilities could include at least three goals for the United States and other Western societies that are being targeted: First, be less vulnerable; second, be able to recognize and mitigate the impact of attacks faster; third, be prepared to respond in kind to all levels of offense.
Nation-states and their proxies are spying and attacking in cyberspace across national borders with regularity. Russia is not alone in targeting the United States. Seven Iranian nationals were indicted in 2012 for installing malicious code on a computer that controls a dam in New York state. A number of Chinese hackers were indicted last November for stealing from U.S. companies.
Open and free societies are more vulnerable than adversaries who exploit the tenets and principles of press freedoms. Keir Giles, director of the Conflict Studies Research Centre at Oxford, noted that “the emphasis on balance in many Western media ensures that Russian narratives, no matter how fraudulent, would be repeated to European and American audiences.”
The proliferation and integration of social media into society extends the reach of overseas propagandists. U.S. citizens of all ages and backgrounds can be on the receiving end of a psychological operation. And this is enabled by the vast stores of personal data that are available for sale—or stolen through illegal hacks (like those which targeted Equifax and the Office of Personnel Management)—and can enable a foreign adversary to build a profile of virtually any American citizen.
On the first point, societies can certainly make choices to reduce vulnerabilities by eschewing some conveniences. Cybersecurity guru Bruce Schneier argues for seeking opportunities to be less connected—at least to the internet. A prime example is the modern automobile, which operates with the help of millions of lines of software code and scores of computer processors. Such enhancements add to their cyber vulnerabilities, despite the fact that the basic operations of an automobile—accelerate, brake, steer and so forth—have been accomplished without computers for over a century. The next generation of cars are being designed to be driven by computers. Automobiles are headed in the wrong direction regarding vulnerability.
A lesson also can be drawn from the cyberattack on the Ukrainian power stations in 2015. Employees were able to recover operations in less than seven hours due to redundant manual processes. Redundant, noninformation and communication technology controls can help in both mitigation and response.
Second, there will always be an arms race between attackers and defenders in cyberspace. So, mitigating vulnerabilities faster will require better processes and techniques to build, purchase and field secure computing devices more rapidly. This is difficult for the private sector, which desires to race new functionality to the market as rapidly as possible. The government sector has historically lacked the ability to acquire information and communication technology quickly. In summary, the private sector could be even more deliberate with its design efforts and at the same time, the public sector, which buys from the private sector, could be less deliberate in order to decrease the time needed to field updates and responses to problems.
On the third point, being better able to respond to incidents, we need superior planning for responses to grey area operations, defined as those operations that fall short of international definitions of aggression. Such actions, including the psychological operations described in the indictments, continue to occur with frequency. Most importantly, responses should not be taken unless there is demonstrated resiliency to any counter-response that may follow.
In the United States, the ability to respond is also stymied by the stovepiped nature of the key organizations. As described in RAND research, the military, spy agencies, law enforcement, and diplomatic corps all have roles but also limiting boundaries. This necessitates handoffs and generates turf battles between the organizations and within them. All of this is inhibiting. In congressional testimony, cyber warfare expert Clint Watts argued (PDF) that the Russians are in an opposite position: “They excel in information warfare because they seamlessly integrate cyber operations, influence, intelligence, and diplomacy cohesively; and they don't obsess over bureaucracy; they employ competing and overlapping efforts,” he said.
The Mueller indictments describe violations of U.S. law. But like espionage, these actions are not considered to be gross violations of international law. Almost 20 years ago, Lawrence Greenberg, a legal scholar, predicted (PDF): “The ambiguous state of international law regarding information warfare may leave space for the United States to pursue information warfare activities. Conversely, it may permit adversaries to attack the United States and its system.”
Similar interference can be expected from Russia and other adversaries who will undoubtedly seek to influence the next election and for that matter, all global elections that follow. These expectations reflect the Russian thought-leader and former general Valery Gerasimov, who quotes the Austrian poet Ingeborg Bachmann: “War is no longer declared.” This is especially true when it comes to cyber warfare.
Isaac Porche is a senior researcher at the nonprofit, nonpartisan RAND Corporation and a senior fellow at the George Washington University Center for Cyber and Homeland Security.
This commentary originally appeared on U.S. News & World Report on February 27, 2018. Commentary gives RAND researchers a platform to convey insights based on their professional expertise and often on their peer-reviewed research and analysis.