Checklist for a U.S.-Russia Cyberwar


Oct 31, 2016

Russian President Vladimir Putin attends a press conference at Tegel airport in Berlin, Germany, October 20, 2016

Photo by Axel Schmidt/Reuters

This commentary originally appeared on TechCrunch on October 31, 2016.

Following the hack of the Democratic National Committee, many in Congress and elsewhere have called on the United States to retaliate against Russia, the country the Obama administration says is the perpetrator.

The administration is reported to be seriously contemplating a response. While doing so may be satisfying and worthwhile, whether and how to respond is hardly a simple matter. Many questions need to be addressed before going ahead.

What Are the Stakes?

Assuming it is the perpetrator, Russia has clearly tampered with the U.S. election process by stealing and revealing political information that was private and had every right to be. That was bad. Be that as it may, keep in mind that leaked DNC computer files are not the only information that has been put into the public domain surreptitiously. (See Trump tax returns and various interviews that have surfaced.)

Even in the absence of Russian involvement, the political environment would not have been pristine. Regardless, the second argument for a response is that Russia needs to be discouraged from tampering with U.S. voting systems. This is clearly more serious because the U.S. political system depends on (so far well-deserved) trust in the voting system. But if the election process can be seriously hacked by Russians — something most experts remain skeptical about — it can probably be hacked by others. Retaliation won't fix that. Continued careful attention to security would be needed.

What Would the United States Be Saying to Russia?

The United States could be telling Russia: You have angered us, and in our anger, we have retaliated. The lesson, of course, would be not to anger the United States.

Or it could be saying: Your actions have clearly violated what all responsible countries would consider acceptable state behavior. Punishment reflects not our anger but your transgression; the United States punishes to foster a respect for international norms of responsible state behavior.

Although both arguments are functional, which narrative represents the world the United States wants to see? Is it a world run solely by the dictates of power or a world run according to norms? If it is the latter, that leaves the challenge of crafting norms that would (1) put Russia in the wrong, (2) put the United States always in the right, and (3) make sense, at least to U.S. friends.

Should a Response Be Hidden or Obvious?

Should the rest of the world know what the response was and how Russia was punished? An obvious response is generally more likely to generate a counter-response because being punished and not responding could mean a loss of face before others. But a hidden response does little to warn other countries.

With Russia, the case tilts to a hidden response because the two countries have experience in covertly signaling each other (during the Cold War) when bounds looked as if they were overstepped.

Furthermore, Russia has a healthy ability to counter-respond and, arguably, dissuading Russia from further mischief matters more than dissuading other countries because no other country combines Russia's capabilities and Russia's hostility to the West. Regardless, the prior fact of public attribution and the public mulling of response options would keep a response from being completely hidden.

To What Extent Must the United States Prove Russian Responsibility?

The U.S. intelligence community has offered little public evidence to support claims that Russia is responsible for the DNC hack while private cybersecurity companies have been somewhat more forthcoming.

Putin, of course, denies everything. If U.S. punishment is obvious or a matter of enforcing norms, then more proof is needed. If U.S. punishment is hidden or justified by U.S. anger, then less proof is needed. Presenting evidence is not free—it often points to intelligence sources and methods, and gives future attackers clues on how to avoid future punishment. Lastly, the need to provide evidence presumes a world in which facts matter.

How Urgent Is a Response?

In particular, should response precede the U.S. election? Yes, if the point is to protect the integrity of the 2016 election — but the real extent of such a threat is disputable. And while trust in an election's overall integrity matters a great deal, the primary threat to such trust originates not abroad but in the United States with accusations regarding rigging the election. A pre-election response, particularly if overt, risks becoming grist for the political mill; it could be dismissed as the actions not of the U.S. government but of a partisan administration.

The effects of a post-election response may be hard to assess after the fact. By then the Russians would have already stopped interfering in the 2016 election's political process (since it would be over) whether or not the U.S. response was dissuasive. But the Russian attraction for hacking and doxing its opponents is not limited to the United States — as demonstrated by recent hacks against The Soros Foundation and the World Anti-Doping Agency. So, some measurable good may still come from a post-election response.

How Harsh a Response?

The usual calculus applies. Too little a response will seem hollow and not dissuade while too great a response could risk a counter-response, perhaps an escalatory one. Some responses may be viewed as insults, and be likely to lead to a harsh counter-response even if not dissuasive. Conversely, some types of dissuasive responses may hit a sweet spot—they discourage follow-ups but do not incite overreaction. The United States promised to react to North Korea's hack of Sony, but the actual (known) response, (re-)imposing sanctions on several named individuals, was essentially indistinguishable from doing nothing.

If it is a good idea for the United States to have a deterrence policy against mischief in cyberspace, then at least once it has to render a non-trivial response. Yet credibility imposes no requirement for the response to be particularly painful. If the response is visible to the public, it should be accompanied by a narrative of justice, not revenge.

Who Would Win an Extended Tit-for-Tat in Cyberspace?

If the United States responds and Russia counter-responds, the fight may go into later rounds. The United States has the best offense and the deepest defense. Russia's offense is almost as good but its defenses lack depth. Conversely, the United States needs a deep defense because its dependence is much higher, thanks to higher levels of digitization and networking. But if the United States needs to seriously contemplate the potential outcome of such a conflict, perhaps the question — what are the stakes? — needs to be seriously re-examined.

Martin Libicki is the author of the recently published Cyberspace in Peace and War and is the Maryellen and Richard Keyser Distinguished Visiting Professor in Cyber Security Studies at the U.S. Naval Academy. Libicki also serves as an adjunct senior management scientist at the RAND Corporation.
