In the cyber realm, the difference between a weapon and a non-weapon may come down to a single line of code
CAMBRIDGE – The United States responded weakly after Russian cyber operations disrupted the 2016 presidential election. US President Barack Obama had warned his Russian counterpart, Vladimir Putin, of repercussions, but an effective reply became entangled in the domestic politics of Donald Trump’s election. That could be about to change.
Recently, American officials anonymously acknowledged that US offensive cyber operations prevented a Kremlin troll farm from disrupting the 2018 Congressional elections. Such offensive cyber operations are rarely discussed, but they suggest ways to deter disruption of the US presidential election in 2020. Attacking a troll farm will not be enough.
Deterrence by threat of retaliation remains a crucial but underused tactic for preventing cyber attacks. There has been no attack on US electrical systems, despite the reported presence of Chinese and Russians on the grid. Pentagon doctrine is to respond to damage with any weapon officials choose, and deterrence seems to be working at that level.
Presumably, it could also work in the gray zone of hybrid warfare, such as Russia’s disruption of democratic elections. Given that US intelligence agencies are reported to carry out espionage in Russian and Chinese networks, one can imagine that they discover embarrassing facts about foreign leaders’ hidden assets, which they could threaten to disclose or freeze. Similarly, the US could go further in applying economic and travel sanctions against authoritarians’ inner circles. The diplomatic expulsions and indictments since 2016, and the recent offensive actions, were only first steps toward strengthening America’s deterrent threat of retaliation.
But deterrence will not be enough. The US will also need diplomacy. Negotiating cyber arms-control treaties is problematic, but this does not make diplomacy impossible. In the cyber realm, the difference between a weapon and a non-weapon may come down to a single line of code, or simply the intent of a computer program’s user. Thus, it will be difficult to prohibit the design, possession, or even implantation for espionage of particular programs. In that sense, cyber arms control cannot be like the nuclear arms control that developed during the Cold War. Verification of weapons stockpiles would be virtually impossible, and even if it were assured, stockpiles could quickly be re-created.
But if traditional arms-control treaties are unworkable, it may still be possible to set limits on certain types of civilian targets, and to negotiate rough rules of the road that minimize conflict. For example, the US and the Soviet Union negotiated an Incidents at Sea Agreement in 1972 to limit naval behavior that might lead to escalation. The US and Russia might negotiate limits to their behavior regarding each other’s domestic political processes. Even if there is no agreement on precise definitions, they could exchange unilateral statements about areas of self-restraint and establish a consultative process to contain conflict. Such a procedure could protect democratic non-governmental organizations’ right to criticize authoritarians while at the same time creating a framework that limits governmental escalation.
Skeptics object that such an arrangement is impossible, owing to the differences between American and Russian values. But even greater ideological differences did not prevent agreements related to prudence during the Cold War. Skeptics also say that Russia would have no incentive to agree, because elections are meaningless there. But this ignores the potential threat of retaliation discussed above: democratic openness means the US has more to lose in the current situation, which should encourage it not to hold back from pursuing its self-interest in developing a norm of restraint in this gray area.
Jack Goldsmith of Harvard Law School has argued that the US needs to draw a principled line and defend it. That defense would acknowledge that the US has itself interfered in elections, renounce such behavior, and pledge not to engage in it again. The US should also acknowledge that it continues to engage in forms of computer network exploitation for purposes it deems legitimate. And officials should “state precisely the norm that the United States pledges to stand by and that the Russians have violated.”
This would not be unilateral disarmament on America’s part; rather, it would draw a line between the permitted soft power of open persuasion and the hard power of covert information warfare. Overt programs and broadcasts would continue to be allowed. The US would not object to the content of Russia’s open political speech, including their propagandistic RT television network. But it would object when Russia promotes its views through covert coordinated behavior such as the 2016 manipulation of social media, or dumping hacked e-mails.
Non-state actors often act as state proxies in varying degrees, but the rules would require their open identification. And because the rules will never be perfect, they must be accompanied by a consultative process that establishes a framework for warning and negotiation. Such a process, together with stronger deterrent threats, is unlikely to fully stop Russian interference, but if it reduces the level, it could enhance America’s defense of its democracy.
Given the poor state of US-Russian relations, with Putin boasting about new nuclear weapons, the climate for an agreement is not promising, though there have been some hints of Russian interest. At the same time, the partisan divisions in US politics over the legitimacy of Trump’s relationship with Russia also make negotiations difficult. If both sides want to avoid dangerous escalation, perhaps the possibilities can be explored in the context of a professional or military-to-military dialogue. Or the idea may just have to wait until after the 2020 election.
Joseph S. Nye is a professor at Harvard. His forthcoming book is Do Morals Matter? Presidents and Foreign Policy from FDR to Trump